matrix-js-sdk
Version:
Matrix Client-Server SDK for Javascript
1,361 lines (1,064 loc) • 134 kB
JavaScript
"use strict";
var _interopRequireWildcard = require("@babel/runtime/helpers/interopRequireWildcard");
var _interopRequireDefault = require("@babel/runtime/helpers/interopRequireDefault");
Object.defineProperty(exports, "__esModule", {
value: true
});
exports.isCryptoAvailable = isCryptoAvailable;
exports.Crypto = Crypto;
exports.fixBackupKey = fixBackupKey;
exports.verificationMethods = void 0;
var _anotherJson = _interopRequireDefault(require("another-json"));
var _events = require("events");
var _ReEmitter = require("../ReEmitter");
var _logger = require("../logger");
var utils = _interopRequireWildcard(require("../utils"));
var _OlmDevice = require("./OlmDevice");
var olmlib = _interopRequireWildcard(require("./olmlib"));
var _DeviceList = require("./DeviceList");
var _deviceinfo = require("./deviceinfo");
var algorithms = _interopRequireWildcard(require("./algorithms"));
var _CrossSigning = require("./CrossSigning");
var _EncryptionSetup = require("./EncryptionSetup");
var _SecretStorage = require("./SecretStorage");
var _OutgoingRoomKeyRequestManager = require("./OutgoingRoomKeyRequestManager");
var _indexeddbCryptoStore = require("./store/indexeddb-crypto-store");
var _QRCode = require("./verification/QRCode");
var _SAS = require("./verification/SAS");
var _key_passphrase = require("./key_passphrase");
var _recoverykey = require("./recoverykey");
var _VerificationRequest = require("./verification/request/VerificationRequest");
var _InRoomChannel = require("./verification/request/InRoomChannel");
var _ToDeviceChannel = require("./verification/request/ToDeviceChannel");
var _IllegalMethod = require("./verification/IllegalMethod");
var _errors = require("../errors");
var _aes = require("./aes");
var _dehydration = require("./dehydration");
/*
Copyright 2016 OpenMarket Ltd
Copyright 2017 Vector Creations Ltd
Copyright 2018-2019 New Vector Ltd
Copyright 2019-2020 The Matrix.org Foundation C.I.C.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
/**
* @module crypto
*/
const DeviceVerification = _deviceinfo.DeviceInfo.DeviceVerification;
const defaultVerificationMethods = {
[_QRCode.ReciprocateQRCode.NAME]: _QRCode.ReciprocateQRCode,
[_SAS.SAS.NAME]: _SAS.SAS,
// These two can't be used for actual verification, but we do
// need to be able to define them here for the verification flows
// to start.
[_QRCode.SHOW_QR_CODE_METHOD]: _IllegalMethod.IllegalMethod,
[_QRCode.SCAN_QR_CODE_METHOD]: _IllegalMethod.IllegalMethod
};
/**
* verification method names
*/
const verificationMethods = {
RECIPROCATE_QR_CODE: _QRCode.ReciprocateQRCode.NAME,
SAS: _SAS.SAS.NAME
};
exports.verificationMethods = verificationMethods;
function isCryptoAvailable() {
return Boolean(global.Olm);
}
const MIN_FORCE_SESSION_INTERVAL_MS = 60 * 60 * 1000;
const KEY_BACKUP_KEYS_PER_REQUEST = 200;
/**
* Cryptography bits
*
* This module is internal to the js-sdk; the public API is via MatrixClient.
*
* @constructor
* @alias module:crypto
*
* @internal
*
* @param {module:base-apis~MatrixBaseApis} baseApis base matrix api interface
*
* @param {module:store/session/webstorage~WebStorageSessionStore} sessionStore
* Store to be used for end-to-end crypto session data
*
* @param {string} userId The user ID for the local user
*
* @param {string} deviceId The identifier for this device.
*
* @param {Object} clientStore the MatrixClient data store.
*
* @param {module:crypto/store/base~CryptoStore} cryptoStore
* storage for the crypto layer.
*
* @param {RoomList} roomList An initialised RoomList object
*
* @param {Array} verificationMethods Array of verification methods to use.
* Each element can either be a string from MatrixClient.verificationMethods
* or a class that implements a verification method.
*/
function Crypto(baseApis, sessionStore, userId, deviceId, clientStore, cryptoStore, roomList, verificationMethods) {
this._onDeviceListUserCrossSigningUpdated = this._onDeviceListUserCrossSigningUpdated.bind(this);
this._trustCrossSignedDevices = true;
this._reEmitter = new _ReEmitter.ReEmitter(this);
this._baseApis = baseApis;
this._sessionStore = sessionStore;
this._userId = userId;
this._deviceId = deviceId;
this._clientStore = clientStore;
this._cryptoStore = cryptoStore;
this._roomList = roomList;
if (verificationMethods) {
this._verificationMethods = new Map();
for (const method of verificationMethods) {
if (typeof method === "string") {
if (defaultVerificationMethods[method]) {
this._verificationMethods.set(method, defaultVerificationMethods[method]);
}
} else if (method.NAME) {
this._verificationMethods.set(method.NAME, method);
} else {
_logger.logger.warn(`Excluding unknown verification method ${method}`);
}
}
} else {
this._verificationMethods = defaultVerificationMethods;
} // track whether this device's megolm keys are being backed up incrementally
// to the server or not.
