SecureBitChat/securebit-chat
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

remove key/hash logging and debug output from EnhancedSecureWebRTCManager and EnhancedSecureCryptoUtils
CodeQL Analysis / Analyze CodeQL (push) Has been cancelled
Details
Mirror to Codeberg / mirror (push) Has been cancelled
Details
Mirror to PrivacyGuides / mirror (push) Has been cancelled
Details

Browse Source
This commit is contained in:
lockbitchat
2025-10-30 14:55:46 -04:00
parent c7b16157fc
commit 77ed4b3e4f
8 changed files with 51 additions and 288 deletions
Download Patch File Download Diff File Expand all files Collapse all files
assets/tailwind.css
+1 -1
View File
File diff suppressed because one or more lines are too long
dist/app-boot.js
Vendored
+5 -142
View File
@@ -1225,9 +1225,6 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
}
static async verifyReplayProtection(securityManager) {
try {
console.log("\u{1F50D} verifyReplayProtection debug:");
console.log(" - securityManager.replayProtection:", securityManager.replayProtection);
console.log(" - securityManager keys:", Object.keys(securityManager));
if (!securityManager.replayProtection) {
return { passed: false, details: "Replay protection not enabled" };
}
@@ -1238,8 +1235,6 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
}
static async verifyDTLSFingerprint(securityManager) {
try {
console.log("\u{1F50D} verifyDTLSFingerprint debug:");
console.log(" - securityManager.dtlsFingerprint:", securityManager.dtlsFingerprint);
if (!securityManager.dtlsFingerprint) {
return { passed: false, details: "DTLS fingerprint not available" };
}
@@ -1250,8 +1245,6 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
}
static async verifySASVerification(securityManager) {
try {
console.log("\u{1F50D} verifySASVerification debug:");
console.log(" - securityManager.sasCode:", securityManager.sasCode);
if (!securityManager.sasCode) {
return { passed: false, details: "SAS code not available" };
}
@@ -1262,8 +1255,6 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
}
static async verifyTrafficObfuscation(securityManager) {
try {
console.log("\u{1F50D} verifyTrafficObfuscation debug:");
console.log(" - securityManager.trafficObfuscation:", securityManager.trafficObfuscation);
if (!securityManager.trafficObfuscation) {
return { passed: false, details: "Traffic obfuscation not enabled" };
}
@@ -1593,13 +1584,9 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
// Non-extractable for enhanced security
["deriveKey"]
);
_EnhancedSecureCryptoUtils.secureLog.log("info", "ECDH key pair generated successfully (P-384)", {
curve: "P-384",
extractable: false
});
return keyPair;
} catch (p384Error) {
_EnhancedSecureCryptoUtils.secureLog.log("warn", "P-384 generation failed, trying P-256", { error: p384Error.message });
_EnhancedSecureCryptoUtils.secureLog.log("warn", "Elliptic curve P-384 generation failed, switching curve", { error: p384Error.message });
const keyPair = await crypto.subtle.generateKey(
{
name: "ECDH",
@@ -1609,10 +1596,6 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
// Non-extractable for enhanced security
["deriveKey"]
);
_EnhancedSecureCryptoUtils.secureLog.log("info", "ECDH key pair generated successfully (P-256 fallback)", {
curve: "P-256",
extractable: false
});
return keyPair;
}
} catch (error) {
@@ -1633,13 +1616,9 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
// Non-extractable for enhanced security
["sign", "verify"]
);
_EnhancedSecureCryptoUtils.secureLog.log("info", "ECDSA key pair generated successfully (P-384)", {
curve: "P-384",
extractable: false
});
return keyPair;
} catch (p384Error) {
_EnhancedSecureCryptoUtils.secureLog.log("warn", "P-384 generation failed, trying P-256", { error: p384Error.message });
_EnhancedSecureCryptoUtils.secureLog.log("warn", "Elliptic curve P-384 generation failed, switching curve", { error: p384Error.message });
const keyPair = await crypto.subtle.generateKey(
{
name: "ECDSA",
@@ -1649,10 +1628,6 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
// Non-extractable for enhanced security
["sign", "verify"]
);
_EnhancedSecureCryptoUtils.secureLog.log("info", "ECDSA key pair generated successfully (P-256 fallback)", {
curve: "P-256",
extractable: false
});
return keyPair;
}
} catch (error) {
@@ -1695,18 +1670,10 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
// Verify ECDSA signature (P-384 or P-256)
static async verifySignature(publicKey, signature, data) {
try {
console.log("DEBUG: verifySignature called with:", {
publicKey,
signature,
data
});
const encoder = new TextEncoder();
