Nosial/socialbox-php
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Changed Encryption to use LibSodium instead of OpenSSL, refactored many things and overall improved the code quality and performance with magic.

Browse source
This commit is contained in:
netkas 2025-01-03 12:27:04 -05:00
parent 46ad03a54d
commit 367399f0fd
44 changed files with 2971 additions and 2016 deletions
Download patch file Download diff file Expand all files Collapse all files

306
src/Socialbox/Classes/RpcClient.php
View file

@ -2,11 +2,10 @@
namespace Socialbox\Classes;
use Socialbox\Enums\Options\ClientOptions;
use Socialbox\Enums\StandardError;
use Socialbox\Enums\StandardHeaders;
use Socialbox\Enums\Types\RequestType;
use Socialbox\Exceptions\CryptographyException;
use Socialbox\Exceptions\DatabaseOperationException;
use Socialbox\Exceptions\ResolutionException;
use Socialbox\Exceptions\RpcException;
use Socialbox\Objects\ExportedSession;
@ -14,6 +13,7 @@
use Socialbox\Objects\PeerAddress;
use Socialbox\Objects\RpcRequest;
use Socialbox\Objects\RpcResult;
use Socialbox\Objects\Standard\ServerInformation;
class RpcClient
{
@ -22,9 +22,14 @@
private bool $bypassSignatureVerification;
private PeerAddress $peerAddress;
private KeyPair $keyPair;
private string $encryptionKey;
private string $serverPublicKey;
private string $serverPublicSigningKey;
private string $serverPublicEncryptionKey;
private KeyPair $clientSigningKeyPair;
private KeyPair $clientEncryptionKeyPair;
private string $privateSharedSecret;
private string $clientTransportEncryptionKey;
private string $serverTransportEncryptionKey;
private ServerInformation $serverInformation;
private string $rpcEndpoint;
private string $sessionUuid;
@ -42,14 +47,41 @@
$this->bypassSignatureVerification = false;
// If an exported session is provided, no need to re-connect.
// Just use the session details provided.
if($exportedSession !== null)
{
// Check if the server keypair has expired from the exported session
if(time() > $exportedSession->getServerKeypairExpires())
{
throw new RpcException('The server keypair has expired, a new session must be created');
}
$this->peerAddress = PeerAddress::fromAddress($exportedSession->getPeerAddress());
$this->keyPair = new KeyPair($exportedSession->getPublicKey(), $exportedSession->getPrivateKey());
$this->encryptionKey = $exportedSession->getEncryptionKey();
$this->serverPublicKey = $exportedSession->getServerPublicKey();
$this->rpcEndpoint = $exportedSession->getRpcEndpoint();
$this->sessionUuid = $exportedSession->getSessionUuid();
$this->serverPublicSigningKey = $exportedSession->getServerPublicSigningKey();
$this->serverPublicEncryptionKey = $exportedSession->getServerPublicEncryptionKey();
$this->clientSigningKeyPair = new KeyPair($exportedSession->getClientPublicSigningKey(), $exportedSession->getClientPrivateSigningKey());
$this->clientEncryptionKeyPair = new KeyPair($exportedSession->getClientPublicEncryptionKey(), $exportedSession->getClientPrivateEncryptionKey());
$this->privateSharedSecret = $exportedSession->getPrivateSharedSecret();
$this->clientTransportEncryptionKey = $exportedSession->getClientTransportEncryptionKey();
$this->serverTransportEncryptionKey = $exportedSession->getServerTransportEncryptionKey();
// Still solve the server information
$this->serverInformation = self::getServerInformation();
// Check if the active keypair has expired
if(time() > $this->serverInformation->getServerKeypairExpires())
{
throw new RpcException('The server keypair has expired but the server has not provided a new keypair, contact the server administrator');
}
// Check if the transport encryption algorithm has changed
if($this->serverInformation->getTransportEncryptionAlgorithm() !== $exportedSession->getTransportEncryptionAlgorithm())
{
throw new RpcException('The server has changed its transport encryption algorithm, a new session must be created');
}
return;
}
@ -62,51 +94,61 @@
// Set the initial properties
$this->peerAddress = $peerAddress;
// If the username is `host` and the domain is the same as this server's domain, we use our keypair
// Essentially this is a special case for the server to contact another server
if($this->peerAddress->isHost())
{
$this->keyPair = new KeyPair(Configuration::getInstanceConfiguration()->getPublicKey(), Configuration::getInstanceConfiguration()->getPrivateKey());
}
// Otherwise we generate a random keypair
else
{
$this->keyPair = Cryptography::generateKeyPair();
}
$this->encryptionKey = Cryptography::generateEncryptionKey();
// Resolve the domain and get the server's Public Key & RPC Endpoint
try
{
$resolvedServer = ServerResolver::resolveDomain($this->peerAddress->getDomain(), false);
}
catch (DatabaseOperationException $e)
{
throw new ResolutionException('Failed to resolve domain: ' . $e->getMessage(), 0, $e);
}
$resolvedServer = ServerResolver::resolveDomain($this->peerAddress->getDomain(), false);
$this->serverPublicKey = $resolvedServer->getPublicKey();
$this->rpcEndpoint = $resolvedServer->getEndpoint();
// Import the RPC Endpoint & the server's public key.
