github.com/keybase/client/go@v0.0.0-20241007131713-f10651d043c8/ephemeral/teambot_ek.go (about)

     1  package ephemeral
     2  
     3  import (
     4  	"crypto/hmac"
     5  	"crypto/sha256"
     6  	"encoding/json"
     7  	"fmt"
     8  	"time"
     9  
    10  	"github.com/keybase/client/go/kbcrypto"
    11  	"github.com/keybase/client/go/libkb"
    12  	"github.com/keybase/client/go/protocol/gregor1"
    13  	"github.com/keybase/client/go/protocol/keybase1"
    14  	"github.com/keybase/client/go/teambot"
    15  	"github.com/keybase/client/go/teams"
    16  )
    17  
    18  type TeambotEKSeed keybase1.Bytes32
    19  
    20  func (s *TeambotEKSeed) DeriveDHKey() *libkb.NaclDHKeyPair {
    21  	return deriveDHKey(keybase1.Bytes32(*s), libkb.DeriveReasonTeambotEKEncryption)
    22  }
    23  
    24  func deriveTeambotEKFromTeamEK(mctx libkb.MetaContext, teamEK keybase1.TeamEk, botUID keybase1.UID) TeambotEKSeed {
    25  	hasher := hmac.New(sha256.New, teamEK.Seed[:])
    26  	_, _ = hasher.Write(botUID.ToBytes())
    27  	_, _ = hasher.Write([]byte(libkb.EncryptionReasonTeambotEphemeralKey))
    28  	return TeambotEKSeed(libkb.MakeByte32(hasher.Sum(nil)))
    29  }
    30  
    31  func newTeambotEKSeedFromBytes(b []byte) (s TeambotEKSeed, err error) {
    32  	seed, err := newEKSeedFromBytes(b)
    33  	if err != nil {
    34  		return s, err
    35  	}
    36  	return TeambotEKSeed(seed), nil
    37  }
    38  
    39  type TeambotEphemeralKeyer struct{}
    40  
    41  var _ EphemeralKeyer = (*TeambotEphemeralKeyer)(nil)
    42  
    43  func NewTeambotEphemeralKeyer() *TeambotEphemeralKeyer {
    44  	return &TeambotEphemeralKeyer{}
    45  }
    46  
    47  func (k *TeambotEphemeralKeyer) Type() keybase1.TeamEphemeralKeyType {
    48  	return keybase1.TeamEphemeralKeyType_TEAMBOT
    49  }
    50  
    51  func postNewTeambotEK(mctx libkb.MetaContext, teamID keybase1.TeamID, sig, box string) (err error) {
    52  	defer mctx.Trace("postNewTeambotEK", &err)()
    53  
    54  	apiArg := libkb.APIArg{
    55  		Endpoint:    "teambot/key",
    56  		SessionType: libkb.APISessionTypeREQUIRED,
    57  		Args: libkb.HTTPArgs{
    58  			"team_id":      libkb.S{Val: string(teamID)},
    59  			"sig":          libkb.S{Val: sig},
    60  			"box":          libkb.S{Val: box},
    61  			"is_ephemeral": libkb.B{Val: true},
    62  			"application":  libkb.I{Val: int(keybase1.TeamApplication_CHAT)},
    63  		},
    64  		AppStatusCodes: []int{libkb.SCOk, libkb.SCTeambotKeyGenerationExists},
    65  	}
    66  	_, err = mctx.G().GetAPI().Post(mctx, apiArg)
    67  	return err
    68  }
    69  
    70  func prepareNewTeambotEK(mctx libkb.MetaContext, team *teams.Team, botUID keybase1.UID,
    71  	seed TeambotEKSeed, metadata *keybase1.TeambotEkMetadata,
    72  	merkleRoot libkb.MerkleRoot) (sig string, box *keybase1.TeambotEkBoxed, err error) {
    73  	defer mctx.Trace("prepareNewTeambotEK", &err)()
    74  
    75  	statement, _, _, err := fetchUserEKStatement(mctx, botUID)
    76  	if err != nil {
    77  		return "", nil, err
    78  	}
    79  	activeMetadataMap, err := activeUserEKMetadata(mctx, map[keybase1.UID]*keybase1.UserEkStatement{botUID: statement}, merkleRoot)
    80  	if err != nil {
    81  		return "", nil, err
    82  	} else if len(activeMetadataMap) == 0 {
    83  		mctx.Debug("unable to make teambot key, bot has no active user EKs")
    84  		return "", nil, nil
    85  	}
    86  	activeMetadata := activeMetadataMap[botUID]
    87  	metadata.UserEkGeneration = activeMetadata.Generation
    88  
    89  	// Encrypting with a nil sender means we'll generate a random sender
    90  	// private key.