const dataBuffer = typeof data === "string" ? encoder.encode(data) : data;
const signatureBuffer = new Uint8Array(signature);
console.log("DEBUG: verifySignature dataBuffer:", dataBuffer);
console.log("DEBUG: verifySignature signatureBuffer:", signatureBuffer);
try {
console.log("DEBUG: Trying SHA-384 verification...");
const isValid = await crypto.subtle.verify(
{
name: "ECDSA",
@@ -1716,16 +1683,8 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
signatureBuffer,
dataBuffer
);
console.log("DEBUG: SHA-384 verification result:", isValid);
_EnhancedSecureCryptoUtils.secureLog.log("info", "Signature verification completed (SHA-384)", {
isValid,
dataSize: dataBuffer.length
});
return isValid;
} catch (sha384Error) {
console.log("DEBUG: SHA-384 verification failed, trying SHA-256:", sha384Error);
_EnhancedSecureCryptoUtils.secureLog.log("warn", "SHA-384 verification failed, trying SHA-256", { error: sha384Error.message });
console.log("DEBUG: Trying SHA-256 verification...");
const isValid = await crypto.subtle.verify(
{
name: "ECDSA",
@@ -1735,11 +1694,6 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
signatureBuffer,
dataBuffer
);
console.log("DEBUG: SHA-256 verification result:", isValid);
_EnhancedSecureCryptoUtils.secureLog.log("info", "Signature verification completed (SHA-256 fallback)", {
isValid,
dataSize: dataBuffer.length
});
return isValid;
}
} catch (error) {
@@ -1812,10 +1766,6 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
if (!validCurves[curveOidString]) {
throw new Error(`Invalid or unsupported curve OID: ${curveOidString}`);
}
_EnhancedSecureCryptoUtils.secureLog.log("info", "EC key curve validated", {
curve: validCurves[curveOidString],
oid: curveOidString
});
}
const publicKeyBitString = asn1.children[1];
if (publicKeyBitString.tag !== 3) {
@@ -1859,13 +1809,6 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
throw new Error(`Key import validation failed: ${importError.message}`);
}
}
_EnhancedSecureCryptoUtils.secureLog.log("info", "Key structure validation passed", {
keyLen: keyBytes.length,
algorithm: expectedAlgorithm,
asn1Valid: true,
oidValid: true,
importValid: true
});
return true;
} catch (err) {
_EnhancedSecureCryptoUtils.secureLog.log("error", "Key structure validation failed", {
@@ -1979,11 +1922,6 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
...keyPackage,
signature
};
_EnhancedSecureCryptoUtils.secureLog.log("info", "Public key exported with signature", {
keyType,
keySize: keyData.length,
signed: true
});
return signedPackage;
} catch (error) {
_EnhancedSecureCryptoUtils.secureLog.log("error", "Public key export failed", {
@@ -1996,11 +1934,6 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
// Import and verify signed public key
static async importSignedPublicKey(signedPackage, verifyingKey, expectedKeyType = "ECDH") {
try {
console.log("DEBUG: importSignedPublicKey called with:", {
signedPackage,
verifyingKey,
expectedKeyType
});
if (!signedPackage || typeof signedPackage !== "object") {
throw new Error("Invalid signed package format");
}
@@ -2018,11 +1951,7 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
await _EnhancedSecureCryptoUtils.validateKeyStructure(keyData, keyType);
const packageCopy = { keyType, keyData, timestamp, version };
const packageString = JSON.stringify(packageCopy);
console.log("DEBUG: Web version package string for verification:", packageString);
console.log("DEBUG: Web version signature to verify:", signature);
console.log("DEBUG: Web version verifying key:", verifyingKey);
const isValidSignature = await _EnhancedSecureCryptoUtils.verifySignature(verifyingKey, signature, packageString);
console.log("DEBUG: Web version signature verification result:", isValidSignature);
if (!isValidSignature) {
throw new Error("Invalid signature on key package - possible MITM attack");
}
@@ -2038,16 +1967,9 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
// Non-extractable
keyUsages
);
_EnhancedSecureCryptoUtils.secureLog.log("info", "Signed public key imported successfully (P-384)", {
keyType,
signatureValid: true,
keyAge: Math.round(keyAge / 1e3) + "s"
});
return publicKey;
} catch (p384Error) {
_EnhancedSecureCryptoUtils.secureLog.log("warn", "P-384 import failed, trying P-256", {
error: p384Error.message
});
_EnhancedSecureCryptoUtils.secureLog.log("warn", "Elliptic curve P-384 import failed, switching curve", { error: p384Error.message });
const algorithm = keyType === "ECDH" ? { name: "ECDH", namedCurve: "P-256" } : { name: "ECDSA", namedCurve: "P-256" };
const keyUsages = keyType === "ECDH" ? [] : ["verify"];
const publicKey = await crypto.subtle.importKey(
