Bug fix.

- Remove unsafe keystore.
- Refactor functionality from unsafe keystore into mutable keystore.

src/app/_helpers/index.ts

@@ -1,5 +1,4 @@
 export * from '@app/_helpers/custom.validator';
 export * from '@app/_helpers/error.interceptor';
 export * from '@app/_helpers/custom-error-state-matcher';
-export * from '@app/_helpers/unsafe-key-store';
 export * from '@app/_helpers/pgp-key-store';

src/app/_helpers/pgp-key-store.ts

@@ -1,31 +1,35 @@
 const openpgp = require('openpgp');
 const keyring = new openpgp.Keyring();
+import { KeyStore } from '@src/assets/js/cic-meta/auth';
 
-interface MutableKeyStore{
+interface MutableKeyStore extends KeyStore {
-  loadKeyring: () => Promise<void>;
+  loadKeyring(): Promise<void>;
-  importKeyPair: (publicKey: any, privateKey: any) => Promise<void>;
+  importKeyPair(publicKey: any, privateKey: any): Promise<void>;
-  importPublicKey: (publicKey: any) => Promise<void>;
+  importPublicKey(publicKey: any): Promise<void>;
-  importPrivateKey: (privateKey: any) => Promise<void>;
+  importPrivateKey(privateKey: any): Promise<void>;
-  getPublicKeys: () => Array<any>;
+  getPublicKeys(): Array<any>;
-  getTrustedKeys: () => Array<any>;
+  getTrustedKeys(): Array<any>;
-  getPrivateKeys: () => Array<any>;
+  getTrustedActiveKeys(): Array<any>;
-  getPrivateKey: () => any;
+  getEncryptKeys(): Array<any>;
-  isValidKey: (key: any) => boolean;
+  getPrivateKeys(): Array<any>;
-  getFingerPrint: () => string;
+  getPrivateKey(): any;
-  getKeyId: (key: any) => string;
+  isValidKey(key: any): boolean;
-  getKeysForId: (keyId: string) => Array<any>;
+  getFingerprint(): string;
-  getPublicKeyForId: (keyId: string) => any;
+  getKeyId(key: any): string;
-  getPrivateKeyForId: (keyId: string) => any;
+  getPrivateKeyId(): string;
-  getPublicKeyForSubkeyId: (subkeyId: string) => any;
+  getKeysForId(keyId: string): Array<any>;
-  getPublicKeysForAddress: (address: string) => Array<any>;
+  getPublicKeyForId(keyId: string): any;
-  removeKeysForId: (keyId: string) => Array<any>;
+  getPrivateKeyForId(keyId: string): any;
-  removePublicKeyForId: (keyId: string) => any;
+  getPublicKeyForSubkeyId(subkeyId: string): any;
-  removePublicKey: (publicKey: any) => any;
+  getPublicKeysForAddress(address: string): Array<any>;
-  clearKeysInKeyring: () => void;
+  removeKeysForId(keyId: string): Array<any>;
+  removePublicKeyForId(keyId: string): any;
+  removePublicKey(publicKey: any): any;
+  clearKeysInKeyring(): void;
+  sign(plainText: string): Promise<any>;
 }
 
 class MutablePgpKeyStore implements MutableKeyStore{
-  fingerprint: string;
 
   async loadKeyring(): Promise<void> {
     await keyring.load();
@@ -45,7 +49,6 @@ class MutablePgpKeyStore implements MutableKeyStore{
 
   async importPrivateKey(privateKey: any): Promise<void> {
     await keyring.privateKeys.importKey(privateKey);
-    this.fingerprint = keyring.privateKeys.keys[0].keyPacket.fingerprint;
   }
 
   getPublicKeys(): Array<any> {
@@ -56,6 +59,14 @@ class MutablePgpKeyStore implements MutableKeyStore{
     return keyring.publicKeys.keys;
   }
 