// XXX: this should probably have a single source of truth from OlmAccount
this.backupInfo = null; // The info dict from /room_keys/version
this.backupKey = null; // The encryption key object
this._checkedForBackup = false; // Have we checked the server for a backup we can use?
this._sendingBackups = false; // Are we currently sending backups?
this._olmDevice = new _OlmDevice.OlmDevice(cryptoStore);
this._deviceList = new _DeviceList.DeviceList(baseApis, cryptoStore, this._olmDevice); // XXX: This isn't removed at any point, but then none of the event listeners
// this class sets seem to be removed at any point... :/
this._deviceList.on('userCrossSigningUpdated', this._onDeviceListUserCrossSigningUpdated);
this._reEmitter.reEmit(this._deviceList, ["crypto.devicesUpdated", "crypto.willUpdateDevices"]); // the last time we did a check for the number of one-time-keys on the
// server.
this._lastOneTimeKeyCheck = null;
this._oneTimeKeyCheckInProgress = false; // EncryptionAlgorithm instance for each room
this._roomEncryptors = {}; // map from algorithm to DecryptionAlgorithm instance, for each room
this._roomDecryptors = {};
this._supportedAlgorithms = utils.keys(algorithms.DECRYPTION_CLASSES);
this._deviceKeys = {};
this._globalBlacklistUnverifiedDevices = false;
this._globalErrorOnUnknownDevices = true;
this._outgoingRoomKeyRequestManager = new _OutgoingRoomKeyRequestManager.OutgoingRoomKeyRequestManager(baseApis, this._deviceId, this._cryptoStore); // list of IncomingRoomKeyRequests/IncomingRoomKeyRequestCancellations
// we received in the current sync.
this._receivedRoomKeyRequests = [];
this._receivedRoomKeyRequestCancellations = []; // true if we are currently processing received room key requests
this._processingRoomKeyRequests = false; // controls whether device tracking is delayed
// until calling encryptEvent or trackRoomDevices,
// or done immediately upon enabling room encryption.
this._lazyLoadMembers = false; // in case _lazyLoadMembers is true,
// track if an initial tracking of all the room members
// has happened for a given room. This is delayed
// to avoid loading room members as long as possible.
this._roomDeviceTrackingState = {}; // The timestamp of the last time we forced establishment
// of a new session for each device, in milliseconds.
// {
// userId: {
// deviceId: 1234567890000,
// },
// }
this._lastNewSessionForced = {};
this._toDeviceVerificationRequests = new _ToDeviceChannel.ToDeviceRequests();
this._inRoomVerificationRequests = new _InRoomChannel.InRoomRequests(); // This flag will be unset whilst the client processes a sync response
// so that we don't start requesting keys until we've actually finished
// processing the response.
this._sendKeyRequestsImmediately = false;
const cryptoCallbacks = this._baseApis._cryptoCallbacks || {};
const cacheCallbacks = (0, _CrossSigning.createCryptoStoreCacheCallbacks)(cryptoStore, this._olmDevice);
this._crossSigningInfo = new _CrossSigning.CrossSigningInfo(userId, cryptoCallbacks, cacheCallbacks);
this._secretStorage = new _SecretStorage.SecretStorage(baseApis, cryptoCallbacks);
this._dehydrationManager = new _dehydration.DehydrationManager(this); // Assuming no app-supplied callback, default to getting from SSSS.
if (!cryptoCallbacks.getCrossSigningKey && cryptoCallbacks.getSecretStorageKey) {
cryptoCallbacks.getCrossSigningKey = async type => {
return _CrossSigning.CrossSigningInfo.getFromSecretStorage(type, this._secretStorage);
};
}
}
utils.inherits(Crypto, _events.EventEmitter);
/**
* Initialise the crypto module so that it is ready for use
*
* Returns a promise which resolves once the crypto module is ready for use.
*
* @param {Object} opts keyword arguments.
* @param {string} opts.exportedOlmDevice (Optional) data from exported device
* that must be re-created.
*/
Crypto.prototype.init = async function (opts) {
const {
exportedOlmDevice,
pickleKey
} = opts || {};
_logger.logger.log("Crypto: initialising Olm...");
await global.Olm.init();
_logger.logger.log(exportedOlmDevice ? "Crypto: initialising Olm device from exported device..." : "Crypto: initialising Olm device...");
await this._olmDevice.init({
fromExportedDevice: exportedOlmDevice,
pickleKey
});
_logger.logger.log("Crypto: loading device list...");
await this._deviceList.load(); // build our device keys: these will later be uploaded
this._deviceKeys["ed25519:" + this._deviceId] = this._olmDevice.deviceEd25519Key;
this._deviceKeys["curve25519:" + this._deviceId] = this._olmDevice.deviceCurve25519Key;
_logger.logger.log("Crypto: fetching own devices...");
let myDevices = this._deviceList.getRawStoredDevicesForUser(this._userId);
if (!myDevices) {
myDevices = {};
}
if (!myDevices[this._deviceId]) {
// add our own deviceinfo to the cryptoStore
_logger.logger.log("Crypto: adding this device to the store...");
const deviceInfo = {
keys: this._deviceKeys,
algorithms: this._supportedAlgorithms,
verified: DeviceVerification.VERIFIED,
known: true
};
myDevices[this._deviceId] = deviceInfo;
this._deviceList.storeDevicesForUser(this._userId, myDevices);
this._deviceList.saveIfDirty();
}
await this._cryptoStore.doTxn('readonly', [_indexeddbCryptoStore.IndexedDBCryptoStore.STORE_ACCOUNT], txn => {
this._cryptoStore.getCrossSigningKeys(txn, keys => {
// can be an empty object after resetting cross-signing keys, see _storeTrustedSelfKeys
if (keys && Object.keys(keys).length !== 0) {
_logger.logger.log("Loaded cross-signing public keys from crypto store");
this._crossSigningInfo.setKeys(keys);
}
});
}); // make sure we are keeping track of our own devices
// (this is important for key backups & things)
this._deviceList.startTrackingDeviceList(this._userId);
_logger.logger.log("Crypto: checking for key backup...");
this._checkAndStartKeyBackup();
};
/**
* Whether to trust a others users signatures of their devices.
* If false, devices will only be considered 'verified' if we have
* verified that device individually (effectively disabling cross-signing).
*
* Default: true
*
* @return {bool} True if trusting cross-signed devices
*/
Crypto.prototype.getCryptoTrustCrossSignedDevices = function () {
return this._trustCrossSignedDevices;
};
/**
* See getCryptoTrustCrossSignedDevices
* This may be set before initCrypto() is called to ensure no races occur.