@@ -2058,11 +1980,6 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
// Non-extractable
keyUsages
);
_EnhancedSecureCryptoUtils.secureLog.log("info", "Signed public key imported successfully (P-256 fallback)", {
keyType,
signatureValid: true,
keyAge: Math.round(keyAge / 1e3) + "s"
});
return publicKey;
}
} catch (error) {
@@ -2079,7 +1996,6 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
const exported = await crypto.subtle.exportKey("spki", publicKey);
const keyData = Array.from(new Uint8Array(exported));
await _EnhancedSecureCryptoUtils.validateKeyStructure(keyData, "ECDH");
_EnhancedSecureCryptoUtils.secureLog.log("info", "Legacy public key exported", { keySize: keyData.length });
return keyData;
} catch (error) {
_EnhancedSecureCryptoUtils.secureLog.log("error", "Legacy public key export failed", { error: error.message });
@@ -2103,7 +2019,6 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
// Non-extractable
[]
);
_EnhancedSecureCryptoUtils.secureLog.log("info", "Legacy public key imported (P-384)", { keySize: keyData.length });
return publicKey;
} catch (p384Error) {
_EnhancedSecureCryptoUtils.secureLog.log("warn", "P-384 import failed, trying P-256", { error: p384Error.message });
@@ -2118,7 +2033,6 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
// Non-extractable
[]
);
_EnhancedSecureCryptoUtils.secureLog.log("info", "Legacy public key imported (P-256 fallback)", { keySize: keyData.length });
return publicKey;
}
} catch (error) {
@@ -2176,16 +2090,6 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
throw new Error("CRITICAL SECURITY ERROR: Invalid key signature detected. This indicates a possible MITM attack attempt. Key import rejected.");
}
const keyFingerprint = await _EnhancedSecureCryptoUtils.calculateKeyFingerprint(signedPackage.keyData);
_EnhancedSecureCryptoUtils.secureLog.log("info", "SECURE: Signature verification passed for signed package", {
keyType: signedPackage.keyType,
keySize: signedPackage.keyData.length,
timestamp: signedPackage.timestamp,
version: signedPackage.version,
signatureVerified: true,
securityLevel: "HIGH",
keyFingerprint: keyFingerprint.substring(0, 8)
// Only log first 8 chars for security
});
const keyBytes = new Uint8Array(signedPackage.keyData);
const keyType = signedPackage.keyType || "ECDH";
try {
@@ -2237,15 +2141,6 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
// Enhanced key derivation with metadata protection and 64-byte salt
static async deriveSharedKeys(privateKey, publicKey, salt) {
try {
_EnhancedSecureCryptoUtils.secureLog.log("info", "Starting key derivation", {
privateKeyType: typeof privateKey,
publicKeyType: typeof publicKey,
saltLength: salt?.length,
privateKeyAlgorithm: privateKey?.algorithm?.name,
publicKeyAlgorithm: publicKey?.algorithm?.name,
privateKeyUsages: privateKey?.usages,
publicKeyUsages: publicKey?.usages
});
if (!(privateKey instanceof CryptoKey)) {
_EnhancedSecureCryptoUtils.secureLog.log("error", "Private key is not a CryptoKey", {
privateKeyType: typeof privateKey,
@@ -2267,7 +2162,6 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
const encoder = new TextEncoder();
let rawSharedSecret;
try {
_EnhancedSecureCryptoUtils.secureLog.log("info", "Step 1: Starting ECDH derivation");
const rawKeyMaterial = await crypto.subtle.deriveKey(
{
name: "ECDH",
@@ -2293,14 +2187,12 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
false,
["deriveKey"]
);
_EnhancedSecureCryptoUtils.secureLog.log("info", "Step 1: ECDH derivation successful");
} catch (error) {
_EnhancedSecureCryptoUtils.secureLog.log("error", "ECDH derivation failed", {
error: error.message
});
throw error;
}
_EnhancedSecureCryptoUtils.secureLog.log("info", "Step 2: Starting HKDF key derivation");
let messageKey;
messageKey = await crypto.subtle.deriveKey(
{
@@ -2416,17 +2308,6 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
});
throw new Error("The derived metadata key is not a valid CryptoKey.");
}
_EnhancedSecureCryptoUtils.secureLog.log("info", "Enhanced shared keys derived successfully with proper HKDF separation", {
saltSize: salt.length,
hasMessageKey: true,
hasMacKey: true,
hasPfsKey: true,
hasMetadataKey: true,
nonExtractable: true,
version: "4.0",
allKeysValid: true,
hkdfProperlyImplemented: true
});
return {
messageKey,
// Renamed from encryptionKey for clarity
@@ -2798,10 +2679,6 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
const hashBuffer = await crypto.subtle.digest("SHA-256", keyBytes);
const hashArray = Array.from(new Uint8Array(hashBuffer));
const fingerprint = hashArray.map((b) => b.toString(16).padStart(2, "0")).join("");
