SecureBitChat/securebit-chat
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

remove key/hash logging and debug output from EnhancedSecureWebRTCManager and EnhancedSecureCryptoUtils
CodeQL Analysis / Analyze CodeQL (push) Has been cancelled
Details
Mirror to Codeberg / mirror (push) Has been cancelled
Details
Mirror to PrivacyGuides / mirror (push) Has been cancelled
Details

Browse Source
This commit is contained in:
lockbitchat
2025-10-30 14:55:46 -04:00
parent c7b16157fc
commit 77ed4b3e4f
8 changed files with 51 additions and 288 deletions
Download Patch File Download Diff File Expand all files Collapse all files
assets/tailwind.css
+1 -1
View File
File diff suppressed because one or more lines are too long
dist/app-boot.js
Vendored
+5 -142
View File
@@ -1225,9 +1225,6 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
} }
static async verifyReplayProtection(securityManager) { static async verifyReplayProtection(securityManager) {
try { try {
console.log("\u{1F50D} verifyReplayProtection debug:");
console.log(" - securityManager.replayProtection:", securityManager.replayProtection);
console.log(" - securityManager keys:", Object.keys(securityManager));
if (!securityManager.replayProtection) { if (!securityManager.replayProtection) {
return { passed: false, details: "Replay protection not enabled" }; return { passed: false, details: "Replay protection not enabled" };
} }
@@ -1238,8 +1235,6 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
} }
static async verifyDTLSFingerprint(securityManager) { static async verifyDTLSFingerprint(securityManager) {
try { try {
console.log("\u{1F50D} verifyDTLSFingerprint debug:");
console.log(" - securityManager.dtlsFingerprint:", securityManager.dtlsFingerprint);
if (!securityManager.dtlsFingerprint) { if (!securityManager.dtlsFingerprint) {
return { passed: false, details: "DTLS fingerprint not available" }; return { passed: false, details: "DTLS fingerprint not available" };
} }
@@ -1250,8 +1245,6 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
} }
static async verifySASVerification(securityManager) { static async verifySASVerification(securityManager) {
try { try {
console.log("\u{1F50D} verifySASVerification debug:");
console.log(" - securityManager.sasCode:", securityManager.sasCode);
if (!securityManager.sasCode) { if (!securityManager.sasCode) {
return { passed: false, details: "SAS code not available" }; return { passed: false, details: "SAS code not available" };
} }
@@ -1262,8 +1255,6 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
} }
static async verifyTrafficObfuscation(securityManager) { static async verifyTrafficObfuscation(securityManager) {
try { try {
console.log("\u{1F50D} verifyTrafficObfuscation debug:");
console.log(" - securityManager.trafficObfuscation:", securityManager.trafficObfuscation);
if (!securityManager.trafficObfuscation) { if (!securityManager.trafficObfuscation) {
return { passed: false, details: "Traffic obfuscation not enabled" }; return { passed: false, details: "Traffic obfuscation not enabled" };
} }
@@ -1593,13 +1584,9 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
// Non-extractable for enhanced security // Non-extractable for enhanced security
["deriveKey"] ["deriveKey"]
); );
_EnhancedSecureCryptoUtils.secureLog.log("info", "ECDH key pair generated successfully (P-384)", {
curve: "P-384",
extractable: false
});
return keyPair; return keyPair;
} catch (p384Error) { } catch (p384Error) {
_EnhancedSecureCryptoUtils.secureLog.log("warn", "P-384 generation failed, trying P-256", { error: p384Error.message }); _EnhancedSecureCryptoUtils.secureLog.log("warn", "Elliptic curve P-384 generation failed, switching curve", { error: p384Error.message });
const keyPair = await crypto.subtle.generateKey( const keyPair = await crypto.subtle.generateKey(
{ {
name: "ECDH", name: "ECDH",
@@ -1609,10 +1596,6 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
// Non-extractable for enhanced security // Non-extractable for enhanced security
["deriveKey"] ["deriveKey"]
); );
_EnhancedSecureCryptoUtils.secureLog.log("info", "ECDH key pair generated successfully (P-256 fallback)", {
curve: "P-256",
extractable: false
});
return keyPair; return keyPair;
} }
} catch (error) { } catch (error) {
@@ -1633,13 +1616,9 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
// Non-extractable for enhanced security // Non-extractable for enhanced security
["sign", "verify"] ["sign", "verify"]
); );
_EnhancedSecureCryptoUtils.secureLog.log("info", "ECDSA key pair generated successfully (P-384)", {
curve: "P-384",
extractable: false
});
return keyPair; return keyPair;
} catch (p384Error) { } catch (p384Error) {
_EnhancedSecureCryptoUtils.secureLog.log("warn", "P-384 generation failed, trying P-256", { error: p384Error.message }); _EnhancedSecureCryptoUtils.secureLog.log("warn", "Elliptic curve P-384 generation failed, switching curve", { error: p384Error.message });
const keyPair = await crypto.subtle.generateKey( const keyPair = await crypto.subtle.generateKey(
{ {
name: "ECDSA", name: "ECDSA",
@@ -1649,10 +1628,6 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
// Non-extractable for enhanced security // Non-extractable for enhanced security
["sign", "verify"] ["sign", "verify"]
); );
_EnhancedSecureCryptoUtils.secureLog.log("info", "ECDSA key pair generated successfully (P-256 fallback)", {
curve: "P-256",
extractable: false
});
return keyPair; return keyPair;
} }
} catch (error) { } catch (error) {
@@ -1695,18 +1670,10 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
// Verify ECDSA signature (P-384 or P-256) // Verify ECDSA signature (P-384 or P-256)
static async verifySignature(publicKey, signature, data) { static async verifySignature(publicKey, signature, data) {
try { try {
console.log("DEBUG: verifySignature called with:", {
publicKey,
signature,
data
});
const encoder = new TextEncoder(); const encoder = new TextEncoder();
const dataBuffer = typeof data === "string" ? encoder.encode(data) : data; const dataBuffer = typeof data === "string" ? encoder.encode(data) : data;
const signatureBuffer = new Uint8Array(signature); const signatureBuffer = new Uint8Array(signature);
console.log("DEBUG: verifySignature dataBuffer:", dataBuffer);
console.log("DEBUG: verifySignature signatureBuffer:", signatureBuffer);
