mirrors
/
nextcloud
kopia lustrzana https://github.com/nextcloud/server.git
Obserwuj 1
Gwiazdka 0
Forkuj 0
Kod Problemy 0 Wydania 993 Wiki Aktywność
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
23709 Commity
415 Gałęzie
Drzewo: b585d87d9d
Gałęzie Tagi
${ item.name }
Utwórz gałąź ${ searchTerm }
z 'b585d87d9d'
${ noResults }
nextcloud/apps/files_encryption/lib/keymanager.php

keymanager.php 14KB
Czysty Blame Historia

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500 
  1. <?php

  2. /**

  3.  * @author Björn Schießle <schiessle@owncloud.com>

  4.  * @author Christopher Schäpers <kondou@ts.unde.re>

  5.  * @author Florin Peter <github@florin-peter.de>

  6.  * @author Joas Schilling <nickvergessen@owncloud.com>

  7.  * @author Jörn Friedrich Dreyer <jfd@butonic.de>

  8.  * @author Morris Jobke <hey@morrisjobke.de>

  9.  * @author Robin Appelman <icewind@owncloud.com>

  10.  * @author Robin McCorkell <rmccorkell@karoshi.org.uk>

  11.  * @author Sam Tuke <mail@samtuke.com>

  12.  * @author Thomas Müller <thomas.mueller@tmit.eu>

  13.  * @author Vincent Petry <pvince81@owncloud.com>

  14.  *

  15.  * @copyright Copyright (c) 2015, ownCloud, Inc.

  16.  * @license AGPL-3.0

  17.  *

  18.  * This code is free software: you can redistribute it and/or modify

  19.  * it under the terms of the GNU Affero General Public License, version 3,

  20.  * as published by the Free Software Foundation.

  21.  *

  22.  * This program is distributed in the hope that it will be useful,

  23.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  24.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

  25.  * GNU Affero General Public License for more details.

  26.  *

  27.  * You should have received a copy of the GNU Affero General Public License, version 3,

  28.  * along with this program.  If not, see <http://www.gnu.org/licenses/>

  29.  *

  30.  */

  31. 

  32. namespace OCA\Files_Encryption;

  33. 

  34. /**

  35.  * Class to manage storage and retrieval of encryption keys

  36.  * @note Where a method requires a view object, it's root must be '/'

  37.  */

  38. class Keymanager {

  39. 

  40. 	// base dir where all the file related keys are stored

  41. 	private static $keys_base_dir = '/files_encryption/keys/';

  42. 	private static $encryption_base_dir = '/files_encryption';

  43. 	private static $public_key_dir = '/files_encryption/public_keys';

  44. 

  45. 	private static $key_cache = array(); // cache keys

  46. 

  47. 	/**

  48. 	 * read key from hard disk

  49. 	 *

  50. 	 * @param string $path to key

  51. 	 * @param \OC\Files\View $view

  52. 	 * @return string|bool either the key or false

  53. 	 */

  54. 	private static function getKey($path, $view) {

  55. 

  56. 		$key = false;

  57. 

  58. 		if (isset(self::$key_cache[$path])) {

  59. 			$key =  self::$key_cache[$path];

  60. 		} else {

  61. 

  62. 			/** @var \OCP\Files\Storage $storage */

  63. 			list($storage, $internalPath) = $view->resolvePath($path);

  64. 

  65. 			if ($storage->file_exists($internalPath)) {

  66. 				$key = $storage->file_get_contents($internalPath);

  67. 				self::$key_cache[$path] = $key;

  68. 			}

  69. 

  70. 		}

  71. 

  72. 		return $key;

  73. 	}

  74. 

  75. 	/**

  76. 	 * write key to disk

  77. 	 *

  78. 	 *

  79. 	 * @param string $path path to key directory

  80. 	 * @param string $name key name

  81. 	 * @param string $key key

  82. 	 * @param \OC\Files\View $view

  83. 	 * @return bool

  84. 	 */

  85. 	private static function setKey($path, $name, $key, $view) {

  86. 		self::keySetPreparation($view, $path);

  87. 