_EnhancedSecureCryptoUtils.secureLog.log("info", "Key fingerprint calculated", {
keySize: keyData.length,
fingerprintLength: fingerprint.length
});
return fingerprint;
} catch (error) {
_EnhancedSecureCryptoUtils.secureLog.log("error", "Key fingerprint calculation failed", { error: error.message });
@@ -4662,7 +4539,7 @@ var EnhancedSecureWebRTCManager = class _EnhancedSecureWebRTCManager {
SYSTEM_MESSAGE: "SYSTEM_MESSAGE_FILTERED"
};
// Static debug flag instead of this._debugMode
static DEBUG_MODE = true;
static DEBUG_MODE = false;
// Set to true during development, false in production
constructor(onMessage, onStatusChange, onKeyExchange, onVerificationRequired, onAnswerError = null, onVerificationStateChange = null, config = {}) {
this._isProductionMode = this._detectProductionMode();
@@ -7428,15 +7305,12 @@ var EnhancedSecureWebRTCManager = class _EnhancedSecureWebRTCManager {
if (normalizedReceived !== normalizedExpected) {
this._secureLog("error", "DTLS fingerprint mismatch - possible MITM attack", {
context,
receivedHash: await this._createSafeLogHash(normalizedReceived, "dtls_fingerprint"),
expectedHash: await this._createSafeLogHash(normalizedExpected, "dtls_fingerprint"),
timestamp: Date.now()
});
throw new Error(`DTLS fingerprint mismatch - possible MITM attack in ${context}`);
}
this._secureLog("info", "DTLS fingerprint validation successful", {
context,
fingerprintHash: await this._createSafeLogHash(normalizedReceived, "dtls_fingerprint"),
timestamp: Date.now()
});
return true;
@@ -7653,7 +7527,6 @@ var EnhancedSecureWebRTCManager = class _EnhancedSecureWebRTCManager {
sessionId
});
this._secureLog("info", "\u2705 Ephemeral ECDH keys generated for PFS", {
sessionIdHash: await this._createSafeLogHash(sessionId, "session_id"),
timestamp: Date.now()
});
return ephemeralKeyPair;
@@ -8429,7 +8302,6 @@ var EnhancedSecureWebRTCManager = class _EnhancedSecureWebRTCManager {
result.set(uniqueIV, 0);
result.set(new Uint8Array(encrypted), _EnhancedSecureWebRTCManager.SIZES.NESTED_ENCRYPTION_IV_SIZE);
this._secureLog("debug", "\u2705 Nested encryption applied with secure IV", {
ivHash: await this._createSafeLogHash(uniqueIV, "nestedEncryption"),
ivSize: uniqueIV.length,
dataSize: data.byteLength,
encryptedSize: encrypted.byteLength
@@ -10847,8 +10719,6 @@ var EnhancedSecureWebRTCManager = class _EnhancedSecureWebRTCManager {
}
this._secureLog("debug", "Ephemeral ECDH keys generated and validated for PFS", {
operationId,
privateKeyHash: await this._createSafeLogHash(ecdhKeyPair.privateKey, "ecdh_private"),
publicKeyHash: await this._createSafeLogHash(ecdhKeyPair.publicKey, "ecdh_public"),
privateKeyType: ecdhKeyPair.privateKey.algorithm?.name,
publicKeyType: ecdhKeyPair.publicKey.algorithm?.name,
isEphemeral: true
@@ -10870,8 +10740,6 @@ var EnhancedSecureWebRTCManager = class _EnhancedSecureWebRTCManager {
}
this._secureLog("debug", "ECDSA keys generated and validated", {
operationId,
privateKeyHash: await this._createSafeLogHash(ecdsaKeyPair.privateKey, "ecdsa_private"),
publicKeyHash: await this._createSafeLogHash(ecdsaKeyPair.publicKey, "ecdsa_public"),
privateKeyType: ecdsaKeyPair.privateKey.algorithm?.name,
publicKeyType: ecdsaKeyPair.publicKey.algorithm?.name
});
@@ -12637,10 +12505,7 @@ var EnhancedSecureWebRTCManager = class _EnhancedSecureWebRTCManager {
throw new Error("Missing required fields in response data \u2013 possible MITM attack");
}
if (answerData.sessionId && this.sessionId && answerData.sessionId !== this.sessionId) {
window.EnhancedSecureCryptoUtils.secureLog.log("error", "Session ID mismatch detected - possible MITM attack", {
expectedSessionIdHash: await this._createSafeLogHash(this.sessionId, "session_id"),
receivedSessionIdHash: await this._createSafeLogHash(answerData.sessionId, "session_id")
});
window.EnhancedSecureCryptoUtils.secureLog.log("error", "Session ID mismatch detected - possible MITM attack", {});
throw new Error("Session ID mismatch \u2013 possible MITM attack");
}
const answerAge = Date.now() - answerData.timestamp;
@@ -13980,7 +13845,6 @@ var SecureKeyStorage = class {
return null;
} catch (error) {
this._secureLog("error", "Failed to retrieve key", {
keyIdHash: await this._createSafeLogHash(keyId, "key_id"),
errorType: error?.constructor?.name || "Unknown"
});
return null;
@@ -14127,7 +13991,6 @@ var SecureKeyStorage = class {
return true;
} catch (error) {
this._secureLog("error", "Failed to delete key", {
keyIdHash: await this._createSafeLogHash(keyId, "key_id"),
errorType: error?.constructor?.name || "Unknown"
});
return false;
dist/app-boot.js.map
Vendored
+2 -2
View File
