github.com/keybase/client/go@v0.0.0-20241007131713-f10651d043c8/ephemeral/user_ek.go (about)

     1  package ephemeral
     2  
     3  import (
     4  	"encoding/json"
     5  	"fmt"
     6  
     7  	"github.com/keybase/client/go/kbcrypto"
     8  	"github.com/keybase/client/go/libkb"
     9  	"github.com/keybase/client/go/protocol/keybase1"
    10  )
    11  
    12  type UserEKSeed keybase1.Bytes32
    13  
    14  func newUserEphemeralSeed() (seed UserEKSeed, err error) {
    15  	randomSeed, err := makeNewRandomSeed()
    16  	if err != nil {
    17  		return seed, err
    18  	}
    19  	return UserEKSeed(randomSeed), nil
    20  }
    21  
    22  func newUserEKSeedFromBytes(b []byte) (s UserEKSeed, err error) {
    23  	seed, err := newEKSeedFromBytes(b)
    24  	if err != nil {
    25  		return s, err
    26  	}
    27  	return UserEKSeed(seed), nil
    28  }
    29  
    30  func (s *UserEKSeed) DeriveDHKey() *libkb.NaclDHKeyPair {
    31  	return deriveDHKey(keybase1.Bytes32(*s), libkb.DeriveReasonUserEKEncryption)
    32  }
    33  
    34  // Upload a new userEK directly, when we're not adding it to a PUK or device
    35  // transaction.
    36  func postNewUserEK(mctx libkb.MetaContext, sig string, boxes []keybase1.UserEkBoxMetadata) (err error) {
    37  	defer mctx.Trace("postNewUserEK", &err)()
    38  
    39  	boxesJSON, err := json.Marshal(boxes)
    40  	if err != nil {
    41  		return err
    42  	}
    43  	apiArg := libkb.APIArg{
    44  		Endpoint:    "user/user_ek",
    45  		SessionType: libkb.APISessionTypeREQUIRED,
    46  		Args: libkb.HTTPArgs{
    47  			"sig":   libkb.S{Val: sig},
    48  			"boxes": libkb.S{Val: string(boxesJSON)},
    49  		},
    50  	}
    51  	_, err = mctx.G().GetAPI().Post(mctx, apiArg)
    52  	return err
    53  }
    54  
    55  // There are two cases where we need to generate a new userEK. One is where
    56  // we're rolling the userEK by itself, and we need to sign it with the current
    57  // PUK. The other is where we're rolling the PUK, and we need to sign a new
    58  // userEK with the new PUK to upload both together. This helper covers the
    59  // steps common to both cases.
    60  func prepareNewUserEK(mctx libkb.MetaContext, merkleRoot libkb.MerkleRoot,
    61  	pukSigning *libkb.NaclSigningKeyPair) (sig string, boxes []keybase1.UserEkBoxMetadata,
    62  	newMetadata keybase1.UserEkMetadata, myBox *keybase1.UserEkBoxed, err error) {
    63  	defer mctx.Trace("prepareNewUserEK", &err)()
    64  
    65  	seed, err := newUserEphemeralSeed()
    66  	if err != nil {
    67  		return "", nil, newMetadata, nil, err
    68  	}
    69  
    70  	prevStatement, latestGeneration, wrongKID, err := fetchUserEKStatement(mctx, mctx.G().Env.GetUID())
    71  	if !wrongKID && err != nil {
    72  		return "", nil, newMetadata, nil, err
    73  	}
    74  	var newGeneration keybase1.EkGeneration
    75  	if prevStatement == nil {
    76  		// Even if the userEK statement was signed by the wrong key (this can
    77  		// happen when legacy clients roll the PUK), fetchUserEKStatement will
    78  		// return the generation number from the last (unverifiable) statement.
    79  		// If there was never any statement, latestGeneration will be 0, so
    80  		// adding one is correct in all cases.
    81  		newGeneration = latestGeneration + 1
    82  	} else {
    83  		newGeneration = prevStatement.CurrentUserEkMetadata.Generation + 1
    84  	}
    85  
    86  	dhKeypair := seed.DeriveDHKey()
    87  
    88  	metadata := keybase1.UserEkMetadata{
    89  		Kid:        dhKeypair.GetKID(),
    90  		Generation: newGeneration,
    91  		HashMeta:   merkleRoot.HashMeta(),
    92  		// The ctime is derivable from the hash meta, by fetching the hashed
    93  		// root from the server, but including it saves readers a potential
    94  		// extra round trip.
