1package eu.siacs.conversations.utils;
2
3import android.os.Bundle;
4import android.util.Base64;
5import android.util.Pair;
6
7import org.bouncycastle.asn1.x500.X500Name;
8import org.bouncycastle.asn1.x500.style.BCStyle;
9import org.bouncycastle.asn1.x500.style.IETFUtils;
10import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
11
12import java.net.MalformedURLException;
13import java.net.URL;
14import java.security.MessageDigest;
15import java.security.NoSuchAlgorithmException;
16import java.security.SecureRandom;
17import java.security.cert.CertificateEncodingException;
18import java.security.cert.CertificateParsingException;
19import java.security.cert.X509Certificate;
20import java.text.Normalizer;
21import java.util.ArrayList;
22import java.util.Arrays;
23import java.util.Collection;
24import java.util.Iterator;
25import java.util.LinkedHashSet;
26import java.util.List;
27import java.util.Locale;
28import java.util.regex.Pattern;
29
30import eu.siacs.conversations.Config;
31import eu.siacs.conversations.R;
32import eu.siacs.conversations.entities.Account;
33import eu.siacs.conversations.entities.Message;
34import eu.siacs.conversations.http.AesGcmURLStreamHandler;
35import eu.siacs.conversations.xmpp.jid.InvalidJidException;
36import eu.siacs.conversations.xmpp.jid.Jid;
37
38public final class CryptoHelper {
39 public static final String FILETRANSFER = "?FILETRANSFERv1:";
40 private final static char[] hexArray = "0123456789abcdef".toCharArray();
41
42 public static final Pattern UUID_PATTERN = Pattern.compile("[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}");
43 final public static byte[] ONE = new byte[] { 0, 0, 0, 1 };
44
45 public static String bytesToHex(byte[] bytes) {
46 char[] hexChars = new char[bytes.length * 2];
47 for (int j = 0; j < bytes.length; j++) {
48 int v = bytes[j] & 0xFF;
49 hexChars[j * 2] = hexArray[v >>> 4];
50 hexChars[j * 2 + 1] = hexArray[v & 0x0F];
51 }
52 return new String(hexChars);
53 }
54
55 public static byte[] hexToBytes(String hexString) {
56 int len = hexString.length();
57 byte[] array = new byte[len / 2];
58 for (int i = 0; i < len; i += 2) {
59 array[i / 2] = (byte) ((Character.digit(hexString.charAt(i), 16) << 4) + Character
60 .digit(hexString.charAt(i + 1), 16));
61 }
62 return array;
63 }
64
65 public static String hexToString(final String hexString) {
66 return new String(hexToBytes(hexString));
67 }
68
69 public static byte[] concatenateByteArrays(byte[] a, byte[] b) {
70 byte[] result = new byte[a.length + b.length];
71 System.arraycopy(a, 0, result, 0, a.length);
72 System.arraycopy(b, 0, result, a.length, b.length);
73 return result;
74 }
75
76 /**
77 * Escapes usernames or passwords for SASL.
78 */
79 public static String saslEscape(final String s) {
80 final StringBuilder sb = new StringBuilder((int) (s.length() * 1.1));
81 for (int i = 0; i < s.length(); i++) {
82 char c = s.charAt(i);
83 switch (c) {
84 case ',':
85 sb.append("=2C");
86 break;
87 case '=':
88 sb.append("=3D");
89 break;
90 default:
91 sb.append(c);
92 break;
93 }
94 }
95 return sb.toString();
96 }
97
98 public static String saslPrep(final String s) {
99 return Normalizer.normalize(s, Normalizer.Form.NFKC);
100 }
101
102 public static String random(int length, SecureRandom random) {
103 final byte[] bytes = new byte[length];
104 random.nextBytes(bytes);
105 return Base64.encodeToString(bytes,Base64.NO_PADDING|Base64.NO_WRAP);
106 }
107
108 public static String prettifyFingerprint(String fingerprint) {
109 if (fingerprint==null) {
110 return "";
111 } else if (fingerprint.length() < 40) {
112 return fingerprint;
113 }
114 StringBuilder builder = new StringBuilder(fingerprint);
115 for(int i=8;i<builder.length();i+=9) {
116 builder.insert(i, ' ');
117 }
118 return builder.toString();
119 }
120
121 public static String prettifyFingerprintCert(String fingerprint) {
122 StringBuilder builder = new StringBuilder(fingerprint);
123 for(int i=2;i < builder.length(); i+=3) {
124 builder.insert(i,':');
125 }
126 return builder.toString();
127 }
128
129 public static String[] getOrderedCipherSuites(final String[] platformSupportedCipherSuites) {
130 final Collection<String> cipherSuites = new LinkedHashSet<>(Arrays.asList(Config.ENABLED_CIPHERS));
131 final List<String> platformCiphers = Arrays.asList(platformSupportedCipherSuites);
132 cipherSuites.retainAll(platformCiphers);
133 cipherSuites.addAll(platformCiphers);
134 filterWeakCipherSuites(cipherSuites);
135 return cipherSuites.toArray(new String[cipherSuites.size()]);
136 }
137