File diff suppressed because one or more lines are too long
dist/app.js
Vendored
+1 -1
View File
@@ -1688,7 +1688,7 @@ var EnhancedSecureP2PChat = () => {
} catch (error) {
}
}
handleMessage(" SecureBit.chat Enhanced Security Edition v4.4.18 - ECDH + DTLS + SAS initialized. Ready to establish a secure connection with ECDH key exchange, DTLS fingerprint verification, and SAS authentication to prevent MITM attacks.", "system");
handleMessage(" SecureBit.chat Enhanced Security Edition v4.4.99 - ECDH + DTLS + SAS initialized. Ready to establish a secure connection with ECDH key exchange, DTLS fingerprint verification, and SAS authentication to prevent MITM attacks.", "system");
const handleBeforeUnload = (event) => {
if (event.type === "beforeunload" && !isTabSwitching) {
if (webrtcManagerRef2.current && webrtcManagerRef2.current.isConnected()) {
dist/app.js.map
Vendored
+1 -1
View File
File diff suppressed because one or more lines are too long
src/crypto/EnhancedSecureCryptoUtils.js
+39 -125
View File
@@ -620,9 +620,7 @@ class EnhancedSecureCryptoUtils {
static async verifyReplayProtection(securityManager) {
try {
console.log('🔍 verifyReplayProtection debug:');
console.log(' - securityManager.replayProtection:', securityManager.replayProtection);
console.log(' - securityManager keys:', Object.keys(securityManager));
// Debug logs removed to prevent leaking runtime state
// Check if replay protection is enabled
if (!securityManager.replayProtection) {
@@ -637,8 +635,7 @@ class EnhancedSecureCryptoUtils {
static async verifyDTLSFingerprint(securityManager) {
try {
console.log('🔍 verifyDTLSFingerprint debug:');
console.log(' - securityManager.dtlsFingerprint:', securityManager.dtlsFingerprint);
// Debug logs removed
// Check if DTLS fingerprint is available
if (!securityManager.dtlsFingerprint) {
@@ -653,8 +650,7 @@ class EnhancedSecureCryptoUtils {
static async verifySASVerification(securityManager) {
try {
console.log('🔍 verifySASVerification debug:');
console.log(' - securityManager.sasCode:', securityManager.sasCode);
// Debug logs removed
// Check if SAS code is available
if (!securityManager.sasCode) {
@@ -669,8 +665,7 @@ class EnhancedSecureCryptoUtils {
static async verifyTrafficObfuscation(securityManager) {
try {
console.log('🔍 verifyTrafficObfuscation debug:');
console.log(' - securityManager.trafficObfuscation:', securityManager.trafficObfuscation);
// Debug logs removed
// Check if traffic obfuscation is enabled
if (!securityManager.trafficObfuscation) {
@@ -1097,14 +1092,11 @@ class EnhancedSecureCryptoUtils {
['deriveKey']
);
EnhancedSecureCryptoUtils.secureLog.log('info', 'ECDH key pair generated successfully (P-384)', {
curve: 'P-384',
extractable: false
});
// Removed key generation info logging to avoid exposing key-related metadata
return keyPair;
} catch (p384Error) {
EnhancedSecureCryptoUtils.secureLog.log('warn', 'P-384 generation failed, trying P-256', { error: p384Error.message });
EnhancedSecureCryptoUtils.secureLog.log('warn', 'Elliptic curve P-384 generation failed, switching curve', { error: p384Error.message });
// Fallback to P-256
const keyPair = await crypto.subtle.generateKey(
@@ -1116,10 +1108,7 @@ class EnhancedSecureCryptoUtils {
['deriveKey']
);
EnhancedSecureCryptoUtils.secureLog.log('info', 'ECDH key pair generated successfully (P-256 fallback)', {
curve: 'P-256',
extractable: false
});
// Removed key generation info logging to avoid exposing key-related metadata
return keyPair;
}
@@ -1143,14 +1132,11 @@ class EnhancedSecureCryptoUtils {
['sign', 'verify']
);
EnhancedSecureCryptoUtils.secureLog.log('info', 'ECDSA key pair generated successfully (P-384)', {
curve: 'P-384',
extractable: false
});
// Removed key generation info logging to avoid exposing key-related metadata
return keyPair;
} catch (p384Error) {
EnhancedSecureCryptoUtils.secureLog.log('warn', 'P-384 generation failed, trying P-256', { error: p384Error.message });
EnhancedSecureCryptoUtils.secureLog.log('warn', 'Elliptic curve P-384 generation failed, switching curve', { error: p384Error.message });
// Fallback to P-256
const keyPair = await crypto.subtle.generateKey(
@@ -1162,10 +1148,7 @@ class EnhancedSecureCryptoUtils {
['sign', 'verify']
);
EnhancedSecureCryptoUtils.secureLog.log('info', 'ECDSA key pair generated successfully (P-256 fallback)', {
curve: 'P-256',
extractable: false
});
// Removed key generation info logging to avoid exposing key-related metadata
return keyPair;
}
@@ -1216,22 +1199,17 @@ class EnhancedSecureCryptoUtils {
// Verify ECDSA signature (P-384 or P-256)
static async verifySignature(publicKey, signature, data) {
try {