try { try {
console.log("DEBUG: Trying SHA-384 verification...");
const isValid = await crypto.subtle.verify( const isValid = await crypto.subtle.verify(
{ {
name: "ECDSA", name: "ECDSA",
@@ -1716,16 +1683,8 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
signatureBuffer, signatureBuffer,
dataBuffer dataBuffer
); );
console.log("DEBUG: SHA-384 verification result:", isValid);
_EnhancedSecureCryptoUtils.secureLog.log("info", "Signature verification completed (SHA-384)", {
isValid,
dataSize: dataBuffer.length
});
return isValid; return isValid;
} catch (sha384Error) { } catch (sha384Error) {
console.log("DEBUG: SHA-384 verification failed, trying SHA-256:", sha384Error);
_EnhancedSecureCryptoUtils.secureLog.log("warn", "SHA-384 verification failed, trying SHA-256", { error: sha384Error.message });
console.log("DEBUG: Trying SHA-256 verification...");
const isValid = await crypto.subtle.verify( const isValid = await crypto.subtle.verify(
{ {
name: "ECDSA", name: "ECDSA",
@@ -1735,11 +1694,6 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
signatureBuffer, signatureBuffer,
dataBuffer dataBuffer
); );
console.log("DEBUG: SHA-256 verification result:", isValid);
_EnhancedSecureCryptoUtils.secureLog.log("info", "Signature verification completed (SHA-256 fallback)", {
isValid,
dataSize: dataBuffer.length
});
return isValid; return isValid;
} }
} catch (error) { } catch (error) {
@@ -1812,10 +1766,6 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
if (!validCurves[curveOidString]) { if (!validCurves[curveOidString]) {
throw new Error(`Invalid or unsupported curve OID: ${curveOidString}`); throw new Error(`Invalid or unsupported curve OID: ${curveOidString}`);
} }
_EnhancedSecureCryptoUtils.secureLog.log("info", "EC key curve validated", {
curve: validCurves[curveOidString],
oid: curveOidString
});
} }
const publicKeyBitString = asn1.children[1]; const publicKeyBitString = asn1.children[1];
if (publicKeyBitString.tag !== 3) { if (publicKeyBitString.tag !== 3) {
@@ -1859,13 +1809,6 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
throw new Error(`Key import validation failed: ${importError.message}`); throw new Error(`Key import validation failed: ${importError.message}`);
} }
} }
_EnhancedSecureCryptoUtils.secureLog.log("info", "Key structure validation passed", {
keyLen: keyBytes.length,
algorithm: expectedAlgorithm,
asn1Valid: true,
oidValid: true,
importValid: true
});
return true; return true;
} catch (err) { } catch (err) {
_EnhancedSecureCryptoUtils.secureLog.log("error", "Key structure validation failed", { _EnhancedSecureCryptoUtils.secureLog.log("error", "Key structure validation failed", {
@@ -1979,11 +1922,6 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
...keyPackage, ...keyPackage,
signature signature
}; };
_EnhancedSecureCryptoUtils.secureLog.log("info", "Public key exported with signature", {
keyType,
keySize: keyData.length,
signed: true
});
return signedPackage; return signedPackage;
} catch (error) { } catch (error) {
_EnhancedSecureCryptoUtils.secureLog.log("error", "Public key export failed", { _EnhancedSecureCryptoUtils.secureLog.log("error", "Public key export failed", {
@@ -1996,11 +1934,6 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
// Import and verify signed public key // Import and verify signed public key
static async importSignedPublicKey(signedPackage, verifyingKey, expectedKeyType = "ECDH") { static async importSignedPublicKey(signedPackage, verifyingKey, expectedKeyType = "ECDH") {
try { try {
console.log("DEBUG: importSignedPublicKey called with:", {
signedPackage,
verifyingKey,
expectedKeyType
});
if (!signedPackage || typeof signedPackage !== "object") { if (!signedPackage || typeof signedPackage !== "object") {
throw new Error("Invalid signed package format"); throw new Error("Invalid signed package format");
} }
@@ -2018,11 +1951,7 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
await _EnhancedSecureCryptoUtils.validateKeyStructure(keyData, keyType); await _EnhancedSecureCryptoUtils.validateKeyStructure(keyData, keyType);
const packageCopy = { keyType, keyData, timestamp, version }; const packageCopy = { keyType, keyData, timestamp, version };
const packageString = JSON.stringify(packageCopy); const packageString = JSON.stringify(packageCopy);
console.log("DEBUG: Web version package string for verification:", packageString);
console.log("DEBUG: Web version signature to verify:", signature);
console.log("DEBUG: Web version verifying key:", verifyingKey);
const isValidSignature = await _EnhancedSecureCryptoUtils.verifySignature(verifyingKey, signature, packageString); const isValidSignature = await _EnhancedSecureCryptoUtils.verifySignature(verifyingKey, signature, packageString);
console.log("DEBUG: Web version signature verification result:", isValidSignature);
if (!isValidSignature) { if (!isValidSignature) {
throw new Error("Invalid signature on key package - possible MITM attack"); throw new Error("Invalid signature on key package - possible MITM attack");
} }
@@ -2038,16 +1967,9 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
// Non-extractable // Non-extractable
keyUsages keyUsages
); );
_EnhancedSecureCryptoUtils.secureLog.log("info", "Signed public key imported successfully (P-384)", {
keyType,
signatureValid: true,
keyAge: Math.round(keyAge / 1e3) + "s"
});
return publicKey; return publicKey;
} catch (p384Error) { } catch (p384Error) {
_EnhancedSecureCryptoUtils.secureLog.log("warn", "P-384 import failed, trying P-256", { _EnhancedSecureCryptoUtils.secureLog.log("warn", "Elliptic curve P-384 import failed, switching curve", { error: p384Error.message });
error: p384Error.message
});
const algorithm = keyType === "ECDH" ? { name: "ECDH", namedCurve: "P-256" } : { name: "ECDSA", namedCurve: "P-256" }; const algorithm = keyType === "ECDH" ? { name: "ECDH", namedCurve: "P-256" } : { name: "ECDSA", namedCurve: "P-256" };
const keyUsages = keyType === "ECDH" ? [] : ["verify"]; const keyUsages = keyType === "ECDH" ? [] : ["verify"];
const publicKey = await crypto.subtle.importKey( const publicKey = await crypto.subtle.importKey(
@@ -2058,11 +1980,6 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
// Non-extractable // Non-extractable
keyUsages keyUsages
); );
