github.com/keybase/client/go@v0.0.0-20241007131713-f10651d043c8/libkb/sync_secret.go (about)

     1  // Copyright 2015 Keybase, Inc. All rights reserved. Use of
     2  // this source code is governed by the included BSD license.
     3  
     4  // A module for syncing secrets with the server, such as SKB PGP keys,
     5  // and server-halves of our various secret keys.
     6  package libkb
     7  
     8  import (
     9  	"fmt"
    10  	"strings"
    11  	"sync"
    12  
    13  	keybase1 "github.com/keybase/client/go/protocol/keybase1"
    14  )
    15  
    16  type ServerPrivateKey struct {
    17  	Kid     string  `json:"kid"`
    18  	KeyType KeyType `json:"key_type"`
    19  	Bundle  string  `json:"bundle"`
    20  	Mtime   int     `json:"mtime"`
    21  	Ctime   int     `json:"ctime"`
    22  	KeyBits int     `json:"key_bits"`
    23  	KeyAlgo int     `json:"key_algo"`
    24  }
    25  
    26  type ServerPrivateKeyMap map[string]ServerPrivateKey
    27  
    28  type DeviceKey struct {
    29  	Type          keybase1.DeviceTypeV2 `json:"type"`
    30  	CTime         int64                 `json:"ctime"`
    31  	MTime         int64                 `json:"mtime"`
    32  	Description   string                `json:"name"`
    33  	Status        int                   `json:"status"`
    34  	LksServerHalf string                `json:"lks_server_half"`
    35  	PPGen         PassphraseGeneration  `json:"passphrase_generation"`
    36  	LastUsedTime  int64                 `json:"last_used_time"`
    37  }
    38  
    39  func (d DeviceKey) Display() string {
    40  	if d.Type == keybase1.DeviceTypeV2_PAPER {
    41  		// XXX not sure if we need to support our existing paper keys, but without this
    42  		// someone is surely going to complain:
    43  		if strings.HasPrefix(d.Description, "Paper Key") {
    44  			return d.Description
    45  		}
    46  		return fmt.Sprintf("Paper Key (%s...)", d.Description)
    47  	}
    48  	return d.Description
    49  }
    50  
    51  type DeviceKeyMap map[keybase1.DeviceID]DeviceKey
    52  
    53  type ServerPrivateKeys struct {
    54  	Status      APIStatus           `json:"status"`
    55  	Version     int                 `json:"version"`
    56  	Mtime       *int                `json:"mtime"`
    57  	PrivateKeys ServerPrivateKeyMap `json:"private_keys"` // note these are only PGP keys
    58  	Devices     DeviceKeyMap        `json:"devices"`
    59  }
    60  
    61  type SecretSyncer struct {
    62  	sync.Mutex
    63  	Contextified
    64  	dirty bool
    65  	keys  *ServerPrivateKeys
    66  }
    67  
    68  type DeviceTypeSet map[keybase1.DeviceTypeV2]bool
    69  
    70  var DefaultDeviceTypes = DeviceTypeSet{
    71  	keybase1.DeviceTypeV2_DESKTOP: true,
    72  	keybase1.DeviceTypeV2_MOBILE:  true,
    73  }
    74  
    75  var AllDeviceTypes = DeviceTypeSet{
    76  	keybase1.DeviceTypeV2_DESKTOP: true,
    77  	keybase1.DeviceTypeV2_MOBILE:  true,
    78  	keybase1.DeviceTypeV2_PAPER:   true,
    79  }
    80  
    81  func NewSecretSyncer(g *GlobalContext) *SecretSyncer {
    82  	return &SecretSyncer{
    83  		Contextified: NewContextified(g),
    84  	}
    85  }
    86  
    87  func (ss *SecretSyncer) Clear() error {
    88  	ss.keys = nil
    89  
    90  	return nil
    91  }
    92  
    93  func (ss *SecretSyncer) loadFromStorage(m MetaContext, uid keybase1.UID, useExpiration bool) (err error) {
    94  	var tmp ServerPrivateKeys
    95  	var found bool
    96  	found, err = ss.G().LocalDb.GetInto(&tmp, ss.dbKey(uid))
    97  	m.Debug("| loadFromStorage -> found=%v, err=%s", found, ErrToOk(err))
    98  	if err != nil {
    99  		return err
   100  	}
   101  	if !found {
   102  		m.Debug("| Loaded empty record set")
   103  		return nil
   104  	}
   105  	if ss.cachedSyncedSecretsOutOfDate(&tmp) {
   106  		m.Debug("| Synced secrets out of date")
   107  		return nil
   108  	}
   109  
   110  	// only set ss.keys to something if found.
   111  	//
   112  	// This is part of keybase-issues#1783:  an (old) user with a synced
   113  	// private key fell back to gpg instead of using a synced key.