$this->serverPublicSigningKey = $resolvedServer->getPublicSigningKey();
$this->rpcEndpoint = $resolvedServer->getRpcEndpoint();
if(empty($this->serverPublicKey))
if(empty($this->serverPublicSigningKey))
{
throw new ResolutionException('Failed to resolve domain: No public key found for the server');
}
// Attempt to create an encrypted session with the server
$this->sessionUuid = $this->createSession();
// Resolve basic server information
$this->serverInformation = self::getServerInformation();
// Check if the server keypair has expired
if(time() > $this->serverInformation->getServerKeypairExpires())
{
throw new RpcException('The server keypair has expired but the server has not provided a new keypair, contact the server administrator');
}
// If the username is `host` and the domain is the same as this server's domain, we use our signing keypair
// Essentially this is a special case for the server to contact another server
if($this->peerAddress->isHost())
{
$this->clientSigningKeyPair = new KeyPair(Configuration::getCryptographyConfiguration()->getHostPublicKey(), Configuration::getCryptographyConfiguration()->getHostPrivateKey());
}
// Otherwise we generate a random signing keypair
else
{
$this->clientSigningKeyPair = Cryptography::generateSigningKeyPair();
}
// Always use a random encryption keypair
$this->clientEncryptionKeyPair = Cryptography::generateEncryptionKeyPair();
// Create a session with the server, with the method we obtain the Session UUID
// And the server's public encryption key.
$this->createSession();
// Generate a transport encryption key on our end using the server's preferred algorithm
$this->clientTransportEncryptionKey = Cryptography::generateEncryptionKey($this->serverInformation->getTransportEncryptionAlgorithm());
// Preform the DHE so that transport encryption keys can be exchanged
$this->sendDheExchange();
}
/**
* Creates a new session by sending an HTTP GET request to the RPC endpoint.
* The request includes specific headers required for session initiation.
* Initiates a new session with the server and retrieves the session UUID.
*
* @return string Returns the session UUID received from the server.
* @throws RpcException If the server response is invalid, the session creation fails, or no session UUID is returned.
* @return string The session UUID provided by the server upon successful session creation.
* @throws RpcException If the session cannot be created, if the server does not provide a valid response,
* or critical headers like encryption public key are missing in the server's response.
*/
private function createSession(): string
private function createSession(): void
{
$ch = curl_init();
@ -116,28 +158,45 @@
StandardHeaders::CLIENT_NAME->value . ': ' . self::CLIENT_NAME,
StandardHeaders::CLIENT_VERSION->value . ': ' . self::CLIENT_VERSION,
StandardHeaders::IDENTIFY_AS->value . ': ' . $this->peerAddress->getAddress(),
// Always provide our generated encrypted public key
StandardHeaders::ENCRYPTION_PUBLIC_KEY->value . ': ' . $this->clientEncryptionKeyPair->getPublicKey()
];
// If we're not connecting as the host, we need to provide our public key
// Otherwise, the server will obtain the public key itself from DNS records rather than trusting the client
if(!$this->peerAddress->isHost())
{
$headers[] = StandardHeaders::PUBLIC_KEY->value . ': ' . $this->keyPair->getPublicKey();
$headers[] = StandardHeaders::SIGNING_PUBLIC_KEY->value . ': ' . $this->clientSigningKeyPair->getPublicKey();
}
$responseHeaders = [];
curl_setopt($ch, CURLOPT_URL, $this->rpcEndpoint);
curl_setopt($ch, CURLOPT_HTTPGET, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
// Capture the response headers to get the encryption public key
curl_setopt($ch, CURLOPT_HEADERFUNCTION, function($curl, $header) use (&$responseHeaders)
{
$len = strlen($header);
$header = explode(':', $header, 2);
if (count($header) < 2) // ignore invalid headers
{
return $len;
}
$responseHeaders[strtolower(trim($header[0]))][] = trim($header[1]);
return $len;
});
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
$response = curl_exec($ch);
// If the response is false, the request failed
if($response === false)
{
curl_close($ch);
throw new RpcException(sprintf('Failed to create the session at %s, no response received', $this->rpcEndpoint));
}
// If the response code is not 201, the request failed
$responseCode = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
if($responseCode !== 201)
{
@ -151,14 +210,44 @@
throw new RpcException(sprintf('Failed to create the session at %s, server responded with ' . $responseCode . ': ' . $response, $this->rpcEndpoint));
}
// If the response is empty, the server did not provide a session UUID
if(empty($response))
{
curl_close($ch);
throw new RpcException(sprintf('Failed to create the session at %s, server did not return a session UUID', $this->rpcEndpoint));
}
// Get the Encryption Public Key from the server's response headers
$serverPublicEncryptionKey = $responseHeaders[strtolower(StandardHeaders::ENCRYPTION_PUBLIC_KEY->value)][0] ?? null;
// null check
if($serverPublicEncryptionKey === null)
{
curl_close($ch);
throw new RpcException('Failed to create session at %s, the server did not return a public encryption key');
}
// Validate the server's encryption public key
if(!Cryptography::validatePublicEncryptionKey($serverPublicEncryptionKey))
{
curl_close($ch);
throw new RpcException('The server did not provide a valid encryption public key');
}
// If the server did not provide an encryption public key, the response is invalid
// We can't preform the DHE without the server's encryption key.