_EnhancedSecureCryptoUtils.secureLog.log("info", "Signed public key imported successfully (P-256 fallback)", {
keyType,
signatureValid: true,
keyAge: Math.round(keyAge / 1e3) + "s"
});
return publicKey; return publicKey;
} }
} catch (error) { } catch (error) {
@@ -2079,7 +1996,6 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
const exported = await crypto.subtle.exportKey("spki", publicKey); const exported = await crypto.subtle.exportKey("spki", publicKey);
const keyData = Array.from(new Uint8Array(exported)); const keyData = Array.from(new Uint8Array(exported));
await _EnhancedSecureCryptoUtils.validateKeyStructure(keyData, "ECDH"); await _EnhancedSecureCryptoUtils.validateKeyStructure(keyData, "ECDH");
_EnhancedSecureCryptoUtils.secureLog.log("info", "Legacy public key exported", { keySize: keyData.length });
return keyData; return keyData;
} catch (error) { } catch (error) {
_EnhancedSecureCryptoUtils.secureLog.log("error", "Legacy public key export failed", { error: error.message }); _EnhancedSecureCryptoUtils.secureLog.log("error", "Legacy public key export failed", { error: error.message });
@@ -2103,7 +2019,6 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
// Non-extractable // Non-extractable
[] []
); );
_EnhancedSecureCryptoUtils.secureLog.log("info", "Legacy public key imported (P-384)", { keySize: keyData.length });
return publicKey; return publicKey;
} catch (p384Error) { } catch (p384Error) {
_EnhancedSecureCryptoUtils.secureLog.log("warn", "P-384 import failed, trying P-256", { error: p384Error.message }); _EnhancedSecureCryptoUtils.secureLog.log("warn", "P-384 import failed, trying P-256", { error: p384Error.message });
@@ -2118,7 +2033,6 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
// Non-extractable // Non-extractable
[] []
); );
_EnhancedSecureCryptoUtils.secureLog.log("info", "Legacy public key imported (P-256 fallback)", { keySize: keyData.length });
return publicKey; return publicKey;
} }
} catch (error) { } catch (error) {
@@ -2176,16 +2090,6 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
throw new Error("CRITICAL SECURITY ERROR: Invalid key signature detected. This indicates a possible MITM attack attempt. Key import rejected."); throw new Error("CRITICAL SECURITY ERROR: Invalid key signature detected. This indicates a possible MITM attack attempt. Key import rejected.");
} }
const keyFingerprint = await _EnhancedSecureCryptoUtils.calculateKeyFingerprint(signedPackage.keyData); const keyFingerprint = await _EnhancedSecureCryptoUtils.calculateKeyFingerprint(signedPackage.keyData);
_EnhancedSecureCryptoUtils.secureLog.log("info", "SECURE: Signature verification passed for signed package", {
keyType: signedPackage.keyType,
keySize: signedPackage.keyData.length,
timestamp: signedPackage.timestamp,
version: signedPackage.version,
signatureVerified: true,
securityLevel: "HIGH",
keyFingerprint: keyFingerprint.substring(0, 8)
// Only log first 8 chars for security
});
const keyBytes = new Uint8Array(signedPackage.keyData); const keyBytes = new Uint8Array(signedPackage.keyData);
const keyType = signedPackage.keyType || "ECDH"; const keyType = signedPackage.keyType || "ECDH";
try { try {
@@ -2237,15 +2141,6 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
// Enhanced key derivation with metadata protection and 64-byte salt // Enhanced key derivation with metadata protection and 64-byte salt
static async deriveSharedKeys(privateKey, publicKey, salt) { static async deriveSharedKeys(privateKey, publicKey, salt) {
try { try {
_EnhancedSecureCryptoUtils.secureLog.log("info", "Starting key derivation", {
privateKeyType: typeof privateKey,
publicKeyType: typeof publicKey,
saltLength: salt?.length,
privateKeyAlgorithm: privateKey?.algorithm?.name,
publicKeyAlgorithm: publicKey?.algorithm?.name,
privateKeyUsages: privateKey?.usages,
publicKeyUsages: publicKey?.usages
});
if (!(privateKey instanceof CryptoKey)) { if (!(privateKey instanceof CryptoKey)) {
_EnhancedSecureCryptoUtils.secureLog.log("error", "Private key is not a CryptoKey", { _EnhancedSecureCryptoUtils.secureLog.log("error", "Private key is not a CryptoKey", {
privateKeyType: typeof privateKey, privateKeyType: typeof privateKey,
@@ -2267,7 +2162,6 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
const encoder = new TextEncoder(); const encoder = new TextEncoder();
let rawSharedSecret; let rawSharedSecret;
try { try {
_EnhancedSecureCryptoUtils.secureLog.log("info", "Step 1: Starting ECDH derivation");
const rawKeyMaterial = await crypto.subtle.deriveKey( const rawKeyMaterial = await crypto.subtle.deriveKey(
{ {
name: "ECDH", name: "ECDH",
@@ -2293,14 +2187,12 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
false, false,
["deriveKey"] ["deriveKey"]
); );
_EnhancedSecureCryptoUtils.secureLog.log("info", "Step 1: ECDH derivation successful");
} catch (error) { } catch (error) {
_EnhancedSecureCryptoUtils.secureLog.log("error", "ECDH derivation failed", { _EnhancedSecureCryptoUtils.secureLog.log("error", "ECDH derivation failed", {
error: error.message error: error.message
}); });
throw error; throw error;
} }
_EnhancedSecureCryptoUtils.secureLog.log("info", "Step 2: Starting HKDF key derivation");
let messageKey; let messageKey;
messageKey = await crypto.subtle.deriveKey( messageKey = await crypto.subtle.deriveKey(
{ {
@@ -2416,17 +2308,6 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
}); });
throw new Error("The derived metadata key is not a valid CryptoKey."); throw new Error("The derived metadata key is not a valid CryptoKey.");
} }
_EnhancedSecureCryptoUtils.secureLog.log("info", "Enhanced shared keys derived successfully with proper HKDF separation", {
saltSize: salt.length,
hasMessageKey: true,
hasMacKey: true,
hasPfsKey: true,
hasMetadataKey: true,
nonExtractable: true,
version: "4.0",
allKeysValid: true,
hkdfProperlyImplemented: true
});
return { return {
messageKey, messageKey,
// Renamed from encryptionKey for clarity // Renamed from encryptionKey for clarity
@@ -2798,10 +2679,6 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
const hashBuffer = await crypto.subtle.digest("SHA-256", keyBytes); const hashBuffer = await crypto.subtle.digest("SHA-256", keyBytes);
const hashArray = Array.from(new Uint8Array(hashBuffer)); const hashArray = Array.from(new Uint8Array(hashBuffer));
