github.com/keybase/client/go@v0.0.0-20241007131713-f10651d043c8/ephemeral/device_ek.go (about) 1 package ephemeral 2 3 import ( 4 "encoding/json" 5 "fmt" 6 7 "github.com/keybase/client/go/kbcrypto" 8 "github.com/keybase/client/go/libkb" 9 "github.com/keybase/client/go/protocol/keybase1" 10 ) 11 12 type DeviceEKSeed keybase1.Bytes32 13 14 func newDeviceEphemeralSeed() (seed DeviceEKSeed, err error) { 15 randomSeed, err := makeNewRandomSeed() 16 if err != nil { 17 return seed, err 18 } 19 return DeviceEKSeed(randomSeed), nil 20 } 21 22 func (s *DeviceEKSeed) DeriveDHKey() *libkb.NaclDHKeyPair { 23 return deriveDHKey(keybase1.Bytes32(*s), libkb.DeriveReasonDeviceEKEncryption) 24 } 25 26 func postNewDeviceEK(mctx libkb.MetaContext, sig string) (err error) { 27 defer mctx.Trace("postNewDeviceEK", &err)() 28 29 apiArg := libkb.APIArg{ 30 Endpoint: "user/device_ek", 31 SessionType: libkb.APISessionTypeREQUIRED, 32 Args: libkb.HTTPArgs{ 33 "sig": libkb.S{Val: sig}, 34 "device_id": libkb.S{Val: string(mctx.ActiveDevice().DeviceID())}, 35 }, 36 } 37 _, err = mctx.G().GetAPI().Post(mctx, apiArg) 38 return err 39 } 40 41 func serverMaxDeviceEK(mctx libkb.MetaContext, merkleRoot libkb.MerkleRoot) (maxGeneration keybase1.EkGeneration, err error) { 42 defer mctx.Trace("serverMaxDeviceEK", &err)() 43 44 deviceEKs, err := allDeviceEKMetadataMaybeStale(mctx, merkleRoot) 45 if err != nil { 46 return maxGeneration, err 47 } 48 deviceID := mctx.ActiveDevice().DeviceID() 49 metadata, ok := deviceEKs[deviceID] 50 if ok { 51 return metadata.Generation, nil 52 } 53 // We may not have an EK yet, let's try with this and fail if the server 54 // rejects. 55 mctx.Debug("No deviceEK found on the server") 56 return 0, nil 57 } 58 59 func publishNewDeviceEK(mctx libkb.MetaContext, merkleRoot libkb.MerkleRoot) (metadata keybase1.DeviceEkMetadata, err error) { 60 defer mctx.Trace("publishNewDeviceEK", &err)() 61 62 seed, err := newDeviceEphemeralSeed() 63 if err != nil { 64 return metadata, err 65 } 66 67 storage := mctx.G().GetDeviceEKStorage() 68 generation, err := storage.MaxGeneration(mctx, true) 69 if err != nil || generation < 0 { 70 // Let's try to get the max from the server 71 generation, err = serverMaxDeviceEK(mctx, merkleRoot) 72 if err != nil { 73 return metadata, err 74 } 75 } 76 // This is our first generation 77 if generation < 0 { 78 generation = 0 79 } 80 generation++ 81 82 metadata, err = signAndPostDeviceEK(mctx, generation, seed, merkleRoot) 83 if err != nil { 84 mctx.Debug("Error posting deviceEK, retrying with server maxGeneration") 85 // Let's retry posting with the server given max 86 generation, err = serverMaxDeviceEK(mctx, merkleRoot) 87 if err != nil { 88 return metadata, err 89 } 90 generation++ 91 metadata, err = signAndPostDeviceEK(mctx, generation, seed, merkleRoot) 92 if err != nil { 93 return metadata, err 94 } 95 } 96 97 return metadata, err 98 } 99 100 func signAndPostDeviceEK(mctx libkb.MetaContext, generation keybase1.EkGeneration, 101 seed DeviceEKSeed, merkleRoot libkb.MerkleRoot) (metadata keybase1.DeviceEkMetadata, err error) { 102 defer mctx.Trace("signAndPostDeviceEK", &err)() 103 104 storage := mctx.G().GetDeviceEKStorage() 105 106 // Sign the statement blob with the device's long term signing key. 107 signingKey, err := mctx.ActiveDevice().SigningKey() 108 if err != nil { 109 return metadata, err 110 } 111 112 dhKeypair := seed.DeriveDHKey() 113 statement, signedStatement, err := signDeviceEKStatement(generation, dhKeypair, signingKey, merkleRoot) 114 115 metadata = statement.CurrentDeviceEkMetadata 116 // Ensure we successfully write the secret to disk before posting to the 117 // server since the secret never leaves the device. 118 if err = storage.Put(mctx, generation, keybase1.DeviceEk{ 119 Seed: keybase1.Bytes32(seed), 120 Metadata: metadata, 121 }); err != nil { 122 return metadata, err 123 } 124 125 err = postNewDeviceEK(mctx, signedStatement) 126 if err != nil { 127 storage.ClearCache() 128 serr := NewDeviceEKStorage(mctx).Delete(mctx, generation, "unable to post deviceEK: %v", err) 129 if serr != nil { 130 mctx.Debug("DeviceEK deletion failed %v", err) 131 } 132 } 133 134 return metadata, err 135 } 136 137 func signDeviceEKStatement(generation keybase1.EkGeneration, dhKeypair *libkb.NaclDHKeyPair, signingKey libkb.GenericKey, merkleRoot libkb.MerkleRoot) (statement keybase1.DeviceEkStatement, signedStatement string, err error) { 138 metadata := keybase1.DeviceEkMetadata{ 139 Kid: dhKeypair.GetKID(), 140 Generation: generation, 141 HashMeta: merkleRoot.HashMeta(), 142 // The ctime is derivable from the hash meta, by fetching the hashed 