*
* @param {bool} val True to trust cross-signed devices
*/
Crypto.prototype.setCryptoTrustCrossSignedDevices = function (val) {
this._trustCrossSignedDevices = val;
for (const userId of this._deviceList.getKnownUserIds()) {
const devices = this._deviceList.getRawStoredDevicesForUser(userId);
for (const deviceId of Object.keys(devices)) {
const deviceTrust = this.checkDeviceTrust(userId, deviceId); // If the device is locally verified then isVerified() is always true,
// so this will only have caused the value to change if the device is
// cross-signing verified but not locally verified
if (!deviceTrust.isLocallyVerified() && deviceTrust.isCrossSigningVerified()) {
const deviceObj = this._deviceList.getStoredDevice(userId, deviceId);
this.emit("deviceVerificationChanged", userId, deviceId, deviceObj);
}
}
}
};
/**
* Create a recovery key from a user-supplied passphrase.
*
* @param {string} password Passphrase string that can be entered by the user
* when restoring the backup as an alternative to entering the recovery key.
* Optional.
* @returns {Promise<Object>} Object with public key metadata, encoded private
* recovery key which should be disposed of after displaying to the user,
* and raw private key to avoid round tripping if needed.
*/
Crypto.prototype.createRecoveryKeyFromPassphrase = async function (password) {
const decryption = new global.Olm.PkDecryption();
try {
const keyInfo = {};
if (password) {
const derivation = await (0, _key_passphrase.keyFromPassphrase)(password);
keyInfo.passphrase = {
algorithm: "m.pbkdf2",
iterations: derivation.iterations,
salt: derivation.salt
};
keyInfo.pubkey = decryption.init_with_private_key(derivation.key);
} else {
keyInfo.pubkey = decryption.generate_key();
}
const privateKey = decryption.get_private_key();
const encodedPrivateKey = (0, _recoverykey.encodeRecoveryKey)(privateKey);
return {
keyInfo,
encodedPrivateKey,
privateKey
};
} finally {
if (decryption) decryption.free();
}
};
/**
* Checks whether cross signing:
* - is enabled on this account and trusted by this device
* - has private keys either cached locally or stored in secret storage
*
* If this function returns false, bootstrapCrossSigning() can be used
* to fix things such that it returns true. That is to say, after
* bootstrapCrossSigning() completes successfully, this function should
* return true.
*
* The cross-signing API is currently UNSTABLE and may change without notice.
*
* @return {bool} True if cross-signing is ready to be used on this device
*/
Crypto.prototype.isCrossSigningReady = async function () {
const publicKeysOnDevice = this._crossSigningInfo.getId();
const privateKeysExistSomewhere = (await this._crossSigningInfo.isStoredInKeyCache()) || (await this._crossSigningInfo.isStoredInSecretStorage(this._secretStorage));
return !!(publicKeysOnDevice && privateKeysExistSomewhere);
};
/**
* Checks whether secret storage:
* - is enabled on this account
* - is storing cross-signing private keys
* - is storing session backup key (if enabled)
*
* If this function returns false, bootstrapSecretStorage() can be used
* to fix things such that it returns true. That is to say, after
* bootstrapSecretStorage() completes successfully, this function should
* return true.
*
* The Secure Secret Storage API is currently UNSTABLE and may change without notice.
*
* @return {bool} True if secret storage is ready to be used on this device
*/
Crypto.prototype.isSecretStorageReady = async function () {
const secretStorageKeyInAccount = await this._secretStorage.hasKey();
const privateKeysInStorage = await this._crossSigningInfo.isStoredInSecretStorage(this._secretStorage);
const sessionBackupInStorage = !this._baseApis.getKeyBackupEnabled() || this._baseApis.isKeyBackupKeyStored();
return !!(secretStorageKeyInAccount && privateKeysInStorage && sessionBackupInStorage);
};
/**
* Bootstrap cross-signing by creating keys if needed. If everything is already
* set up, then no changes are made, so this is safe to run to ensure
* cross-signing is ready for use.
*
* This function:
* - creates new cross-signing keys if they are not found locally cached nor in
* secret storage (if it has been setup)
*
* The cross-signing API is currently UNSTABLE and may change without notice.
*
* @param {function} opts.authUploadDeviceSigningKeys Function
* called to await an interactive auth flow when uploading device signing keys.
* @param {bool} [opts.setupNewCrossSigning] Optional. Reset even if keys
* already exist.
* Args:
* {function} A function that makes the request requiring auth. Receives the
* auth data as an object. Can be called multiple times, first with an empty
* authDict, to obtain the flows.
*/
Crypto.prototype.bootstrapCrossSigning = async function ({
authUploadDeviceSigningKeys,
setupNewCrossSigning
} = {}) {
_logger.logger.log("Bootstrapping cross-signing");
const delegateCryptoCallbacks = this._baseApis._cryptoCallbacks;
const builder = new _EncryptionSetup.EncryptionSetupBuilder(this._baseApis.store.accountData, delegateCryptoCallbacks);
const crossSigningInfo = new _CrossSigning.CrossSigningInfo(this._userId, builder.crossSigningCallbacks, builder.crossSigningCallbacks); // Reset the cross-signing keys
const resetCrossSigning = async () => {
crossSigningInfo.resetKeys(); // Sign master key with device key
await this._signObject(crossSigningInfo.keys.master); // Store auth flow helper function, as we need to call it when uploading
// to ensure we handle auth errors properly.
builder.addCrossSigningKeys(authUploadDeviceSigningKeys, crossSigningInfo.keys); // Cross-sign own device
const device = this._deviceList.getStoredDevice(this._userId, this._deviceId);
const deviceSignature = await crossSigningInfo.signDevice(this._userId, device);
builder.addKeySignature(this._userId, this._deviceId, deviceSignature); // Sign message key backup with cross-signing master key
if (this.backupInfo) {
await crossSigningInfo.signObject(this.backupInfo.auth_data, "master");
builder.addSessionBackup(this.backupInfo);
}
};
const publicKeysOnDevice = this._crossSigningInfo.getId();
const privateKeysInCache = await this._crossSigningInfo.isStoredInKeyCache();
const privateKeysInStorage = await this._crossSigningInfo.isStoredInSecretStorage(this._secretStorage);
const privateKeysExistSomewhere = privateKeysInCache || privateKeysInStorage; // Log all relevant state for easier parsing of debug logs.