    91  	recipientKey, err := libkb.ImportKeypairFromKID(activeMetadata.Kid)
    92  	if err != nil {
    93  		return "", nil, err
    94  	}
    95  	boxedSeed, err := recipientKey.EncryptToString(seed[:], nil)
    96  	if err != nil {
    97  		return "", nil, err
    98  	}
    99  
   100  	boxed := keybase1.TeambotEkBoxed{
   101  		Box:      boxedSeed,
   102  		Metadata: *metadata,
   103  	}
   104  
   105  	metadataJSON, err := json.Marshal(metadata)
   106  	if err != nil {
   107  		return "", nil, err
   108  	}
   109  
   110  	signingKey, err := team.SigningKey(mctx.Ctx())
   111  	if err != nil {
   112  		return "", nil, err
   113  	}
   114  	sig, _, err = signingKey.SignToString(metadataJSON)
   115  	if err != nil {
   116  		return "", nil, err
   117  	}
   118  	return sig, &boxed, nil
   119  }
   120  
   121  func fetchLatestTeambotEK(mctx libkb.MetaContext, teamID keybase1.TeamID) (metadata *keybase1.TeambotEkMetadata, wrongKID bool, err error) {
   122  	defer mctx.Trace("fetchLatestTeambotEK", &err)()
   123  
   124  	var parsedResponse teambot.TeambotKeyResponse
   125  	gotResult := false
   126  	for i := 0; i < 10; i++ {
   127  		apiArg := libkb.APIArg{
   128  			Endpoint:    "teambot/key",
   129  			SessionType: libkb.APISessionTypeREQUIRED,
   130  			Args: libkb.HTTPArgs{
   131  				"team_id":      libkb.S{Val: string(teamID)},
   132  				"is_ephemeral": libkb.B{Val: true},
   133  				"application":  libkb.I{Val: int(keybase1.TeamApplication_CHAT)},
   134  			},
   135  		}
   136  		res, err := mctx.G().GetAPI().Get(mctx, apiArg)
   137  		if err != nil {
   138  			return nil, false, err
   139  		}
   140  
   141  		if err = res.Body.UnmarshalAgain(&parsedResponse); err != nil {
   142  			return nil, false, err
   143  		}
   144  		if parsedResponse.Result == nil {
   145  			mctx.Debug("no teambot ek response, trying again, attempt: %d", i)
   146  			time.Sleep(time.Second)
   147  			continue
   148  		}
   149  		gotResult = true
   150  		break
   151  	}
   152  	if !gotResult {
   153  		return nil, false, nil
   154  	}
   155  	return verifyTeambotSigWithLatestPTK(mctx, teamID, parsedResponse.Result.Sig)
   156  }
   157  
   158  func extractTeambotEKMetadataFromSig(sig string) (*kbcrypto.NaclSigningKeyPublic, *keybase1.TeambotEkMetadata, error) {
   159  	signerKey, payload, _, err := kbcrypto.NaclVerifyAndExtract(sig)
   160  	if err != nil {
   161  		return signerKey, nil, err
   162  	}
   163  
   164  	parsedMetadata := keybase1.TeambotEkMetadata{}
   165  	if err = json.Unmarshal(payload, &parsedMetadata); err != nil {
   166  		return signerKey, nil, err
   167  	}
   168  	return signerKey, &parsedMetadata, nil
   169  }
   170  
   171  // Verify that the blob is validly signed, and that the signing key is the
   172  // given team's latest PTK, then parse its contents.