    95  		Ctime: keybase1.TimeFromSeconds(merkleRoot.Ctime()),
    96  	}
    97  
    98  	statement := keybase1.UserEkStatement{
    99  		CurrentUserEkMetadata: metadata,
   100  	}
   101  	statementJSON, err := json.Marshal(statement)
   102  	if err != nil {
   103  		return "", nil, newMetadata, nil, err
   104  	}
   105  	sig, _, err = pukSigning.SignToString(statementJSON)
   106  	if err != nil {
   107  		return "", nil, newMetadata, nil, err
   108  	}
   109  
   110  	boxes, myUserEKBoxed, err := boxUserEKForDevices(mctx, merkleRoot, seed, metadata)
   111  	if err != nil {
   112  		return "", nil, newMetadata, nil, err
   113  	}
   114  
   115  	return sig, boxes, metadata, myUserEKBoxed, nil
   116  }
   117  
   118  // Create a new userEK and upload it. Add our box to the local box store.
   119  func publishNewUserEK(mctx libkb.MetaContext, merkleRoot libkb.MerkleRoot) (
   120  	metadata keybase1.UserEkMetadata, err error) {
   121  	defer mctx.Trace("publishNewUserEK", &err)()
   122  
   123  	// Sign the statement blob with the latest PUK.
   124  	pukKeyring, err := mctx.G().GetPerUserKeyring(mctx.Ctx())
   125  	if err != nil {
   126  		return metadata, err
   127  	}
   128  	if err := pukKeyring.Sync(mctx); err != nil {
   129  		return metadata, err
   130  	}
   131  	if !pukKeyring.HasAnyKeys() {
   132  		return metadata, fmt.Errorf("A PUK is needed to generate ephemeral keys. Aborting.")
   133  	}
   134  	pukSigning, err := pukKeyring.GetLatestSigningKey(mctx)
   135  	if err != nil {
   136  		return metadata, err
   137  	}
   138  
   139  	sig, boxes, newMetadata, myBox, err := prepareNewUserEK(mctx, merkleRoot, pukSigning)
   140  	if err != nil {
   141  		return metadata, err
   142  	}
   143  
   144  	if err = postNewUserEK(mctx, sig, boxes); err != nil {
   145  		return metadata, err
   146  	}
   147  
   148  	// Cache the new box after we see the post succeeded.
   149  	if myBox == nil {
   150  		mctx.Debug("No box made for own deviceEK")
   151  	} else {
   152  		storage := mctx.G().GetUserEKBoxStorage()
   153  		err = storage.Put(mctx, newMetadata.Generation, *myBox)
   154  	}
   155  	return newMetadata, err
   156  }
   157  
   158  func ForcePublishNewUserEKForTesting(mctx libkb.MetaContext, merkleRoot libkb.MerkleRoot) (metadata keybase1.UserEkMetadata, err error) {
   159  	defer mctx.Trace("ForcePublishNewUserEKForTesting", &err)()
   160  	return publishNewUserEK(mctx, merkleRoot)
   161  }
   162  
   163  func boxUserEKForDevices(mctx libkb.MetaContext, merkleRoot libkb.MerkleRoot,
   164  	seed UserEKSeed, userMetadata keybase1.UserEkMetadata) (boxes []keybase1.UserEkBoxMetadata,
   165  	myUserEKBoxed *keybase1.UserEkBoxed, err error) {
   166  	defer mctx.Trace("boxUserEKForDevices", &err)()
   167  
   168  	devicesMetadata, err := allActiveDeviceEKMetadata(mctx, merkleRoot)
   169  	if err != nil {
   170  		return nil, nil, err
   171  	}
   172  
   173  	myDeviceID := mctx.ActiveDevice().DeviceID()
   174  	for deviceID, deviceMetadata := range devicesMetadata {
   175  		recipientKey, err := libkb.ImportKeypairFromKID(deviceMetadata.Kid)
   176  		if err != nil {
   177  			return nil, nil, err
   178  		}
   179  		// Encrypting with a nil sender means we'll generate a random sender private key.