const fingerprint = hashArray.map((b) => b.toString(16).padStart(2, "0")).join(""); const fingerprint = hashArray.map((b) => b.toString(16).padStart(2, "0")).join("");
_EnhancedSecureCryptoUtils.secureLog.log("info", "Key fingerprint calculated", {
keySize: keyData.length,
fingerprintLength: fingerprint.length
});
return fingerprint; return fingerprint;
} catch (error) { } catch (error) {
_EnhancedSecureCryptoUtils.secureLog.log("error", "Key fingerprint calculation failed", { error: error.message }); _EnhancedSecureCryptoUtils.secureLog.log("error", "Key fingerprint calculation failed", { error: error.message });
@@ -4662,7 +4539,7 @@ var EnhancedSecureWebRTCManager = class _EnhancedSecureWebRTCManager {
SYSTEM_MESSAGE: "SYSTEM_MESSAGE_FILTERED" SYSTEM_MESSAGE: "SYSTEM_MESSAGE_FILTERED"
}; };
// Static debug flag instead of this._debugMode // Static debug flag instead of this._debugMode
static DEBUG_MODE = true; static DEBUG_MODE = false;
// Set to true during development, false in production // Set to true during development, false in production
constructor(onMessage, onStatusChange, onKeyExchange, onVerificationRequired, onAnswerError = null, onVerificationStateChange = null, config = {}) { constructor(onMessage, onStatusChange, onKeyExchange, onVerificationRequired, onAnswerError = null, onVerificationStateChange = null, config = {}) {
this._isProductionMode = this._detectProductionMode(); this._isProductionMode = this._detectProductionMode();
@@ -7428,15 +7305,12 @@ var EnhancedSecureWebRTCManager = class _EnhancedSecureWebRTCManager {
if (normalizedReceived !== normalizedExpected) { if (normalizedReceived !== normalizedExpected) {
this._secureLog("error", "DTLS fingerprint mismatch - possible MITM attack", { this._secureLog("error", "DTLS fingerprint mismatch - possible MITM attack", {
context, context,
receivedHash: await this._createSafeLogHash(normalizedReceived, "dtls_fingerprint"),
expectedHash: await this._createSafeLogHash(normalizedExpected, "dtls_fingerprint"),
timestamp: Date.now() timestamp: Date.now()
}); });
throw new Error(`DTLS fingerprint mismatch - possible MITM attack in ${context}`); throw new Error(`DTLS fingerprint mismatch - possible MITM attack in ${context}`);
} }
this._secureLog("info", "DTLS fingerprint validation successful", { this._secureLog("info", "DTLS fingerprint validation successful", {
context, context,
fingerprintHash: await this._createSafeLogHash(normalizedReceived, "dtls_fingerprint"),
timestamp: Date.now() timestamp: Date.now()
}); });
return true; return true;
@@ -7653,7 +7527,6 @@ var EnhancedSecureWebRTCManager = class _EnhancedSecureWebRTCManager {
sessionId sessionId
}); });
this._secureLog("info", "\u2705 Ephemeral ECDH keys generated for PFS", { this._secureLog("info", "\u2705 Ephemeral ECDH keys generated for PFS", {
sessionIdHash: await this._createSafeLogHash(sessionId, "session_id"),
timestamp: Date.now() timestamp: Date.now()
}); });
return ephemeralKeyPair; return ephemeralKeyPair;
@@ -8429,7 +8302,6 @@ var EnhancedSecureWebRTCManager = class _EnhancedSecureWebRTCManager {
result.set(uniqueIV, 0); result.set(uniqueIV, 0);
result.set(new Uint8Array(encrypted), _EnhancedSecureWebRTCManager.SIZES.NESTED_ENCRYPTION_IV_SIZE); result.set(new Uint8Array(encrypted), _EnhancedSecureWebRTCManager.SIZES.NESTED_ENCRYPTION_IV_SIZE);
this._secureLog("debug", "\u2705 Nested encryption applied with secure IV", { this._secureLog("debug", "\u2705 Nested encryption applied with secure IV", {
ivHash: await this._createSafeLogHash(uniqueIV, "nestedEncryption"),
ivSize: uniqueIV.length, ivSize: uniqueIV.length,
dataSize: data.byteLength, dataSize: data.byteLength,
encryptedSize: encrypted.byteLength encryptedSize: encrypted.byteLength
@@ -10847,8 +10719,6 @@ var EnhancedSecureWebRTCManager = class _EnhancedSecureWebRTCManager {
} }
this._secureLog("debug", "Ephemeral ECDH keys generated and validated for PFS", { this._secureLog("debug", "Ephemeral ECDH keys generated and validated for PFS", {
operationId, operationId,
privateKeyHash: await this._createSafeLogHash(ecdhKeyPair.privateKey, "ecdh_private"),
publicKeyHash: await this._createSafeLogHash(ecdhKeyPair.publicKey, "ecdh_public"),
privateKeyType: ecdhKeyPair.privateKey.algorithm?.name, privateKeyType: ecdhKeyPair.privateKey.algorithm?.name,
publicKeyType: ecdhKeyPair.publicKey.algorithm?.name, publicKeyType: ecdhKeyPair.publicKey.algorithm?.name,
isEphemeral: true isEphemeral: true
@@ -10870,8 +10740,6 @@ var EnhancedSecureWebRTCManager = class _EnhancedSecureWebRTCManager {
} }
this._secureLog("debug", "ECDSA keys generated and validated", { this._secureLog("debug", "ECDSA keys generated and validated", {
operationId, operationId,
privateKeyHash: await this._createSafeLogHash(ecdsaKeyPair.privateKey, "ecdsa_private"),
publicKeyHash: await this._createSafeLogHash(ecdsaKeyPair.publicKey, "ecdsa_public"),
privateKeyType: ecdsaKeyPair.privateKey.algorithm?.name, privateKeyType: ecdsaKeyPair.privateKey.algorithm?.name,
publicKeyType: ecdsaKeyPair.publicKey.algorithm?.name publicKeyType: ecdsaKeyPair.publicKey.algorithm?.name
}); });
@@ -12637,10 +12505,7 @@ var EnhancedSecureWebRTCManager = class _EnhancedSecureWebRTCManager {
throw new Error("Missing required fields in response data \u2013 possible MITM attack"); throw new Error("Missing required fields in response data \u2013 possible MITM attack");
} }
if (answerData.sessionId && this.sessionId && answerData.sessionId !== this.sessionId) { if (answerData.sessionId && this.sessionId && answerData.sessionId !== this.sessionId) {
window.EnhancedSecureCryptoUtils.secureLog.log("error", "Session ID mismatch detected - possible MITM attack", { window.EnhancedSecureCryptoUtils.secureLog.log("error", "Session ID mismatch detected - possible MITM attack", {});
expectedSessionIdHash: await this._createSafeLogHash(this.sessionId, "session_id"),
receivedSessionIdHash: await this._createSafeLogHash(answerData.sessionId, "session_id")
});
throw new Error("Session ID mismatch \u2013 possible MITM attack"); throw new Error("Session ID mismatch \u2013 possible MITM attack");
} }
const answerAge = Date.now() - answerData.timestamp; const answerAge = Date.now() - answerData.timestamp;
@@ -13980,7 +13845,6 @@ var SecureKeyStorage = class {
