1package eu.siacs.conversations.utils;
2
3import android.os.Bundle;
4import android.util.Base64;
5import android.util.Pair;
6
7import org.bouncycastle.asn1.x500.X500Name;
8import org.bouncycastle.asn1.x500.style.BCStyle;
9import org.bouncycastle.asn1.x500.style.IETFUtils;
10import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
11
12import java.net.MalformedURLException;
13import java.net.URL;
14import java.security.MessageDigest;
15import java.security.NoSuchAlgorithmException;
16import java.security.SecureRandom;
17import java.security.cert.CertificateEncodingException;
18import java.security.cert.CertificateParsingException;
19import java.security.cert.X509Certificate;
20import java.text.Normalizer;
21import java.util.ArrayList;
22import java.util.Arrays;
23import java.util.Collection;
24import java.util.Iterator;
25import java.util.LinkedHashSet;
26import java.util.List;
27import java.util.Locale;
28import java.util.regex.Pattern;
29
30import eu.siacs.conversations.Config;
31import eu.siacs.conversations.R;
32import eu.siacs.conversations.entities.Account;
33import eu.siacs.conversations.entities.Message;
34import eu.siacs.conversations.http.AesGcmURLStreamHandler;
35import rocks.xmpp.addr.Jid;
36
37public final class CryptoHelper {
38 private final static char[] hexArray = "0123456789abcdef".toCharArray();
39
40 public static final Pattern UUID_PATTERN = Pattern.compile("[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}");
41 final public static byte[] ONE = new byte[] { 0, 0, 0, 1 };
42
43 public static String bytesToHex(byte[] bytes) {
44 char[] hexChars = new char[bytes.length * 2];
45 for (int j = 0; j < bytes.length; j++) {
46 int v = bytes[j] & 0xFF;
47 hexChars[j * 2] = hexArray[v >>> 4];
48 hexChars[j * 2 + 1] = hexArray[v & 0x0F];
49 }
50 return new String(hexChars);
51 }
52
53 public static byte[] hexToBytes(String hexString) {
54 int len = hexString.length();
55 byte[] array = new byte[len / 2];
56 for (int i = 0; i < len; i += 2) {
57 array[i / 2] = (byte) ((Character.digit(hexString.charAt(i), 16) << 4) + Character
58 .digit(hexString.charAt(i + 1), 16));
59 }
60 return array;
61 }
62
63 public static String hexToString(final String hexString) {
64 return new String(hexToBytes(hexString));
65 }
66
67 public static byte[] concatenateByteArrays(byte[] a, byte[] b) {
68 byte[] result = new byte[a.length + b.length];
69 System.arraycopy(a, 0, result, 0, a.length);
70 System.arraycopy(b, 0, result, a.length, b.length);
71 return result;
72 }
73
74 /**
75 * Escapes usernames or passwords for SASL.
76 */
77 public static String saslEscape(final String s) {
78 final StringBuilder sb = new StringBuilder((int) (s.length() * 1.1));
79 for (int i = 0; i < s.length(); i++) {
80 char c = s.charAt(i);
81 switch (c) {
82 case ',':
83 sb.append("=2C");
84 break;
85 case '=':
86 sb.append("=3D");
87 break;
88 default:
89 sb.append(c);
90 break;
91 }
92 }
93 return sb.toString();
94 }
95
96 public static String saslPrep(final String s) {
97 return Normalizer.normalize(s, Normalizer.Form.NFKC);
98 }
99
100 public static String random(int length, SecureRandom random) {
101 final byte[] bytes = new byte[length];
102 random.nextBytes(bytes);
103 return Base64.encodeToString(bytes,Base64.NO_PADDING|Base64.NO_WRAP|Base64.URL_SAFE);
104 }
105
106 public static String prettifyFingerprint(String fingerprint) {
107 if (fingerprint==null) {
108 return "";
109 } else if (fingerprint.length() < 40) {
110 return fingerprint;
111 }
112 StringBuilder builder = new StringBuilder(fingerprint);
113 for(int i=8;i<builder.length();i+=9) {
114 builder.insert(i, ' ');
115 }
116 return builder.toString();
117 }
118
119 public static String prettifyFingerprintCert(String fingerprint) {
120 StringBuilder builder = new StringBuilder(fingerprint);
121 for(int i=2;i < builder.length(); i+=3) {
122 builder.insert(i,':');
123 }
124 return builder.toString();
125 }
126
127 public static String[] getOrderedCipherSuites(final String[] platformSupportedCipherSuites) {
128 final Collection<String> cipherSuites = new LinkedHashSet<>(Arrays.asList(Config.ENABLED_CIPHERS));
129 final List<String> platformCiphers = Arrays.asList(platformSupportedCipherSuites);
130 cipherSuites.retainAll(platformCiphers);
131 cipherSuites.addAll(platformCiphers);
132 filterWeakCipherSuites(cipherSuites);
133 return cipherSuites.toArray(new String[cipherSuites.size()]);
134 }
135
136 private static void filterWeakCipherSuites(final Collection<String> cipherSuites) {
137 final Iterator<String> it = cipherSuites.iterator();
138 while (it.hasNext()) {
139 String cipherName = it.next();
140 // remove all ciphers with no or very weak encryption or no authentication