_logger.logger.log({
setupNewCrossSigning,
publicKeysOnDevice,
privateKeysInCache,
privateKeysInStorage,
privateKeysExistSomewhere
});
if (!privateKeysExistSomewhere || setupNewCrossSigning) {
_logger.logger.log("Cross-signing private keys not found locally or in secret storage, " + "creating new keys"); // If a user has multiple devices, it important to only call bootstrap
// as part of some UI flow (and not silently during startup), as they
// may have setup cross-signing on a platform which has not saved keys
// to secret storage, and this would reset them. In such a case, you
// should prompt the user to verify any existing devices first (and
// request private keys from those devices) before calling bootstrap.
await resetCrossSigning();
} else if (publicKeysOnDevice && privateKeysInCache) {
_logger.logger.log("Cross-signing public keys trusted and private keys found locally");
} else if (privateKeysInStorage) {
_logger.logger.log("Cross-signing private keys not found locally, but they are available " + "in secret storage, reading storage and caching locally");
await this.checkOwnCrossSigningTrust();
} // Assuming no app-supplied callback, default to storing new private keys in
// secret storage if it exists. If it does not, it is assumed this will be
// done as part of setting up secret storage later.
const crossSigningPrivateKeys = builder.crossSigningCallbacks.privateKeys;
if (crossSigningPrivateKeys.size && !this._baseApis._cryptoCallbacks.saveCrossSigningKeys) {
const secretStorage = new _SecretStorage.SecretStorage(builder.accountDataClientAdapter, builder.ssssCryptoCallbacks);
if (await secretStorage.hasKey()) {
_logger.logger.log("Storing new cross-signing private keys in secret storage"); // This is writing to in-memory account data in
// builder.accountDataClientAdapter so won't fail
await _CrossSigning.CrossSigningInfo.storeInSecretStorage(crossSigningPrivateKeys, secretStorage);
}
}
const operation = builder.buildOperation();
await operation.apply(this); // This persists private keys and public keys as trusted,
// only do this if apply succeeded for now as retry isn't in place yet
await builder.persist(this);
_logger.logger.log("Cross-signing ready");
};
/**
* Bootstrap Secure Secret Storage if needed by creating a default key. If everything is
* already set up, then no changes are made, so this is safe to run to ensure secret
* storage is ready for use.
*
* This function
* - creates a new Secure Secret Storage key if no default key exists
* - if a key backup exists, it is migrated to store the key in the Secret
* Storage
* - creates a backup if none exists, and one is requested
* - migrates Secure Secret Storage to use the latest algorithm, if an outdated
* algorithm is found
*
* The Secure Secret Storage API is currently UNSTABLE and may change without notice.
*
* @param {function} [opts.createSecretStorageKey] Optional. Function
* called to await a secret storage key creation flow.
* Returns:
* {Promise<Object>} Object with public key metadata, encoded private
* recovery key which should be disposed of after displaying to the user,
* and raw private key to avoid round tripping if needed.
* @param {object} [opts.keyBackupInfo] The current key backup object. If passed,
* the passphrase and recovery key from this backup will be used.
* @param {bool} [opts.setupNewKeyBackup] If true, a new key backup version will be
* created and the private key stored in the new SSSS store. Ignored if keyBackupInfo
* is supplied.
* @param {bool} [opts.setupNewSecretStorage] Optional. Reset even if keys already exist.
* @param {func} [opts.getKeyBackupPassphrase] Optional. Function called to get the user's
* current key backup passphrase. Should return a promise that resolves with a Buffer
* containing the key, or rejects if the key cannot be obtained.
* Returns:
* {Promise} A promise which resolves to key creation data for
* SecretStorage#addKey: an object with `passphrase` and/or `pubkey` fields.
*/
Crypto.prototype.bootstrapSecretStorage = async function ({
createSecretStorageKey = async () => ({}),
keyBackupInfo,
setupNewKeyBackup,
setupNewSecretStorage,
getKeyBackupPassphrase
} = {}) {
_logger.logger.log("Bootstrapping Secure Secret Storage");
const delegateCryptoCallbacks = this._baseApis._cryptoCallbacks;
const builder = new _EncryptionSetup.EncryptionSetupBuilder(this._baseApis.store.accountData, delegateCryptoCallbacks);
const secretStorage = new _SecretStorage.SecretStorage(builder.accountDataClientAdapter, builder.ssssCryptoCallbacks); // the ID of the new SSSS key, if we create one
let newKeyId = null; // create a new SSSS key and set it as default
const createSSSS = async (opts, privateKey) => {
opts = opts || {};
if (privateKey) {
opts.key = privateKey;
}
const keyId = await secretStorage.addKey(_SecretStorage.SECRET_STORAGE_ALGORITHM_V1_AES, opts);
if (privateKey) {
// make the private key available to encrypt 4S secrets
builder.ssssCryptoCallbacks.addPrivateKey(keyId, privateKey);
}
await secretStorage.setDefaultKeyId(keyId);
return keyId;
};
const ensureCanCheckPassphrase = async (keyId, keyInfo) => {
if (!keyInfo.mac) {
const key = await this._baseApis._cryptoCallbacks.getSecretStorageKey({
keys: {
[keyId]: keyInfo
}
}, "");
if (key) {
const keyData = key[1];
builder.ssssCryptoCallbacks.addPrivateKey(keyId, keyData);
const {
iv,
mac
} = await _SecretStorage.SecretStorage._calculateKeyCheck(keyData);
keyInfo.iv = iv;
keyInfo.mac = mac;
await builder.setAccountData(`m.secret_storage.key.${keyId}`, keyInfo);
}
}
};
const oldSSSSKey = await this.getSecretStorageKey();
const [oldKeyId, oldKeyInfo] = oldSSSSKey || [null, null];
const storageExists = !setupNewSecretStorage && oldKeyInfo && oldKeyInfo.algorithm === _SecretStorage.SECRET_STORAGE_ALGORITHM_V1_AES; // Log all relevant state for easier parsing of debug logs.
