From ef0fb48f1f8fe4492f78e2bd0f5d0dc7019f0694 Mon Sep 17 00:00:00 2001
From: orignal <i2porignal@yandex.ru>
Date: Fri, 5 Apr 2019 16:03:58 -0400
Subject: [PATCH] blind private keys

---
 libi2pd/Ed25519.cpp  | 18 ++++++++++++++++++
 libi2pd/Ed25519.h    |  1 +
 libi2pd/Identity.cpp | 38 ++++++++++++++++++++++++-------------
 libi2pd/Identity.h   |  1 +
 libi2pd/LeaseSet.cpp | 45 +++++++++++++++++++++++++++++++++++++++++---
 libi2pd/LeaseSet.h   |  4 ++++
 6 files changed, 91 insertions(+), 16 deletions(-)

diff --git a/libi2pd/Ed25519.cpp b/libi2pd/Ed25519.cpp
index 87c7d6db..1096b3b7 100644
--- a/libi2pd/Ed25519.cpp
+++ b/libi2pd/Ed25519.cpp
@@ -544,6 +544,24 @@ namespace crypto
 		BN_CTX_free (ctx);
 	}
 
+	void Ed25519::BlindPrivateKey (const uint8_t * priv, const uint8_t * seed, uint8_t * blindedPriv, uint8_t * blindedPub)
+	{
+		BN_CTX * ctx = BN_CTX_new ();
+		// calculate alpha = seed mod l
+		BIGNUM * alpha = DecodeBN<64> (seed); // seed is in Little Endian 
+		BN_mod (alpha, alpha, l, ctx); // % l
+		BIGNUM * p = DecodeBN<32> (priv); // priv is in Little Endian 
+		BN_add (alpha, alpha, p); // alpha = alpha + priv
+		// a' = BLIND_PRIVKEY(a, alpha) = (a + alpha) mod L	
+		BN_mod (alpha, alpha, l, ctx); // % l
+		EncodeBN (alpha, blindedPriv, 32);
+		// A' = DERIVE_PUBLIC(a') 	
+		auto A1 = MulB (blindedPriv, ctx);
+		EncodePublicKey (A1, blindedPub, ctx); 
+		BN_free (alpha); BN_free (p);
+		BN_CTX_free (ctx);
+	}
+
 	void Ed25519::ExpandPrivateKey (const uint8_t * key, uint8_t * expandedKey)
 	{
 		SHA512 (key, EDDSA25519_PRIVATE_KEY_LENGTH, expandedKey);
diff --git a/libi2pd/Ed25519.h b/libi2pd/Ed25519.h
index eb08faeb..84501b03 100644
--- a/libi2pd/Ed25519.h
+++ b/libi2pd/Ed25519.h
@@ -81,6 +81,7 @@ namespace crypto
 			void ScalarMulB (const  uint8_t * e, uint8_t * buf, BN_CTX * ctx) const;
 #endif
 			void BlindPublicKey (const uint8_t * pub, const uint8_t * seed, uint8_t * blinded); // for encrypted LeaseSet2, pub - 32, seed - 64, blinded - 32
+			void BlindPrivateKey (const uint8_t * priv, const uint8_t * seed, uint8_t * blindedPriv, uint8_t * blindedPub); // for encrypted LeaseSet2, pub - 32, seed - 64, blinded - 32
 
 			bool Verify (const EDDSAPoint& publicKey, const uint8_t * digest, const uint8_t * signature) const;
 			void Sign (const uint8_t * expandedPrivateKey, const uint8_t * publicKeyEncoded, const uint8_t * buf, size_t len, uint8_t * signature) const;
diff --git a/libi2pd/Identity.cpp b/libi2pd/Identity.cpp
index 759c2ab3..f088d3f2 100644
--- a/libi2pd/Identity.cpp
+++ b/libi2pd/Identity.cpp
@@ -591,41 +591,53 @@ namespace data
 	
