refactored and simplified the encrypt method. still getting Mozilla decrypt error.

Appears fixed Crypto-Key header
Updates and a remaining authentication error to the push service at Mozilla
18 changed files with 9909 additions and 9722 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,5 @@
 *~
 node_modules
 build
+web_push
+data
--- a/5
+++ b/5
@ -1,7 +1,10 @@
 FROM node:18.17.1-alpine3.17

+RUN mkdir -p /usr/src/app/data
 WORKDIR /usr/src/app

+RUN apk add bash
+
 COPY package*.json ./
 COPY tsconfig.json ./
 COPY .eslintrc.json ./
@ -11,8 +14,6 @@ RUN npm install

 RUN npm run build

-COPY . .
-
 EXPOSE 3000

 CMD [ "npm", "start" ]
--- a/build.sh
+++ b/build.sh
@ -0,0 +1,3 @@
+#!/bin/bash
+
+docker build . -t endorser-push-server:1.0 --no-cache
--- a/crypto_playpen/header.bin
+++ b/crypto_playpen/header.bin
--- a/crypto_playpen/message.txt
+++ b/crypto_playpen/message.txt
@ -0,0 +1 @@
+hello!
--- a/crypto_playpen/privatekey.pem
+++ b/crypto_playpen/privatekey.pem
@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIOjRzTX6T5FkhmOscZZdGp1b1PuOgk2p/YoJ7abFaJPPoAoGCCqGSM49
+AwEHoUQDQgAEQazvs+7/4y9drkN8RZCB3ZCFVhMZQLtcJmgeY5x9+RXqYE18VHJs
+qagywecu9JLckZFFcraOX2hsifyEPQgCYw==
+-----END EC PRIVATE KEY-----
--- a/crypto_playpen/public_key.bin
+++ b/crypto_playpen/public_key.bin
@ -0,0 +1 @@
+A¬ï³îÿã/]®C|E��Ý�…V@»\&hcœ}ùê`M|Trl©¨2Áç.ô’Ü‘‘Er¶Ž_hl‰ü„=c
--- a/crypto_playpen/public_key.der
+++ b/crypto_playpen/public_key.der
--- a/crypto_playpen/publickey.pem
+++ b/crypto_playpen/publickey.pem
@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----                                         
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQazvs+7/4y9drkN8RZCB3ZCFVhMZ
+QLtcJmgeY5x9+RXqYE18VHJsqagywecu9JLckZFFcraOX2hsifyEPQgCYw==
+-----END PUBLIC KEY-----
--- a/crypto_playpen/signature.bin
+++ b/crypto_playpen/signature.bin
--- a/keys.md
+++ b/keys.md
@ -0,0 +1,74 @@
+
+# NOTES on working with Cryptographic Keys
+
+Since the VAPID key pair was created using cyprto.createECDH we could reconstitute our public key
+using only the private key:
+```
+    const curveName = 'prime256v1';
+    const ecdh = crypto.createECDH(curveName);
+    const privateKeyBuffer = Buffer.from(privateKey, 'base64');
+    ecdh.setPrivateKey(privateKeyBuffer);
+    const rawPublicKeyBuffer = ecdh.getPublicKey();
+    
+```
+
+Unfortunately, crypto module creates only "raw" keys.  And when working with jsonwebtoken.sign method
+we must have a PEM or something with ASN metadata.  So, we create PEMs using eckeys-util module:
+
+```
+    const pems = ecKeyUtils.generatePem({curveName, privateKey: ecdh.getPrivateKey(), publicKey: rawPublicKeyBuffer });
+
+    console.log("privateKey: ", pems.privateKey);
+    console.log();
+    console.log("publicKey: ", pems.publicKey);
+
+    const jwtToken = jwt.sign(jwtInfo, pems.privateKey, { algorithm: 'ES256' });
+```
+
+
+I trie here to create my own ASN1 metadata but this seems doomed due to ignorance of what were the required
+components:
+```
+    const asn1Header = Buffer.from('3059301306072a8648ce3d020106082a8648ce3d030107034200', 'hex');
+    const derPublicKeyBuffer = Buffer.concat([asn1Header, rawPublicKeyBuffer]);
+    const base64DerPublicKey = derPublicKeyBuffer.toString('base64');
+    console.log("base64DerPublicKey: ", base64DerPublicKey)
+```
+Such an approach creates a DER key pair. An alternative to that method is:
