- Remove unsafe keystore.
- Refactor functionality from unsafe keystore into mutable keystore.
This commit is contained in:
Spencer Ofwiti 2021-02-17 14:13:08 +03:00
parent 458155dc1c
commit c2f257e221
8 changed files with 261 additions and 78 deletions

View File

@ -1,5 +1,4 @@
export * from '@app/_helpers/custom.validator'; export * from '@app/_helpers/custom.validator';
export * from '@app/_helpers/error.interceptor'; export * from '@app/_helpers/error.interceptor';
export * from '@app/_helpers/custom-error-state-matcher'; export * from '@app/_helpers/custom-error-state-matcher';
export * from '@app/_helpers/unsafe-key-store';
export * from '@app/_helpers/pgp-key-store'; export * from '@app/_helpers/pgp-key-store';

View File

@ -1,31 +1,35 @@
const openpgp = require('openpgp'); const openpgp = require('openpgp');
const keyring = new openpgp.Keyring(); const keyring = new openpgp.Keyring();
import { KeyStore } from '@src/assets/js/cic-meta/auth';
interface MutableKeyStore{ interface MutableKeyStore extends KeyStore {
loadKeyring: () => Promise<void>; loadKeyring(): Promise<void>;
importKeyPair: (publicKey: any, privateKey: any) => Promise<void>; importKeyPair(publicKey: any, privateKey: any): Promise<void>;
importPublicKey: (publicKey: any) => Promise<void>; importPublicKey(publicKey: any): Promise<void>;
importPrivateKey: (privateKey: any) => Promise<void>; importPrivateKey(privateKey: any): Promise<void>;
getPublicKeys: () => Array<any>; getPublicKeys(): Array<any>;
getTrustedKeys: () => Array<any>; getTrustedKeys(): Array<any>;
getPrivateKeys: () => Array<any>; getTrustedActiveKeys(): Array<any>;
getPrivateKey: () => any; getEncryptKeys(): Array<any>;
isValidKey: (key: any) => boolean; getPrivateKeys(): Array<any>;
getFingerPrint: () => string; getPrivateKey(): any;
getKeyId: (key: any) => string; isValidKey(key: any): boolean;
getKeysForId: (keyId: string) => Array<any>; getFingerprint(): string;
getPublicKeyForId: (keyId: string) => any; getKeyId(key: any): string;
getPrivateKeyForId: (keyId: string) => any; getPrivateKeyId(): string;
getPublicKeyForSubkeyId: (subkeyId: string) => any; getKeysForId(keyId: string): Array<any>;
getPublicKeysForAddress: (address: string) => Array<any>; getPublicKeyForId(keyId: string): any;
removeKeysForId: (keyId: string) => Array<any>; getPrivateKeyForId(keyId: string): any;
removePublicKeyForId: (keyId: string) => any; getPublicKeyForSubkeyId(subkeyId: string): any;
removePublicKey: (publicKey: any) => any; getPublicKeysForAddress(address: string): Array<any>;
clearKeysInKeyring: () => void; removeKeysForId(keyId: string): Array<any>;
removePublicKeyForId(keyId: string): any;
removePublicKey(publicKey: any): any;
clearKeysInKeyring(): void;
sign(plainText: string): Promise<any>;
} }
class MutablePgpKeyStore implements MutableKeyStore{ class MutablePgpKeyStore implements MutableKeyStore{
fingerprint: string;
async loadKeyring(): Promise<void> { async loadKeyring(): Promise<void> {
await keyring.load(); await keyring.load();
@ -45,7 +49,6 @@ class MutablePgpKeyStore implements MutableKeyStore{
async importPrivateKey(privateKey: any): Promise<void> { async importPrivateKey(privateKey: any): Promise<void> {
await keyring.privateKeys.importKey(privateKey); await keyring.privateKeys.importKey(privateKey);
this.fingerprint = keyring.privateKeys.keys[0].keyPacket.fingerprint;
} }
getPublicKeys(): Array<any> { getPublicKeys(): Array<any> {
@ -56,6 +59,14 @@ class MutablePgpKeyStore implements MutableKeyStore{
return keyring.publicKeys.keys; return keyring.publicKeys.keys;
} }
getTrustedActiveKeys(): Array<any> {
return keyring.publicKeys.keys;
}
getEncryptKeys(): Array<any> {
return [];
}
getPrivateKeys(): Array<any> { getPrivateKeys(): Array<any> {
return keyring.privateKeys.keys; return keyring.privateKeys.keys;
} }
@ -68,14 +79,18 @@ class MutablePgpKeyStore implements MutableKeyStore{
return typeof key === openpgp.Key; return typeof key === openpgp.Key;
} }
getFingerPrint(): string { getFingerprint(): string {
return this.fingerprint; return keyring.privateKeys.keys[0].keyPacket.fingerprint;
} }
getKeyId(key: any): string { getKeyId(key: any): string {
return key.getKeyId().toHex(); return key.getKeyId().toHex();
} }
getPrivateKeyId(): string {
return keyring.privateKeys.keys[0].getKeyId().toHex();
}
getKeysForId(keyId: string): Array<any> { getKeysForId(keyId: string): Array<any> {
return keyring.getKeysForId(keyId); return keyring.getKeysForId(keyId);
} }
@ -112,6 +127,21 @@ class MutablePgpKeyStore implements MutableKeyStore{
clearKeysInKeyring(): void { clearKeysInKeyring(): void {
keyring.clear(); keyring.clear();
} }
async sign(plainText): Promise<any> {
const privateKey = this.getPrivateKey();
if (!privateKey.isDecrypted()) {
const password = window.prompt('password');
await privateKey.decrypt(password);
}
const opts = {
message: openpgp.message.fromText(plainText),
privateKeys: [privateKey],
detached: true,
};
const signatureObject = await openpgp.sign(opts);
return signatureObject.signature;
}
} }
export { export {