_logger.logger.log({
keyBackupInfo,
setupNewKeyBackup,
setupNewSecretStorage,
storageExists,
oldKeyInfo
});
if (!storageExists && !keyBackupInfo) {
// either we don't have anything, or we've been asked to restart
// from scratch
_logger.logger.log("Secret storage does not exist, creating new storage key"); // if we already have a usable default SSSS key and aren't resetting
// SSSS just use it. otherwise, create a new one
// Note: we leave the old SSSS key in place: there could be other
// secrets using it, in theory. We could move them to the new key but a)
// that would mean we'd need to prompt for the old passphrase, and b)
// it's not clear that would be the right thing to do anyway.
const {
keyInfo,
privateKey
} = await createSecretStorageKey();
newKeyId = await createSSSS(keyInfo, privateKey);
} else if (!storageExists && keyBackupInfo) {
// we have an existing backup, but no SSSS
_logger.logger.log("Secret storage does not exist, using key backup key"); // if we have the backup key already cached, use it; otherwise use the
// callback to prompt for the key
const backupKey = (await this.getSessionBackupPrivateKey()) || (await getKeyBackupPassphrase()); // create a new SSSS key and use the backup key as the new SSSS key
const opts = {};
if (keyBackupInfo.auth_data.private_key_salt && keyBackupInfo.auth_data.private_key_iterations) {
opts.passphrase = {
algorithm: "m.pbkdf2",
iterations: keyBackupInfo.auth_data.private_key_iterations,
salt: keyBackupInfo.auth_data.private_key_salt,
bits: 256
};
}
newKeyId = await createSSSS(opts, backupKey); // store the backup key in secret storage
await secretStorage.store("m.megolm_backup.v1", olmlib.encodeBase64(backupKey), [newKeyId]); // The backup is trusted because the user provided the private key.
// Sign the backup with the cross-signing key so the key backup can
// be trusted via cross-signing.
if (this._crossSigningInfo.getId() && this._crossSigningInfo.isStoredInKeyCache("master")) {
_logger.logger.log("Adding cross-signing signature to key backup");
await this._crossSigningInfo.signObject(keyBackupInfo.auth_data, "master");
} else {
_logger.logger.warn("Cross-signing keys not available, skipping signature on key backup");
}
builder.addSessionBackup(keyBackupInfo);
} else {
// 4S is already set up
_logger.logger.log("Secret storage exists");
if (oldKeyInfo && oldKeyInfo.algorithm === _SecretStorage.SECRET_STORAGE_ALGORITHM_V1_AES) {
// make sure that the default key has the information needed to
// check the passphrase
await ensureCanCheckPassphrase(oldKeyId, oldKeyInfo);
}
} // If we have cross-signing private keys cached, store them in secret
// storage if they are not there already.
if (!this._baseApis._cryptoCallbacks.saveCrossSigningKeys && (await this.isCrossSigningReady()) && (newKeyId || !(await this._crossSigningInfo.isStoredInSecretStorage(secretStorage)))) {
_logger.logger.log("Copying cross-signing private keys from cache to secret storage");
const crossSigningPrivateKeys = await this._crossSigningInfo.getCrossSigningKeysFromCache(); // This is writing to in-memory account data in
// builder.accountDataClientAdapter so won't fail
await _CrossSigning.CrossSigningInfo.storeInSecretStorage(crossSigningPrivateKeys, secretStorage);
}
if (setupNewKeyBackup && !keyBackupInfo) {
_logger.logger.log("Creating new message key backup version");
const info = await this._baseApis.prepareKeyBackupVersion(null
/* random key */
, // don't write to secret storage, as it will write to this._secretStorage.
// Here, we want to capture all the side-effects of bootstrapping,
// and want to write to the local secretStorage object
{
secureSecretStorage: false
}); // write the key ourselves to 4S
const privateKey = (0, _recoverykey.decodeRecoveryKey)(info.recovery_key);
await secretStorage.store("m.megolm_backup.v1", olmlib.encodeBase64(privateKey)); // create keyBackupInfo object to add to builder
const data = {
algorithm: info.algorithm,
auth_data: info.auth_data
};
if (this._crossSigningInfo.getId() && this._crossSigningInfo.isStoredInKeyCache("master")) {
// sign with cross-sign master key
_logger.logger.log("Adding cross-signing signature to key backup");
await this._crossSigningInfo.signObject(data.auth_data, "master");
} else {
_logger.logger.warn("Cross-signing keys not available, skipping signature on key backup");
} // sign with the device fingerprint
await this._signObject(data.auth_data);
builder.addSessionBackup(data);
} // Cache the session backup key
const sessionBackupKey = await secretStorage.get('m.megolm_backup.v1');
if (sessionBackupKey) {
_logger.logger.info("Got session backup key from secret storage: caching"); // fix up the backup key if it's in the wrong format, and replace
// in secret storage
const fixedBackupKey = fixBackupKey(sessionBackupKey);
if (fixedBackupKey) {
await secretStorage.store("m.megolm_backup.v1", fixedBackupKey, [newKeyId || oldKeyId]);
}
const decodedBackupKey = new Uint8Array(olmlib.decodeBase64(fixedBackupKey || sessionBackupKey));
await builder.addSessionBackupPrivateKeyToCache(decodedBackupKey);
}
const operation = builder.buildOperation();
await operation.apply(this); // this persists private keys and public keys as trusted,
// only do this if apply succeeded for now as retry isn't in place yet
await builder.persist(this);
_logger.logger.log("Secure Secret Storage ready");
};
/**
* Fix up the backup key, that may be in the wrong format due to a bug in a
* migration step. Some backup keys were stored as a comma-separated list of
* integers, rather than a base64-encoded byte array. If this function is
* passed a string that looks like a list of integers rather than a base64
* string, it will attempt to convert it to the right format.
