github.com/keybase/client/go@v0.0.0-20241007131713-f10651d043c8/teams/appkeys.go (about)

     1  package teams
     2  
     3  import (
     4  	"errors"
     5  	"fmt"
     6  
     7  	"github.com/keybase/client/go/libkb"
     8  	"github.com/keybase/client/go/protocol/keybase1"
     9  )
    10  
    11  func AllApplicationKeys(mctx libkb.MetaContext, team Teamer,
    12  	application keybase1.TeamApplication, latestGen keybase1.PerTeamKeyGeneration) (res []keybase1.TeamApplicationKey, err error) {
    13  	defer mctx.Trace("teams.AllApplicationKeys", &err)()
    14  	for gen := keybase1.PerTeamKeyGeneration(1); gen <= latestGen; gen++ {
    15  		appKey, err := ApplicationKeyAtGeneration(mctx, team, application, gen)
    16  		if err != nil {
    17  			return res, err
    18  		}
    19  		res = append(res, appKey)
    20  	}
    21  	return res, nil
    22  
    23  }
    24  
    25  func AllApplicationKeysWithKBFS(mctx libkb.MetaContext, team Teamer,
    26  	application keybase1.TeamApplication, latestGen keybase1.PerTeamKeyGeneration) (res []keybase1.TeamApplicationKey, err error) {
    27  	teamKeys, err := AllApplicationKeys(mctx, team, application, latestGen)
    28  	if err != nil {
    29  		return res, err
    30  	}
    31  	var kbfsKeys []keybase1.CryptKey
    32  	if team.MainChain() != nil {
    33  		kbfsKeys = team.MainChain().TlfCryptKeys[application]
    34  	}
    35  	if len(kbfsKeys) > 0 {
    36  		latestKBFSGen := kbfsKeys[len(kbfsKeys)-1].Generation()
    37  		for _, k := range kbfsKeys {
    38  			res = append(res, keybase1.TeamApplicationKey{
    39  				Application:   application,
    40  				KeyGeneration: keybase1.PerTeamKeyGeneration(k.KeyGeneration),
    41  				Key:           k.Key,
    42  			})
    43  		}
    44  		for _, tk := range teamKeys {
    45  			res = append(res, keybase1.TeamApplicationKey{
    46  				Application:   application,
    47  				KeyGeneration: keybase1.PerTeamKeyGeneration(tk.Generation() + latestKBFSGen),
    48  				Key:           tk.Key,
    49  			})
    50  		}
    51  	} else {
    52  		res = teamKeys
    53  	}
    54  	return res, nil
    55  }
    56  
    57  func ApplicationKeyAtGeneration(mctx libkb.MetaContext, team Teamer,
    58  	application keybase1.TeamApplication, generation keybase1.PerTeamKeyGeneration) (res keybase1.TeamApplicationKey, err error) {
    59  
    60  	item, err := GetAndVerifyPerTeamKey(mctx, team, generation)
    61  	if err != nil {
    62  		return res, err
    63  	}
    64  
    65  	var rkm *keybase1.ReaderKeyMask
    66  	if UseRKMForApp(application) {
    67  		rkmReal, err := readerKeyMask(team.MainChain(), application, generation)
    68  		if err != nil {
    69  			return res, err
    70  		}
    71  		rkm = &rkmReal
    72  	} else {
    73  		var zeroMask [32]byte
    74  		zeroRKM := keybase1.ReaderKeyMask{
    75  			Application: application,
    76  			Generation:  generation,
    77  			Mask:        zeroMask[:],
    78  		}
    79  		rkm = &zeroRKM
    80  	}
    81  
    82  	return applicationKeyForMask(*rkm, item.Seed)
    83  }
    84  
    85  func ApplicationKeyAtGenerationWithKBFS(mctx libkb.MetaContext, team Teamer,
    86  	application keybase1.TeamApplication, generation keybase1.PerTeamKeyGeneration) (res keybase1.TeamApplicationKey, err error) {
    87  
    88  	var kbfsKeys []keybase1.CryptKey
    89  	if team.MainChain() != nil {
    90  		kbfsKeys = team.MainChain().TlfCryptKeys[application]
    91  	}
    92  	if len(kbfsKeys) > 0 {
    93  		latestKBFSGen := keybase1.PerTeamKeyGeneration(kbfsKeys[len(kbfsKeys)-1].Generation())
    94  		for _, k := range kbfsKeys {
    95  			if k.Generation() == int(generation) {
    96  				return keybase1.TeamApplicationKey{
    97  					Application:   application,
    98  					KeyGeneration: generation,
    99  					Key:           k.Key,
   100  				}, nil
   101  			}
   102  		}
   103  		if res, err = ApplicationKeyAtGeneration(mctx, team, application, generation-latestKBFSGen); err != nil {
   104  			return res, err
   105  		}
   106  		res.KeyGeneration += latestKBFSGen
   107  		return res, nil
   108  	}
   109  	return ApplicationKeyAtGeneration(mctx, team, application, generation)
   110  }
   111  
   112  func UseRKMForApp(application keybase1.TeamApplication) bool {
   113  	switch application {
   114  	case keybase1.TeamApplication_SEITAN_INVITE_TOKEN:
   115  		// Seitan tokens do not use RKMs because implicit admins have all the privileges of explicit members.