+  getTrustedActiveKeys(): Array<any> {
+    return keyring.publicKeys.keys;
+  }
+
+  getEncryptKeys(): Array<any> {
+    return [];
+  }
+
   getPrivateKeys(): Array<any> {
     return keyring.privateKeys.keys;
   }
@@ -68,14 +79,18 @@ class MutablePgpKeyStore implements MutableKeyStore{
     return typeof key === openpgp.Key;
   }
 
-  getFingerPrint(): string {
+  getFingerprint(): string {
-    return this.fingerprint;
+    return keyring.privateKeys.keys[0].keyPacket.fingerprint;
   }
 
   getKeyId(key: any): string {
     return key.getKeyId().toHex();
   }
 
+  getPrivateKeyId(): string {
+    return keyring.privateKeys.keys[0].getKeyId().toHex();
+  }
+
   getKeysForId(keyId: string): Array<any> {
     return keyring.getKeysForId(keyId);
   }
@@ -112,6 +127,21 @@ class MutablePgpKeyStore implements MutableKeyStore{
   clearKeysInKeyring(): void {
     keyring.clear();
   }
+
+  async sign(plainText): Promise<any> {
+    const privateKey = this.getPrivateKey();
+    if (!privateKey.isDecrypted()) {
+      const password = window.prompt('password');
+      await privateKey.decrypt(password);
+    }
+    const opts = {
+      message: openpgp.message.fromText(plainText),
+      privateKeys: [privateKey],
+      detached: true,
+    };
+    const signatureObject = await openpgp.sign(opts);
+    return signatureObject.signature;
+  }
 }
 
 export {

src/app/_helpers/unsafe-key-store.spec.ts

@@ -1,7 +0,0 @@
-import { UnsafeKeyStore } from '@app/_helpers/unsafe-key-store';
-
-describe('UnsafeKeyStore', () => {
-  it('should create an instance', () => {
-    expect(new UnsafeKeyStore()).toBeTruthy();
-  });
-});

src/app/_helpers/unsafe-key-store.ts

@@ -1,33 +0,0 @@
-// import * as openpgp from '@src/assets/js/openpgp.min.js';
-const openpgp = require('@src/assets/js/openpgp.min.js');
-
-export function UnsafeKeyStore(): void {
-  this.key = undefined;
-}
-
-UnsafeKeyStore.prototype.set = async function(privateKeyArmored): Promise<void> {
-  this.key = (await openpgp.key.readArmored(privateKeyArmored)).keys[0];
-  console.log('set pgp key', this.key.getKeyId().toHex());
-};
-
-UnsafeKeyStore.prototype.fingerprint = function(): any {
-  return this.key.keyPacket.fingerprint;
-};
-
-UnsafeKeyStore.prototype.keyId = function(): any {
-  return this.key.getKeyId();
-};
-
-UnsafeKeyStore.prototype.sign = async function(plainText): Promise<any> {
-  if (!this.key.isDecrypted()) {
-    const password = window.prompt('password');
-    await this.key.decrypt(password);
-  }
-  const opts = {
-    message: openpgp.message.fromText(plainText),
-    privateKeys: [this.key],
-    detached: true,
-  };
-  const signatureObject = await openpgp.sign(opts);
-  return signatureObject.signature;
-};

src/app/_services/auth.service.ts

@@ -1,12 +1,11 @@
 import { Injectable } from '@angular/core';
-import {MutableKeyStore, MutablePgpKeyStore, UnsafeKeyStore} from '@app/_helpers';
+import {MutableKeyStore, MutablePgpKeyStore} from '@app/_helpers';
 import { hobaParseChallengeHeader } from '@src/assets/js/hoba.js';
 import { signChallenge } from '@src/assets/js/hoba-pgp.js';
 import {environment} from '@src/environments/environment';
 import {HttpClient} from '@angular/common/http';
 
 const origin = 'http://localhost:4444';
-const pgpKeyStore = new UnsafeKeyStore();
 