View File

@ -1,7 +0,0 @@
import { UnsafeKeyStore } from '@app/_helpers/unsafe-key-store';
describe('UnsafeKeyStore', () => {
it('should create an instance', () => {
expect(new UnsafeKeyStore()).toBeTruthy();
});
});

View File

@ -1,33 +0,0 @@
// import * as openpgp from '@src/assets/js/openpgp.min.js';
const openpgp = require('@src/assets/js/openpgp.min.js');
export function UnsafeKeyStore(): void {
this.key = undefined;
}
UnsafeKeyStore.prototype.set = async function(privateKeyArmored): Promise<void> {
this.key = (await openpgp.key.readArmored(privateKeyArmored)).keys[0];
console.log('set pgp key', this.key.getKeyId().toHex());
};
UnsafeKeyStore.prototype.fingerprint = function(): any {
return this.key.keyPacket.fingerprint;
};
UnsafeKeyStore.prototype.keyId = function(): any {
return this.key.getKeyId();
};
UnsafeKeyStore.prototype.sign = async function(plainText): Promise<any> {
if (!this.key.isDecrypted()) {
const password = window.prompt('password');
await this.key.decrypt(password);
}
const opts = {
message: openpgp.message.fromText(plainText),
privateKeys: [this.key],
detached: true,
};
const signatureObject = await openpgp.sign(opts);
return signatureObject.signature;
};