   114  	//
   115  
   116  	m.Debug("| Loaded version %d", tmp.Version)
   117  	ss.keys = &tmp
   118  
   119  	return nil
   120  }
   121  
   122  func (ss *SecretSyncer) syncFromServer(m MetaContext, uid keybase1.UID, forceReload bool) (err error) {
   123  	hargs := HTTPArgs{}
   124  
   125  	if ss.keys != nil && !forceReload {
   126  		m.Debug("| adding version %d to fetch_private call", ss.keys.Version)
   127  		hargs.Add("version", I{ss.keys.Version})
   128  	}
   129  	var res *APIRes
   130  	res, err = ss.G().API.Get(m, APIArg{
   131  		Endpoint:    "key/fetch_private",
   132  		Args:        hargs,
   133  		SessionType: APISessionTypeREQUIRED,
   134  		RetryCount:  5, // It's pretty bad to fail this, so retry.
   135  	})
   136  	m.Debug("| syncFromServer -> %s", ErrToOk(err))
   137  	if err != nil {
   138  		return
   139  	}
   140  
   141  	var obj ServerPrivateKeys
   142  	if err = res.Body.UnmarshalAgain(&obj); err != nil {
   143  		return
   144  	}
   145  
   146  	m.Debug("| Returned object: {Status: %v, Version: %d, #pgpkeys: %d, #devices: %d}", obj.Status, obj.Version, len(obj.PrivateKeys), len(obj.Devices))
   147  	if forceReload || ss.keys == nil || obj.Version > ss.keys.Version {
   148  		m.Debug("| upgrade to version -> %d", obj.Version)
   149  		ss.keys = &obj
   150  		ss.dirty = true
   151  	} else {
   152  		m.Debug("| not changing synced keys: synced version %d not newer than existing version %d", obj.Version, ss.keys.Version)
   153  	}
   154  
   155  	return
   156  }
   157  
   158  func (ss *SecretSyncer) dbKey(uid keybase1.UID) DbKey {
   159  	return DbKeyUID(DBUserSecretKeys, uid)
   160  }
   161  
   162  func (ss *SecretSyncer) store(m MetaContext, uid keybase1.UID) (err error) {
   163  	if !ss.dirty {
   164  		return
   165  	}
   166  	if err = m.G().LocalDb.PutObj(ss.dbKey(uid), nil, ss.keys); err != nil {
   167  		return
   168  	}
   169  	ss.dirty = false
   170  	return
   171  }
   172  
   173  // FindActiveKey examines the synced keys, looking for one that's currently
   174  // active. The key will be chosen at random due to non-deterministic order of
   175  // FindActiveKeys output.
   176  // Returns ret=nil if none was found.
   177  func (ss *SecretSyncer) FindActiveKey(ckf *ComputedKeyFamily) (ret *SKB, err error) {
   178  	keys, err := ss.FindActiveKeys(ckf)
   179  	if err != nil {
   180  		return nil, err
   181  	}
   182  	if len(keys) == 0 {
   183  		return nil, nil
   184  	}
   185  	ss.G().Log.Debug("NOTE: calling SecretSyncer.FindActiveKey: returning first secret key from randomly ordered map", err)
   186  	return keys[0], nil
   187  }
   188  
   189  // FindActiveKey examines the synced keys, and returns keys that are currently
   190  // active.
   191  func (ss *SecretSyncer) FindActiveKeys(ckf *ComputedKeyFamily) (ret []*SKB, err error) {
   192  	ss.Lock()
   193  	defer ss.Unlock()
   194  
   195  	if ss.keys == nil {
   196  		return ret, nil
   197  	}
   198  	for _, key := range ss.keys.PrivateKeys {
   199  		keyRet, err := key.FindActiveKey(ss.G(), ckf)
   200  		if err != nil {
   201  			ss.G().Log.Debug("SecretSyncer.FindActiveKeys: error from key.FindActiveKey, skipping key: %s", err)
   202  		} else {
   203  			ret = append(ret, keyRet)
   204  		}
   205  	}
   206  	return ret, nil
   207  }
   208  
   209  // AllActiveKeys returns all the active synced PGP keys.
