github.com/keybase/client/go@v0.0.0-20241007131713-f10651d043c8/kbfs/kbfsmd/key_bundle_v2.go (about)

     1  // Copyright 2016 Keybase Inc. All rights reserved.
     2  // Use of this source code is governed by a BSD
     3  // license that can be found in the LICENSE file.
     4  
     5  package kbfsmd
     6  
     7  import (
     8  	"fmt"
     9  
    10  	"github.com/keybase/client/go/kbfs/kbfscodec"
    11  	"github.com/keybase/client/go/kbfs/kbfscrypto"
    12  	"github.com/keybase/client/go/protocol/keybase1"
    13  	"github.com/keybase/go-codec/codec"
    14  	"github.com/pkg/errors"
    15  )
    16  
    17  // EPubKeyLocationV2 represents the location of a user's ephemeral
    18  // public key. Note that for V2, a reader ePubKey can be in either the
    19  // writers array (if rekeyed normally) or the readers array (if
    20  // rekeyed by a reader), but a writer ePubKey can be in either array
    21  // also; if a reader whose ePubKey is in the readers array is
    22  // promoted, then the reader becomes a writer whose ePubKey is still
    23  // in the readers array.
    24  type EPubKeyLocationV2 int
    25  
    26  const (
    27  	// WriterEPubKeys means the ephemeral public key is in the
    28  	// writers array.
    29  	WriterEPubKeys EPubKeyLocationV2 = 1
    30  	// ReaderEPubKeys means the ephemeral public key is in the
    31  	// writers array.
    32  	ReaderEPubKeys EPubKeyLocationV2 = 2
    33  )
    34  
    35  func (t EPubKeyLocationV2) String() string {
    36  	switch t {
    37  	case WriterEPubKeys:
    38  		return "WriterEPubKeys"
    39  	case ReaderEPubKeys:
    40  		return "ReaderEPubKeys"
    41  	default:
    42  		return fmt.Sprintf("EPubKeyLocationV2(%d)", t)
    43  	}
    44  }
    45  
    46  // GetEphemeralPublicKeyInfoV2 encapsulates all the ugly logic needed to
    47  // deal with the "negative hack" from
    48  // RootMetadataV2.UpdateKeyGeneration.
    49  func GetEphemeralPublicKeyInfoV2(info TLFCryptKeyInfo,
    50  	wkb TLFWriterKeyBundleV2, rkb TLFReaderKeyBundleV2) (
    51  	keyLocation EPubKeyLocationV2, index int,
    52  	ePubKey kbfscrypto.TLFEphemeralPublicKey, err error) {
    53  	var publicKeys kbfscrypto.TLFEphemeralPublicKeys
    54  	if info.EPubKeyIndex >= 0 {
    55  		index = info.EPubKeyIndex
    56  		publicKeys = wkb.TLFEphemeralPublicKeys
    57  		keyLocation = WriterEPubKeys
    58  	} else {
    59  		index = -1 - info.EPubKeyIndex
    60  		publicKeys = rkb.TLFReaderEphemeralPublicKeys
    61  		keyLocation = ReaderEPubKeys
    62  	}
    63  	keyCount := len(publicKeys)
    64  	if index >= keyCount {
    65  		return EPubKeyLocationV2(0),
    66  			0, kbfscrypto.TLFEphemeralPublicKey{},
    67  			fmt.Errorf("Invalid key in %s with index %d >= %d",
    68  				keyLocation, index, keyCount)
    69  	}
    70  
    71  	return keyLocation, index, publicKeys[index], nil
    72  }
    73  
    74  // DeviceKeyInfoMapV2 is a map from a user devices (identified by the
    75  // KID of the corresponding device CryptPublicKey) to the
    76  // TLF's symmetric secret key information.
    77  type DeviceKeyInfoMapV2 map[keybase1.KID]TLFCryptKeyInfo
    78  
    79  func (dkimV2 DeviceKeyInfoMapV2) fillInDeviceInfos(
    80  	uid keybase1.UID, tlfCryptKey kbfscrypto.TLFCryptKey,
    81  	ePrivKey kbfscrypto.TLFEphemeralPrivateKey, ePubIndex int,
    82  	updatedDeviceKeys DevicePublicKeys) (
    83  	serverHalves DeviceKeyServerHalves, err error) {
    84  	serverHalves = make(DeviceKeyServerHalves, len(updatedDeviceKeys))
    85  	// TODO: parallelize
    86  	for k := range updatedDeviceKeys {
    87  		// Skip existing entries, and only fill in new ones.