View File

@ -1,12 +1,11 @@
import { Injectable } from '@angular/core'; import { Injectable } from '@angular/core';
import {MutableKeyStore, MutablePgpKeyStore, UnsafeKeyStore} from '@app/_helpers'; import {MutableKeyStore, MutablePgpKeyStore} from '@app/_helpers';
import { hobaParseChallengeHeader } from '@src/assets/js/hoba.js'; import { hobaParseChallengeHeader } from '@src/assets/js/hoba.js';
import { signChallenge } from '@src/assets/js/hoba-pgp.js'; import { signChallenge } from '@src/assets/js/hoba-pgp.js';
import {environment} from '@src/environments/environment'; import {environment} from '@src/environments/environment';
import {HttpClient} from '@angular/common/http'; import {HttpClient} from '@angular/common/http';
const origin = 'http://localhost:4444'; const origin = 'http://localhost:4444';
const pgpKeyStore = new UnsafeKeyStore();
@Injectable({ @Injectable({
providedIn: 'root' providedIn: 'root'
@ -53,7 +52,6 @@ export class AuthService {
sendResponse(hobaResponseEncoded): void { sendResponse(hobaResponseEncoded): void {
const xhr = new XMLHttpRequest(); const xhr = new XMLHttpRequest();
// xhr.responseType = 'arraybuffer';
xhr.responseType = 'text'; xhr.responseType = 'text';
xhr.open('GET', origin + window.location.search.substring(1)); xhr.open('GET', origin + window.location.search.substring(1));
xhr.setRequestHeader('Authorization', 'HOBA ' + hobaResponseEncoded); xhr.setRequestHeader('Authorization', 'HOBA ' + hobaResponseEncoded);
@ -109,22 +107,21 @@ export class AuthService {
async loginResponse(o): Promise<any> { async loginResponse(o): Promise<any> {
const r = await signChallenge(o.challenge, o.realm, origin, pgpKeyStore); const r = await signChallenge(o.challenge, o.realm, origin, this.mutableKeyStore);
this.sendResponse(r); this.sendResponse(r);
} }
loginView(): void { loginView(): void {
document.getElementById('one').style.display = 'none'; document.getElementById('one').style.display = 'none';
document.getElementById('two').style.display = 'block'; document.getElementById('two').style.display = 'block';
this.setState('click to log in with PGP key ' + pgpKeyStore.keyId().toHex()); this.setState('click to log in with PGP key ' + this.mutableKeyStore.getPrivateKeyId());
} }
async setKey(privateKeyArmored): Promise<boolean> { async setKey(privateKeyArmored): Promise<boolean> {
console.log('settings pk' + privateKeyArmored); console.log('settings pk' + privateKeyArmored);
try { try {
await pgpKeyStore.set(privateKeyArmored);
localStorage.setItem(btoa('CICADA_PRIVATE_KEY'), privateKeyArmored);
await this.mutableKeyStore.importPrivateKey(privateKeyArmored); await this.mutableKeyStore.importPrivateKey(privateKeyArmored);
localStorage.setItem(btoa('CICADA_PRIVATE_KEY'), privateKeyArmored);
} catch (e) { } catch (e) {
console.error('failed setting key', e); console.error('failed setting key', e);
return false; return false;
@ -140,9 +137,7 @@ export class AuthService {
async getPublicKeys(): Promise<void> { async getPublicKeys(): Promise<void> {
this.http.get(`${environment.publicKeysUrl}/keys.asc`).subscribe(async res => { this.http.get(`${environment.publicKeysUrl}/keys.asc`).subscribe(async res => {
const armoredPublicKeys = res; await this.mutableKeyStore.importPublicKey(res);
await this.mutableKeyStore.loadKeyring();
await this.mutableKeyStore.importPublicKey(armoredPublicKeys);
}, error => { }, error => {
console.error('There was an error!', error); console.error('There was an error!', error);
}); });

View File

@ -10,6 +10,6 @@ export class AppComponent {
title = 'cic-staff-client'; title = 'cic-staff-client';
constructor(private authService: AuthService) { constructor(private authService: AuthService) {
this.authService.getPublicKeys().then(); this.authService.mutableKeyStore.loadKeyring().then(r => this.authService.getPublicKeys().then());
} }
} }