   210  func (ss *SecretSyncer) AllActiveKeys(ckf *ComputedKeyFamily) []*SKB {
   211  	ss.Lock()
   212  	defer ss.Unlock()
   213  	var res []*SKB
   214  	for _, key := range ss.keys.PrivateKeys {
   215  		if ret, _ := key.FindActiveKey(ss.G(), ckf); ret != nil {
   216  			res = append(res, ret)
   217  		}
   218  	}
   219  	return res
   220  }
   221  
   222  func (ss *SecretSyncer) FindPrivateKey(kid string) (ServerPrivateKey, bool) {
   223  	ss.Lock()
   224  	defer ss.Unlock()
   225  	k, ok := ss.keys.PrivateKeys[kid]
   226  	return k, ok
   227  }
   228  
   229  func (k *ServerPrivateKey) FindActiveKey(g *GlobalContext, ckf *ComputedKeyFamily) (ret *SKB, err error) {
   230  	kid := keybase1.KIDFromString(k.Kid)
   231  	if ckf.GetKeyRole(kid) != DLGSibkey {
   232  		return
   233  	}
   234  	if ret, err = DecodeArmoredSKBPacket(k.Bundle); err != nil {
   235  		return
   236  	}
   237  	ret.SetGlobalContext(g)
   238  	return ret, nil
   239  }
   240  
   241  func (ss *SecretSyncer) FindDevice(id keybase1.DeviceID) (DeviceKey, error) {
   242  	ss.Lock()
   243  	defer ss.Unlock()
   244  	if ss.keys == nil {
   245  		return DeviceKey{}, DeviceNotFoundError{"SecretSyncer", id, false}
   246  	}
   247  	dev, ok := ss.keys.Devices[id]
   248  	if !ok {
   249  		return DeviceKey{}, DeviceNotFoundError{"SecretSyncer", id, true}
   250  	}
   251  	return dev, nil
   252  }
   253  
   254  func (ss *SecretSyncer) AllDevices() DeviceKeyMap {
   255  	ss.Lock()
   256  	defer ss.Unlock()
   257  	if ss.keys == nil {
   258  		return nil
   259  	}
   260  	return ss.keys.Devices
   261  }
   262  
   263  func (ss *SecretSyncer) HasDevices() bool {
   264  	if ss.keys == nil {
   265  		return false
   266  	}
   267  	return len(ss.keys.Devices) > 0
   268  }
   269  
   270  func (ss *SecretSyncer) Devices() (DeviceKeyMap, error) {
   271  	ss.Lock()
   272  	defer ss.Unlock()
   273  	if ss.keys == nil {
   274  		return nil, fmt.Errorf("no keys")
   275  	}
   276  	return ss.keys.Devices, nil
   277  }
   278  
   279  // IsDeviceNameTaken returns true if a desktop or mobile device is
   280  // using a name already.
   281  func (ss *SecretSyncer) IsDeviceNameTaken(name string, includeTypesSet DeviceTypeSet) bool {
   282  	devs, err := ss.ActiveDevices(includeTypesSet)
   283  	if err != nil {
   284  		return false
   285  	}
   286  	for _, v := range devs {
   287  		if NameCmp(v.Description, name) {
   288  			return true
   289  		}
   290  	}
   291  	return false
   292  }
   293  
   294  // HasActiveDevice returns true if there is an active desktop or
   295  // mobile device available.
   296  func (ss *SecretSyncer) HasActiveDevice(includeTypesSet DeviceTypeSet) (bool, error) {
   297  	devs, err := ss.ActiveDevices(includeTypesSet)
   298  	if err != nil {
   299  		return false, err
   300  	}
   301  	return len(devs) > 0, nil
   302  }
   303  
   304  // ActiveDevices returns all the active desktop and mobile devices.
   305  func (ss *SecretSyncer) ActiveDevices(includeTypesSet DeviceTypeSet) (DeviceKeyMap, error) {
   306  	ss.Lock()
   307  	defer ss.Unlock()
   308  	if ss.keys == nil {
   309  		return nil, fmt.Errorf("no keys")
   310  	}
   311  
   312  	if includeTypesSet == nil {
   313  		return nil, fmt.Errorf("need valid includeTypesSet")
   314  	}
   315  
   316  	res := make(DeviceKeyMap)
   317  	for k, v := range ss.keys.Devices {
   318  		if v.Status != DeviceStatusActive {
   319  			continue
   320  		}
   321  
   322  		if includeTypesSet[v.Type] {
   323  			res[k] = v
   324  		}
   325  	}
   326  	return res, nil
   327  }
   328  
   329  func (ss *SecretSyncer) DumpPrivateKeys() {
   330  	ss.Lock()
   331  	defer ss.Unlock()
   332  	for s, key := range ss.keys.PrivateKeys {
   333  		ss.G().Log.Info("Private key: %s", s)
   334  		ss.G().Log.Info("  -- kid: %s, keytype: %d, bits: %d, algo: %d", key.Kid, key.KeyType, key.KeyBits, key.KeyAlgo)
   335  	}
   336  }
   337  
   338  // As we add more fields to the data we're caching here, we need to detect the
   339  // cases where our cached data is missing the new fields. We can extend this
   340  // function with more cases as we add more fields.
   341  func (ss *SecretSyncer) cachedSyncedSecretsOutOfDate(cached *ServerPrivateKeys) bool {
   342  	for _, dev := range cached.Devices {
   343  		if dev.LastUsedTime == 0 {
   344  			ss.G().Log.Debug("cachedSyncedSecretsOutOfDate noticed a cached device with no last used time")
   345  			return true
   346  		}
   347  	}
   348  	return false
   349  }
   350  
   351  func (k ServerPrivateKey) ToSKB(gc *GlobalContext) (*SKB, error) {
   352  	if k.KeyType != KeyTypeP3skbPrivate {
   353  		return nil, fmt.Errorf("invalid key type for skb conversion: %d", k.KeyType)
   354  	}
   355  	skb, err := DecodeArmoredSKBPacket(k.Bundle)
   356  	if err != nil {
   357  		return nil, err
   358  	}
   359  	return skb, nil
   360  }
   361  
   362  func (ss *SecretSyncer) needsLogin(m MetaContext) bool { return true }
   363  
   364  func (d DeviceKey) ToLKSec() (LKSecServerHalf, error) {
   365  	return NewLKSecServerHalfFromHex(d.LksServerHalf)
   366  }