 @Injectable({
   providedIn: 'root'
@@ -53,7 +52,6 @@ export class AuthService {
 
   sendResponse(hobaResponseEncoded): void {
     const xhr = new XMLHttpRequest();
-    // xhr.responseType = 'arraybuffer';
     xhr.responseType = 'text';
     xhr.open('GET', origin + window.location.search.substring(1));
     xhr.setRequestHeader('Authorization', 'HOBA ' + hobaResponseEncoded);
@@ -109,22 +107,21 @@ export class AuthService {
 
 
   async loginResponse(o): Promise<any> {
-    const r = await signChallenge(o.challenge, o.realm, origin, pgpKeyStore);
+    const r = await signChallenge(o.challenge, o.realm, origin, this.mutableKeyStore);
     this.sendResponse(r);
   }
 
   loginView(): void {
     document.getElementById('one').style.display = 'none';
     document.getElementById('two').style.display = 'block';
-    this.setState('click to log in with PGP key ' + pgpKeyStore.keyId().toHex());
+    this.setState('click to log in with PGP key ' + this.mutableKeyStore.getPrivateKeyId());
   }
 
   async setKey(privateKeyArmored): Promise<boolean> {
     console.log('settings pk' + privateKeyArmored);
     try {
-      await pgpKeyStore.set(privateKeyArmored);
-      localStorage.setItem(btoa('CICADA_PRIVATE_KEY'), privateKeyArmored);
       await this.mutableKeyStore.importPrivateKey(privateKeyArmored);
+      localStorage.setItem(btoa('CICADA_PRIVATE_KEY'), privateKeyArmored);
     } catch (e) {
       console.error('failed setting key', e);
       return false;
@@ -140,9 +137,7 @@ export class AuthService {
 
   async getPublicKeys(): Promise<void> {
     this.http.get(`${environment.publicKeysUrl}/keys.asc`).subscribe(async res => {
-      const armoredPublicKeys = res;
+      await this.mutableKeyStore.importPublicKey(res);
-      await this.mutableKeyStore.loadKeyring();
-      await this.mutableKeyStore.importPublicKey(armoredPublicKeys);
     }, error => {
       console.error('There was an error!', error);
     });

src/app/app.component.ts

@@ -10,6 +10,6 @@ export class AppComponent {
   title = 'cic-staff-client';
 
   constructor(private authService: AuthService) {
-    this.authService.getPublicKeys().then();
+    this.authService.mutableKeyStore.loadKeyring().then(r => this.authService.getPublicKeys().then());
   }
 }

