diff options
Diffstat (limited to 'lib/private/Security/IdentityProof')
| -rw-r--r-- | lib/private/Security/IdentityProof/Key.php | 38 | ||||
| -rw-r--r-- | lib/private/Security/IdentityProof/Manager.php | 130 | ||||
| -rw-r--r-- | lib/private/Security/IdentityProof/Signer.php | 58 |
3 files changed, 91 insertions, 135 deletions
diff --git a/lib/private/Security/IdentityProof/Key.php b/lib/private/Security/IdentityProof/Key.php index 349ffd3c15a..0bfcd6bf9ed 100644 --- a/lib/private/Security/IdentityProof/Key.php +++ b/lib/private/Security/IdentityProof/Key.php @@ -3,42 +3,16 @@ declare(strict_types=1); /** - * @copyright Copyright (c) 2016 Lukas Reschke <lukas@statuscode.ch> - * - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OC\Security\IdentityProof; class Key { - /** @var string */ - private $publicKey; - /** @var string */ - private $privateKey; - - /** - * @param string $publicKey - * @param string $privateKey - */ - public function __construct(string $publicKey, string $privateKey) { - $this->publicKey = $publicKey; - $this->privateKey = $privateKey; + public function __construct( + private string $publicKey, + private string $privateKey, + ) { } public function getPrivate(): string { diff --git a/lib/private/Security/IdentityProof/Manager.php b/lib/private/Security/IdentityProof/Manager.php index c92d7390969..c16b8314beb 100644 --- a/lib/private/Security/IdentityProof/Manager.php +++ b/lib/private/Security/IdentityProof/Manager.php @@ -3,75 +3,55 @@ declare(strict_types=1); /** - * @copyright Copyright (c) 2016 Lukas Reschke <lukas@statuscode.ch> - * - * @author Bjoern Schiessle <bjoern@schiessle.org> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OC\Security\IdentityProof; use OC\Files\AppData\Factory; use OCP\Files\IAppData; +use OCP\Files\NotFoundException; +use OCP\ICache; +use OCP\ICacheFactory; use OCP\IConfig; use OCP\IUser; use OCP\Security\ICrypto; use Psr\Log\LoggerInterface; class Manager { - /** @var IAppData */ - private $appData; - /** @var ICrypto */ - private $crypto; - /** @var IConfig */ - private $config; - private LoggerInterface $logger; - - public function __construct(Factory $appDataFactory, - ICrypto $crypto, - IConfig $config, - LoggerInterface $logger + private IAppData $appData; + + protected ICache $cache; + + public function __construct( + Factory $appDataFactory, + private ICrypto $crypto, + private IConfig $config, + private LoggerInterface $logger, + private ICacheFactory $cacheFactory, ) { $this->appData = $appDataFactory->get('identityproof'); - $this->crypto = $crypto; - $this->config = $config; - $this->logger = $logger; + $this->cache = $this->cacheFactory->createDistributed('identityproof::'); } /** * Calls the openssl functions to generate a public and private key. * In a separate function for unit testing purposes. * + * @param array $options config options to generate key {@see openssl_csr_new} + * * @return array [$publicKey, $privateKey] * @throws \RuntimeException */ - protected function generateKeyPair(): array { + protected function generateKeyPair(array $options = []): array { $config = [ - 'digest_alg' => 'sha512', - 'private_key_bits' => 2048, + 'digest_alg' => $options['algorithm'] ?? 'sha512', + 'private_key_bits' => $options['bits'] ?? 2048, + 'private_key_type' => $options['type'] ?? OPENSSL_KEYTYPE_RSA, ]; // Generate new key $res = openssl_pkey_new($config); - if ($res === false) { $this->logOpensslError(); throw new \RuntimeException('OpenSSL reported a problem'); @@ -94,16 +74,17 @@ class Manager { * Note: If a key already exists it will be overwritten * * @param string $id key id - * @return Key + * @param array $options config options to generate key {@see openssl_csr_new} + * * @throws \RuntimeException */ - protected function generateKey(string $id): Key { - [$publicKey, $privateKey] = $this->generateKeyPair(); + protected function generateKey(string $id, array $options = []): Key { + [$publicKey, $privateKey] = $this->generateKeyPair($options); // Write the private and public key to the disk try { $this->appData->newFolder($id); - } catch (\Exception $e) { + } catch (\Exception) { } $folder = $this->appData->getFolder($id); $folder->newFile('private') @@ -117,18 +98,28 @@ class Manager { /** * Get key for a specific id * - * @param string $id - * @return Key * @throws \RuntimeException */ protected function retrieveKey(string $id): Key { try { + $cachedPublicKey = $this->cache->get($id . '-public'); + $cachedPrivateKey = $this->cache->get($id . '-private'); + + if ($cachedPublicKey !