 	void PrivateKeys::CreateSigner (SigningKeyType keyType) const
 	{
-		if (m_Signer) return;
+		if (m_Signer) return;	
+		if (keyType == SIGNING_KEY_TYPE_DSA_SHA1)
+			m_Signer.reset (new i2p::crypto::DSASigner (m_SigningPrivateKey, m_Public->GetStandardIdentity ().signingKey));
+		else if (keyType == SIGNING_KEY_TYPE_EDDSA_SHA512_ED25519 && !IsOfflineSignature ())
+			m_Signer.reset (new i2p::crypto::EDDSA25519Signer (m_SigningPrivateKey, m_Public->GetStandardIdentity ().certificate - i2p::crypto::EDDSA25519_PUBLIC_KEY_LENGTH)); // TODO: remove public key check
+		else
+		{
+			// public key is not required
+			auto signer = CreateSigner (keyType, m_SigningPrivateKey);
+			if (signer) m_Signer.reset (signer);
+		}	
+	}
+
+	i2p::crypto::Signer * PrivateKeys::CreateSigner (SigningKeyType keyType, const uint8_t * priv)
+	{
 		switch (keyType)
 		{
-			case SIGNING_KEY_TYPE_DSA_SHA1:
-				m_Signer.reset (new i2p::crypto::DSASigner (m_SigningPrivateKey, m_Public->GetStandardIdentity ().signingKey));
-			break;
 			case SIGNING_KEY_TYPE_ECDSA_SHA256_P256:
-				m_Signer.reset (new i2p::crypto::ECDSAP256Signer (m_SigningPrivateKey));
+				return new i2p::crypto::ECDSAP256Signer (priv);
 			break;
 			case SIGNING_KEY_TYPE_ECDSA_SHA384_P384:
-				m_Signer.reset (new i2p::crypto::ECDSAP384Signer (m_SigningPrivateKey));
+				return new i2p::crypto::ECDSAP384Signer (priv);
 			break;
 			case SIGNING_KEY_TYPE_ECDSA_SHA512_P521:
-				m_Signer.reset (new i2p::crypto::ECDSAP521Signer (m_SigningPrivateKey));
+				return new i2p::crypto::ECDSAP521Signer (priv);
 			break;
 			case SIGNING_KEY_TYPE_RSA_SHA256_2048:
 			case SIGNING_KEY_TYPE_RSA_SHA384_3072:
 			case SIGNING_KEY_TYPE_RSA_SHA512_4096:
-				LogPrint (eLogError, "Identity: RSA signing key type ", (int)m_Public->GetSigningKeyType (), " is not supported");
+				LogPrint (eLogError, "Identity: RSA signing key type ", (int)keyType, " is not supported");
 			break;
 			case SIGNING_KEY_TYPE_EDDSA_SHA512_ED25519:
-				m_Signer.reset (new i2p::crypto::EDDSA25519Signer (m_SigningPrivateKey, IsOfflineSignature () ? nullptr: m_Public->GetStandardIdentity ().certificate - i2p::crypto::EDDSA25519_PUBLIC_KEY_LENGTH)); // TODO: remove public key check
+				return new i2p::crypto::EDDSA25519Signer (priv, nullptr);
 			break;
 			case SIGNING_KEY_TYPE_GOSTR3410_CRYPTO_PRO_A_GOSTR3411_256:
-				m_Signer.reset (new i2p::crypto::GOSTR3410_256_Signer (i2p::crypto::eGOSTR3410CryptoProA, m_SigningPrivateKey));
+				return new i2p::crypto::GOSTR3410_256_Signer (i2p::crypto::eGOSTR3410CryptoProA, priv);
 			break;
 			case SIGNING_KEY_TYPE_GOSTR3410_TC26_A_512_GOSTR3411_512:
-				m_Signer.reset (new i2p::crypto::GOSTR3410_512_Signer (i2p::crypto::eGOSTR3410TC26A512, m_SigningPrivateKey));
+				return new i2p::crypto::GOSTR3410_512_Signer (i2p::crypto::eGOSTR3410TC26A512, priv);
 			break;
 			case SIGNING_KEY_TYPE_REDDSA_SHA512_ED25519:
-				m_Signer.reset (new i2p::crypto::RedDSA25519Signer (m_SigningPrivateKey)); 
+				return new i2p::crypto::RedDSA25519Signer (priv); 
 			break;	
 			default:
-				LogPrint (eLogError, "Identity: Signing key type ", (int)m_Public->GetSigningKeyType (), " is not supported");
+				LogPrint (eLogError, "Identity: Signing key type ", (int)keyType, " is not supported");
 		}
+		return nullptr;
 	}
 