   180  		box, err := recipientKey.EncryptToString(seed[:], nil)
   181  		if err != nil {
   182  			return nil, nil, err
   183  		}
   184  		boxMetadata := keybase1.UserEkBoxMetadata{
   185  			RecipientDeviceID:   deviceID,
   186  			RecipientGeneration: deviceMetadata.Generation,
   187  			Box:                 box,
   188  		}
   189  		boxes = append(boxes, boxMetadata)
   190  
   191  		if deviceID == myDeviceID {
   192  			myUserEKBoxed = &keybase1.UserEkBoxed{
   193  				Box:                box,
   194  				DeviceEkGeneration: deviceMetadata.Generation,
   195  				Metadata:           userMetadata,
   196  			}
   197  		}
   198  	}
   199  	return boxes, myUserEKBoxed, nil
   200  }
   201  
   202  type userEKStatementResponse struct {
   203  	Sigs map[keybase1.UID]*string `json:"sigs"`
   204  }
   205  
   206  // Returns nil if the user has never published a userEK. If the user has
   207  // published a userEK, but has since rolled their PUK without publishing a new
   208  // one, this function will also return nil and log a warning. This is a
   209  // transitional thing, and eventually when all "reasonably up to date" clients
   210  // in the wild have EK support, we will make that case an error.
   211  func fetchUserEKStatements(mctx libkb.MetaContext, uids []keybase1.UID) (
   212  	statements map[keybase1.UID]*keybase1.UserEkStatement, err error) {
   213  	defer mctx.Trace(fmt.Sprintf("fetchUserEKStatements: numUids: %v", len(uids)), &err)()
   214  
   215  	apiArg := libkb.APIArg{
   216  		Endpoint:    "user/get_user_ek_batch",
   217  		SessionType: libkb.APISessionTypeREQUIRED,
   218  		Args: libkb.HTTPArgs{
   219  			"uids": libkb.S{Val: libkb.UidsToString(uids)},
   220  		},
   221  	}
   222  	res, err := mctx.G().GetAPI().Post(mctx, apiArg)
   223  	if err != nil {
   224  		return nil, err
   225  	}
   226  
   227  	userEKStatements := userEKStatementResponse{}
   228  	if err = res.Body.UnmarshalAgain(&userEKStatements); err != nil {
   229  		return nil, err
   230  	}
   231  
   232  	getArg := func(i int) *libkb.LoadUserArg {
   233  		if i >= len(uids) {
   234  			return nil
   235  		}
   236  		tmp := libkb.NewLoadUserArgWithMetaContext(mctx).WithUID(uids[i])
   237  		return &tmp
   238  	}
   239  
   240  	var upaks []*keybase1.UserPlusKeysV2AllIncarnations
   241  	statements = make(map[keybase1.UID]*keybase1.UserEkStatement)
   242  	processResult := func(i int, upak *keybase1.UserPlusKeysV2AllIncarnations) error {
   243  		mctx.Debug("processing member %d/%d %.2f%% complete", i, len(uids), (float64(i) / float64(len(uids)) * 100))
   244  		if upak == nil {
   245  			mctx.Debug("Unable to load user %v", uids[i])
   246  			return nil
   247  		}
   248  		upaks = append(upaks, upak)
   249  		return nil
   250  	}
   251  
   252  	if err = mctx.G().GetUPAKLoader().Batcher(mctx.Ctx(), getArg, processResult, 0); err != nil {
   253  		return nil, err
   254  	}
   255  
   256  	for _, upak := range upaks {
   257  		uid := upak.GetUID()
   258  		sig, ok := userEKStatements.Sigs[uid]
   259  		if !ok || sig == nil {
   260  			mctx.Debug("missing memberEK statement for UID %v", uid)
   261  			continue
   262  		}
   263  
   264  		statement, _, wrongKID, err := verifySigWithLatestPUK(mctx, uid,
   265  			upak.Current.GetLatestPerUserKey(), *sig)
   266  		if wrongKID {
   267  			mctx.Debug("UID %v has a statement signed with the wrongKID, skipping", uid)
   268  			// Don't box for this member since they have no valid userEK
   269  			continue
   270  		} else if err != nil {
   271  			return nil, err
   272  		}
   273  		statements[uid] = statement
   274  	}
   275  
   276  	return statements, nil
   277  }
   278  
   279  // Returns nil if the user has never published a userEK. If the user has
   280  // published a userEK, but has since rolled their PUK without publishing a new
   281  // one, this function will return wrongKID. This allows clients to chose the
   282  // correct generation number but not include the statement when generating a
   283  // new userEK.