+```
+    const ders = ecKeyUtils.generateDer({curveName, privateKey: ecdh.getPrivateKey(), publicKey: rawPublicKeyBuffer });
+    console.log("privateKey: ", ders.privateKey);
+    console.log("publicKey: ", ders.publicKey);
+```
+
+... using eckeys-util again ... but I'm not 100% sure if these have all the necessary ASN1 metadata AND
+the DER key will produce this error ...
+
+```
+Error: secretOrPrivateKey must be an asymmetric key when using ES256
+    at module.exports [as sign] (/usr/src/app/node_modules/jsonwebtoken/sign.js:124:22)
+
+```
+... when used in the sign method.  So, apparently, sign does not like the DER binary format but it is
+fine with PEM.
+
+## When sending a notification request to the Mozilla endpoint it does not like the Crypto-Key header:
+
+```
+{
+  "code":400,
+  "errno":110,
+  "error":"Bad Request",
+  "message":"Invalid aes128gcm Crypto-Key header",
+  "more_info":"http://autopush.readthedocs.io/en/latest/http.html#error-codes"
+}
+
+```
+
+fcm.google.com push server:
+
+```
+authorization header had invalid format. authorization header should have the following format: t=jwtToken; k=base64(publicApplicationServerKey)
+
+403
+```
--- a/package-lock.json
+++ b/package-lock.json
@ -9,7 +9,9 @@
            "version": "0.0.0",
            "license": "Apache-2.0",
            "dependencies": {
+                "base64url": "^3.0.1",
                "body-parser": "^1.20.2",
+                "eckey-utils": "^0.7.13",
                "elliptic": "^6.5.4",
                "express": "^4.18.2",
                "http_ece": "^1.1.0",
@ -2586,6 +2588,14 @@
                }
            ]
        },
+        "node_modules/base64url": {
+            "version": "3.0.1",
+            "resolved": "https://registry.npmjs.org/base64url/-/base64url-3.0.1.tgz",
+            "integrity": "sha512-ir1UPr3dkwexU7FdV8qBBbNDRUhMmIekYMFZfi+C/sLNnRESKPl23nB9b2pltqfOQNnGzsDdId90AEtG5tCx4A==",
+            "engines": {
+                "node": ">=6.0.0"
+            }
+        },
        "node_modules/bn.js": {
            "version": "4.12.0",
            "resolved": "https://registry.npmjs.org/bn.js/-/bn.js-4.12.0.tgz",
@ -3590,6 +3600,11 @@
                "safe-buffer": "^5.0.1"
            }
        },
+        "node_modules/eckey-utils": {
+            "version": "0.7.13",
+            "resolved": "https://registry.npmjs.org/eckey-utils/-/eckey-utils-0.7.13.tgz",
+            "integrity": "sha512-medLrbDAa4beQTwcoh2FwRti1d+2b86Op7LtBSaAFNmIRh1MSORt2YwEmAYgp6wf8QEROwJNAoVoC9Rg2Wgbfw=="
+        },
        "node_modules/ee-first": {
            "version": "1.1.1",
            "resolved": "https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz",
--- a/package.json
+++ b/package.json
@ -41,6 +41,7 @@
    "license": "Apache-2.0",
    "dependencies": {
        "body-parser": "^1.20.2",
+        "eckey-utils": "^0.7.13",
        "elliptic": "^6.5.4",
        "express": "^4.18.2",
        "http_ece": "^1.1.0",
--- a/BIN
+++ b/BIN
--- a/src/db.ts
+++ b/src/db.ts
@ -15,7 +15,7 @@ class DBService {
  private constructor() {
    this.dataSource = new DataSource({
      type: "sqlite",
-      database: "push_server",
+      database: "/usr/src/app/data/push_server",  
      entities: [VapidKeys, Subscription],
      synchronize: true
    });
@ -86,11 +86,9 @@ class DBService {