 	size_t PrivateKeys::GetSignatureLen () const
diff --git a/libi2pd/Identity.h b/libi2pd/Identity.h
index 7e3c95dd..72fd14c5 100644
--- a/libi2pd/Identity.h
+++ b/libi2pd/Identity.h
@@ -163,6 +163,7 @@ namespace data
 			static PrivateKeys CreateRandomKeys (SigningKeyType type = SIGNING_KEY_TYPE_DSA_SHA1, CryptoKeyType cryptoType = CRYPTO_KEY_TYPE_ELGAMAL);
 			static void GenerateSigningKeyPair (SigningKeyType type, uint8_t * priv, uint8_t * pub); 
 			static void GenerateCryptoKeyPair (CryptoKeyType type, uint8_t * priv, uint8_t * pub); // priv and pub are 256 bytes long
+			static i2p::crypto::Signer * CreateSigner (SigningKeyType keyType, const uint8_t * priv);
 
 			// offline keys
 			PrivateKeys CreateOfflineKeys (SigningKeyType type, uint32_t expires) const; 
diff --git a/libi2pd/LeaseSet.cpp b/libi2pd/LeaseSet.cpp
index db376eb4..968b51c0 100644
--- a/libi2pd/LeaseSet.cpp
+++ b/libi2pd/LeaseSet.cpp
@@ -333,16 +333,29 @@ namespace data
 		H ("subcredential", { {credential, 32}, {blinded, len} }, subcredential);
 	}
 
-	void BlindedPublicKey::GetBlindedKey (const char * date, uint8_t * blindedKey) const
+	void BlindedPublicKey::GenerateAlpha (const char * date, uint8_t * seed) const
 	{
-		int16_t stA = htobe16 (GetSigType ()), stA1 = htobe16 (GetBlindedSigType ());
-		uint8_t salt[32], seed[64];
+		uint16_t stA = htobe16 (GetSigType ()), stA1 = htobe16 (GetBlindedSigType ());
+		uint8_t salt[32];
 		//seed = HKDF(H("I2PGenerateAlpha", keydata), datestring || secret, "i2pblinding1", 64)	
 		H ("I2PGenerateAlpha", { {GetPublicKey (), GetPublicKeyLen ()}, {(const uint8_t *)&stA, 2}, {(const uint8_t *)&stA1, 2} }, salt);
 		i2p::crypto::HKDF (salt, (const uint8_t *)date, 8, "i2pblinding1", seed);
+	}
+
+	void BlindedPublicKey::GetBlindedKey (const char * date, uint8_t * blindedKey) const
+	{
+		uint8_t seed[64];	
+		GenerateAlpha (date, seed);	
 		i2p::crypto::GetEd25519 ()->BlindPublicKey (GetPublicKey (), seed, blindedKey);
 	}
 