src/assets/js/cic-meta/auth.ts

@@ -0,0 +1,199 @@
+import * as pgp from 'openpgp';
+import * as crypto from 'crypto';
+
+interface Signable {
+  digest(): string;
+}
+
+type KeyGetter = () => any;
+
+type Signature = {
+  engine: string
+  algo: string
+  data: string
+  digest: string
+};
+
+interface Signer {
+  prepare(Signable): boolean;
+
+  onsign(Signature): void;
+
+  onverify(bool): void;
+
+  sign(digest: string): void;
+
+  verify(digest: string, signature: Signature): void;
+
+  fingerprint(): string;
+}
+
+
+interface Authoritative {
+}
+
+interface KeyStore {
+  getPrivateKey: KeyGetter;
+  getFingerprint: () => string;
+  getTrustedKeys: () => Array<any>;
+  getTrustedActiveKeys: () => Array<any>;
+  getEncryptKeys: () => Array<any>;
+}
+
+class PGPKeyStore implements KeyStore {
+
+  fingerprint: string;
+  pk: any;
+
+  pubk = {
+    active: [],
+    trusted: [],
+    encrypt: [],
+  };
+  loads = 0x00;
+  loadsTarget = 0x0f;
+  onload: (k: KeyStore) => void;
+
+  constructor(passphrase: string, pkArmor: string, pubkActiveArmor: string, pubkTrustedArmor: string, pubkEncryptArmor: string,
+              onload = (ks: KeyStore) => {
+              }) {
+    this._readKey(pkArmor, undefined, 1, passphrase);
+    this._readKey(pubkActiveArmor, 'active', 2);
+    this._readKey(pubkTrustedArmor, 'trusted', 4);
+    this._readKey(pubkEncryptArmor, 'encrypt', 8);
+    this.onload = onload;
+  }
+
+  private _readKey(a: string, x: any, n: number, pass?: string): void {
+    pgp.key.readArmored(a).then((k) => {
+      if (pass !== undefined) {
+        this.pk = k.keys[0];
+        this.pk.decrypt(pass).then(() => {
+          this.fingerprint = this.pk.getFingerprint();
+          console.log('private key (sign)', this.fingerprint);
+          this._registerLoad(n);
+        });
+      } else {
+        this.pubk[x] = k.keys;
+        k.keys.forEach((pubk) => {
+          console.log('public key (' + x + ')', pubk.getFingerprint());
+        });
+        this._registerLoad(n);
+      }
+    });
+  }
+
+  private _registerLoad(b: number): void {
+    this.loads |= b;
+    if (this.loads == this.loadsTarget) {
+      this.onload(this);
+    }
+  }
+
+  public getTrustedKeys(): Array<any> {
+    return this.pubk.trusted;
+  }
+
+  public getTrustedActiveKeys(): Array<any> {
+    return this.pubk.active;
+  }
+
+  public getEncryptKeys(): Array<any> {
+    return this.pubk.encrypt;
+  }
+
+  public getPrivateKey(): any {
+    return this.pk;
+  }
+
+  public getFingerprint(): string {
+    return this.fingerprint;
+  }
+}
+
+class PGPSigner implements Signer {
+
+  engine = 'pgp';
+  algo = 'sha256';
+  dgst: string;
+  signature: Signature;
+  keyStore: KeyStore;
+  onsign: (Signature) => void;
+  onverify: (bool) => void;
+
+  constructor(keyStore: KeyStore) {
+    this.keyStore = keyStore;
+    this.onsign = (string) => {
+    };
+    this.onverify = (boolean) => {
+    };
+  }
+
+  public fingerprint(): string {
+    return this.keyStore.getFingerprint();
+  }
+
+  public prepare(material: Signable): boolean {
+    this.dgst = material.digest();
+    return true;
+  }
+
+  public verify(digest: string, signature: Signature): void {
+    pgp.signature.readArmored(signature.data).then((s) => {
+      const opts = {
+        message: pgp.cleartext.fromText(digest),
+        publicKeys: this.keyStore.getTrustedKeys(),
+        signature: s,
+      };
+      pgp.verify(opts).then((v) => {
+        let i = 0;
+        for (i = 0; i < v.signatures.length; i++) {
+          const s = v.signatures[i];
+          if (s.valid) {
+            this.onverify(s);
+            return;
+          }
+        }
+        console.error('checked ' + i + ' signature(s) but none valid');
+        this.onverify(false);
+      });
+    }).catch((e) => {
+      console.error(e);
+      this.onverify(false);
+    });
+  }
+
+  public sign(digest: string): void {
+    const m = pgp.cleartext.fromText(digest);
+    const pk = this.keyStore.getPrivateKey();
+    const opts = {
+      message: m,
+      privateKeys: [pk],
+      detached: true,
+    };
+    pgp.sign(opts).then((s) => {
+      this.signature = {
+        engine: this.engine,
+        algo: this.algo,
+        data: s.signature,
+        // TODO: fix for browser later
+        digest: digest,
+      };
+      this.onsign(this.signature);
+    }).catch((e) => {
+      console.error(e);
+      this.onsign(undefined);
+    });
+  }
+}
+
+export {
+  Signature,
+  Authoritative,
+  Signer,
+  KeyGetter,
+  Signable,
+  KeyStore,
+  PGPSigner,
+  PGPKeyStore,
+};

src/assets/js/hoba-pgp.js

@@ -3,7 +3,7 @@ import {hobaResult, hobaToSign} from "@src/assets/js/hoba.js";
 const alg = '969';
 
 export async function signChallenge(challenge, realm, origin, keyStore) {
-	const fingerprint = keyStore.fingerprint();
+	const fingerprint = keyStore.getFingerprint();
 	const nonce_array = new Uint8Array(32);
 	crypto.getRandomValues(nonce_array);