  async getVapidKeys(): Promise<VapidKeys[]> {
-    console.log(__filename, "getVapidKeys", this.isReady);
    let result = [ new VapidKeys() ];
    if ( this.isReady ) {
      result = await this.dataSource.manager.find(VapidKeys);
-      console.log(__filename, "results of find: ", result);
      
    } else {
      console.log(__filename, "Database is not ready");
--- a/src/main.ts
+++ b/src/main.ts
@ -14,7 +14,7 @@ import { dirname, join } from 'path';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);

-export interface Subscription {
+export interface BrowserSubscription {
  endpoint: string;
  keys: {
    p256dh: string;
@ -27,15 +27,13 @@ class Server {
  private port: number;
  private worker?: Worker;
  private subscriptionService: SubscriptionService = SubscriptionService.getInstance();
-  private notificationService: NotificationService;
+  private notificationService: NotificationService = NotificationService.getInstance();
   dbService: DBService = DBService.getInstance();
   vapidService: VapidService = VapidService.getInstance();
-  private message: Message;

  constructor(port: number) {
    this.app = express();
    this.port = port;
-    this.notificationService = new NotificationService();

    this.setupRoutes();
    this.startWorker();
@ -44,32 +42,41 @@ class Server {


  private setupRoutes(): void {
-    this.app.post('/subscribe', async (req: Request, res: Response) => {
-      const subscription = req.body as Subscription;
+    this.app.use(express.json())
+    this.app.post('/web-push/subscribe', async (req: Request, res: Response) => {
+      const subscription = req.body as BrowserSubscription;
+      const message = { "title": "You are subscribed." } as Message;
      await this.subscriptionService.addSubscription(subscription);
+      await this.notificationService.sendNotification(subscription, message);
      res.status(201).send();
    });
    
-    this.app.post('/unsubscribe', async (req: Request, res: Response) => {
-      const subscription = req.body as Subscription;
+    this.app.post('/web-push/unsubscribe', async (req: Request, res: Response) => {
+      const subscription = req.body as BrowserSubscription;
      console.log(subscription);

      res.status(501).send();
    });

-    this.app.post('/mute', async (req: Request, res: Response) => {
-      const subscription = req.body as Subscription;
+    this.app.post('/web-push/mute', async (req: Request, res: Response) => {
+      const subscription = req.body as BrowserSubscription;
      console.log(subscription);

      res.status(501).send();
    });

-    this.app.get('/vapid', async (_: Request, res: Response) => {
+    this.app.get('/web-push/vapid', async (_: Request, res: Response) => {
      const vapidkeys: VapidKeys[] = await this.vapidService.getVapidKeys();
      const vapidkey = vapidkeys[0];

      res.send({"vapidKey": vapidkey['publicKey']});
    });
+
+    this.app.use((req, _, next) => {
+      console.log("Raw body:", req.body);
+      next();
+    });
+
  }


@ -80,8 +87,7 @@ class Server {

    this.worker.on('message', (message) => {
      console.log(message);
-      this.message = { "title": "Check TimeSafari"} as Message;
-      this.notificationService.broadcast(this.message);
+
    });

    this.worker.on('error', (error) => {
@ -95,6 +101,7 @@ class Server {
    });
  }

+
  private setupWorkerListeners(): void {
    if (this.worker) {
      this.worker.on('message', (message) => {
@ -107,6 +114,7 @@ class Server {
    }
  }

+
  public start(): void {
    this.app.listen(this.port, () => {
      console.log(`Server is running on http://localhost:${this.port}`);
@ -116,7 +124,6 @@ class Server {