View File

@ -0,0 +1,199 @@
import * as pgp from 'openpgp';
import * as crypto from 'crypto';
interface Signable {
digest(): string;
}
type KeyGetter = () => any;
type Signature = {
engine: string
algo: string
data: string
digest: string
};
interface Signer {
prepare(Signable): boolean;
onsign(Signature): void;
onverify(bool): void;
sign(digest: string): void;
verify(digest: string, signature: Signature): void;
fingerprint(): string;
}
interface Authoritative {
}
interface KeyStore {
getPrivateKey: KeyGetter;
getFingerprint: () => string;
getTrustedKeys: () => Array<any>;
getTrustedActiveKeys: () => Array<any>;
getEncryptKeys: () => Array<any>;
}
class PGPKeyStore implements KeyStore {
fingerprint: string;
pk: any;
pubk = {
active: [],
trusted: [],
encrypt: [],
};
loads = 0x00;
loadsTarget = 0x0f;
onload: (k: KeyStore) => void;
constructor(passphrase: string, pkArmor: string, pubkActiveArmor: string, pubkTrustedArmor: string, pubkEncryptArmor: string,
onload = (ks: KeyStore) => {
}) {
this._readKey(pkArmor, undefined, 1, passphrase);
this._readKey(pubkActiveArmor, 'active', 2);
this._readKey(pubkTrustedArmor, 'trusted', 4);
this._readKey(pubkEncryptArmor, 'encrypt', 8);
this.onload = onload;
}
private _readKey(a: string, x: any, n: number, pass?: string): void {
pgp.key.readArmored(a).then((k) => {
if (pass !== undefined) {
this.pk = k.keys[0];
this.pk.decrypt(pass).then(() => {
this.fingerprint = this.pk.getFingerprint();
console.log('private key (sign)', this.fingerprint);
this._registerLoad(n);
});
} else {
this.pubk[x] = k.keys;
k.keys.forEach((pubk) => {
console.log('public key (' + x + ')', pubk.getFingerprint());
});
this._registerLoad(n);
}
});
}
private _registerLoad(b: number): void {
this.loads |= b;
if (this.loads == this.loadsTarget) {
this.onload(this);
}
}
public getTrustedKeys(): Array<any> {
return this.pubk.trusted;
}
public getTrustedActiveKeys(): Array<any> {
return this.pubk.active;
}
public getEncryptKeys(): Array<any> {
return this.pubk.encrypt;
}
public getPrivateKey(): any {
return this.pk;
}
public getFingerprint(): string {
return this.fingerprint;
}
}
class PGPSigner implements Signer {
engine = 'pgp';
algo = 'sha256';
dgst: string;
signature: Signature;
keyStore: KeyStore;
onsign: (Signature) => void;
onverify: (bool) => void;
constructor(keyStore: KeyStore) {
this.keyStore = keyStore;
this.onsign = (string) => {
};
this.onverify = (boolean) => {
};
}
public fingerprint(): string {
return this.keyStore.getFingerprint();
}
public prepare(material: Signable): boolean {
this.dgst = material.digest();
return true;
}
public verify(digest: string, signature: Signature): void {
pgp.signature.readArmored(signature.data).then((s) => {
const opts = {
message: pgp.cleartext.fromText(digest),
publicKeys: this.keyStore.getTrustedKeys(),
signature: s,
};
pgp.verify(opts).then((v) => {
let i = 0;
for (i = 0; i < v.signatures.length; i++) {
const s = v.signatures[i];
if (s.valid) {
this.onverify(s);
return;
}
}
console.error('checked ' + i + ' signature(s) but none valid');
this.onverify(false);
});
}).catch((e) => {
console.error(e);
this.onverify(false);
});
}
public sign(digest: string): void {
const m = pgp.cleartext.fromText(digest);
const pk = this.keyStore.getPrivateKey();
const opts = {
message: m,
privateKeys: [pk],
detached: true,
};
pgp.sign(opts).then((s) => {
this.signature = {
engine: this.engine,
algo: this.algo,
data: s.signature,
// TODO: fix for browser later
digest: digest,
};
this.onsign(this.signature);
}).catch((e) => {
console.error(e);
this.onsign(undefined);
});
}
}
export {
Signature,
Authoritative,
Signer,
KeyGetter,
Signable,
KeyStore,
PGPSigner,
PGPKeyStore,
};

View File

@ -3,7 +3,7 @@ import {hobaResult, hobaToSign} from "@src/assets/js/hoba.js";
const alg = '969'; const alg = '969';
export async function signChallenge(challenge, realm, origin, keyStore) { export async function signChallenge(challenge, realm, origin, keyStore) {
const fingerprint = keyStore.fingerprint(); const fingerprint = keyStore.getFingerprint();
const nonce_array = new Uint8Array(32); const nonce_array = new Uint8Array(32);
crypto.getRandomValues(nonce_array); crypto.getRandomValues(nonce_array);