+	void BlindedPublicKey::BlindPrivateKey (const uint8_t * priv, const char * date, uint8_t * blindedPriv, uint8_t * blindedPub) const
+	{
+		uint8_t seed[64];	
+		GenerateAlpha (date, seed);	
+		i2p::crypto::GetEd25519 ()->BlindPrivateKey (priv, seed, blindedPriv, blindedPub);
+	}
+
 	void BlindedPublicKey::H (const std::string& p, const std::vector<std::pair<const uint8_t *, size_t> >& bufs, uint8_t * hash) const 
 	{
 		SHA256_CTX ctx;
@@ -839,5 +852,31 @@ namespace data
 		memcpy (m_Buffer + 1, buf, len);
 		m_Buffer[0] = storeType;
 	}
+
+	LocalLeaseSet2::LocalLeaseSet2 (std::shared_ptr<const LeaseSet2> ls, const i2p::data::PrivateKeys& keys, i2p::data::SigningKeyType blindedKeyType):
+		LocalLeaseSet (ls->GetIdentity (), nullptr, 0)
+	{
+		m_BufferLen = ls->GetBufferLen (); // TODO 
+		m_Buffer = new uint8_t[m_BufferLen + 1]; 
+		m_Buffer[0] = NETDB_STORE_TYPE_ENCRYPTED_LEASESET2;
+		BlindedPublicKey blindedKey (ls->GetIdentity ());
+		char date[9];
+		i2p::util::GetCurrentDate (date);
+		uint8_t blindedPriv[32], blindedPub[32];
+		blindedKey.BlindPrivateKey (keys.GetSigningPrivateKey (), date, blindedPriv, blindedPub);
+		std::unique_ptr<i2p::crypto::Signer> blindedSigner (i2p::data::PrivateKeys::CreateSigner (blindedKeyType, blindedPriv));
+		auto offset = 1;
+		htobe16buf (m_Buffer + offset, blindedKeyType); offset += 2; // Blinded Public Key Sig Type
+		memcpy (m_Buffer + offset, blindedPub, 32); offset += 32; // Blinded Public Key
+		auto timestamp = i2p::util::GetSecondsSinceEpoch ();
+		htobe32buf (m_Buffer + offset, timestamp); offset += 4; // published timestamp (seconds)
+		auto expirationTime = ls->GetExpirationTime (); 
+		SetExpirationTime (expirationTime);
+		auto expires = expirationTime/1000LL - timestamp;	
+		htobe16buf (m_Buffer + offset, expires > 0 ? expires : 0); // expires
+		uint16_t flags = 0;
+		htobe16buf (m_Buffer + offset, flags); offset += 2; // flags	
+		// TODO:
+	}
 }
 }
diff --git a/libi2pd/LeaseSet.h b/libi2pd/LeaseSet.h
index 00892be8..44ed0b71 100644
--- a/libi2pd/LeaseSet.h
+++ b/libi2pd/LeaseSet.h
@@ -143,11 +143,13 @@ namespace data
 
 			void GetSubcredential (const uint8_t * blinded, size_t len, uint8_t * subcredential) const; // 32 bytes
 			void GetBlindedKey (const char * date, uint8_t * blindedKey) const; // blinded key 32 bytes, date is 8 chars "YYYYMMDD" 
+			void BlindPrivateKey (const uint8_t * priv, const char * date, uint8_t * blindedPriv, uint8_t * blindedPub) const; // blinded key 32 bytes, date is 8 chars "YYYYMMDD" 
 			i2p::data::IdentHash GetStoreHash () const;
 
 		private:
 
 			void GetCredential (uint8_t * credential) const; // 32 bytes
+			void GenerateAlpha (const char * date, uint8_t * seed) const; // 64 bytes, date is 8 chars "YYYYMMDD" 
 			void H (const std::string& p, const std::vector<std::pair<const uint8_t *, size_t> >& bufs, uint8_t * hash) const;
 
 		private:
@@ -250,6 +252,8 @@ namespace data
 				uint16_t keyType, uint16_t keyLen, const uint8_t * encryptionPublicKey, 
 				std::vector<std::shared_ptr<i2p::tunnel::InboundTunnel> > tunnels);
 			LocalLeaseSet2 (uint8_t storeType, std::shared_ptr<const IdentityEx> identity, const uint8_t * buf, size_t len);	
+			LocalLeaseSet2 (std::shared_ptr<const LeaseSet2> ls, const i2p::data::PrivateKeys& keys, i2p::data::SigningKeyType blindedKeyType = i2p::data::SIGNING_KEY_TYPE_REDDSA_SHA512_ED25519); // encrypted
+		
 			virtual ~LocalLeaseSet2 () { delete[] m_Buffer; };
 			
 			uint8_t * GetBuffer () const { return m_Buffer + 1; };