   116  		return false
   117  	default:
   118  		return true
   119  	}
   120  }
   121  
   122  func applicationKeyForMask(mask keybase1.ReaderKeyMask, secret keybase1.PerTeamKeySeed) (keybase1.TeamApplicationKey, error) {
   123  	if secret.IsZero() {
   124  		return keybase1.TeamApplicationKey{}, errors.New("nil shared secret in Team#applicationKeyForMask")
   125  	}
   126  	var derivationString string
   127  	switch mask.Application {
   128  	case keybase1.TeamApplication_KBFS:
   129  		derivationString = libkb.TeamKBFSDerivationString
   130  	case keybase1.TeamApplication_CHAT:
   131  		derivationString = libkb.TeamChatDerivationString
   132  	case keybase1.TeamApplication_SALTPACK:
   133  		derivationString = libkb.TeamSaltpackDerivationString
   134  	case keybase1.TeamApplication_GIT_METADATA:
   135  		derivationString = libkb.TeamGitMetadataDerivationString
   136  	case keybase1.TeamApplication_SEITAN_INVITE_TOKEN:
   137  		derivationString = libkb.TeamSeitanTokenDerivationString
   138  	case keybase1.TeamApplication_STELLAR_RELAY:
   139  		derivationString = libkb.TeamStellarRelayDerivationString
   140  	case keybase1.TeamApplication_KVSTORE:
   141  		derivationString = libkb.TeamKVStoreDerivationString
   142  	default:
   143  		return keybase1.TeamApplicationKey{}, fmt.Errorf("unrecognized application id: %v", mask.Application)
   144  	}
   145  
   146  	key := keybase1.TeamApplicationKey{
   147  		Application:   mask.Application,
   148  		KeyGeneration: mask.Generation,
   149  	}
   150  
   151  	if len(mask.Mask) != 32 {
   152  		return keybase1.TeamApplicationKey{}, fmt.Errorf("mask length: %d, expected 32", len(mask.Mask))
   153  	}
   154  
   155  	secBytes := make([]byte, len(mask.Mask))
   156  	n := libkb.XORBytes(secBytes, derivedSecret(secret, derivationString), mask.Mask)
   157  	if n != 32 {
   158  		return key, errors.New("invalid derived secret xor mask size")
   159  	}
   160  	copy(key.Key[:], secBytes)
   161  
   162  	return key, nil
   163  }
   164  
   165  func readerKeyMask(teamData *keybase1.TeamData,
   166  	application keybase1.TeamApplication, generation keybase1.PerTeamKeyGeneration) (res keybase1.ReaderKeyMask, err error) {
   167  
   168  	if teamData == nil {
   169  		return res, NewKeyMaskNotFoundErrorForApplication(application)
   170  	}
   171  
   172  	m2, ok := teamData.ReaderKeyMasks[application]
   173  	if !ok {
   174  		return res, NewKeyMaskNotFoundErrorForApplication(application)
   175  	}
   176  	mask, ok := m2[generation]
   177  	if !ok {
   178  		return res, NewKeyMaskNotFoundErrorForApplicationAndGeneration(application, generation)
   179  	}
   180  	return keybase1.ReaderKeyMask{
   181  		Application: application,
   182  		Generation:  generation,
   183  		Mask:        mask,
   184  	}, nil
   185  }