   173  func verifyTeambotSigWithLatestPTK(mctx libkb.MetaContext, teamID keybase1.TeamID, sig string) (
   174  	metadata *keybase1.TeambotEkMetadata, wrongKID bool, err error) {
   175  	defer mctx.Trace("verifyTeambotSigWithLatestPTK", &err)()
   176  
   177  	signerKey, metadata, err := extractTeambotEKMetadataFromSig(sig)
   178  	if err != nil {
   179  		return nil, false, err
   180  	}
   181  
   182  	team, err := teams.Load(mctx.Ctx(), mctx.G(), keybase1.LoadTeamArg{
   183  		ID: teamID,
   184  	})
   185  	if err != nil {
   186  		return nil, false, err
   187  	}
   188  
   189  	// Verify the signing key corresponds to the latest PTK. We load the team's
   190  	// from cache, but if the KID doesn't match, we try a forced reload to see
   191  	// if the cache might've been stale. Only if the KID still doesn't match
   192  	// after the reload do we complain.
   193  	teamSigningKID, err := team.SigningKID(mctx.Ctx())
   194  	if err != nil {
   195  		return nil, false, err
   196  	}
   197  	if !teamSigningKID.Equal(signerKey.GetKID()) {
   198  		// The latest PTK might be stale. Force a reload, then check this over again.
   199  		team, err := teams.Load(mctx.Ctx(), mctx.G(), keybase1.LoadTeamArg{
   200  			ID:          team.ID,
   201  			ForceRepoll: true,
   202  		})
   203  		if err != nil {
   204  			return nil, false, err
   205  		}
   206  		teamSigningKID, err = team.SigningKID(mctx.Ctx())
   207  		if err != nil {
   208  			return nil, false, err
   209  		}
   210  		// return the metdata with wrongKID=true
   211  		if !teamSigningKID.Equal(signerKey.GetKID()) {
   212  			return metadata, true, fmt.Errorf("teambotEK returned for PTK signing KID %s, but latest is %s",
   213  				signerKey.GetKID(), teamSigningKID)
   214  		}
   215  	}
   216  
   217  	// If we didn't short circuit above, then the signing key is correct.
   218  	return metadata, false, nil
   219  }
   220  
   221  func (k *TeambotEphemeralKeyer) Unbox(mctx libkb.MetaContext, boxed keybase1.TeamEphemeralKeyBoxed,
   222  	contentCtime *gregor1.Time) (ek keybase1.TeamEphemeralKey, err error) {
   223  	defer mctx.Trace(fmt.Sprintf("TeambotEphemeralKeyer#Unbox: teambotEKGeneration: %v", boxed.Generation()), &err)()
   224  
   225  	typ, err := boxed.KeyType()
   226  	if err != nil {
   227  		return ek, err
   228  	}
   229  	if !typ.IsTeambot() {
   230  		return ek, NewIncorrectTeamEphemeralKeyTypeError(typ, keybase1.TeamEphemeralKeyType_TEAMBOT)
   231  	}
   232  
   233  	teambotEKBoxed := boxed.Teambot()
   234  	teambotEKGeneration := teambotEKBoxed.Metadata.Generation
   235  	userEKBoxStorage := mctx.G().GetUserEKBoxStorage()
   236  	userEK, err := userEKBoxStorage.Get(mctx, teambotEKBoxed.Metadata.UserEkGeneration, contentCtime)
   237  	if err != nil {
   238  		mctx.Debug("unable to get from userEKStorage %v", err)
   239  		if _, ok := err.(EphemeralKeyError); ok {
   240  			return ek, newEKUnboxErr(mctx, TeambotEKKind, teambotEKGeneration, UserEKKind,
   241  				teambotEKBoxed.Metadata.UserEkGeneration, contentCtime)
   242  		}
   243  		return ek, err
   244  	}
   245  
   246  	userSeed := UserEKSeed(userEK.Seed)
   247  	userKeypair := userSeed.DeriveDHKey()
   248  