console.log('DEBUG: verifySignature called with:', {
publicKey: publicKey,
signature: signature,
data: data
});
// Debug logs removed
const encoder = new TextEncoder();
const dataBuffer = typeof data === 'string' ? encoder.encode(data) : data;
const signatureBuffer = new Uint8Array(signature);
console.log('DEBUG: verifySignature dataBuffer:', dataBuffer);
console.log('DEBUG: verifySignature signatureBuffer:', signatureBuffer);
// Debug logs removed
// Try SHA-384 first, fallback to SHA-256
try {
console.log('DEBUG: Trying SHA-384 verification...');
// Debug logs removed
const isValid = await crypto.subtle.verify(
{
name: 'ECDSA',
@@ -1242,19 +1220,16 @@ class EnhancedSecureCryptoUtils {
dataBuffer
);
console.log('DEBUG: SHA-384 verification result:', isValid);
// Debug logs removed
EnhancedSecureCryptoUtils.secureLog.log('info', 'Signature verification completed (SHA-384)', {
isValid,
dataSize: dataBuffer.length
});
// Removed signature verification info logging
return isValid;
} catch (sha384Error) {
console.log('DEBUG: SHA-384 verification failed, trying SHA-256:', sha384Error);
EnhancedSecureCryptoUtils.secureLog.log('warn', 'SHA-384 verification failed, trying SHA-256', { error: sha384Error.message });
// Debug logs removed
// Removed signature verification transition logging
console.log('DEBUG: Trying SHA-256 verification...');
// Debug logs removed
const isValid = await crypto.subtle.verify(
{
name: 'ECDSA',
@@ -1265,12 +1240,9 @@ class EnhancedSecureCryptoUtils {
dataBuffer
);
console.log('DEBUG: SHA-256 verification result:', isValid);
// Debug logs removed
EnhancedSecureCryptoUtils.secureLog.log('info', 'Signature verification completed (SHA-256 fallback)', {
isValid,
dataSize: dataBuffer.length
});
// Removed signature verification info logging
return isValid;
}
@@ -1366,10 +1338,7 @@ class EnhancedSecureCryptoUtils {
throw new Error(`Invalid or unsupported curve OID: ${curveOidString}`);
}
EnhancedSecureCryptoUtils.secureLog.log('info', 'EC key curve validated', {
curve: validCurves[curveOidString],
oid: curveOidString
});
// Removed curve validation info logging
}
// Validate public key BIT STRING
@@ -1432,13 +1401,7 @@ class EnhancedSecureCryptoUtils {
}
}
EnhancedSecureCryptoUtils.secureLog.log('info', 'Key structure validation passed', {
keyLen: keyBytes.length,
algorithm: expectedAlgorithm,
asn1Valid: true,
oidValid: true,
importValid: true
});
// Removed key structure validation info logging
return true;
} catch (err) {
@@ -1592,11 +1555,7 @@ class EnhancedSecureCryptoUtils {
signature
};
EnhancedSecureCryptoUtils.secureLog.log('info', 'Public key exported with signature', {
keyType,
keySize: keyData.length,
signed: true
});
// Removed public key export with signature info logging
return signedPackage;
} catch (error) {
@@ -1611,11 +1570,7 @@ class EnhancedSecureCryptoUtils {
// Import and verify signed public key
static async importSignedPublicKey(signedPackage, verifyingKey, expectedKeyType = 'ECDH') {
try {
console.log('DEBUG: importSignedPublicKey called with:', {
signedPackage: signedPackage,
verifyingKey: verifyingKey,
expectedKeyType: expectedKeyType
});
// Debug logs removed
// Validate package structure
if (!signedPackage || typeof signedPackage !== 'object') {
@@ -1643,11 +1598,9 @@ class EnhancedSecureCryptoUtils {
// Verify signature
const packageCopy = { keyType, keyData, timestamp, version };
const packageString = JSON.stringify(packageCopy);
console.log('DEBUG: Web version package string for verification:', packageString);
console.log('DEBUG: Web version signature to verify:', signature);
console.log('DEBUG: Web version verifying key:', verifyingKey);
// Debug logs removed
const isValidSignature = await EnhancedSecureCryptoUtils.verifySignature(verifyingKey, signature, packageString);
console.log('DEBUG: Web version signature verification result:', isValidSignature);
// Debug logs removed
if (!isValidSignature) {
throw new Error('Invalid signature on key package - possible MITM attack');
@@ -1672,18 +1625,12 @@ class EnhancedSecureCryptoUtils {
keyUsages
);
EnhancedSecureCryptoUtils.secureLog.log('info', 'Signed public key imported successfully (P-384)', {
keyType,
signatureValid: true,
keyAge: Math.round(keyAge / 1000) + 's'
});
// Removed public key import info logging
return publicKey;
} catch (p384Error) {
// Fallback to P-256
EnhancedSecureCryptoUtils.secureLog.log('warn', 'P-384 import failed, trying P-256', {
error: p384Error.message
});
EnhancedSecureCryptoUtils.secureLog.log('warn', 'Elliptic curve P-384 import failed, switching curve', { error: p384Error.message });
const algorithm = keyType === 'ECDH' ?