*
* @param {string} key the key to check
* @returns {null | string} If the key is in the wrong format, then the fixed
* key will be returned. Otherwise null will be returned.
*
*/
function fixBackupKey(key) {
if (typeof key !== "string" || key.indexOf(",") < 0) {
return null;
}
const fixedKey = Uint8Array.from(key.split(","), x => parseInt(x));
return olmlib.encodeBase64(fixedKey);
}
Crypto.prototype.addSecretStorageKey = function (algorithm, opts, keyID) {
return this._secretStorage.addKey(algorithm, opts, keyID);
};
Crypto.prototype.hasSecretStorageKey = function (keyID) {
return this._secretStorage.hasKey(keyID);
};
Crypto.prototype.getSecretStorageKey = function (keyID) {
return this._secretStorage.getKey(keyID);
};
Crypto.prototype.storeSecret = function (name, secret, keys) {
return this._secretStorage.store(name, secret, keys);
};
Crypto.prototype.getSecret = function (name) {
return this._secretStorage.get(name);
};
Crypto.prototype.isSecretStored = function (name, checkKey) {
return this._secretStorage.isStored(name, checkKey);
};
Crypto.prototype.requestSecret = function (name, devices) {
if (!devices) {
devices = Object.keys(this._deviceList.getRawStoredDevicesForUser(this._userId));
}
return this._secretStorage.request(name, devices);
};
Crypto.prototype.getDefaultSecretStorageKeyId = function () {
return this._secretStorage.getDefaultKeyId();
};
Crypto.prototype.setDefaultSecretStorageKeyId = function (k) {
return this._secretStorage.setDefaultKeyId(k);
};
Crypto.prototype.checkSecretStorageKey = function (key, info) {
return this._secretStorage.checkKey(key, info);
};
/**
* Checks that a given secret storage private key matches a given public key.
* This can be used by the getSecretStorageKey callback to verify that the
* private key it is about to supply is the one that was requested.
*
* @param {Uint8Array} privateKey The private key
* @param {string} expectedPublicKey The public key
* @returns {boolean} true if the key matches, otherwise false
*/
Crypto.prototype.checkSecretStoragePrivateKey = function (privateKey, expectedPublicKey) {
let decryption = null;
try {
decryption = new global.Olm.PkDecryption();
const gotPubkey = decryption.init_with_private_key(privateKey); // make sure it agrees with the given pubkey
return gotPubkey === expectedPublicKey;
} finally {
if (decryption) decryption.free();
}
};
/**
* Fetches the backup private key, if cached
* @returns {Promise} the key, if any, or null
*/
Crypto.prototype.getSessionBackupPrivateKey = async function () {
let key = await new Promise(resolve => {
this._cryptoStore.doTxn('readonly', [_indexeddbCryptoStore.IndexedDBCryptoStore.STORE_ACCOUNT], txn => {
this._cryptoStore.getSecretStorePrivateKey(txn, resolve, "m.megolm_backup.v1");
});
}); // make sure we have a Uint8Array, rather than a string
if (key && typeof key === "string") {
key = new Uint8Array(olmlib.decodeBase64(fixBackupKey(key) || key));
await this.storeSessionBackupPrivateKey(key);
}
if (key && key.ciphertext) {
const pickleKey = Buffer.from(this._olmDevice._pickleKey);
const decrypted = await (0, _aes.decryptAES)(key, pickleKey, "m.megolm_backup.v1");
key = olmlib.decodeBase64(decrypted);
}
return key;
};
/**
* Stores the session backup key to the cache
* @param {Uint8Array} key the private key
* @returns {Promise} so you can catch failures
*/
Crypto.prototype.storeSessionBackupPrivateKey = async function (key) {
if (!(key instanceof Uint8Array)) {
throw new Error(`storeSessionBackupPrivateKey expects Uint8Array, got ${key}`);
}
const pickleKey = Buffer.from(this._olmDevice._pickleKey);
key = await (0, _aes.encryptAES)(olmlib.encodeBase64(key), pickleKey, "m.megolm_backup.v1");
return this._cryptoStore.doTxn('readwrite', [_indexeddbCryptoStore.IndexedDBCryptoStore.STORE_ACCOUNT], txn => {
this._cryptoStore.storeSecretStorePrivateKey(txn, "m.megolm_backup.v1", key);
});
};
/**
* Checks that a given cross-signing private key matches a given public key.
* This can be used by the getCrossSigningKey callback to verify that the
* private key it is about to supply is the one that was requested.
*
* @param {Uint8Array} privateKey The private key
* @param {string} expectedPublicKey The public key
* @returns {boolean} true if the key matches, otherwise false
*/
Crypto.prototype.checkCrossSigningPrivateKey = function (privateKey, expectedPublicKey) {
let signing = null;
try {
signing = new global.Olm.PkSigning();
const gotPubkey = signing.init_with_seed(privateKey); // make sure it agrees with the given pubkey
return gotPubkey === expectedPublicKey;
} finally {
if (signing) signing.free();
}
};
/**
* Run various follow-up actions after cross-signing keys have changed locally
* (either by resetting the keys for the account or by getting them from secret
* storage), such as signing the current device, upgrading device
* verifications, etc.