141 for (String weakCipherPattern : Config.WEAK_CIPHER_PATTERNS) {
142 if (cipherName.contains(weakCipherPattern)) {
143 it.remove();
144 break;
145 }
146 }
147 }
148 }
149
150 public static Pair<Jid,String> extractJidAndName(X509Certificate certificate) throws CertificateEncodingException, IllegalArgumentException, CertificateParsingException {
151 Collection<List<?>> alternativeNames = certificate.getSubjectAlternativeNames();
152 List<String> emails = new ArrayList<>();
153 if (alternativeNames != null) {
154 for(List<?> san : alternativeNames) {
155 Integer type = (Integer) san.get(0);
156 if (type == 1) {
157 emails.add((String) san.get(1));
158 }
159 }
160 }
161 X500Name x500name = new JcaX509CertificateHolder(certificate).getSubject();
162 if (emails.size() == 0 && x500name.getRDNs(BCStyle.EmailAddress).length > 0) {
163 emails.add(IETFUtils.valueToString(x500name.getRDNs(BCStyle.EmailAddress)[0].getFirst().getValue()));
164 }
165 String name = x500name.getRDNs(BCStyle.CN).length > 0 ? IETFUtils.valueToString(x500name.getRDNs(BCStyle.CN)[0].getFirst().getValue()) : null;
166 if (emails.size() >= 1) {
167 return new Pair<>(Jid.of(emails.get(0)), name);
168 } else if (name != null){
169 try {
170 Jid jid = Jid.of(name);
171 if (jid.isBareJid() && jid.getLocal() != null) {
172 return new Pair<>(jid,null);
173 }
174 } catch (IllegalArgumentException e) {
175 return null;
176 }
177 }
178 return null;
179 }
180
181 public static Bundle extractCertificateInformation(X509Certificate certificate) {
182 Bundle information = new Bundle();
183 try {
184 JcaX509CertificateHolder holder = new JcaX509CertificateHolder(certificate);
185 X500Name subject = holder.getSubject();
186 try {
187 information.putString("subject_cn", subject.getRDNs(BCStyle.CN)[0].getFirst().getValue().toString());
188 } catch (Exception e) {
189 //ignored
190 }
191 try {
192 information.putString("subject_o",subject.getRDNs(BCStyle.O)[0].getFirst().getValue().toString());
193 } catch (Exception e) {
194 //ignored
195 }
196
197 X500Name issuer = holder.getIssuer();
198 try {
199 information.putString("issuer_cn", issuer.getRDNs(BCStyle.CN)[0].getFirst().getValue().toString());
200 } catch (Exception e) {
201 //ignored
202 }
203 try {
204 information.putString("issuer_o", issuer.getRDNs(BCStyle.O)[0].getFirst().getValue().toString());
205 } catch (Exception e) {
206 //ignored
207 }
208 try {
209 information.putString("sha1", getFingerprintCert(certificate.getEncoded()));
210 } catch (Exception e) {
211
212 }
213 return information;
214 } catch (CertificateEncodingException e) {
215 return information;
216 }
217 }
218
219 public static String getFingerprintCert(byte[] input) throws NoSuchAlgorithmException {
220 MessageDigest md = MessageDigest.getInstance("SHA-1");
221 byte[] fingerprint = md.digest(input);
222 return prettifyFingerprintCert(bytesToHex(fingerprint));
223 }
224
225 public static String getAccountFingerprint(Account account) {
226 return getFingerprint(account.getJid().asBareJid().toString());
227 }
228
229 public static String getFingerprint(String value) {
230 try {
231 MessageDigest md = MessageDigest.getInstance("SHA-256");
232 return bytesToHex(md.digest(value.getBytes("UTF-8")));
233 } catch (Exception e) {
234 return "";
235 }
236 }
237
238 public static int encryptionTypeToText(int encryption) {
239 switch (encryption) {
240 case Message.ENCRYPTION_OTR:
241 return R.string.encryption_choice_otr;
242 case Message.ENCRYPTION_AXOLOTL:
243 case Message.ENCRYPTION_AXOLOTL_NOT_FOR_THIS_DEVICE:
244 return R.string.encryption_choice_omemo;
245 case Message.ENCRYPTION_NONE:
246 return R.string.encryption_choice_unencrypted;
247 default:
248 return R.string.encryption_choice_pgp;
249 }
250 }
251
252 public static URL toAesGcmUrl(URL url) {
253 if (!url.getProtocol().equalsIgnoreCase("https")) {
254 return url;
255 }
256 try {
257 return new URL(AesGcmURLStreamHandler.PROTOCOL_NAME+url.toString().substring(url.getProtocol().length()));
258 } catch (MalformedURLException e) {
259 return url;
260 }
261 }
262
263 public static URL toHttpsUrl(URL url) {
264 if (!url.getProtocol().equalsIgnoreCase(AesGcmURLStreamHandler.PROTOCOL_NAME)) {
265 return url;
266 }
267 try {
268 return new URL("https"+url.toString().substring(url.getProtocol().length()));
269 } catch (MalformedURLException e) {
270 return url;
271 }
272 }
273
274 public static boolean isPgpEncryptedUrl(String url) {
275 if (url == null) {
276 return false;
277 }
278 final String u = url.toLowerCase();
279 return !u.contains(" ") && (u.startsWith("https://") || u.startsWith("http://")) && u.endsWith(".pgp");
280 }
281}