{ name: 'ECDH', namedCurve: 'P-256' }
@@ -1699,11 +1646,7 @@ class EnhancedSecureCryptoUtils {
keyUsages
);
EnhancedSecureCryptoUtils.secureLog.log('info', 'Signed public key imported successfully (P-256 fallback)', {
keyType,
signatureValid: true,
keyAge: Math.round(keyAge / 1000) + 's'
});
// Removed public key import info logging
return publicKey;
}
@@ -1724,7 +1667,7 @@ class EnhancedSecureCryptoUtils {
await EnhancedSecureCryptoUtils.validateKeyStructure(keyData, 'ECDH');
EnhancedSecureCryptoUtils.secureLog.log('info', 'Legacy public key exported', { keySize: keyData.length });
// Removed legacy public key export info logging
return keyData;
} catch (error) {
EnhancedSecureCryptoUtils.secureLog.log('error', 'Legacy public key export failed', { error: error.message });
@@ -1752,7 +1695,7 @@ class EnhancedSecureCryptoUtils {
[]
);
EnhancedSecureCryptoUtils.secureLog.log('info', 'Legacy public key imported (P-384)', { keySize: keyData.length });
// Removed legacy public key import info logging
return publicKey;
} catch (p384Error) {
EnhancedSecureCryptoUtils.secureLog.log('warn', 'P-384 import failed, trying P-256', { error: p384Error.message });
@@ -1769,7 +1712,7 @@ class EnhancedSecureCryptoUtils {
[]
);
EnhancedSecureCryptoUtils.secureLog.log('info', 'Legacy public key imported (P-256 fallback)', { keySize: keyData.length });
// Removed legacy public key import info logging
return publicKey;
}
} catch (error) {
@@ -1850,15 +1793,7 @@ class EnhancedSecureCryptoUtils {
const keyFingerprint = await EnhancedSecureCryptoUtils.calculateKeyFingerprint(signedPackage.keyData);
// Log successful verification with security details
EnhancedSecureCryptoUtils.secureLog.log('info', 'SECURE: Signature verification passed for signed package', {
keyType: signedPackage.keyType,
keySize: signedPackage.keyData.length,
timestamp: signedPackage.timestamp,
version: signedPackage.version,
signatureVerified: true,
securityLevel: 'HIGH',
keyFingerprint: keyFingerprint.substring(0, 8) // Only log first 8 chars for security
});
// Removed signature verification pass details to avoid key-related logging
// Import the public key with fallback
const keyBytes = new Uint8Array(signedPackage.keyData);
@@ -1921,15 +1856,7 @@ class EnhancedSecureCryptoUtils {
// Enhanced key derivation with metadata protection and 64-byte salt
static async deriveSharedKeys(privateKey, publicKey, salt) {
try {
EnhancedSecureCryptoUtils.secureLog.log('info', 'Starting key derivation', {
privateKeyType: typeof privateKey,
publicKeyType: typeof publicKey,
saltLength: salt?.length,
privateKeyAlgorithm: privateKey?.algorithm?.name,
publicKeyAlgorithm: publicKey?.algorithm?.name,
privateKeyUsages: privateKey?.usages,
publicKeyUsages: publicKey?.usages
});
// Removed detailed key derivation logging
// Validate input parameters are CryptoKey instances
if (!(privateKey instanceof CryptoKey)) {
@@ -1959,7 +1886,7 @@ class EnhancedSecureCryptoUtils {
// Step 1: Derive raw ECDH shared secret using pure ECDH
let rawSharedSecret;
try {
EnhancedSecureCryptoUtils.secureLog.log('info', 'Step 1: Starting ECDH derivation');
// Removed detailed key derivation logging
// Use pure ECDH to derive raw key material
const rawKeyMaterial = await crypto.subtle.deriveKey(
@@ -1991,7 +1918,7 @@ class EnhancedSecureCryptoUtils {
['deriveKey']
);
EnhancedSecureCryptoUtils.secureLog.log('info', 'Step 1: ECDH derivation successful');
// Removed detailed key derivation logging
} catch (error) {
EnhancedSecureCryptoUtils.secureLog.log('error', 'ECDH derivation failed', {
error: error.message
@@ -2000,7 +1927,7 @@ class EnhancedSecureCryptoUtils {
}
// Step 2: Use HKDF to derive specific keys directly
EnhancedSecureCryptoUtils.secureLog.log('info', 'Step 2: Starting HKDF key derivation');
// Removed detailed key derivation logging
// Step 3: Derive specific keys using HKDF with unique info parameters
// Each key uses unique info parameter for proper separation
@@ -2132,17 +2059,7 @@ class EnhancedSecureCryptoUtils {
throw new Error('The derived metadata key is not a valid CryptoKey.');
}
EnhancedSecureCryptoUtils.secureLog.log('info', 'Enhanced shared keys derived successfully with proper HKDF separation', {
saltSize: salt.length,
hasMessageKey: true,
hasMacKey: true,
hasPfsKey: true,
hasMetadataKey: true,
nonExtractable: true,
version: '4.0',
allKeysValid: true,
hkdfProperlyImplemented: true
});
// Removed detailed key derivation success logging