return null; return null;
} catch (error) { } catch (error) {
this._secureLog("error", "Failed to retrieve key", { this._secureLog("error", "Failed to retrieve key", {
keyIdHash: await this._createSafeLogHash(keyId, "key_id"),
errorType: error?.constructor?.name || "Unknown" errorType: error?.constructor?.name || "Unknown"
}); });
return null; return null;
@@ -14127,7 +13991,6 @@ var SecureKeyStorage = class {
return true; return true;
} catch (error) { } catch (error) {
this._secureLog("error", "Failed to delete key", { this._secureLog("error", "Failed to delete key", {
keyIdHash: await this._createSafeLogHash(keyId, "key_id"),
errorType: error?.constructor?.name || "Unknown" errorType: error?.constructor?.name || "Unknown"
}); });
return false; return false;
dist/app-boot.js.map
Vendored
+2 -2
View File
File diff suppressed because one or more lines are too long
dist/app.js
Vendored
+1 -1
View File
@@ -1688,7 +1688,7 @@ var EnhancedSecureP2PChat = () => {
} catch (error) { } catch (error) {
} }
} }
handleMessage(" SecureBit.chat Enhanced Security Edition v4.4.18 - ECDH + DTLS + SAS initialized. Ready to establish a secure connection with ECDH key exchange, DTLS fingerprint verification, and SAS authentication to prevent MITM attacks.", "system"); handleMessage(" SecureBit.chat Enhanced Security Edition v4.4.99 - ECDH + DTLS + SAS initialized. Ready to establish a secure connection with ECDH key exchange, DTLS fingerprint verification, and SAS authentication to prevent MITM attacks.", "system");
const handleBeforeUnload = (event) => { const handleBeforeUnload = (event) => {
if (event.type === "beforeunload" && !isTabSwitching) { if (event.type === "beforeunload" && !isTabSwitching) {
if (webrtcManagerRef2.current && webrtcManagerRef2.current.isConnected()) { if (webrtcManagerRef2.current && webrtcManagerRef2.current.isConnected()) {
dist/app.js.map
Vendored
+1 -1
View File
File diff suppressed because one or more lines are too long
src/crypto/EnhancedSecureCryptoUtils.js
+39 -125
View File
@@ -620,9 +620,7 @@ class EnhancedSecureCryptoUtils {
static async verifyReplayProtection(securityManager) { static async verifyReplayProtection(securityManager) {
try { try {
console.log('🔍 verifyReplayProtection debug:'); // Debug logs removed to prevent leaking runtime state
console.log(' - securityManager.replayProtection:', securityManager.replayProtection);
console.log(' - securityManager keys:', Object.keys(securityManager));
// Check if replay protection is enabled // Check if replay protection is enabled
if (!securityManager.replayProtection) { if (!securityManager.replayProtection) {
@@ -637,8 +635,7 @@ class EnhancedSecureCryptoUtils {
static async verifyDTLSFingerprint(securityManager) { static async verifyDTLSFingerprint(securityManager) {
try { try {
console.log('🔍 verifyDTLSFingerprint debug:'); // Debug logs removed
console.log(' - securityManager.dtlsFingerprint:', securityManager.dtlsFingerprint);
// Check if DTLS fingerprint is available // Check if DTLS fingerprint is available
if (!securityManager.dtlsFingerprint) { if (!securityManager.dtlsFingerprint) {
@@ -653,8 +650,7 @@ class EnhancedSecureCryptoUtils {
static async verifySASVerification(securityManager) { static async verifySASVerification(securityManager) {
try { try {
console.log('🔍 verifySASVerification debug:'); // Debug logs removed
console.log(' - securityManager.sasCode:', securityManager.sasCode);
// Check if SAS code is available // Check if SAS code is available
if (!securityManager.sasCode) { if (!securityManager.sasCode) {
@@ -669,8 +665,7 @@ class EnhancedSecureCryptoUtils {
static async verifyTrafficObfuscation(securityManager) { static async verifyTrafficObfuscation(securityManager) {
try { try {
console.log('🔍 verifyTrafficObfuscation debug:'); // Debug logs removed
console.log(' - securityManager.trafficObfuscation:', securityManager.trafficObfuscation);
// Check if traffic obfuscation is enabled // Check if traffic obfuscation is enabled
if (!securityManager.trafficObfuscation) { if (!securityManager.trafficObfuscation) {
@@ -1097,14 +1092,11 @@ class EnhancedSecureCryptoUtils {
['deriveKey'] ['deriveKey']
); );
EnhancedSecureCryptoUtils.secureLog.log('info', 'ECDH key pair generated successfully (P-384)', { // Removed key generation info logging to avoid exposing key-related metadata
curve: 'P-384',
extractable: false
});
return keyPair; return keyPair;
} catch (p384Error) { } catch (p384Error) {
EnhancedSecureCryptoUtils.secureLog.log('warn', 'P-384 generation failed, trying P-256', { error: p384Error.message }); EnhancedSecureCryptoUtils.secureLog.log('warn', 'Elliptic curve P-384 generation failed, switching curve', { error: p384Error.message });
// Fallback to P-256 // Fallback to P-256
const keyPair = await crypto.subtle.generateKey( const keyPair = await crypto.subtle.generateKey(
@@ -1116,10 +1108,7 @@ class EnhancedSecureCryptoUtils {
['deriveKey'] ['deriveKey']
); );
EnhancedSecureCryptoUtils.secureLog.log('info', 'ECDH key pair generated successfully (P-256 fallback)', { // Removed key generation info logging to avoid exposing key-related metadata
curve: 'P-256',
extractable: false
});
return keyPair; return keyPair;
} }
@@ -1143,14 +1132,11 @@ class EnhancedSecureCryptoUtils {
['sign', 'verify'] ['sign', 'verify']
); );
EnhancedSecureCryptoUtils.secureLog.log('info', 'ECDSA key pair generated successfully (P-384)', { // Removed key generation info logging to avoid exposing key-related metadata
curve: 'P-384',
extractable: false
});
return keyPair; return keyPair;
} catch (p384Error) { } catch (p384Error) {
EnhancedSecureCryptoUtils.secureLog.log('warn', 'P-384 generation failed, trying P-256', { error: p384Error.message }); EnhancedSecureCryptoUtils.secureLog.log('warn', 'Elliptic curve P-384 generation failed, switching curve', { error: p384Error.message });
// Fallback to P-256 // Fallback to P-256
const keyPair = await crypto.subtle.generateKey( const keyPair = await crypto.subtle.generateKey(
@@ -1162,10 +1148,7 @@ class EnhancedSecureCryptoUtils {
['sign', 'verify'] ['sign', 'verify']
); );
EnhancedSecureCryptoUtils.secureLog.log('info', 'ECDSA key pair generated successfully (P-256 fallback)', { // Removed key generation info logging to avoid exposing key-related metadata
