Webpush crypto refac

JohannHoepfner · JohannHoepfner · commit f986ab9c3dd3 · 2026-04-02T22:57:25.000+02:00
diff --git a/Backend/Altafraner.AfraApp/Otium/Services/EnrollmentService.cs b/Backend/Altafraner.AfraApp/Otium/Services/EnrollmentService.cs
@@ -12,7 +12,6 @@
 using Altafraner.AfraApp.User.Domain.DTO;
 using Altafraner.AfraApp.User.Domain.Models;
 using Altafraner.AfraApp.User.Services;
-using Altafraner.Backbone.EmailSchedulingModule;
 using Altafraner.Backbone.Utils;
 using Microsoft.EntityFrameworkCore;
 using Models_OtiumEinschreibung = Altafraner.AfraApp.Otium.Domain.Models.OtiumEinschreibung;
diff --git a/Backend/Altafraner.Backbone.WebNotification/Services/WebPushSender.cs b/Backend/Altafraner.Backbone.WebNotification/Services/WebPushSender.cs
@@ -2,6 +2,7 @@
 using System.Security.Cryptography;
 using System.Text;
 using System.Text.Json;
+using System.Buffers.Text;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 
@@ -25,9 +26,9 @@ internal sealed class WebPushSender<TPerson> where TPerson : class, IWebNotifica
 
     private readonly string _subject = string.Empty;
     private readonly string _publicKeyBase64Url = string.Empty; // original URL-safe base64 (65 bytes)
-    private readonly byte[] _publicKeyX = [];                   // 32-byte X coordinate
-    private readonly byte[] _publicKeyY = [];                   // 32-byte Y coordinate
-    private readonly byte[] _privateKeyD = [];                  // 32-byte private scalar
+
+    private readonly ECDsa _ecdsa = null!;
+    private readonly ECParameters _ecParams;
 
     /// <summary>
     ///     Constructs a new <see cref="WebPushSender{TPerson}" />.
@@ -52,8 +53,8 @@ public WebPushSender(
         byte[] privKeyBytes;
         try
         {
-            pubKeyBytes = Base64UrlDecode(cfg.PublicKey);
-            privKeyBytes = Base64UrlDecode(cfg.PrivateKey);
+            pubKeyBytes = Base64Url.DecodeFromUtf8(Encoding.UTF8.GetBytes(cfg.PublicKey));
+            privKeyBytes = Base64Url.DecodeFromUtf8(Encoding.UTF8.GetBytes(cfg.PrivateKey));
         }
         catch (FormatException ex)
         {
@@ -69,9 +70,23 @@ public WebPushSender(
                 "VAPID:PrivateKey must be a 32-byte P-256 private scalar (base64url-encoded).");
 
         _publicKeyBase64Url = cfg.PublicKey;
-        _publicKeyX = pubKeyBytes[1..33];
-        _publicKeyY = pubKeyBytes[33..65];
-        _privateKeyD = privKeyBytes;
+        var publicKeyX = pubKeyBytes[1..33];
+        var publicKeyY = pubKeyBytes[33..65];
+        var privateKeyD = privKeyBytes;
+
+        _ecdsa = ECDsa.Create(new ECParameters
+        {
+            Curve = ECCurve.NamedCurves.nistP256,
+            Q = new ECPoint { X = publicKeyX, Y = publicKeyY },
+            D = privateKeyD,
+        });
+        _ecParams = new ECParameters
+        {
+            Curve = ECCurve.NamedCurves.nistP256,
+            Q = new ECPoint { X = publicKeyX, Y = publicKeyY },
+            D = privateKeyD,
+        };
+
         _subject = cfg.Subject ?? string.Empty;
         IsEnabled = true;
     }
@@ -91,8 +106,8 @@ public async Task SendAsync(Uri endpoint, string p256dhBase64Url, string authBas
         if (!IsEnabled)
             return;
 
-        var uaPublicKey = Base64UrlDecode(p256dhBase64Url);
-        var authSecret = Base64UrlDecode(authBase64Url);
+        var uaPublicKey = Base64Url.DecodeFromUtf8(Encoding.UTF8.GetBytes(p256dhBase64Url));
+        var authSecret = Base64Url.DecodeFromUtf8(Encoding.UTF8.GetBytes(authBase64Url));
 
         var body = EncryptPayload(Encoding.UTF8.GetBytes(jsonPayload), uaPublicKey, authSecret);
 
@@ -130,26 +145,19 @@ public async Task SendAsync(Uri endpoint, string p256dhBase64Url, string authBas
 
     private string CreateVapidJwt(string audience)
     {
-        var header = Base64UrlEncode("""{"typ":"JWT","alg":"ES256"}"""u8.ToArray());
+        var header = Base64Url.EncodeToString("""{"typ":"JWT","alg":"ES256"}"""u8.ToArray());
         var exp = DateTimeOffset.UtcNow.AddHours(12).ToUnixTimeSeconds();
-        var payload = Base64UrlEncode(
+        var payload = Base64Url.EncodeToString(
             Encoding.UTF8.GetBytes(
                 JsonSerializer.Serialize(new { aud = audience, exp, sub = _subject })));
 
-        var signingInput = Encoding.ASCII.GetBytes($"{header}.{payload}");
-        var ecParams = new ECParameters
-        {
-            Curve = ECCurve.NamedCurves.nistP256,
-            Q = new ECPoint { X = _publicKeyX, Y = _publicKeyY },
-            D = _privateKeyD,
-        };
-        using var ecdsa = ECDsa.Create(ecParams);
+        var signingInput = Encoding.UTF8.GetBytes($"{header}.{payload}");
 
-        var signature = ecdsa.SignData(
+        var signature = _ecdsa.SignData(
             signingInput, HashAlgorithmName.SHA256,
             DSASignatureFormat.IeeeP1363FixedFieldConcatenation);
 
-        return $"{header}.{payload}.{Base64UrlEncode(signature)}";
+        return $"{header}.{payload}.{Base64Url.EncodeToString(signature)}";
     }
 
     private static byte[] EncryptPayload(byte[] plaintext, byte[] uaPublicKey, byte[] authSecret)
@@ -228,21 +236,4 @@ private static string GetAudience(Uri uri)
     {
         return $"{uri.Scheme}://{uri.Authority}";
     }
-
-    internal static byte[] Base64UrlDecode(string value)
-    {
-        try
-        {
-            var padding = (4 - value.Length % 4) % 4;
-            var base64 = value.Replace('-', '+').Replace('_', '/') + new string('=', padding);
-            return Convert.FromBase64String(base64);
-        }
-        catch (FormatException ex)
-        {
-            throw new FormatException($"The value '{value}' is not valid URL-safe base64.", ex);
-        }
-    }
-
-    internal static string Base64UrlEncode(byte[] data)
-        => Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');
 }