return {
messageKey, // Renamed from encryptionKey for clarity
@@ -2608,10 +2525,7 @@ class EnhancedSecureCryptoUtils {
// Convert to hexadecimal string
const fingerprint = hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
EnhancedSecureCryptoUtils.secureLog.log('info', 'Key fingerprint calculated', {
keySize: keyData.length,
fingerprintLength: fingerprint.length
});
// Removed key fingerprint logging
return fingerprint;
} catch (error) {
src/network/EnhancedSecureWebRTCManager.js
+2 -16
View File
@@ -101,7 +101,7 @@ class EnhancedSecureWebRTCManager {
};
// Static debug flag instead of this._debugMode
static DEBUG_MODE = true; // Set to true during development, false in production
static DEBUG_MODE = false; // Set to true during development, false in production
constructor(onMessage, onStatusChange, onKeyExchange, onVerificationRequired, onAnswerError = null, onVerificationStateChange = null, config = {}) {
@@ -3548,8 +3548,6 @@ this._secureLog('info', '🔒 Enhanced Mutex system fully initialized and valida
if (normalizedReceived !== normalizedExpected) {
this._secureLog('error', 'DTLS fingerprint mismatch - possible MITM attack', {
context: context,
receivedHash: await this._createSafeLogHash(normalizedReceived, 'dtls_fingerprint'),
expectedHash: await this._createSafeLogHash(normalizedExpected, 'dtls_fingerprint'),
timestamp: Date.now()
});
@@ -3558,7 +3556,6 @@ this._secureLog('info', '🔒 Enhanced Mutex system fully initialized and valida
this._secureLog('info', 'DTLS fingerprint validation successful', {
context: context,
fingerprintHash: await this._createSafeLogHash(normalizedReceived, 'dtls_fingerprint'),
timestamp: Date.now()
});
@@ -3829,7 +3826,6 @@ this._secureLog('info', '🔒 Enhanced Mutex system fully initialized and valida
});
this._secureLog('info', '✅ Ephemeral ECDH keys generated for PFS', {
sessionIdHash: await this._createSafeLogHash(sessionId, 'session_id'),
timestamp: Date.now()
});
@@ -4789,7 +4785,6 @@ this._secureLog('info', '🔒 Enhanced Mutex system fully initialized and valida
result.set(new Uint8Array(encrypted), EnhancedSecureWebRTCManager.SIZES.NESTED_ENCRYPTION_IV_SIZE);
this._secureLog('debug', '✅ Nested encryption applied with secure IV', {
ivHash: await this._createSafeLogHash(uniqueIV, 'nestedEncryption'),
ivSize: uniqueIV.length,
dataSize: data.byteLength,
encryptedSize: encrypted.byteLength
@@ -8019,8 +8014,6 @@ async processMessage(data) {
this._secureLog('debug', 'Ephemeral ECDH keys generated and validated for PFS', {
operationId: operationId,
privateKeyHash: await this._createSafeLogHash(ecdhKeyPair.privateKey, 'ecdh_private'),
publicKeyHash: await this._createSafeLogHash(ecdhKeyPair.publicKey, 'ecdh_public'),
privateKeyType: ecdhKeyPair.privateKey.algorithm?.name,
publicKeyType: ecdhKeyPair.publicKey.algorithm?.name,
isEphemeral: true
@@ -8050,8 +8043,6 @@ async processMessage(data) {
this._secureLog('debug', 'ECDSA keys generated and validated', {
operationId: operationId,
privateKeyHash: await this._createSafeLogHash(ecdsaKeyPair.privateKey, 'ecdsa_private'),
publicKeyHash: await this._createSafeLogHash(ecdsaKeyPair.publicKey, 'ecdsa_public'),
privateKeyType: ecdsaKeyPair.privateKey.algorithm?.name,
publicKeyType: ecdsaKeyPair.publicKey.algorithm?.name
});
@@ -10451,10 +10442,7 @@ async processMessage(data) {
// MITM Protection: Verify session ID if present (for enhanced security)
if (answerData.sessionId && this.sessionId && answerData.sessionId !== this.sessionId) {
window.EnhancedSecureCryptoUtils.secureLog.log('error', 'Session ID mismatch detected - possible MITM attack', {
expectedSessionIdHash: await this._createSafeLogHash(this.sessionId, 'session_id'),
receivedSessionIdHash: await this._createSafeLogHash(answerData.sessionId, 'session_id')
});
window.EnhancedSecureCryptoUtils.secureLog.log('error', 'Session ID mismatch detected - possible MITM attack', {});
throw new Error('Session ID mismatch possible MITM attack');
}
@@ -12189,7 +12177,6 @@ class SecureKeyStorage {
} catch (error) {
this._secureLog('error', 'Failed to retrieve key', {
keyIdHash: await this._createSafeLogHash(keyId, 'key_id'),
errorType: error?.constructor?.name || 'Unknown'
});
return null;
@@ -12383,7 +12370,6 @@ class SecureKeyStorage {
} catch (error) {
this._secureLog('error', 'Failed to delete key', {
keyIdHash: await this._createSafeLogHash(keyId, 'key_id'),
errorType: error?.constructor?.name || 'Unknown'
});
return false;
test.txt
View File