   249  	msg, _, err := userKeypair.DecryptFromString(teambotEKBoxed.Box)
   250  	if err != nil {
   251  		mctx.Debug("unable to decrypt teambotEKBoxed %v", err)
   252  		return ek, newEKUnboxErr(mctx, TeambotEKKind, teambotEKGeneration, UserEKKind,
   253  			teambotEKBoxed.Metadata.UserEkGeneration, contentCtime)
   254  	}
   255  
   256  	seed, err := newTeambotEKSeedFromBytes(msg)
   257  	if err != nil {
   258  		return ek, err
   259  	}
   260  
   261  	keypair := seed.DeriveDHKey()
   262  	if !keypair.GetKID().Equal(teambotEKBoxed.Metadata.Kid) {
   263  		return ek, fmt.Errorf("Failed to verify server given seed [%s] against signed KID [%s]. Box: %+v",
   264  			teambotEKBoxed.Metadata.Kid, keypair.GetKID(), teambotEKBoxed)
   265  	}
   266  
   267  	return keybase1.NewTeamEphemeralKeyWithTeambot(keybase1.TeambotEk{
   268  		Seed:     keybase1.Bytes32(seed),
   269  		Metadata: teambotEKBoxed.Metadata,
   270  	}), nil
   271  }
   272  
   273  func (k *TeambotEphemeralKeyer) Fetch(mctx libkb.MetaContext, teamID keybase1.TeamID, generation keybase1.EkGeneration,
   274  	contentCtime *gregor1.Time) (teambotEK keybase1.TeamEphemeralKeyBoxed, err error) {
   275  	apiArg := libkb.APIArg{
   276  		Endpoint:    "teambot/box",
   277  		SessionType: libkb.APISessionTypeREQUIRED,
   278  		Args: libkb.HTTPArgs{
   279  			"team_id":      libkb.S{Val: string(teamID)},
   280  			"generation":   libkb.U{Val: uint64(generation)},
   281  			"is_ephemeral": libkb.B{Val: true},
   282  			"application":  libkb.I{Val: int(keybase1.TeamApplication_CHAT)},
   283  		},
   284  	}
   285  
   286  	var resp teambot.TeambotKeyBoxedResponse
   287  	res, err := mctx.G().GetAPI().Get(mctx, apiArg)
   288  	if err != nil {
   289  		err = errFromAppStatus(err)
   290  		return teambotEK, err
   291  	}
   292  
   293  	if err = res.Body.UnmarshalAgain(&resp); err != nil {
   294  		return teambotEK, err
   295  	}
   296  
   297  	if resp.Result == nil {
   298  		err = newEKMissingBoxErr(mctx, TeambotEKKind, generation)
   299  		return teambotEK, err
   300  	}
   301  
   302  	// Although we verify the signature is valid, it's possible that this key
   303  	// was signed with a PTK that is not our latest and greatest. We allow this
   304  	// when we are using this ek for *decryption*. When getting a key for
   305  	// *encryption* callers are responsible for verifying the signature is
   306  	// signed by the latest PTK or requesting the generation of a new EK. This
   307  	// logic currently lives in ephemeral/lib.go#getLatestTeambotEK
   308  	_, metadata, err := extractTeambotEKMetadataFromSig(resp.Result.Sig)
   309  	if err != nil {
   310  		return teambotEK, err
   311  	} else if metadata == nil { // shouldn't happen
   312  		return teambotEK, fmt.Errorf("unable to fetch valid teambotEKMetadata")
   313  	}
   314  
   315  	if generation != metadata.Generation {
   316  		// sanity check that we got the right generation
   317  		return teambotEK, newEKCorruptedErr(mctx, TeambotEKKind, generation, metadata.Generation)
   318  	}
   319  	teambotEKBoxed := keybase1.TeambotEkBoxed{
   320  		Box:      resp.Result.Box,
   321  		Metadata: *metadata,
   322  	}
   323  	return keybase1.NewTeamEphemeralKeyBoxedWithTeambot(teambotEKBoxed), nil
   324  }