*/
Crypto.prototype._afterCrossSigningLocalKeyChange = async function () {
_logger.logger.info("Starting cross-signing key change post-processing"); // sign the current device with the new key, and upload to the server
const device = this._deviceList.getStoredDevice(this._userId, this._deviceId);
const signedDevice = await this._crossSigningInfo.signDevice(this._userId, device);
_logger.logger.info(`Starting background key sig upload for ${this._deviceId}`);
const upload = ({
shouldEmit
}) => {
return this._baseApis.uploadKeySignatures({
[this._userId]: {
[this._deviceId]: signedDevice
}
}).then(response => {
const {
failures
} = response || {};
if (Object.keys(failures || []).length > 0) {
if (shouldEmit) {
this._baseApis.emit("crypto.keySignatureUploadFailure", failures, "_afterCrossSigningLocalKeyChange", upload // continuation
);
}
throw new _errors.KeySignatureUploadError("Key upload failed", {
failures
});
}
_logger.logger.info(`Finished background key sig upload for ${this._deviceId}`);
}).catch(e => {
_logger.logger.error(`Error during background key sig upload for ${this._deviceId}`, e);
});
};
upload({
shouldEmit: true
});
const shouldUpgradeCb = this._baseApis._cryptoCallbacks.shouldUpgradeDeviceVerifications;
if (shouldUpgradeCb) {
_logger.logger.info("Starting device verification upgrade"); // Check all users for signatures if upgrade callback present
// FIXME: do this in batches
const users = {};
for (const [userId, crossSigningInfo] of Object.entries(this._deviceList._crossSigningInfo)) {
const upgradeInfo = await this._checkForDeviceVerificationUpgrade(userId, _CrossSigning.CrossSigningInfo.fromStorage(crossSigningInfo, userId));
if (upgradeInfo) {
users[userId] = upgradeInfo;
}
}
if (Object.keys(users).length > 0) {
_logger.logger.info(`Found ${Object.keys(users).length} verif users to upgrade`);
try {
const usersToUpgrade = await shouldUpgradeCb({
users: users
});
if (usersToUpgrade) {
for (const userId of usersToUpgrade) {
if (userId in users) {
await this._baseApis.setDeviceVerified(userId, users[userId].crossSigningInfo.getId());
}
}
}
} catch (e) {
_logger.logger.log("shouldUpgradeDeviceVerifications threw an error: not upgrading", e);
}
}
_logger.logger.info("Finished device verification upgrade");
}
_logger.logger.info("Finished cross-signing key change post-processing");
};
/**
* Check if a user's cross-signing key is a candidate for upgrading from device
* verification.
*
* @param {string} userId the user whose cross-signing information is to be checked
* @param {object} crossSigningInfo the cross-signing information to check
*/
Crypto.prototype._checkForDeviceVerificationUpgrade = async function (userId, crossSigningInfo) {
// only upgrade if this is the first cross-signing key that we've seen for
// them, and if their cross-signing key isn't already verified
const trustLevel = this._crossSigningInfo.checkUserTrust(crossSigningInfo);
if (crossSigningInfo.firstUse && !trustLevel.verified) {
const devices = this._deviceList.getRawStoredDevicesForUser(userId);
const deviceIds = await this._checkForValidDeviceSignature(userId, crossSigningInfo.keys.master, devices);
if (deviceIds.length) {
return {
devices: deviceIds.map(deviceId => _deviceinfo.DeviceInfo.fromStorage(devices[deviceId], deviceId)),
crossSigningInfo
};
}
}
};
/**
* Check if the cross-signing key is signed by a verified device.
*
* @param {string} userId the user ID whose key is being checked
* @param {object} key the key that is being checked
* @param {object} devices the user's devices. Should be a map from device ID
* to device info
*/
Crypto.prototype._checkForValidDeviceSignature = async function (userId, key, devices) {
const deviceIds = [];
if (devices && key.signatures && key.signatures[userId]) {
for (const signame of Object.keys(key.signatures[userId])) {
const [, deviceId] = signame.split(':', 2);
if (deviceId in devices && devices[deviceId].verified === DeviceVerification.VERIFIED) {
try {
await olmlib.verifySignature(this._olmDevice, key, userId, deviceId, devices[deviceId].keys[signame]);
deviceIds.push(deviceId);
} catch (e) {}
}
}
}
return deviceIds;
};
/**
* Get the user's cross-signing key ID.
*
* @param {string} [type=master] The type of key to get the ID of. One of
* "master", "self_signing", or "user_signing". Defaults to "master".
*
* @returns {string} the key ID
*/
Crypto.prototype.getCrossSigningId = function (type) {
return this._crossSigningInfo.getId(type);
};
/**
* Get the cross signing information for a given user.
*
* @param {string} userId the user ID to get the cross-signing info for.
*
* @returns {CrossSigningInfo} the cross signing informmation for the user.
*/
Crypto.prototype.getStoredCrossSigningForUser = function (userId) {
return this._deviceList.getStoredCrossSigningForUser(userId);
};
/**
* Check whether a given user is trusted.
*
* @param {string} userId The ID of the user to check.
*
* @returns {UserTrustLevel}
*/
Crypto.prototype.checkUserTrust = function (userId) {
const userCrossSigning = this._deviceList.getStoredCrossSigningForUser(userId);
if (!userCrossSigning) {
return new _CrossSigning.UserTrustLevel(false, false, false);
}
return this._crossSigningInfo.checkUserTrust(userCrossSigning);
};
/**
* Check whether a given device is trusted.
*
* @param {string} userId The ID of the user whose devices is to be checked.
* @param {string} deviceId The ID of the device to check
*
* @returns {DeviceTrustLevel}
*/
Crypto.prototype.checkDeviceTrust = function (userId, deviceId) {
const device = this._deviceList.getStoredDevice(userId, deviceId);
return this._checkDeviceInfoTrust(userId, device);
};
/**
* Check whether a given deviceinfo is trusted.
*
* @param {string} userId The ID of the user whose devices is to be checked.
* @param {module:crypto/deviceinfo?} device The device info object to check
*
* @returns {DeviceTrustLevel}
*/
Crypto.prototype._checkDeviceInfoTrust = function (userId, device) {
const trustedLocally = !!(device && device.isVerified());
const userCrossSigning = this._deviceList.getStoredCrossSigningForUser(userId);
if (device && userCrossSigning) {
// The _trustCrossSignedDevices only affects trust of other people's cross-signing
// signatures
const trustCrossSig = this._trustCrossSignedDevices || userId === this._userId;
return this._crossSigningInfo.checkDeviceTrust(userCrossSigning, device, trustedLocally, trustCrossSig);
} else {
return new _CrossSigning.DeviceTrustLevel(false, false, trustedLocally, false);
}
};
/*
* Event handler for DeviceList's userNewDevices event
*/
Crypto.prototype._onDeviceListUserCrossSigningUpdated = async function (userId) {
if (userId === this._userId) {
// An update to our own cross-signing key.