curve: 'P-256',
extractable: false
});
return keyPair; return keyPair;
} }
@@ -1216,22 +1199,17 @@ class EnhancedSecureCryptoUtils {
// Verify ECDSA signature (P-384 or P-256) // Verify ECDSA signature (P-384 or P-256)
static async verifySignature(publicKey, signature, data) { static async verifySignature(publicKey, signature, data) {
try { try {
console.log('DEBUG: verifySignature called with:', { // Debug logs removed
publicKey: publicKey,
signature: signature,
data: data
});
const encoder = new TextEncoder(); const encoder = new TextEncoder();
const dataBuffer = typeof data === 'string' ? encoder.encode(data) : data; const dataBuffer = typeof data === 'string' ? encoder.encode(data) : data;
const signatureBuffer = new Uint8Array(signature); const signatureBuffer = new Uint8Array(signature);
console.log('DEBUG: verifySignature dataBuffer:', dataBuffer); // Debug logs removed
console.log('DEBUG: verifySignature signatureBuffer:', signatureBuffer);
// Try SHA-384 first, fallback to SHA-256 // Try SHA-384 first, fallback to SHA-256
try { try {
console.log('DEBUG: Trying SHA-384 verification...'); // Debug logs removed
const isValid = await crypto.subtle.verify( const isValid = await crypto.subtle.verify(
{ {
name: 'ECDSA', name: 'ECDSA',
@@ -1242,19 +1220,16 @@ class EnhancedSecureCryptoUtils {
dataBuffer dataBuffer
); );
console.log('DEBUG: SHA-384 verification result:', isValid); // Debug logs removed
EnhancedSecureCryptoUtils.secureLog.log('info', 'Signature verification completed (SHA-384)', { // Removed signature verification info logging
isValid,
dataSize: dataBuffer.length
});
return isValid; return isValid;
} catch (sha384Error) { } catch (sha384Error) {
console.log('DEBUG: SHA-384 verification failed, trying SHA-256:', sha384Error); // Debug logs removed
EnhancedSecureCryptoUtils.secureLog.log('warn', 'SHA-384 verification failed, trying SHA-256', { error: sha384Error.message }); // Removed signature verification transition logging
console.log('DEBUG: Trying SHA-256 verification...'); // Debug logs removed
const isValid = await crypto.subtle.verify( const isValid = await crypto.subtle.verify(
{ {
name: 'ECDSA', name: 'ECDSA',
@@ -1265,12 +1240,9 @@ class EnhancedSecureCryptoUtils {
dataBuffer dataBuffer
); );
console.log('DEBUG: SHA-256 verification result:', isValid); // Debug logs removed
EnhancedSecureCryptoUtils.secureLog.log('info', 'Signature verification completed (SHA-256 fallback)', { // Removed signature verification info logging
isValid,
dataSize: dataBuffer.length
});
return isValid; return isValid;
} }
@@ -1366,10 +1338,7 @@ class EnhancedSecureCryptoUtils {
throw new Error(`Invalid or unsupported curve OID: ${curveOidString}`); throw new Error(`Invalid or unsupported curve OID: ${curveOidString}`);
} }
EnhancedSecureCryptoUtils.secureLog.log('info', 'EC key curve validated', { // Removed curve validation info logging
curve: validCurves[curveOidString],
oid: curveOidString
});
} }
// Validate public key BIT STRING // Validate public key BIT STRING
@@ -1432,13 +1401,7 @@ class EnhancedSecureCryptoUtils {
} }
} }
EnhancedSecureCryptoUtils.secureLog.log('info', 'Key structure validation passed', { // Removed key structure validation info logging
keyLen: keyBytes.length,
algorithm: expectedAlgorithm,
asn1Valid: true,
oidValid: true,
importValid: true
});
return true; return true;
} catch (err) { } catch (err) {
@@ -1592,11 +1555,7 @@ class EnhancedSecureCryptoUtils {
signature signature
}; };
EnhancedSecureCryptoUtils.secureLog.log('info', 'Public key exported with signature', { // Removed public key export with signature info logging
keyType,
keySize: keyData.length,
signed: true
});
return signedPackage; return signedPackage;
} catch (error) { } catch (error) {
@@ -1611,11 +1570,7 @@ class EnhancedSecureCryptoUtils {
// Import and verify signed public key // Import and verify signed public key
static async importSignedPublicKey(signedPackage, verifyingKey, expectedKeyType = 'ECDH') { static async importSignedPublicKey(signedPackage, verifyingKey, expectedKeyType = 'ECDH') {
try { try {
console.log('DEBUG: importSignedPublicKey called with:', { // Debug logs removed
signedPackage: signedPackage,
verifyingKey: verifyingKey,
expectedKeyType: expectedKeyType
});
// Validate package structure // Validate package structure
if (!signedPackage || typeof signedPackage !== 'object') { if (!signedPackage || typeof signedPackage !== 'object') {
@@ -1643,11 +1598,9 @@ class EnhancedSecureCryptoUtils {
// Verify signature // Verify signature
const packageCopy = { keyType, keyData, timestamp, version }; const packageCopy = { keyType, keyData, timestamp, version };
const packageString = JSON.stringify(packageCopy); const packageString = JSON.stringify(packageCopy);
console.log('DEBUG: Web version package string for verification:', packageString); // Debug logs removed
console.log('DEBUG: Web version signature to verify:', signature);
console.log('DEBUG: Web version verifying key:', verifyingKey);
const isValidSignature = await EnhancedSecureCryptoUtils.verifySignature(verifyingKey, signature, packageString); const isValidSignature = await EnhancedSecureCryptoUtils.verifySignature(verifyingKey, signature, packageString);
console.log('DEBUG: Web version signature verification result:', isValidSignature); // Debug logs removed
if (!isValidSignature) { if (!isValidSignature) {
throw new Error('Invalid signature on key package - possible MITM attack'); throw new Error('Invalid signature on key package - possible MITM attack');
@@ -1672,18 +1625,12 @@ class EnhancedSecureCryptoUtils {
keyUsages keyUsages
); );
EnhancedSecureCryptoUtils.secureLog.log('info', 'Signed public key imported successfully (P-384)', { // Removed public key import info logging
keyType,
signatureValid: true,
keyAge: Math.round(keyAge / 1000) + 's'
});
return publicKey; return publicKey;
} catch (p384Error) { } catch (p384Error) {
// Fallback to P-256 // Fallback to P-256
EnhancedSecureCryptoUtils.secureLog.log('warn', 'P-384 import failed, trying P-256', { EnhancedSecureCryptoUtils.secureLog.log('warn', 'Elliptic curve P-384 import failed, switching curve', { error: p384Error.message });
error: p384Error.message
});
const algorithm = keyType === 'ECDH' ? const algorithm = keyType === 'ECDH' ?