    88  		if _, ok := dkimV2[k.KID()]; ok {
    89  			continue
    90  		}
    91  
    92  		clientInfo, serverHalf, err := splitTLFCryptKey(
    93  			uid, tlfCryptKey, ePrivKey, ePubIndex, k)
    94  		if err != nil {
    95  			return nil, err
    96  		}
    97  
    98  		dkimV2[k.KID()] = clientInfo
    99  		serverHalves[k] = serverHalf
   100  	}
   101  
   102  	return serverHalves, nil
   103  }
   104  
   105  func (dkimV2 DeviceKeyInfoMapV2) toPublicKeys() DevicePublicKeys {
   106  	publicKeys := make(DevicePublicKeys, len(dkimV2))
   107  	for kid := range dkimV2 {
   108  		publicKeys[kbfscrypto.MakeCryptPublicKey(kid)] = true
   109  	}
   110  	return publicKeys
   111  }
   112  
   113  // UserDeviceKeyInfoMapV2 maps a user's keybase UID to their
   114  // DeviceKeyInfoMapV2.
   115  type UserDeviceKeyInfoMapV2 map[keybase1.UID]DeviceKeyInfoMapV2
   116  
   117  // ToPublicKeys converts this object to a UserDevicePublicKeys object.
   118  func (udkimV2 UserDeviceKeyInfoMapV2) ToPublicKeys() UserDevicePublicKeys {
   119  	publicKeys := make(UserDevicePublicKeys, len(udkimV2))
   120  	for u, dkimV2 := range udkimV2 {
   121  		publicKeys[u] = dkimV2.toPublicKeys()
   122  	}
   123  	return publicKeys
   124  }
   125  
   126  // RemoveDevicesNotIn removes any info for any device that is not
   127  // contained in the given map of users and devices.
   128  func (udkimV2 UserDeviceKeyInfoMapV2) RemoveDevicesNotIn(
   129  	updatedUserKeys UserDevicePublicKeys) ServerHalfRemovalInfo {
   130  	removalInfo := make(ServerHalfRemovalInfo)
   131  	for uid, dkim := range udkimV2 {
   132  		userRemoved := false
   133  		deviceServerHalfIDs := make(DeviceServerHalfRemovalInfo)
   134  		if deviceKeys, ok := updatedUserKeys[uid]; ok {
   135  			for kid, info := range dkim {
   136  				key := kbfscrypto.MakeCryptPublicKey(kid)
   137  				if !deviceKeys[key] {
   138  					delete(dkim, kid)
   139  					deviceServerHalfIDs[key] = append(
   140  						deviceServerHalfIDs[key],
   141  						info.ServerHalfID)
   142  				}
   143  			}
   144  
   145  			if len(deviceServerHalfIDs) == 0 {
   146  				continue
   147  			}
   148  		} else {
   149  			// The user was completely removed, which
   150  			// shouldn't happen but might as well make it
   151  			// work just in case.
   152  			userRemoved = true
   153  			for kid, info := range dkim {
   154  				key := kbfscrypto.MakeCryptPublicKey(kid)
   155  				deviceServerHalfIDs[key] = append(
   156  					deviceServerHalfIDs[key],
   157  					info.ServerHalfID)
   158  			}
   159  
   160  			delete(udkimV2, uid)
   161  		}
   162  
   163  		removalInfo[uid] = UserServerHalfRemovalInfo{
   164  			UserRemoved:         userRemoved,
   165  			DeviceServerHalfIDs: deviceServerHalfIDs,
   166  		}
   167  	}
   168  
   169  	return removalInfo
   170  }
   171  
   172  // FillInUserInfos fills in this map from the given info.