  88. 		/** @var \OCP\Files\Storage $storage */

  89. 		$pathToKey = \OC\Files\Filesystem::normalizePath($path . '/' . $name);

  90. 		list($storage, $internalPath) = \OC\Files\Filesystem::resolvePath($pathToKey);

  91. 		$result = $storage->file_put_contents($internalPath, $key);

  92. 

  93. 		if (is_int($result) && $result > 0) {

  94. 			self::$key_cache[$pathToKey] = $key;

  95. 			return true;

  96. 		}

  97. 

  98. 		return false;

  99. 	}

  100. 

  101. 	/**

  102. 	 * retrieve the ENCRYPTED private key from a user

  103. 	 *

  104. 	 * @param \OC\Files\View $view

  105. 	 * @param string $user

  106. 	 * @return string private key or false (hopefully)

  107. 	 * @note the key returned by this method must be decrypted before use

  108. 	 */

  109. 	public static function getPrivateKey(\OC\Files\View $view, $user) {

  110. 		$path = '/' . $user . '/' . 'files_encryption' . '/' . $user . '.privateKey';

  111. 		return self::getKey($path, $view);

  112. 	}

  113. 

  114. 	/**

  115. 	 * retrieve public key for a specified user

  116. 	 * @param \OC\Files\View $view

  117. 	 * @param string $userId

  118. 	 * @return string public key or false

  119. 	 */

  120. 	public static function getPublicKey(\OC\Files\View $view, $userId) {

  121. 		$path = self::$public_key_dir . '/' . $userId . '.publicKey';

  122. 		return self::getKey($path, $view);

  123. 	}

  124. 

  125. 	public static function getPublicKeyPath() {

  126. 		return self::$public_key_dir;

  127. 	}

  128. 

  129. 	/**

  130. 	 * Retrieve a user's public and private key

  131. 	 * @param \OC\Files\View $view

  132. 	 * @param string $userId

  133. 	 * @return array keys: privateKey, publicKey

  134. 	 */

  135. 	public static function getUserKeys(\OC\Files\View $view, $userId) {

  136. 

  137. 		return array(

  138. 			'publicKey' => self::getPublicKey($view, $userId),

  139. 			'privateKey' => self::getPrivateKey($view, $userId)

  140. 		);

  141. 

  142. 	}

  143. 

  144. 	/**

  145. 	 * Retrieve public keys for given users

  146. 	 * @param \OC\Files\View $view

  147. 	 * @param array $userIds

  148. 	 * @return array of public keys for the specified users

  149. 	 */

  150. 	public static function getPublicKeys(\OC\Files\View $view, array $userIds) {

  151. 

  152. 		$keys = array();

  153. 		foreach ($userIds as $userId) {

  154. 			$keys[$userId] = self::getPublicKey($view, $userId);

  155. 		}

  156. 

  157. 		return $keys;

  158. 

  159. 	}

  160. 

  161. 	/**

  162. 	 * store file encryption key

  163. 	 *

  164. 	 * @param \OC\Files\View $view

  165. 	 * @param \OCA\Files_Encryption\Util $util

  166. 	 * @param string $path relative path of the file, including filename

  167. 	 * @param string $catfile keyfile content

  168. 	 * @return bool true/false

  169. 	 * @note The keyfile is not encrypted here. Client code must

  170. 	 * asymmetrically encrypt the keyfile before passing it to this method

  171. 	 */

  172. 	public static function setFileKey(\OC\Files\View $view, $util, $path, $catfile) {

  173. 		$path = self::getKeyPath($view, $util, $path);

  174. 		return self::setKey($path, 'fileKey', $catfile, $view);

  175. 

  176. 	}

  177. 

  178. 	/**

  179. 	 * get path to key folder for a given file

  180. 	 *

  181. 	 * @param \OC\Files\View $view relative to data directory

  182. 	 * @param \OCA\Files_Encryption\Util $util

  183. 	 * @param string $path path to the file, relative to the users file directory

  184. 	 * @return string

  185. 	 */

  186. 	public static function getKeyPath($view, $util, $path) {

  187. 

  188. 		if ($view->is_dir('/' . \OCP\User::getUser() . '/' . $path)) {

  189. 			throw new Exception\EncryptionException('file was expected but directoy was given', Exception\EncryptionException::GENERIC);

  190. 		}

  191. 