if ($serverPublicEncryptionKey === null)
{
curl_close($ch);
throw new RpcException('The server did not provide a signature for the response');
}
curl_close($ch);
return $response;
// Set the server's encryption key
$this->serverPublicEncryptionKey = $serverPublicEncryptionKey;
// Set the session UUID
$this->sessionUuid = $response;
}
/**
@ -168,15 +257,26 @@
*/
private function sendDheExchange(): void
{
// First preform the DHE
try
{
$this->privateSharedSecret = Cryptography::performDHE($this->serverPublicEncryptionKey, $this->clientEncryptionKeyPair->getPrivateKey());
}
catch(CryptographyException $e)
{
throw new RpcException('Failed to preform DHE: ' . $e->getMessage(), StandardError::CRYPTOGRAPHIC_ERROR->value, $e);
}
// Request body should contain the encrypted key, the client's public key, and the session UUID
// Upon success the server should return 204 without a body
try
{
$encryptedKey = Cryptography::encryptContent($this->encryptionKey, $this->serverPublicKey);
$encryptedKey = Cryptography::encryptShared($this->clientTransportEncryptionKey, $this->privateSharedSecret);
$signature = Cryptography::signMessage($this->clientTransportEncryptionKey, $this->clientSigningKeyPair->getPrivateKey());
}
catch (CryptographyException $e)
{
throw new RpcException('Failed to encrypt DHE exchange data', 0, $e);
throw new RpcException('Failed to encrypt DHE exchange data', StandardError::CRYPTOGRAPHIC_ERROR->value, $e);
}
$ch = curl_init();
@ -186,6 +286,7 @@
curl_setopt($ch, CURLOPT_HTTPHEADER, [
StandardHeaders::REQUEST_TYPE->value . ': ' . RequestType::DHE_EXCHANGE->value,
StandardHeaders::SESSION_UUID->value . ': ' . $this->sessionUuid,
StandardHeaders::SIGNATURE->value . ': ' . $signature
]);
curl_setopt($ch, CURLOPT_POSTFIELDS, $encryptedKey);
@ -194,17 +295,28 @@
if($response === false)
{
curl_close($ch);
throw new RpcException('Failed to send DHE exchange, no response received');
throw new RpcException('Failed to send DHE exchange, no response received', StandardError::CRYPTOGRAPHIC_ERROR->value);
}
$responseCode = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
if($responseCode !== 204)
if($responseCode !== 200)
{
curl_close($ch);
throw new RpcException('Failed to send DHE exchange, server responded with ' . $responseCode . ': ' . $response);
throw new RpcException('Failed to send DHE exchange, server responded with ' . $responseCode . ': ' . $response, StandardError::CRYPTOGRAPHIC_ERROR->value);
}
curl_close($ch);
try
{
$this->serverTransportEncryptionKey = Cryptography::decryptShared($response, $this->privateSharedSecret);
}
catch(CryptographyException $e)
{
throw new RpcException('Failed to decrypt DHE exchange data', 0, $e);
}
finally
{
curl_close($ch);
}
}
/**
@ -218,8 +330,16 @@
{
try
{
$encryptedData = Cryptography::encryptTransport($jsonData, $this->encryptionKey);
$signature = Cryptography::signContent($jsonData, $this->keyPair->getPrivateKey(), true);
$encryptedData = Cryptography::encryptMessage(
message: $jsonData,
encryptionKey: $this->serverTransportEncryptionKey,
algorithm: $this->serverInformation->getTransportEncryptionAlgorithm()
);
$signature = Cryptography::signMessage(
message: $jsonData,
privateKey: $this->clientSigningKeyPair->getPrivateKey(),
);
}
catch (CryptographyException $e)
{
@ -289,7 +409,11 @@
try
{
$decryptedResponse = Cryptography::decryptTransport($responseString, $this->encryptionKey);
$decryptedResponse = Cryptography::decryptMessage(
encryptedMessage: $responseString,
encryptionKey: $this->clientTransportEncryptionKey,
algorithm: $this->serverInformation->getTransportEncryptionAlgorithm()
);
}