-
 // Initialize and start the server

 const server = new Server(3000);
@ -128,6 +135,7 @@ const executeAsyncFunction = async () => {
  }
 };

+
 setTimeout(() => {
  executeAsyncFunction().catch(error => {
    // Handle any errors here
--- a/src/notificationService.ts
+++ b/src/notificationService.ts
@ -1,10 +1,9 @@
-import SubscriptionService from './subscriptionService.js';
 import VapidService from './vapidService.js';
 import { VapidKeys } from './VapidKeys.js';
+import { IncomingMessage } from 'http';
 import * as https from 'https';
 import * as http_ece from 'http_ece';
 import crypto from 'crypto';
-import { Subscription } from "./Subscription.js"

 export interface Message {
    title: string;
@ -12,61 +11,78 @@ export interface Message {
    [key: string]: any;
 }

-export class NotificationService {

-    private subscriptionService: SubscriptionService = SubscriptionService.getInstance();
+export interface BrowserSubscription {
+  endpoint: string;
+  keys: {
+    p256dh: string;
+    auth: string;
+  };
+}
+
+interface MyIncomingMessage extends IncomingMessage {
+  errno?: number;
+}
+
+export class NotificationService {
+    private static instance: NotificationService;
    private vapidService: VapidService = VapidService.getInstance();

    constructor() {
    }
    
-    private generateSalt(length = 16): Buffer {
-        return crypto.randomBytes(length);
+    public static getInstance(): NotificationService {
+      if (!NotificationService.instance) {
+        NotificationService.instance = new NotificationService();
+      }
+      return NotificationService.instance;
    }

-    async broadcast(message: Message): Promise<void> {
-        const subscriptions = await this.subscriptionService.fetchSubscriptions();
      
-        for (const subscription of subscriptions) {
+    async sendNotification(subscription: BrowserSubscription, message: Message) {
        await this.pushToEndpoint(subscription, message);
    }
-    }

-    async sendNotification(subscription: Subscription, message: Message) {
-        await this.pushToEndpoint(subscription, message);
-    }

-    private async pushToEndpoint(subscription: Subscription, message: Message): Promise<void> {
-        const payload = JSON.stringify(message);
+    private async pushToEndpoint(subscription: BrowserSubscription, message: Message): Promise<void> {
+        const payloadString = JSON.stringify(message);
+	const payloadBuffer = Buffer.from(payloadString, 'utf-8');
+        const vapidKeys: VapidKeys[] = await this.vapidService.getVapidKeys();
+	const vapidkey: VapidKeys = vapidKeys[0];

-        const encrypted = this.encrypt(subscription.keys_p256dh, subscription.keys_auth, payload);
+        const encrypted = await this.encrypt(subscription.keys.p256dh, subscription.keys.auth, payloadBuffer);
        const endpoint = subscription.endpoint;

-        const vapidHeaders = await this.vapidService.createVapidAuthHeader(endpoint, 12 * 60 * 60, 'mailto:example@example.com');
+        const vapidHeaders = await this.vapidService.createVapidAuthHeader(endpoint, 12 * 60 * 60, 'mailto:example@example.com', vapidkey);

        const parsedUrl = new URL(subscription.endpoint);
        const options: https.RequestOptions = {
            method: 'POST',
            hostname: parsedUrl.hostname,
            path: parsedUrl.pathname,
-            port: parsedUrl.port,
-            headers: {
-                ...vapidHeaders,
-                'TTL': '60',
-                'Content-Encoding': 'aes128gcm',
-                'Content-Type': 'application/octet-stream',
-                'Content-Length': encrypted.length
-            },
+            port: 443,
+            headers: { ...vapidHeaders, 'TTL': '60', 'Content-Encoding': 'aes128gcm', 'Content-Type': 'application/octet-stream', 'Content-Length': encrypted.length },
        };

