From 5784ab000fd5d9ddb38594a96a592f640c32a5ac Mon Sep 17 00:00:00 2001
From: Patrick Griffin <58729+firien@users.noreply.github.com>
Date: Wed, 1 Feb 2023 18:39:41 -0500
Subject: [PATCH] use native hkdf

---
 lib/web_push.rb                  | 1 -
 lib/web_push/encryption.rb       | 7 ++++---
 spec/web_push/encryption_spec.rb | 6 +++---
 web-push.gemspec                 | 1 -
 4 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/lib/web_push.rb b/lib/web_push.rb
index 6f7992f..80ccaf6 100644
--- a/lib/web_push.rb
+++ b/lib/web_push.rb
@@ -2,7 +2,6 @@
 require 'openssl'
 require 'base64'
-require 'hkdf'
 require 'jwt'
 require 'uri'
 require 'net/http'
diff --git a/lib/web_push/encryption.rb b/lib/web_push/encryption.rb
index 4fe1dea..b6b7b45 100644
--- a/lib/web_push/encryption.rb
+++ b/lib/web_push/encryption.rb
@@ -8,6 +8,7 @@ def encrypt(message, p256dh, auth)
       assert_arguments(message, p256dh, auth)
       group_name = 'prime256v1'
+      hash = 'SHA256'
       salt = Random.new.bytes(16)
       server = OpenSSL::PKey::EC.generate(group_name)
@@ -25,11 +26,11 @@ def encrypt(message, p256dh, auth)
       content_encryption_key_info = "Content-Encoding: aes128gcm\0"
       nonce_info = "Content-Encoding: nonce\0"
-      prk = HKDF.new(shared_secret, salt: client_auth_token, algorithm: 'SHA256', info: info).read(32)
+      prk = OpenSSL::KDF.hkdf(shared_secret, salt: client_auth_token, info: info, hash: hash, length: 32)
-      content_encryption_key = HKDF.new(prk, salt: salt, info: content_encryption_key_info).read(16)
+      content_encryption_key = OpenSSL::KDF.hkdf(prk, salt: salt, info: content_encryption_key_info, hash: hash, length: 16)
-      nonce = HKDF.new(prk, salt: salt, info: nonce_info).read(12)
+      nonce = OpenSSL::KDF.hkdf(prk, salt: salt, info: nonce_info, hash: hash, length: 12)
       ciphertext = encrypt_payload(message, content_encryption_key, nonce)
diff --git a/spec/web_push/encryption_spec.rb b/spec/web_push/encryption_spec.rb
index 3aed2ac..8f0c76d 100644
--- a/spec/web_push/encryption_spec.rb
+++ b/spec/web_push/encryption_spec.rb
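Review bot: The new local `hash = 'SHA256'` in encrypt shadows `Object#hash` for the rest of the method, which is harmless here but makes `hash` read like a method call anywhere else in the body; a frozen constant such as `HKDF_HASH = 'SHA256'` (or a name like `hash_algorithm`) keeps the intent clear and lets the spec share it instead of repeating the literal. While in this hunk, the context line `salt = Random.new.bytes(16)` draws the RFC 8188 per-message salt from Ruby's general-purpose PRNG; `OpenSSL::Random.random_bytes(16)` is already available through the existing `require 'openssl'` and is the conventional CSPRNG source for key-derivation salt. Since the ephemeral server key appears to be generated fresh per call on the line below, salt quality should not affect nonce uniqueness, but a predictable salt is still an avoidable weakness. encrypt's body continues outside this hunk.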
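Review bot: The three derivation steps carry no comment tying them to the specifications they implement, which matters for anyone auditing the keying material later; suggest `# RFC 8291 §3.4: PRK from the ECDH secret, keyed by the client auth secret` above the `prk` line and `# RFC 8188 §2.1/§2.2: CEK and nonce expanded from the PRK with the per-message salt` above the `content_encryption_key` line. The migration itself looks output-preserving: to my knowledge the hkdf gem defaulted to SHA-256 when `algorithm:` was omitted, and `OpenSSL::KDF.hkdf` requires `hash:` and `length:` explicitly, so naming SHA256 on all three calls removes an implicit default rather than changing results. The `info` value for the first call is defined above the hunk, so its contents cannot be checked here. encrypt's body continues outside this hunk.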
@@ -65,10 +65,10 @@ def decrypt payload
     content_encryption_key_info = "Content-Encoding: aes128gcm\0"
     nonce_info = "Content-Encoding: nonce\0"
-    prk = HKDF.new(shared_secret, salt: client_auth_token, algorithm: 'SHA256', info: info).read(32)
+    prk = OpenSSL::KDF.hkdf(shared_secret, salt: client_auth_token, info: info, hash: 'SHA256', length: 32)
-    content_encryption_key = HKDF.new(prk, salt: salt, info: content_encryption_key_info).read(16)
-    nonce = HKDF.new(prk, salt: salt, info: nonce_info).read(12)
+    content_encryption_key = OpenSSL::KDF.hkdf(prk, salt: salt, info: content_encryption_key_info, hash: 'SHA256', length: 16)
+    nonce = OpenSSL::KDF.hkdf(prk, salt: salt, info: nonce_info, hash: 'SHA256', length: 12)
     decrypt_ciphertext(ciphertext, content_encryption_key, nonce)
   end
diff --git a/web-push.gemspec b/web-push.gemspec
index 4f8e21d..678cf51 100644
--- a/web-push.gemspec
+++ b/web-push.gemspec
@@ -14,7 +14,6 @@ Gem::Specification.new do |spec|
   spec.required_ruby_version = '>= 3.0'
-  spec.add_dependency 'hkdf', '~> 1.0'
   spec.add_dependency 'jwt', '~> 2.0'
   spec.add_dependency 'openssl', '~> 3.0'
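Review bot: The spec's decrypt helper now mirrors the library's derivation call for call, so a symmetric mistake (a wrong info string or length made in both places) would still round-trip and pass; a known-answer test against the RFC 8291 Appendix A vector would pin interoperability independently of the library code, provided the salt and ephemeral key can be injected into encrypt, which this hunk does not show. The literal `'SHA256'` is also repeated three times here where the library hoisted it into a single name; one local or a shared constant keeps the two from drifting apart. decrypt's definition starts outside this hunk.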