   173  func (udkimV2 UserDeviceKeyInfoMapV2) FillInUserInfos(
   174  	newIndex int, updatedUserKeys UserDevicePublicKeys,
   175  	ePrivKey kbfscrypto.TLFEphemeralPrivateKey,
   176  	tlfCryptKey kbfscrypto.TLFCryptKey) (
   177  	serverHalves UserDeviceKeyServerHalves, err error) {
   178  	serverHalves = make(UserDeviceKeyServerHalves, len(updatedUserKeys))
   179  	for u, updatedDeviceKeys := range updatedUserKeys {
   180  		if _, ok := udkimV2[u]; !ok {
   181  			udkimV2[u] = DeviceKeyInfoMapV2{}
   182  		}
   183  
   184  		deviceServerHalves, err := udkimV2[u].fillInDeviceInfos(
   185  			u, tlfCryptKey, ePrivKey, newIndex,
   186  			updatedDeviceKeys)
   187  		if err != nil {
   188  			return nil, err
   189  		}
   190  		if len(deviceServerHalves) > 0 {
   191  			serverHalves[u] = deviceServerHalves
   192  		}
   193  	}
   194  	return serverHalves, nil
   195  }
   196  
   197  // All section references below are to https://keybase.io/docs/crypto/kbfs
   198  // (version 1.8).
   199  
   200  // TLFWriterKeyBundleV2 is a bundle of all the writer keys for a top-level
   201  // folder.
   202  type TLFWriterKeyBundleV2 struct {
   203  	// Maps from each writer to their crypt key bundle.
   204  	WKeys UserDeviceKeyInfoMapV2
   205  
   206  	// M_f as described in § 4.1.1.
   207  	TLFPublicKey kbfscrypto.TLFPublicKey `codec:"pubKey"`
   208  
   209  	// M_e as described in § 4.1.1.  Because devices can be added
   210  	// into the key generation after it is initially created (so
   211  	// those devices can get access to existing data), we track
   212  	// multiple ephemeral public keys; the one used by a
   213  	// particular device is specified by EPubKeyIndex in its
   214  	// TLFCryptoKeyInfo struct.
   215  	TLFEphemeralPublicKeys kbfscrypto.TLFEphemeralPublicKeys `codec:"ePubKey"`
   216  
   217  	codec.UnknownFieldSetHandler
   218  }
   219  
   220  // IsWriter returns true if the given user device is in the writer set.
   221  func (wkb TLFWriterKeyBundleV2) IsWriter(user keybase1.UID, deviceKey kbfscrypto.CryptPublicKey) bool {
   222  	_, ok := wkb.WKeys[user][deviceKey.KID()]
   223  	return ok
   224  }
   225  
   226  // TLFWriterKeyGenerationsV2 stores a slice of TLFWriterKeyBundleV2,
   227  // where the last element is the current generation.
   228  type TLFWriterKeyGenerationsV2 []TLFWriterKeyBundleV2
   229  
   230  // LatestKeyGeneration returns the current key generation for this TLF.
   231  func (wkg TLFWriterKeyGenerationsV2) LatestKeyGeneration() KeyGen {
   232  	return KeyGen(len(wkg))
   233  }
   234  
   235  // IsWriter returns whether or not the user+device is an authorized writer
   236  // for the latest generation.
   237  func (wkg TLFWriterKeyGenerationsV2) IsWriter(user keybase1.UID, deviceKey kbfscrypto.CryptPublicKey) bool {
   238  	keyGen := wkg.LatestKeyGeneration()
   239  	if keyGen < 1 {
   240  		return false
   241  	}
   242  	return wkg[keyGen-1].IsWriter(user, deviceKey)
   243  }
   244  
   245  // ToTLFWriterKeyBundleV3 converts a TLFWriterKeyGenerationsV2 to a TLFWriterKeyBundleV3.
   246  func (wkg TLFWriterKeyGenerationsV2) ToTLFWriterKeyBundleV3(
   247  	codec kbfscodec.Codec,
   248  	tlfCryptKeyGetter func() ([]kbfscrypto.TLFCryptKey, error)) (
   249  	TLFWriterKeyBundleV2, TLFWriterKeyBundleV3, error) {
   250  	keyGen := wkg.LatestKeyGeneration()
   251  	if keyGen < FirstValidKeyGen {
   252  		return TLFWriterKeyBundleV2{}, TLFWriterKeyBundleV3{},
   253  			errors.New("No key generations to convert")
   254  	}
   255  
   256  	// Copy the latest UserDeviceKeyInfoMap.