143 // root from the server, but including it saves readers a potential 144 // extra round trip. 145 Ctime: keybase1.TimeFromSeconds(merkleRoot.Ctime()), 146 } 147 statement = keybase1.DeviceEkStatement{ 148 CurrentDeviceEkMetadata: metadata, 149 } 150 151 statementJSON, err := json.Marshal(statement) 152 if err != nil { 153 return statement, signedStatement, err 154 } 155 156 signedStatement, _, err = signingKey.SignToString(statementJSON) 157 return statement, signedStatement, err 158 } 159 160 type deviceEKStatementResponse struct { 161 Sigs []string `json:"sigs"` 162 } 163 164 func allDeviceEKMetadataMaybeStale(mctx libkb.MetaContext, merkleRoot libkb.MerkleRoot) (metadata map[keybase1.DeviceID]keybase1.DeviceEkMetadata, err error) { 165 defer mctx.Trace("allDeviceEKMetadataMaybeStale", &err)() 166 167 apiArg := libkb.APIArg{ 168 Endpoint: "user/device_eks", 169 SessionType: libkb.APISessionTypeREQUIRED, 170 Args: libkb.HTTPArgs{}, 171 } 172 res, err := mctx.G().GetAPI().Get(mctx, apiArg) 173 if err != nil { 174 return nil, err 175 } 176 177 parsedResponse := deviceEKStatementResponse{} 178 err = res.Body.UnmarshalAgain(&parsedResponse) 179 if err != nil { 180 return nil, err 181 } 182 183 // Make a map of the user's own active devices, by KID. We'll use this to 184 // match deviceEK sigs with the device that issued them below. (Checking 185 // the signing key is intentionally the only way to do this, so that we're 186 // forced to check authenticity.) 187 getDeviceKIDs := func(force bool) (map[keybase1.KID]keybase1.PublicKey, error) { 188 arg := libkb.NewLoadUserArgWithMetaContext( 189 mctx).WithUID(mctx.ActiveDevice().UID()) 190 if force { 191 arg = arg.WithForceReload() 192 } 193 self, _, err := mctx.G().GetUPAKLoader().Load(arg) 194 if err != nil { 195 return nil, err 196 } 197 kidToDevice := map[keybase1.KID]keybase1.PublicKey{} 198 for _, device := range self.Base.DeviceKeys { 199 if device.IsRevoked { 200 continue 201 } 202 kidToDevice[device.KID] = device 203 } 204 return kidToDevice, nil 205 } 206 207 kidToDevice, err := getDeviceKIDs(false) 208 if err != nil { 209 return nil, err 210 } 211 212 if len(kidToDevice) != len(parsedResponse.Sigs) { 213 mctx.Debug("mismatch of active devices in UPAK to device EK sigs (%d (upak) != %d (ek sigs), attempting force reload.", len(kidToDevice), len(parsedResponse.Sigs)) 214 // force a reload in case we are missing a device 215 kidToDevice, err = getDeviceKIDs(true) 216 if err != nil { 217 return nil, err 218 } 219 mctx.Debug("%d active devices found after force reload vs %d sigs.", len(kidToDevice), len(parsedResponse.Sigs)) 220 } 221 222 // The client now needs to verify two things about these blobs its 223 // received: 1) Each is validly signed. 2) The signing key belongs to one 224 // of the current user's devices. 225 metadata = map[keybase1.DeviceID]keybase1.DeviceEkMetadata{} 226 for _, sig := range parsedResponse.Sigs { 227 // Verify the sig. 228 signerKey, payload, _, err := kbcrypto.NaclVerifyAndExtract(sig) 229 if err != nil { 230 return nil, err 231 } 232 233 // Find the device that matches the signing key. This checks 234 // authenticity. 235 matchingDevice, ok := kidToDevice[signerKey.GetKID()] 236 if !ok { 237 return nil, fmt.Errorf("deviceEK returned for unknown device KID %s", signerKey.GetKID()) 238 } 239 240 // Decode the signed JSON. 241 var verifiedStatement keybase1.DeviceEkStatement 242 err = json.Unmarshal(payload, &verifiedStatement) 243 if err != nil { 244 return nil, err 245 } 246 247 metadata[matchingDevice.DeviceID] = verifiedStatement.CurrentDeviceEkMetadata 248 } 249 250 return metadata, nil 251 } 252 253 // allActiveDeviceEKMetadata fetches the latest deviceEK for each of your 254 // devices, filtering out the ones that are stale. 255 func allActiveDeviceEKMetadata(mctx libkb.MetaContext, merkleRoot libkb.MerkleRoot) (metadata map[keybase1.DeviceID]keybase1.DeviceEkMetadata, err error) { 256 defer mctx.Trace("allActiveDeviceEKMetadata", &err)() 257 258 maybeStale, err := allDeviceEKMetadataMaybeStale(mctx, merkleRoot) 259 if err != nil { 260 return nil, err 261 } 262 263 active := map[keybase1.DeviceID]keybase1.DeviceEkMetadata{} 264 for deviceID, metadata := range maybeStale { 265 // Check whether the key is stale. This isn't considered an error, 266 // since the server doesn't do this check for us. We log these cases 267 // and skip them. 268 if ctimeIsStale(metadata.Ctime.Time(), merkleRoot) { 269 mctx.Debug("skipping stale deviceEK %s for device KID %s", metadata.Kid, deviceID) 270 continue 271 } 272 active[deviceID] = metadata 273 } 274 275 return active, nil 276 }