  192. 		list($owner, $filename) = $util->getUidAndFilename($path);

  193. 		$filename = Helper::stripPartialFileExtension($filename);

  194. 		$filePath_f = ltrim($filename, '/');

  195. 

  196. 		// in case of system wide mount points the keys are stored directly in the data directory

  197. 		if ($util->isSystemWideMountPoint($filename)) {

  198. 			$keyPath = self::$keys_base_dir . $filePath_f . '/';

  199. 		} else {

  200. 			$keyPath = '/' . $owner . self::$keys_base_dir . $filePath_f . '/';

  201. 		}

  202. 

  203. 		return $keyPath;

  204. 	}

  205. 

  206. 	/**

  207. 	 * get path to file key for a given file

  208. 	 *

  209. 	 * @param \OC\Files\View $view relative to data directory

  210. 	 * @param \OCA\Files_Encryption\Util $util

  211. 	 * @param string $path path to the file, relative to the users file directory

  212. 	 * @return string

  213. 	 */

  214. 	public static function getFileKeyPath($view, $util, $path) {

  215. 		$keyDir = self::getKeyPath($view, $util, $path);

  216. 		return $keyDir . 'fileKey';

  217. 	}

  218. 

  219. 	/**

  220. 	 * get path to share key for a given user

  221. 	 *

  222. 	 * @param \OC\Files\View $view relateive to data directory

  223. 	 * @param \OCA\Files_Encryption\Util $util

  224. 	 * @param string $path path to file relative to the users files directoy

  225. 	 * @param string $uid user for whom we want the share-key path

  226. 	 * @retrun string

  227. 	 */

  228. 	public static function getShareKeyPath($view, $util, $path, $uid) {

  229. 		$keyDir = self::getKeyPath($view, $util, $path);

  230. 		return $keyDir . $uid . '.shareKey';

  231. 	}

  232. 

  233. 	/**

  234. 	 * delete key

  235. 	 *

  236. 	 * @param \OC\Files\View $view

  237. 	 * @param string $path

  238. 	 * @return boolean

  239. 	 */

  240. 	private static function deleteKey($view, $path) {

  241. 		$normalizedPath = \OC\Files\Filesystem::normalizePath($path);

  242. 		$result = $view->unlink($normalizedPath);

  243. 

  244. 		if ($result) {

  245. 			unset(self::$key_cache[$normalizedPath]);

  246. 			return true;

  247. 		}

  248. 

  249. 		return false;

  250. 	}

  251. 

  252. 	/**

  253. 	 * delete public key from a given user

  254. 	 *

  255. 	 * @param \OC\Files\View $view

  256. 	 * @param string $uid user

  257. 	 * @return bool

  258. 	 */

  259. 	public static function deletePublicKey($view, $uid) {

  260. 

  261. 		$result = false;

  262. 

  263. 		if (!\OCP\User::userExists($uid)) {

  264. 			$publicKey = self::$public_key_dir . '/' . $uid . '.publicKey';

  265. 			self::deleteKey($view, $publicKey);

  266. 		}

  267. 

  268. 		return $result;

  269. 	}

  270. 

  271. 	/**

  272. 	 * check if public key for user exists

  273. 	 *

  274. 	 * @param \OC\Files\View $view

  275. 	 * @param string $uid

  276. 	 */

  277. 	public static function publicKeyExists($view, $uid) {

  278. 		return $view->file_exists(self::$public_key_dir . '/'. $uid . '.publicKey');

  279. 	}

  280. 

  281. 

  282. 

  283. 	/**

  284. 	 * retrieve keyfile for an encrypted file

  285. 	 * @param \OC\Files\View $view

  286. 	 * @param \OCA\Files_Encryption\Util $util

  287. 	 * @param string|false $filePath

  288. 	 * @return string file key or false

  289. 	 * @note The keyfile returned is asymmetrically encrypted. Decryption

  290. 	 * of the keyfile must be performed by client code

  291. 	 */

  292. 	public static function getFileKey($view, $util, $filePath) {

  293. 		$path = self::getFileKeyPath($view, $util, $filePath);

  294. 		return self::getKey($path, $view);

  295. 	}

  296. 