== null && $cachedPrivateKey !== null) { + $decryptedPrivateKey = $this->crypto->decrypt($cachedPrivateKey); + + return new Key($cachedPublicKey, $decryptedPrivateKey); + } + $folder = $this->appData->getFolder($id); - $privateKey = $this->crypto->decrypt( - $folder->getFile('private')->getContent() - ); + $privateKey = $folder->getFile('private')->getContent(); $publicKey = $folder->getFile('public')->getContent(); - return new Key($publicKey, $privateKey); + + $this->cache->set($id . '-public', $publicKey); + $this->cache->set($id . '-private', $privateKey); + + $decryptedPrivateKey = $this->crypto->decrypt($privateKey); + return new Key($publicKey, $decryptedPrivateKey); } catch (\Exception $e) { return $this->generateKey($id); } @@ -137,8 +128,6 @@ class Manager { /** * Get public and private key for $user * - * @param IUser $user - * @return Key * @throws \RuntimeException */ public function getKey(IUser $user): Key { @@ -149,7 +138,6 @@ class Manager { /** * Get instance wide public and private key * - * @return Key * @throws \RuntimeException */ public function getSystemKey(): Key { @@ -160,6 +148,38 @@ class Manager { return $this->retrieveKey('system-' . $instanceId); } + public function hasAppKey(string $app, string $name): bool { + $id = $this->generateAppKeyId($app, $name); + try { + $folder = $this->appData->getFolder($id); + return ($folder->fileExists('public') && $folder->fileExists('private')); + } catch (NotFoundException) { + return false; + } + } + + public function getAppKey(string $app, string $name): Key { + return $this->retrieveKey($this->generateAppKeyId($app, $name)); + } + + public function generateAppKey(string $app, string $name, array $options = []): Key { + return $this->generateKey($this->generateAppKeyId($app, $name), $options); + } + + public function deleteAppKey(string $app, string $name): bool { + try { + $folder = $this->appData->getFolder($this->generateAppKeyId($app, $name)); + $folder->delete(); + return true; + } catch (NotFoundException) { + return false; + } + } + + private function generateAppKeyId(string $app, string $name): string { + return 'app-' . $app . '-' . $name; + } + private function logOpensslError(): void { $errors = []; while ($error = openssl_error_string()) { diff --git a/lib/private/Security/IdentityProof/Signer.php b/lib/private/Security/IdentityProof/Signer.php index 7431bfe815f..6083cbb5c9b 100644 --- a/lib/private/Security/IdentityProof/Signer.php +++ b/lib/private/Security/IdentityProof/Signer.php @@ -3,27 +3,8 @@ declare(strict_types=1); /** - * @copyright Copyright (c) 2016 Lukas Reschke <lukas@statuscode.ch> - * - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OC\Security\IdentityProof; @@ -32,32 +13,16 @@ use OCP\IUser; use OCP\IUserManager; class Signer { - /** @var Manager */ - private $keyManager; - /** @var ITimeFactory */ - private $timeFactory; - /** @var IUserManager */ - private $userManager; - - /** - * @param Manager $keyManager - * @param ITimeFactory $timeFactory - * @param IUserManager $userManager - */ - public function __construct(Manager $keyManager, - ITimeFactory $timeFactory, - IUserManager $userManager) { - $this->keyManager = $keyManager; - $this->timeFactory = $timeFactory; - $this->userManager = $userManager; + public function __construct( + private Manager $keyManager, + private ITimeFactory $timeFactory, + private IUserManager $userManager, + ) { } /** * Returns a signed blob for $data * - * @param string $type - * @param array $data - * @param IUser $user * @return array ['message', 'signature'] */ public function sign(string $type, array $data, IUser $user): array { @@ -79,13 +44,10 @@ class Signer { /** * Whether the data is signed properly * - * @param array $data - * @return bool */ public function verify(array $data): bool { - if (isset($data['message']) + if (isset($data['message']['signer']) && isset($data['signature']) - && isset($data['message']['signer']) ) { $location = strrpos($data['message']['signer'], '@'); $userId = substr($data['message']['signer'], 0, $location); @@ -93,12 +55,12 @@ class Signer { $user = $this->userManager->get($userId); if ($user !== null) { $key = $this->keyManager->getKey($user); - return (bool)openssl_verify( + return openssl_verify( json_encode($data['message']), base64_decode($data['signature']), $key->getPublic(), OPENSSL_ALGO_SHA512 - ); + ) === 1; } } |