   257  	wkbV2 := wkg[keyGen-FirstValidKeyGen]
   258  	ePubKeyCount := len(wkbV2.TLFEphemeralPublicKeys)
   259  	udkimV3, err := writerUDKIMV2ToV3(codec, wkbV2.WKeys, ePubKeyCount)
   260  	if err != nil {
   261  		return TLFWriterKeyBundleV2{}, TLFWriterKeyBundleV3{}, err
   262  	}
   263  	wkbV3 := TLFWriterKeyBundleV3{
   264  		Keys: udkimV3,
   265  		TLFEphemeralPublicKeys: make(
   266  			kbfscrypto.TLFEphemeralPublicKeys, ePubKeyCount),
   267  		TLFPublicKey: wkbV2.TLFPublicKey,
   268  	}
   269  	// Copy all of the TLFEphemeralPublicKeys at this generation.
   270  	copy(wkbV3.TLFEphemeralPublicKeys[:], wkbV2.TLFEphemeralPublicKeys)
   271  
   272  	if keyGen > FirstValidKeyGen {
   273  		// Fetch all of the TLFCryptKeys.
   274  		keys, err := tlfCryptKeyGetter()
   275  		if err != nil {
   276  			return TLFWriterKeyBundleV2{}, TLFWriterKeyBundleV3{}, err
   277  		}
   278  		// Sanity check.
   279  		if len(keys) != int(keyGen) {
   280  			return TLFWriterKeyBundleV2{}, TLFWriterKeyBundleV3{},
   281  				fmt.Errorf("expected %d keys, found %d", keyGen, len(keys))
   282  		}
   283  		// Save the current key.
   284  		currKey := keys[len(keys)-1]
   285  		// Get rid of the most current generation as that's in the UserDeviceKeyInfoMap already.
   286  		keys = keys[:len(keys)-1]
   287  		// Encrypt the historic keys with the current key.
   288  		wkbV3.EncryptedHistoricTLFCryptKeys, err = kbfscrypto.EncryptTLFCryptKeys(codec, keys, currKey)
   289  		if err != nil {
   290  			return TLFWriterKeyBundleV2{}, TLFWriterKeyBundleV3{}, err
   291  		}
   292  	}
   293  
   294  	return wkbV2, wkbV3, nil
   295  }
   296  
   297  // TLFReaderKeyBundleV2 stores all the reader keys with reader
   298  // permissions on a TLF.
   299  type TLFReaderKeyBundleV2 struct {
   300  	RKeys UserDeviceKeyInfoMapV2
   301  
   302  	// M_e as described in § 4.1.1. Because devices can be added
   303  	// into the key generation after it is initially created (so
   304  	// those devices can get access to existing data), we track
   305  	// multiple ephemeral public keys; the one used by a
   306  	// particular device is specified by EPubKeyIndex in its
   307  	// TLFCryptoKeyInfo struct.  This list is needed so a reader
   308  	// rekey doesn't modify the writer metadata.
   309  	TLFReaderEphemeralPublicKeys kbfscrypto.TLFEphemeralPublicKeys `codec:"readerEPubKey,omitempty"`
   310  
   311  	codec.UnknownFieldSetHandler
   312  }
   313  
   314  // IsReader returns true if the given user device is in the reader set.
   315  func (trb TLFReaderKeyBundleV2) IsReader(user keybase1.UID, deviceKey kbfscrypto.CryptPublicKey) bool {
   316  	_, ok := trb.RKeys[user][deviceKey.KID()]
   317  	return ok
   318  }
   319  
   320  // TLFReaderKeyGenerationsV2 stores a slice of TLFReaderKeyBundleV2,
   321  // where the last element is the current generation.
   322  type TLFReaderKeyGenerationsV2 []TLFReaderKeyBundleV2
   323  
   324  // LatestKeyGeneration returns the current key generation for this TLF.
   325  func (rkg TLFReaderKeyGenerationsV2) LatestKeyGeneration() KeyGen {
   326  	return KeyGen(len(rkg))
   327  }
   328  
   329  // IsReader returns whether or not the user+device is an authorized reader
   330  // for the latest generation.