        return new Promise<void>((resolve, reject) => {
-            const req = https.request(options, (res) => {
+            const req = https.request(options, (res: MyIncomingMessage) => {
+            let body = ''; 
+
+            console.log('Headers:', res.headers);
+
+            res.on('data', chunk => { body += chunk; });
+
+            res.on('end', () => {
+              console.log('Body:', body);
+	      console.log(res.statusCode);
+
              if (res.statusCode! >= 200 && res.statusCode! < 300) {
                resolve();
              } else {
-                    reject(new Error(`Failed to send push notification. Status code: ${res.statusCode}`));
+                reject(new Error(`Failed to send push notification. Status code: ${res.statusCode}, Body: ${body}`));
              }
            });
+          });

          req.on('error', (error) => {
            reject(new Error(`Failed to send push notification. Error: ${error.message}`));
@ -77,18 +93,23 @@ export class NotificationService {
        });
    }

-    private encrypt(publicKey: string, auth: string, payload: string): Buffer {
-        http_ece.keys = {
-            'p256dh': publicKey,
-            'auth': auth
-        };

-        const vapidKeys: VapidKeys = this.vapidService.getVapidKeys()[0];
+    private async encrypt( p256dh: string, auth: string, payload: Buffer): Promise<Buffer> {
+      try {
+        const ecdh = crypto.createECDH('prime256v1');
+	ecdh.generateKeys();
+	const publicKeyBuffer: Buffer = Buffer.from(p256dh, 'base64');
+	
        return http_ece.encrypt(payload, {
-            'salt': this.generateSalt(),
-            'dh': vapidKeys.publicKey,
-            'keyid': 'p256dh',
-            'contentEncoding': 'aes128gcm'
+            'version': 'aes128gcm',
+	    'privateKey': ecdh,
+            'dh': publicKeyBuffer,
+            'authSecret': Buffer.from(auth)
        });
+	
+      } catch (error) {
+        console.error('Error encrypting payload:', error);
+        throw error;
+      }
    }
 }
--- a/src/vapidService.ts
+++ b/src/vapidService.ts
@ -1,4 +1,4 @@
-
+import ecKeyUtils from "eckey-utils";
 import { VapidKeys } from './VapidKeys.js';
 import jwt from 'jsonwebtoken';
 import crypto from 'crypto';
@ -16,7 +16,6 @@ class VapidService {
  private static instance: VapidService;
  private dbService: DBService = DBService.getInstance();

-
  private constructor() {
  }

@ -53,17 +52,6 @@ class VapidService {
    return result;
  }

-/*
-  private async addVapidKeys(vapidkeys: VapidKeyData): Promise<VapidKeys> {
-    let result = new VapidKeys();
-    const keys = await this.getVapidKeys();
-    
-    if (keys.length == 1 && typeof(keys[0].publicKey) == "undefined" ) {
-      result = await this.dbService.saveVapidKeys(vapidkeys.publicKey, vapidkeys.privateKey);
-    }
-    return result;
-  }
-*/

  async getVapidKeys(): Promise<VapidKeys[]> {
    let result = await this.dbService.getVapidKeys();
@ -71,21 +59,86 @@ class VapidService {
  }


-  async createVapidAuthHeader(endpoint: string, expiration: number, subject: string): Promise<{ 'Authorization': string, 'Crypto-Key': string }> {
-    const { publicKey, privateKey } = await this.getVapidKeys()[0];
+  private isP256Key(publicKeyBuffer) {
+    if (publicKeyBuffer.length === 65 && publicKeyBuffer[0] === 0x04) {
+      return true;
+    }
+
+    if (publicKeyBuffer.length === 33 && (publicKeyBuffer[0] === 0x02 || publicKeyBuffer[0] === 0x03)) {
+      return true;
+    }
+    return false;
+  }
+
+
+  async createVapidAuthHeader(endpoint: string, expiration: number, subject: string, appKeys: VapidKeys): Promise<{ 'Authorization': string, 'Crypto-Key': string }> {
+    const { publicKey, privateKey } = appKeys;
+
+    console.log(publicKey);
    