{ name: 'ECDH', namedCurve: 'P-256' } { name: 'ECDH', namedCurve: 'P-256' }
@@ -1699,11 +1646,7 @@ class EnhancedSecureCryptoUtils {
keyUsages keyUsages
); );
EnhancedSecureCryptoUtils.secureLog.log('info', 'Signed public key imported successfully (P-256 fallback)', { // Removed public key import info logging
keyType,
signatureValid: true,
keyAge: Math.round(keyAge / 1000) + 's'
});
return publicKey; return publicKey;
} }
@@ -1724,7 +1667,7 @@ class EnhancedSecureCryptoUtils {
await EnhancedSecureCryptoUtils.validateKeyStructure(keyData, 'ECDH'); await EnhancedSecureCryptoUtils.validateKeyStructure(keyData, 'ECDH');
EnhancedSecureCryptoUtils.secureLog.log('info', 'Legacy public key exported', { keySize: keyData.length }); // Removed legacy public key export info logging
return keyData; return keyData;
} catch (error) { } catch (error) {
EnhancedSecureCryptoUtils.secureLog.log('error', 'Legacy public key export failed', { error: error.message }); EnhancedSecureCryptoUtils.secureLog.log('error', 'Legacy public key export failed', { error: error.message });
@@ -1752,7 +1695,7 @@ class EnhancedSecureCryptoUtils {
[] []
); );
EnhancedSecureCryptoUtils.secureLog.log('info', 'Legacy public key imported (P-384)', { keySize: keyData.length }); // Removed legacy public key import info logging
return publicKey; return publicKey;
} catch (p384Error) { } catch (p384Error) {
EnhancedSecureCryptoUtils.secureLog.log('warn', 'P-384 import failed, trying P-256', { error: p384Error.message }); EnhancedSecureCryptoUtils.secureLog.log('warn', 'P-384 import failed, trying P-256', { error: p384Error.message });
@@ -1769,7 +1712,7 @@ class EnhancedSecureCryptoUtils {
[] []
); );
EnhancedSecureCryptoUtils.secureLog.log('info', 'Legacy public key imported (P-256 fallback)', { keySize: keyData.length }); // Removed legacy public key import info logging
return publicKey; return publicKey;
} }
} catch (error) { } catch (error) {
@@ -1850,15 +1793,7 @@ class EnhancedSecureCryptoUtils {
const keyFingerprint = await EnhancedSecureCryptoUtils.calculateKeyFingerprint(signedPackage.keyData); const keyFingerprint = await EnhancedSecureCryptoUtils.calculateKeyFingerprint(signedPackage.keyData);
// Log successful verification with security details // Log successful verification with security details
EnhancedSecureCryptoUtils.secureLog.log('info', 'SECURE: Signature verification passed for signed package', { // Removed signature verification pass details to avoid key-related logging
keyType: signedPackage.keyType,
keySize: signedPackage.keyData.length,
timestamp: signedPackage.timestamp,
version: signedPackage.version,
signatureVerified: true,
securityLevel: 'HIGH',
keyFingerprint: keyFingerprint.substring(0, 8) // Only log first 8 chars for security
});
// Import the public key with fallback // Import the public key with fallback
const keyBytes = new Uint8Array(signedPackage.keyData); const keyBytes = new Uint8Array(signedPackage.keyData);
@@ -1921,15 +1856,7 @@ class EnhancedSecureCryptoUtils {
// Enhanced key derivation with metadata protection and 64-byte salt // Enhanced key derivation with metadata protection and 64-byte salt
static async deriveSharedKeys(privateKey, publicKey, salt) { static async deriveSharedKeys(privateKey, publicKey, salt) {
try { try {
EnhancedSecureCryptoUtils.secureLog.log('info', 'Starting key derivation', { // Removed detailed key derivation logging
privateKeyType: typeof privateKey,
publicKeyType: typeof publicKey,
saltLength: salt?.length,
privateKeyAlgorithm: privateKey?.algorithm?.name,
publicKeyAlgorithm: publicKey?.algorithm?.name,
privateKeyUsages: privateKey?.usages,
publicKeyUsages: publicKey?.usages
});
// Validate input parameters are CryptoKey instances // Validate input parameters are CryptoKey instances
if (!(privateKey instanceof CryptoKey)) { if (!(privateKey instanceof CryptoKey)) {
@@ -1959,7 +1886,7 @@ class EnhancedSecureCryptoUtils {
// Step 1: Derive raw ECDH shared secret using pure ECDH // Step 1: Derive raw ECDH shared secret using pure ECDH
let rawSharedSecret; let rawSharedSecret;
try { try {
EnhancedSecureCryptoUtils.secureLog.log('info', 'Step 1: Starting ECDH derivation'); // Removed detailed key derivation logging
// Use pure ECDH to derive raw key material // Use pure ECDH to derive raw key material
const rawKeyMaterial = await crypto.subtle.deriveKey( const rawKeyMaterial = await crypto.subtle.deriveKey(
@@ -1991,7 +1918,7 @@ class EnhancedSecureCryptoUtils {
['deriveKey'] ['deriveKey']
); );
EnhancedSecureCryptoUtils.secureLog.log('info', 'Step 1: ECDH derivation successful'); // Removed detailed key derivation logging
} catch (error) { } catch (error) {
EnhancedSecureCryptoUtils.secureLog.log('error', 'ECDH derivation failed', { EnhancedSecureCryptoUtils.secureLog.log('error', 'ECDH derivation failed', {
error: error.message error: error.message
@@ -2000,7 +1927,7 @@ class EnhancedSecureCryptoUtils {
} }
// Step 2: Use HKDF to derive specific keys directly // Step 2: Use HKDF to derive specific keys directly
EnhancedSecureCryptoUtils.secureLog.log('info', 'Step 2: Starting HKDF key derivation'); // Removed detailed key derivation logging
// Step 3: Derive specific keys using HKDF with unique info parameters // Step 3: Derive specific keys using HKDF with unique info parameters
// Each key uses unique info parameter for proper separation // Each key uses unique info parameter for proper separation
@@ -2132,17 +2059,7 @@ class EnhancedSecureCryptoUtils {
throw new Error('The derived metadata key is not a valid CryptoKey.'); throw new Error('The derived metadata key is not a valid CryptoKey.');
} }
EnhancedSecureCryptoUtils.secureLog.log('info', 'Enhanced shared keys derived successfully with proper HKDF separation', { // Removed detailed key derivation success logging
saltSize: salt.length,
hasMessageKey: true,
hasMacKey: true,
hasPfsKey: true,
hasMetadataKey: true,
nonExtractable: true,
version: '4.0',
allKeysValid: true,
hkdfProperlyImplemented: true
});
return { return {
messageKey, // Renamed from encryptionKey for clarity messageKey, // Renamed from encryptionKey for clarity
@@ -2608,10 +2525,7 @@ class EnhancedSecureCryptoUtils {
// Convert to hexadecimal string // Convert to hexadecimal string