   284  func fetchUserEKStatement(mctx libkb.MetaContext, uid keybase1.UID) (
   285  	statement *keybase1.UserEkStatement, latestGeneration keybase1.EkGeneration, wrongKID bool, err error) {
   286  	defer mctx.Trace("fetchUserEKStatement", &err)()
   287  
   288  	apiArg := libkb.APIArg{
   289  		Endpoint:    "user/user_ek",
   290  		SessionType: libkb.APISessionTypeREQUIRED,
   291  		Args: libkb.HTTPArgs{
   292  			"uids": libkb.S{Val: libkb.UidsToString([]keybase1.UID{uid})},
   293  		},
   294  	}
   295  	res, err := mctx.G().GetAPI().Get(mctx, apiArg)
   296  	if err != nil {
   297  		return nil, latestGeneration, false, err
   298  	}
   299  
   300  	parsedResponse := userEKStatementResponse{}
   301  	err = res.Body.UnmarshalAgain(&parsedResponse)
   302  	if err != nil {
   303  		return nil, latestGeneration, false, err
   304  	}
   305  	// User has no statements
   306  	if len(parsedResponse.Sigs) == 0 {
   307  		return nil, latestGeneration, false, nil
   308  	}
   309  	if len(parsedResponse.Sigs) != 1 {
   310  		return nil, latestGeneration, false, fmt.Errorf("Invalid server response, multiple userEK statements returned")
   311  	}
   312  	sig, ok := parsedResponse.Sigs[uid]
   313  	if !ok {
   314  		return nil, latestGeneration, false, fmt.Errorf("Invalid server response, wrong uid returned")
   315  	}
   316  
   317  	upak, _, err := mctx.G().GetUPAKLoader().LoadV2(
   318  		libkb.NewLoadUserArgWithMetaContext(mctx).WithUID(uid))
   319  	if err != nil {
   320  		return nil, latestGeneration, false, err
   321  	}
   322  	latestPUK := upak.Current.GetLatestPerUserKey()
   323  	statement, latestGeneration, wrongKID, err = verifySigWithLatestPUK(mctx, uid, latestPUK, *sig)
   324  	// Check the wrongKID condition before checking the error, since an error
   325  	// is still returned in this case. TODO: Turn this warning into an error
   326  	// after EK support is sufficiently widespread.
   327  	if wrongKID {
   328  		mctx.Debug("It looks like you revoked a device without generating new ephemeral keys. Are you running an old version?")
   329  		return nil, latestGeneration, true, nil
   330  	} else if err != nil {
   331  		return nil, latestGeneration, false, err
   332  	}
   333  
   334  	return statement, latestGeneration, false, nil
   335  }
   336  
   337  func extractUserEKStatementFromSig(sig string) (signerKey *kbcrypto.NaclSigningKeyPublic, statement *keybase1.UserEkStatement, err error) {
   338  	signerKey, payload, _, err := kbcrypto.NaclVerifyAndExtract(sig)
   339  	if err != nil {
   340  		return signerKey, nil, err
   341  	}
   342  
   343  	parsedStatement := keybase1.UserEkStatement{}
   344  	if err = json.Unmarshal(payload, &parsedStatement); err != nil {
   345  		return signerKey, nil, err
   346  	}
   347  	return signerKey, &parsedStatement, nil
   348  }
   349  
   350  // Verify that the blob is validly signed, and that the signing key is the
   351  // given user's latest PUK, then parse its contents. If the blob is signed by
   352  // the wrong KID, that's still an error, but we'll also return this special
   353  // `wrongKID` flag. As a transitional measure while we wait for all clients in
   354  // the wild to have EK support, callers will treat that case as "there is no
   355  // key" and convert the error to a warning. We set `latestGeneration` so that
   356  // callers can use this value to generate a new key even if `wrongKID` is set.