// Get the new key first:
const newCrossSigning = this._deviceList.getStoredCrossSigningForUser(userId);
const seenPubkey = newCrossSigning ? newCrossSigning.getId() : null;
const currentPubkey = this._crossSigningInfo.getId();
const changed = currentPubkey !== seenPubkey;
if (currentPubkey && seenPubkey && !changed) {
// If it's not changed, just make sure everything is up to date
await this.checkOwnCrossSigningTrust();
} else {
// We'll now be in a state where cross-signing on the account is not trusted
// because our locally stored cross-signing keys will not match the ones
// on the server for our account. So we clear our own stored cross-signing keys,
// effectively disabling cross-signing until the user gets verified by the device
// that reset the keys
this._storeTrustedSelfKeys(null); // emit cross-signing has been disabled
this.emit("crossSigning.keysChanged", {}); // as the trust for our own user has changed,
// also emit an event for this
this.emit("userTrustStatusChanged", this._userId, this.checkUserTrust(userId));
}
} else {
await this._checkDeviceVerifications(userId); // Update verified before latch using the current state and save the new
// latch value in the device list store.
const crossSigning = this._deviceList.getStoredCrossSigningForUser(userId);
if (crossSigning) {
crossSigning.updateCrossSigningVerifiedBefore(this.checkUserTrust(userId).isCrossSigningVerified());
this._deviceList.setRawStoredCrossSigningForUser(userId, crossSigning.toStorage());
}
this.emit("userTrustStatusChanged", userId, this.checkUserTrust(userId));
}
};
/**
* Check the copy of our cross-signing key that we have in the device list and
* see if we can get the private key. If so, mark it as trusted.
*/
Crypto.prototype.checkOwnCrossSigningTrust = async function () {
const userId = this._userId; // Before proceeding, ensure our cross-signing public keys have been
// downloaded via the device list.
await this.downloadKeys([this._userId]); // If we see an update to our own master key, check it against the master
// key we have and, if it matches, mark it as verified
// First, get the new cross-signing info
const newCrossSigning = this._deviceList.getStoredCrossSigningForUser(userId);
if (!newCrossSigning) {
_logger.logger.error("Got cross-signing update event for user " + userId + " but no new cross-signing information found!");
return;
}
const seenPubkey = newCrossSigning.getId();
const masterChanged = this._crossSigningInfo.getId() !== seenPubkey;
if (masterChanged) {
_logger.logger.info("Got new master public key", seenPubkey);
_logger.logger.info("Attempting to retrieve cross-signing master private key");
let signing = null;
try {
const ret = await this._crossSigningInfo.getCrossSigningKey('master', seenPubkey);
signing = ret[1];
_logger.logger.info("Got cross-signing master private key");
} catch (e) {
_logger.logger.error("Cross-signing master private key not available", e);
} finally {
if (signing) signing.free();
}
}
const oldSelfSigningId = this._crossSigningInfo.getId("self_signing");
const oldUserSigningId = this._crossSigningInfo.getId("user_signing"); // Update the version of our keys in our cross-signing object and the local store
this._storeTrustedSelfKeys(newCrossSigning.keys);
const selfSigningChanged = oldSelfSigningId !== newCrossSigning.getId("self_signing");
const userSigningChanged = oldUserSigningId !== newCrossSigning.getId("user_signing");
const keySignatures = {};
if (selfSigningChanged) {
_logger.logger.info("Got new self-signing key", newCrossSigning.getId("self_signing"));
_logger.logger.info("Attempting to retrieve cross-signing self-signing private key");
let signing = null;
try {
const ret = await this._crossSigningInfo.getCrossSigningKey("self_signing", newCrossSigning.getId("self_signing"));
signing = ret[1];
_logger.logger.info("Got cross-signing self-signing private key");
} catch (e) {
_logger.logger.error("Cross-signing self-signing private key not available", e);
} finally {
if (signing) signing.free();
}
const device = this._deviceList.getStoredDevice(this._userId, this._deviceId);
const signedDevice = await this._crossSigningInfo.signDevice(this._userId, device);
keySignatures[this._deviceId] = signedDevice;
}
if (userSigningChanged) {
_logger.logger.info("Got new user-signing key", newCrossSigning.getId("user_signing"));
_logger.logger.info("Attempting to retrieve cross-signing user-signing private key");
let signing = null;
try {
const ret = await this._crossSigningInfo.getCrossSigningKey("user_signing", newCrossSigning.getId("user_signing"));
signing = ret[1];
_logger.logger.info("Got cross-signing user-signing private key");
} catch (e) {
_logger.logger.error("Cross-signing user-signing private key not available", e);
} finally {
if (signing) signing.free();
}
}
if (masterChanged) {
const masterKey = this._crossSigningInfo.keys.master;
await this._signObject(masterKey);
const deviceSig = masterKey.signatures[this._userId]["ed25519:" + this._deviceId]; // Include only the _new_ device signature in the upload.
// We may have existing signatures from deleted devices, which will cause
// the entire upload to fail.
keySignatures[this._crossSigningInfo.getId()] = Object.assign({}, masterKey, {
signatures: {
[this._userId]: {
["ed25519:" + this._deviceId]: deviceSig
}
}
});
}
const keysToUpload = Object.keys(keySignatures);
if (keysToUpload.length) {
const upload = ({
shouldEmit
}) => {
_logger.logger.info(`Starting background key sig upload for ${keysToUpload}`);
return this._baseApis.uploadKeySignatures({
[this._userId]: keySignatures
}).then(response => {
const {
failure