    const jwtInfo = {
      aud: new URL(endpoint).origin,
      exp: Math.floor((Date.now() / 1000) + expiration),
      sub: subject
    };
+    console.log(jwtInfo);
+    const curveName = 'prime256v1';
+    const ecdh = crypto.createECDH(curveName);
+    const privateKeyBuffer = Buffer.from(privateKey, 'base64');
+    ecdh.setPrivateKey(privateKeyBuffer);
+
+    const rawPublicKeyBuffer = ecdh.getPublicKey();
+    const asn1Header = Buffer.from('3059301306072a8648ce3d020106082a8648ce3d030107034200', 'hex');
+    const derPublicKeyBuffer = Buffer.concat([asn1Header, rawPublicKeyBuffer]);
+    const base64DerPublicKey = derPublicKeyBuffer.toString('base64');
+
+    console.log("base64DerPublicKey: ", base64DerPublicKey)
+
+    const pems = ecKeyUtils.generatePem({curveName, privateKey: ecdh.getPrivateKey(), publicKey: rawPublicKeyBuffer });

-    const jwtToken = jwt.sign(jwtInfo, privateKey, { algorithm: 'ES256' });
+    console.log("privateKey: ", pems.privateKey);
+    console.log();
+    console.log("publicKey: ", pems.publicKey);

-    return {
+    const ders = ecKeyUtils.generateDer({curveName, privateKey: ecdh.getPrivateKey(), publicKey: rawPublicKeyBuffer });
+    console.log("privateKey: ", ders.privateKey);
+    console.log("publicKey: ", ders.publicKey);
+    
+    const jwtToken = jwt.sign(jwtInfo, pems.privateKey, { algorithm: 'ES256' });
+
+    try {
+      const decoded = Buffer.from(base64DerPublicKey, 'base64').toString('utf-8');
+      console.log('Valid Base64 Encoded:', decoded);
+
+      console.log('isP256Key:', this.isP256Key(Buffer.from(base64DerPublicKey, 'base64')) );
+      
+    } catch (error) {
+      console.log('Invalid Base64 Encoding');
+      
+    }
+
+    try {
+      const decodedKey = Buffer.from(base64DerPublicKey, 'base64');
+      console.log('Decoded Key Length:', decodedKey.length);
+      if (decodedKey.length !== 65) {
+        console.log('Invalid Key Length');
+	
+      } else {
+        console.log('Key Length is Valid');
+	
+      }
+      
+    } catch (err) {
+     console.log('Invalid Base64-URL Encoding');
+     
+    }
+
+    const result = {
      'Authorization': `vapid t=${jwtToken}, k=${publicKey}`,
-      'Crypto-Key': publicKey
+      'Crypto-Key': "p256ecdsa="+ders.publicKey.toString('base64')
    };
+    console.log(result);
+    return result;
  }
 }
Author	SHA1	Message	Date
Matthew Raymer	608b826d4e	refactored and simplified the encrypt method. still getting Mozilla decrypt error.	1 year ago
Matthew Raymer	2125a0c32b	Appears fixed Crypto-Key header	1 year ago
Matthew Raymer	5570c0e3dd	Updates and a remaining authentication error to the push service at Mozilla	1 year ago
Matthew Raymer	d3dd048efd	BROKEN: got a little further now building JWT	1 year ago
Matthew Raymer	9075ea8c91	Debugged encrypt before sending notification	1 year ago
Matthew Raymer	4a12fc92b5	Fixes for configuration; some debugging code	1 year ago
Matthew Raymer	fdbf0e3b9c	Fix path	1 year ago
Matthew Raymer	bcb636c150	Updates with Dockerfile and tweaks for db persistence	1 year ago
Matthew Raymer	160c0ceff7	Make a local master	1 year ago
			`@ -0,0 +1 @@`
			A¬ï³îÿã/]®C\|E��Ý�…V@»\&hcœ}ùê`M\|Trl©¨2Áç.ô’Ü‘‘Er¶Ž_hl‰ü„=c