  297. 	/**

  298. 	 * store private key from the user

  299. 	 * @param string $key

  300. 	 * @return bool

  301. 	 * @note Encryption of the private key must be performed by client code

  302. 	 * as no encryption takes place here

  303. 	 */

  304. 	public static function setPrivateKey($key, $user = '') {

  305. 

  306. 		$user = $user === '' ? \OCP\User::getUser() : $user;

  307. 		$path = '/' . $user . '/files_encryption';

  308. 		$header = Crypt::generateHeader();

  309. 

  310. 		return self::setKey($path, $user . '.privateKey', $header . $key, new \OC\Files\View());

  311. 

  312. 	}

  313. 

  314. 	/**

  315. 	 * check if recovery key exists

  316. 	 *

  317. 	 * @param \OC\Files\View $view

  318. 	 * @return bool

  319. 	 */

  320. 	public static function recoveryKeyExists($view) {

  321. 

  322. 		$result = false;

  323. 

  324. 		$recoveryKeyId = Helper::getRecoveryKeyId();

  325. 		if ($recoveryKeyId) {

  326. 			$result = ($view->file_exists(self::$public_key_dir . '/' . $recoveryKeyId . ".publicKey")

  327. 					&& $view->file_exists(self::$encryption_base_dir . '/' . $recoveryKeyId . ".privateKey"));

  328. 		}

  329. 

  330. 		return $result;

  331. 	}

  332. 

  333. 	public static function publicShareKeyExists($view) {

  334. 		$result = false;

  335. 

  336. 		$publicShareKeyId = Helper::getPublicShareKeyId();

  337. 		if ($publicShareKeyId) {

  338. 			$result = ($view->file_exists(self::$public_key_dir . '/' . $publicShareKeyId . ".publicKey")

  339. 					&& $view->file_exists(self::$encryption_base_dir . '/' . $publicShareKeyId . ".privateKey"));

  340. 

  341. 		}

  342. 

  343. 		return $result;

  344. 	}

  345. 

  346. 	/**

  347. 	 * store public key from the user

  348. 	 * @param string $key

  349. 	 * @param string $user

  350. 	 *

  351. 	 * @return bool

  352. 	 */

  353. 	public static function setPublicKey($key, $user = '') {

  354. 

  355. 		$user = $user === '' ? \OCP\User::getUser() : $user;

  356. 

  357. 		return self::setKey(self::$public_key_dir, $user . '.publicKey', $key, new \OC\Files\View('/'));

  358. 	}

  359. 

  360. 	/**

  361. 	 * write private system key (recovery and public share key) to disk

  362. 	 *

  363. 	 * @param string $key encrypted key

  364. 	 * @param string $keyName name of the key

  365. 	 * @return boolean

  366. 	 */

  367. 	public static function setPrivateSystemKey($key, $keyName) {

  368. 

  369. 		$keyName = $keyName . '.privateKey';

  370. 		$header = Crypt::generateHeader();

  371. 

  372. 		return self::setKey(self::$encryption_base_dir, $keyName,$header . $key, new \OC\Files\View());

  373. 	}

  374. 

  375. 	/**

  376. 	 * read private system key (recovery and public share key) from disk

  377. 	 *

  378. 	 * @param string $keyName name of the key

  379. 	 * @return string|boolean private system key or false

  380. 	 */

  381. 	public static function getPrivateSystemKey($keyName) {

  382. 		$path = $keyName . '.privateKey';

  383. 		return self::getKey($path, new \OC\Files\View(self::$encryption_base_dir));

  384. 	}

  385. 

  386. 	/**

  387. 	 * store multiple share keys for a single file

  388. 	 * @param \OC\Files\View $view

  389. 	 * @param \OCA\Files_Encryption\Util $util

  390. 	 * @param string $path

  391. 	 * @param array $shareKeys

  392. 	 * @return bool

  393. 	 */

  394. 	public static function setShareKeys($view, $util, $path, array $shareKeys) {

  395. 

  396. 		// in case of system wide mount points the keys are stored directly in the data directory

  397. 		$basePath = Keymanager::getKeyPath($view, $util, $path);

  398. 

  399. 		self::keySetPreparation($view, $basePath);

  400. 

  401. 		$result = true;

  402. 