   357  func verifySigWithLatestPUK(mctx libkb.MetaContext, uid keybase1.UID,
   358  	latestPUK *keybase1.PerUserKey, sig string) (
   359  	statement *keybase1.UserEkStatement, latestGeneration keybase1.EkGeneration, wrongKID bool, err error) {
   360  	defer mctx.Trace("verifySigWithLatestPUK", &err)()
   361  
   362  	// Parse the statement before we verify the signing key. Even if the
   363  	// signing key is bad (likely because of a legacy PUK roll that didn't
   364  	// include a userEK statement), we'll still return the generation number.
   365  	signerKey, parsedStatement, err := extractUserEKStatementFromSig(sig)
   366  	if err != nil {
   367  		return nil, latestGeneration, false, err
   368  	}
   369  	latestGeneration = parsedStatement.CurrentUserEkMetadata.Generation
   370  
   371  	// Verify the signing key corresponds to the latest PUK. We use the user's
   372  	// UPAK from cache, but if the KID doesn't match, we try a forced reload to
   373  	// see if the cache might've been stale. Only if the KID still doesn't
   374  	// match after the reload do we complain.
   375  	if latestPUK == nil || !latestPUK.SigKID.Equal(signerKey.GetKID()) {
   376  		// The latest PUK might be stale. Force a reload, then check this over again.
   377  		upak, _, err := mctx.G().GetUPAKLoader().LoadV2(
   378  			libkb.NewLoadUserArgWithMetaContext(mctx).WithUID(uid).WithForceReload())
   379  		if err != nil {
   380  			return nil, latestGeneration, false, err
   381  		}
   382  		latestPUK = upak.Current.GetLatestPerUserKey()
   383  		if latestPUK == nil || !latestPUK.SigKID.Equal(signerKey.GetKID()) {
   384  			// The latest PUK still doesn't match the signing key after a
   385  			// forced reload. Bail out, and set the `wrongKID` flag.
   386  			latestPUKSigningKIDString := "<nil>"
   387  			if latestPUK != nil {
   388  				latestPUKSigningKIDString = fmt.Sprint(latestPUK.SigKID)
   389  			}
   390  			err = fmt.Errorf("userEK returned for PUK signing KID %s, but latest is %s",
   391  				signerKey.GetKID(), latestPUKSigningKIDString)
   392  			return nil, latestGeneration, true, err
   393  		}
   394  	}
   395  
   396  	return parsedStatement, latestGeneration, false, nil
   397  }
   398  
   399  func filterStaleUserEKStatements(mctx libkb.MetaContext, statementMap map[keybase1.UID]*keybase1.UserEkStatement,
   400  	merkleRoot libkb.MerkleRoot) (activeMap map[keybase1.UID]keybase1.UserEkStatement, err error) {
   401  	defer mctx.Trace(fmt.Sprintf("filterStaleUserEKStatements: numStatements: %v", len(statementMap)), &err)()
   402  
   403  	activeMap = make(map[keybase1.UID]keybase1.UserEkStatement)
   404  	for uid, statement := range statementMap {
   405  		if statement == nil {
   406  			mctx.Debug("found stale userStatement for uid: %s", uid)
   407  			continue
   408  		}
   409  		metadata := statement.CurrentUserEkMetadata
   410  		if ctimeIsStale(metadata.Ctime.Time(), merkleRoot) {
   411  			mctx.Debug("found stale userStatement for KID: %s", metadata.Kid)
   412  			continue
   413  		}
   414  		activeMap[uid] = *statement
   415  	}
   416  
   417  	return activeMap, nil
   418  }
   419  
   420  func activeUserEKMetadata(mctx libkb.MetaContext, statementMap map[keybase1.UID]*keybase1.UserEkStatement,
   421  	merkleRoot libkb.MerkleRoot) (activeMetadata map[keybase1.UID]keybase1.UserEkMetadata, err error) {
   422  	activeMap, err := filterStaleUserEKStatements(mctx, statementMap, merkleRoot)
   423  	if err != nil {
   424  		return nil, err
   425  	}
   426  	activeMetadata = make(map[keybase1.UID]keybase1.UserEkMetadata)
   427  	for uid, statement := range activeMap {
   428  		activeMetadata[uid] = statement.CurrentUserEkMetadata
   429  	}
   430  	return activeMetadata, nil
   431  }