   331  func (rkg TLFReaderKeyGenerationsV2) IsReader(user keybase1.UID, deviceKey kbfscrypto.CryptPublicKey) bool {
   332  	keyGen := rkg.LatestKeyGeneration()
   333  	if keyGen < 1 {
   334  		return false
   335  	}
   336  	return rkg[keyGen-1].IsReader(user, deviceKey)
   337  }
   338  
   339  // ToTLFReaderKeyBundleV3 converts a TLFReaderKeyGenerationsV2 to a TLFReaderkeyBundleV3.
   340  func (rkg TLFReaderKeyGenerationsV2) ToTLFReaderKeyBundleV3(
   341  	codec kbfscodec.Codec, wkb TLFWriterKeyBundleV2) (
   342  	TLFReaderKeyBundleV3, error) {
   343  	keyGen := rkg.LatestKeyGeneration()
   344  	if keyGen < FirstValidKeyGen {
   345  		return TLFReaderKeyBundleV3{}, errors.New("No key generations to convert")
   346  	}
   347  
   348  	rkbV3 := TLFReaderKeyBundleV3{
   349  		Keys: make(UserDeviceKeyInfoMapV3),
   350  	}
   351  
   352  	// Copy the latest UserDeviceKeyInfoMap.
   353  	rkb := rkg[keyGen-FirstValidKeyGen]
   354  
   355  	// Copy all of the TLFReaderEphemeralPublicKeys.
   356  	rkbV3.TLFEphemeralPublicKeys = make(kbfscrypto.TLFEphemeralPublicKeys,
   357  		len(rkb.TLFReaderEphemeralPublicKeys))
   358  	copy(rkbV3.TLFEphemeralPublicKeys[:], rkb.TLFReaderEphemeralPublicKeys)
   359  
   360  	// Track a mapping of old writer ephemeral pubkey index to new
   361  	// reader ephemeral pubkey index.
   362  	pubKeyIndicesMap := make(map[int]int)
   363  
   364  	// We need to copy these in a slightly annoying way to work around
   365  	// the negative index hack. In V3 readers always have their ePubKey
   366  	// in the TLFReaderEphemeralPublicKeys list. In V2 they only do if
   367  	// the index is negative. Otherwise it's in the writer's list.
   368  	for uid, dkim := range rkb.RKeys {
   369  		dkimV3 := make(DeviceKeyInfoMapV3)
   370  		for kid, info := range dkim {
   371  			var infoCopy TLFCryptKeyInfo
   372  			err := kbfscodec.Update(codec, &infoCopy, info)
   373  			if err != nil {
   374  				return TLFReaderKeyBundleV3{}, err
   375  			}
   376  
   377  			keyLocation, index, ePubKey, err :=
   378  				GetEphemeralPublicKeyInfoV2(info, wkb, rkb)
   379  			if err != nil {
   380  				return TLFReaderKeyBundleV3{}, err
   381  			}
   382  
   383  			switch keyLocation {
   384  			case WriterEPubKeys:
   385  				// Map the old index in the writer list to a new index
   386  				// at the end of the reader list.
   387  				newIndex, ok := pubKeyIndicesMap[index]
   388  				if !ok {
   389  					rkbV3.TLFEphemeralPublicKeys =
   390  						append(rkbV3.TLFEphemeralPublicKeys, ePubKey)
   391  					// TODO: This index depends on
   392  					// map iteration order, which
   393  					// varies. Impose a consistent
   394  					// order on these indices.
   395  					newIndex = len(rkbV3.TLFEphemeralPublicKeys) - 1
   396  					pubKeyIndicesMap[index] = newIndex
   397  				}
   398  				infoCopy.EPubKeyIndex = newIndex
   399  			case ReaderEPubKeys:
   400  				// Use the real index in the reader list.
   401  				infoCopy.EPubKeyIndex = index
   402  			default:
   403  				return TLFReaderKeyBundleV3{}, fmt.Errorf("Unknown key location %s", keyLocation)
   404  			}
   405  			dkimV3[kbfscrypto.MakeCryptPublicKey(kid)] = infoCopy
   406  		}
   407  		rkbV3.Keys[uid] = dkimV3
   408  	}
   409  	return rkbV3, nil
   410  }