  403. 		foreach ($shareKeys as $userId => $shareKey) {

  404. 			if (!self::setKey($basePath, $userId . '.shareKey', $shareKey, $view)) {

  405. 				// If any of the keys are not set, flag false

  406. 				$result = false;

  407. 			}

  408. 		}

  409. 

  410. 		// Returns false if any of the keys weren't set

  411. 		return $result;

  412. 	}

  413. 

  414. 	/**

  415. 	 * retrieve shareKey for an encrypted file

  416. 	 * @param \OC\Files\View $view

  417. 	 * @param string $userId

  418. 	 * @param \OCA\Files_Encryption\Util $util

  419. 	 * @param string $filePath

  420. 	 * @return string file key or false

  421. 	 * @note The sharekey returned is encrypted. Decryption

  422. 	 * of the keyfile must be performed by client code

  423. 	 */

  424. 	public static function getShareKey($view, $userId, $util, $filePath) {

  425. 		$path = self::getShareKeyPath($view, $util, $filePath, $userId);

  426. 		return self::getKey($path, $view);

  427. 	}

  428. 

  429. 	/**

  430. 	 * Delete a single user's shareKey for a single file

  431. 	 *

  432. 	 * @param \OC\Files\View $view relative to data/

  433. 	 * @param array $userIds list of users we want to remove

  434. 	 * @param string $keyPath

  435. 	 * @param string $owner the owner of the file

  436. 	 * @param string $ownerPath the owners name of the file for which we want to remove the users relative to data/user/files

  437. 	 */

  438. 	public static function delShareKey($view, $userIds, $keysPath, $owner, $ownerPath) {

  439. 

  440. 		$key = array_search($owner, $userIds, true);

  441. 		if ($key !== false && $view->file_exists('/' . $owner . '/files/' . $ownerPath)) {

  442. 			unset($userIds[$key]);

  443. 		}

  444. 

  445. 		self::recursiveDelShareKeys($keysPath, $userIds, $view);

  446. 

  447. 	}

  448. 

  449. 	/**

  450. 	 * recursively delete share keys from given users

  451. 	 *

  452. 	 * @param string $dir directory

  453. 	 * @param array $userIds user ids for which the share keys should be deleted

  454. 	 * @param \OC\Files\View $view view relative to data/

  455. 	 */

  456. 	private static function recursiveDelShareKeys($dir, $userIds, $view) {

  457. 

  458. 		$dirContent = $view->opendir($dir);

  459. 

  460. 		if (is_resource($dirContent)) {

  461. 			while (($file = readdir($dirContent)) !== false) {

  462. 				if (!\OC\Files\Filesystem::isIgnoredDir($file)) {

  463. 					if ($view->is_dir($dir . '/' . $file)) {

  464. 						self::recursiveDelShareKeys($dir . '/' . $file, $userIds, $view);

  465. 					} else {

  466. 						foreach ($userIds as $userId) {

  467. 							if ($userId . '.shareKey' === $file) {

  468. 								\OCP\Util::writeLog('files_encryption', 'recursiveDelShareKey: delete share key: ' . $file, \OCP\Util::DEBUG);

  469. 								self::deleteKey($view, $dir . '/' . $file);

  470. 							}

  471. 						}

  472. 					}

  473. 				}

  474. 			}

  475. 			closedir($dirContent);

  476. 		}

  477. 	}

  478. 

  479. 	/**

  480. 	 * Make preparations to vars and filesystem for saving a keyfile

  481. 	 *

  482. 	 * @param \OC\Files\View $view

  483. 	 * @param string $path relatvie to the views root

  484. 	 * @param string $basePath

  485. 	 */

  486. 	protected static function keySetPreparation($view, $path) {

  487. 		// If the file resides within a subdirectory, create it

  488. 		if (!$view->file_exists($path)) {

  489. 			$sub_dirs = explode('/', $path);

  490. 			$dir = '';

  491. 			foreach ($sub_dirs as $sub_dir) {

  492. 				$dir .= '/' . $sub_dir;

  493. 				if (!$view->is_dir($dir)) {

  494. 					$view->mkdir($dir);

  495. 				}

  496. 			}

  497. 		}

  498. 	}

  499. 

  500. }