138 private static void filterWeakCipherSuites(final Collection<String> cipherSuites) {
139 final Iterator<String> it = cipherSuites.iterator();
140 while (it.hasNext()) {
141 String cipherName = it.next();
142 // remove all ciphers with no or very weak encryption or no authentication
143 for (String weakCipherPattern : Config.WEAK_CIPHER_PATTERNS) {
144 if (cipherName.contains(weakCipherPattern)) {
145 it.remove();
146 break;
147 }
148 }
149 }
150 }
151
152 public static Pair<Jid,String> extractJidAndName(X509Certificate certificate) throws CertificateEncodingException, InvalidJidException, CertificateParsingException {
153 Collection<List<?>> alternativeNames = certificate.getSubjectAlternativeNames();
154 List<String> emails = new ArrayList<>();
155 if (alternativeNames != null) {
156 for(List<?> san : alternativeNames) {
157 Integer type = (Integer) san.get(0);
158 if (type == 1) {
159 emails.add((String) san.get(1));
160 }
161 }
162 }
163 X500Name x500name = new JcaX509CertificateHolder(certificate).getSubject();
164 if (emails.size() == 0) {
165 emails.add(IETFUtils.valueToString(x500name.getRDNs(BCStyle.EmailAddress)[0].getFirst().getValue()));
166 }
167 String name = IETFUtils.valueToString(x500name.getRDNs(BCStyle.CN)[0].getFirst().getValue());
168 if (emails.size() >= 1) {
169 return new Pair<>(Jid.fromString(emails.get(0)), name);
170 } else {
171 return null;
172 }
173 }
174
175 public static Bundle extractCertificateInformation(X509Certificate certificate) {
176 Bundle information = new Bundle();
177 try {
178 JcaX509CertificateHolder holder = new JcaX509CertificateHolder(certificate);
179 X500Name subject = holder.getSubject();
180 try {
181 information.putString("subject_cn", subject.getRDNs(BCStyle.CN)[0].getFirst().getValue().toString());
182 } catch (Exception e) {
183 //ignored
184 }
185 try {
186 information.putString("subject_o",subject.getRDNs(BCStyle.O)[0].getFirst().getValue().toString());
187 } catch (Exception e) {
188 //ignored
189 }
190
191 X500Name issuer = holder.getIssuer();
192 try {
193 information.putString("issuer_cn", issuer.getRDNs(BCStyle.CN)[0].getFirst().getValue().toString());
194 } catch (Exception e) {
195 //ignored
196 }
197 try {
198 information.putString("issuer_o", issuer.getRDNs(BCStyle.O)[0].getFirst().getValue().toString());
199 } catch (Exception e) {
200 //ignored
201 }
202 try {
203 information.putString("sha1", getFingerprintCert(certificate.getEncoded()));
204 } catch (Exception e) {
205
206 }
207 return information;
208 } catch (CertificateEncodingException e) {
209 return information;
210 }
211 }
212
213 public static String getFingerprintCert(byte[] input) throws NoSuchAlgorithmException {
214 MessageDigest md = MessageDigest.getInstance("SHA-1");
215 byte[] fingerprint = md.digest(input);
216 return prettifyFingerprintCert(bytesToHex(fingerprint));
217 }
218
219 public static String getAccountFingerprint(Account account) {
220 return getFingerprint(account.getJid().toBareJid().toString());
221 }
222
223 public static String getFingerprint(String value) {
224 try {
225 MessageDigest md = MessageDigest.getInstance("SHA-256");
226 return bytesToHex(md.digest(value.getBytes("UTF-8")));
227 } catch (Exception e) {
228 return "";
229 }
230 }
231
232 public static int encryptionTypeToText(int encryption) {
233 switch (encryption) {
234 case Message.ENCRYPTION_OTR:
235 return R.string.encryption_choice_otr;
236 case Message.ENCRYPTION_AXOLOTL:
237 return R.string.encryption_choice_omemo;
238 case Message.ENCRYPTION_NONE:
239 return R.string.encryption_choice_unencrypted;
240 default:
241 return R.string.encryption_choice_pgp;
242 }
243 }
244
245 public static URL toAesGcmUrl(URL url) {
246 if (!url.getProtocol().equalsIgnoreCase("https")) {
247 return url;
248 }
249 try {
250 return new URL(AesGcmURLStreamHandler.PROTOCOL_NAME+url.toString().substring(url.getProtocol().length()));
251 } catch (MalformedURLException e) {
252 return url;
253 }
254 }
255
256 public static URL toHttpsUrl(URL url) {
257 if (!url.getProtocol().equalsIgnoreCase(AesGcmURLStreamHandler.PROTOCOL_NAME)) {
258 return url;
259 }
260 try {
261 return new URL("https"+url.toString().substring(url.getProtocol().length()));
262 } catch (MalformedURLException e) {
263 return url;
264 }
265 }
266
267 public static boolean isPgpEncryptedUrl(String url) {
268 if (url == null) {
269 return false;
270 }
271 final String u = url.toLowerCase();
272 return !u.contains(" ") && (u.startsWith("https://") || u.startsWith("http://")) && u.endsWith(".pgp");
273 }
274}