const fingerprint = hashArray.map(b => b.toString(16).padStart(2, '0')).join(''); const fingerprint = hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
EnhancedSecureCryptoUtils.secureLog.log('info', 'Key fingerprint calculated', { // Removed key fingerprint logging
keySize: keyData.length,
fingerprintLength: fingerprint.length
});
return fingerprint; return fingerprint;
} catch (error) { } catch (error) {
src/network/EnhancedSecureWebRTCManager.js
+2 -16
View File
@@ -101,7 +101,7 @@ class EnhancedSecureWebRTCManager {
}; };
// Static debug flag instead of this._debugMode // Static debug flag instead of this._debugMode
static DEBUG_MODE = true; // Set to true during development, false in production static DEBUG_MODE = false; // Set to true during development, false in production
constructor(onMessage, onStatusChange, onKeyExchange, onVerificationRequired, onAnswerError = null, onVerificationStateChange = null, config = {}) { constructor(onMessage, onStatusChange, onKeyExchange, onVerificationRequired, onAnswerError = null, onVerificationStateChange = null, config = {}) {
@@ -3548,8 +3548,6 @@ this._secureLog('info', '🔒 Enhanced Mutex system fully initialized and valida
if (normalizedReceived !== normalizedExpected) { if (normalizedReceived !== normalizedExpected) {
this._secureLog('error', 'DTLS fingerprint mismatch - possible MITM attack', { this._secureLog('error', 'DTLS fingerprint mismatch - possible MITM attack', {
context: context, context: context,
receivedHash: await this._createSafeLogHash(normalizedReceived, 'dtls_fingerprint'),
expectedHash: await this._createSafeLogHash(normalizedExpected, 'dtls_fingerprint'),
timestamp: Date.now() timestamp: Date.now()
}); });
@@ -3558,7 +3556,6 @@ this._secureLog('info', '🔒 Enhanced Mutex system fully initialized and valida
this._secureLog('info', 'DTLS fingerprint validation successful', { this._secureLog('info', 'DTLS fingerprint validation successful', {
context: context, context: context,
fingerprintHash: await this._createSafeLogHash(normalizedReceived, 'dtls_fingerprint'),
timestamp: Date.now() timestamp: Date.now()
}); });
@@ -3829,7 +3826,6 @@ this._secureLog('info', '🔒 Enhanced Mutex system fully initialized and valida
}); });
this._secureLog('info', '✅ Ephemeral ECDH keys generated for PFS', { this._secureLog('info', '✅ Ephemeral ECDH keys generated for PFS', {
sessionIdHash: await this._createSafeLogHash(sessionId, 'session_id'),
timestamp: Date.now() timestamp: Date.now()
}); });
@@ -4789,7 +4785,6 @@ this._secureLog('info', '🔒 Enhanced Mutex system fully initialized and valida
result.set(new Uint8Array(encrypted), EnhancedSecureWebRTCManager.SIZES.NESTED_ENCRYPTION_IV_SIZE); result.set(new Uint8Array(encrypted), EnhancedSecureWebRTCManager.SIZES.NESTED_ENCRYPTION_IV_SIZE);
this._secureLog('debug', '✅ Nested encryption applied with secure IV', { this._secureLog('debug', '✅ Nested encryption applied with secure IV', {
ivHash: await this._createSafeLogHash(uniqueIV, 'nestedEncryption'),
ivSize: uniqueIV.length, ivSize: uniqueIV.length,
dataSize: data.byteLength, dataSize: data.byteLength,
encryptedSize: encrypted.byteLength encryptedSize: encrypted.byteLength
@@ -8019,8 +8014,6 @@ async processMessage(data) {
this._secureLog('debug', 'Ephemeral ECDH keys generated and validated for PFS', { this._secureLog('debug', 'Ephemeral ECDH keys generated and validated for PFS', {
operationId: operationId, operationId: operationId,
privateKeyHash: await this._createSafeLogHash(ecdhKeyPair.privateKey, 'ecdh_private'),
publicKeyHash: await this._createSafeLogHash(ecdhKeyPair.publicKey, 'ecdh_public'),
privateKeyType: ecdhKeyPair.privateKey.algorithm?.name, privateKeyType: ecdhKeyPair.privateKey.algorithm?.name,
publicKeyType: ecdhKeyPair.publicKey.algorithm?.name, publicKeyType: ecdhKeyPair.publicKey.algorithm?.name,
isEphemeral: true isEphemeral: true
@@ -8050,8 +8043,6 @@ async processMessage(data) {
this._secureLog('debug', 'ECDSA keys generated and validated', { this._secureLog('debug', 'ECDSA keys generated and validated', {
operationId: operationId, operationId: operationId,
privateKeyHash: await this._createSafeLogHash(ecdsaKeyPair.privateKey, 'ecdsa_private'),
publicKeyHash: await this._createSafeLogHash(ecdsaKeyPair.publicKey, 'ecdsa_public'),
privateKeyType: ecdsaKeyPair.privateKey.algorithm?.name, privateKeyType: ecdsaKeyPair.privateKey.algorithm?.name,
publicKeyType: ecdsaKeyPair.publicKey.algorithm?.name publicKeyType: ecdsaKeyPair.publicKey.algorithm?.name
}); });
@@ -10451,10 +10442,7 @@ async processMessage(data) {
// MITM Protection: Verify session ID if present (for enhanced security) // MITM Protection: Verify session ID if present (for enhanced security)
if (answerData.sessionId && this.sessionId && answerData.sessionId !== this.sessionId) { if (answerData.sessionId && this.sessionId && answerData.sessionId !== this.sessionId) {
window.EnhancedSecureCryptoUtils.secureLog.log('error', 'Session ID mismatch detected - possible MITM attack', { window.EnhancedSecureCryptoUtils.secureLog.log('error', 'Session ID mismatch detected - possible MITM attack', {});
expectedSessionIdHash: await this._createSafeLogHash(this.sessionId, 'session_id'),
receivedSessionIdHash: await this._createSafeLogHash(answerData.sessionId, 'session_id')
});
throw new Error('Session ID mismatch possible MITM attack'); throw new Error('Session ID mismatch possible MITM attack');
} }
@@ -12189,7 +12177,6 @@ class SecureKeyStorage {
} catch (error) { } catch (error) {
this._secureLog('error', 'Failed to retrieve key', { this._secureLog('error', 'Failed to retrieve key', {
keyIdHash: await this._createSafeLogHash(keyId, 'key_id'),
errorType: error?.constructor?.name || 'Unknown' errorType: error?.constructor?.name || 'Unknown'
}); });
return null; return null;
@@ -12383,7 +12370,6 @@ class SecureKeyStorage {
} catch (error) { } catch (error) {
this._secureLog('error', 'Failed to delete key', { this._secureLog('error', 'Failed to delete key', {
keyIdHash: await this._createSafeLogHash(keyId, 'key_id'),
errorType: error?.constructor?.name || 'Unknown' errorType: error?.constructor?.name || 'Unknown'
}); });
return false; return false;
test.txt
View File