catch (CryptographyException $e)
{
@ -298,7 +422,7 @@
if (!$this->bypassSignatureVerification)
{
$signature = $headers['signature'][0] ?? null;
$signature = $headers[strtolower(StandardHeaders::SIGNATURE->value)][0] ?? null;
if ($signature === null)
{
throw new RpcException('The server did not provide a signature for the response');
@ -306,7 +430,11 @@
try
{
if (!Cryptography::verifyContent($decryptedResponse, $signature, $this->serverPublicKey, true))
if(!Cryptography::verifyMessage(
message: $decryptedResponse,
signature: $signature,
publicKey: $this->serverPublicSigningKey,
))
{
throw new RpcException('Failed to verify the response signature');
}
@ -333,6 +461,59 @@
}
}
/**
* Retrieves server information by making an RPC request.
*
* @return ServerInformation The parsed server information received in the response.
* @throws RpcException If the request fails, no response is received, or the server returns an error status code or invalid data.
*/
public function getServerInformation(): ServerInformation
{
$ch = curl_init();
// Basic session details
$headers = [
StandardHeaders::REQUEST_TYPE->value . ': ' . RequestType::INFO->value,
StandardHeaders::CLIENT_NAME->value . ': ' . self::CLIENT_NAME,
StandardHeaders::CLIENT_VERSION->value . ': ' . self::CLIENT_VERSION,
];
curl_setopt($ch, CURLOPT_URL, $this->rpcEndpoint);
curl_setopt($ch, CURLOPT_HTTPGET, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
$response = curl_exec($ch);
if($response === false)
{
curl_close($ch);
throw new RpcException(sprintf('Failed to get server information at %s, no response received', $this->rpcEndpoint));
}
$responseCode = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
if($responseCode !== 200)
{
curl_close($ch);
if(empty($response))
{
throw new RpcException(sprintf('Failed to get server information at %s, server responded with ' . $responseCode, $this->rpcEndpoint));
}
throw new RpcException(sprintf('Failed to get server information at %s, server responded with ' . $responseCode . ': ' . $response, $this->rpcEndpoint));
}
if(empty($response))
{
curl_close($ch);
throw new RpcException(sprintf('Failed to get server information at %s, server returned an empty response', $this->rpcEndpoint));
}
curl_close($ch);
return ServerInformation::fromArray(json_decode($response, true));
}
/**
* Sends an RPC request and retrieves the corresponding RPC response.
*
@ -395,12 +576,19 @@
{
return new ExportedSession([
'peer_address' => $this->peerAddress->getAddress(),
'private_key' => $this->keyPair->getPrivateKey(),
'public_key' => $this->keyPair->getPublicKey(),
'encryption_key' => $this->encryptionKey,
'server_public_key' => $this->serverPublicKey,
'rpc_endpoint' => $this->rpcEndpoint,
'session_uuid' => $this->sessionUuid
'session_uuid' => $this->sessionUuid,
'transport_encryption_algorithm' => $this->serverInformation->getTransportEncryptionAlgorithm(),
'server_keypair_expires' => $this->serverInformation->getServerKeypairExpires(),
'server_public_signing_key' => $this->serverPublicSigningKey,
'server_public_encryption_key' => $this->serverPublicEncryptionKey,
'client_public_signing_key' => $this->clientSigningKeyPair->getPublicKey(),
'client_private_signing_key' => $this->clientSigningKeyPair->getPrivateKey(),
'client_public_encryption_key' => $this->clientEncryptionKeyPair->getPublicKey(),
'client_private_encryption_key' => $this->clientEncryptionKeyPair->getPrivateKey(),
'private_shared_secret' => $this->privateSharedSecret,
'client_transport_encryption_key' => $this->clientTransportEncryptionKey,
'server_transport_encryption_key' => $this->serverTransportEncryptionKey
]);
}
}