2012-07-25 19:51:48 +04:00
|
|
|
<?php
|
|
|
|
|
/***
|
2012-07-25 18:59:55 +04:00
|
|
|
* ownCloud
|
|
|
|
|
*
|
|
|
|
|
* @author Bjoern Schiessle
|
|
|
|
|
* @copyright 2012 Bjoern Schiessle <schiessle@owncloud.com>
|
|
|
|
|
*
|
|
|
|
|
* This library is free software; you can redistribute it and/or
|
|
|
|
|
* modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE
|
|
|
|
|
* License as published by the Free Software Foundation; either
|
|
|
|
|
* version 3 of the License, or any later version.
|
|
|
|
|
*
|
|
|
|
|
* This library is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU AFFERO GENERAL PUBLIC LICENSE for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU Affero General Public
|
|
|
|
|
* License along with this library. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
*
|
2012-07-25 19:51:48 +04:00
|
|
|
*/
|
|
|
|
|
|
2012-10-17 19:35:19 +04:00
|
|
|
namespace OCA\Encryption;
|
2012-07-25 19:51:48 +04:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* This class provides basic operations to read/write encryption keys from/to the filesystem
|
|
|
|
|
*/
|
|
|
|
|
class Keymanager {
|
|
|
|
|
|
2012-08-01 17:11:41 +04:00
|
|
|
# TODO: make all dependencies (including static classes) explicit, such as ocfsview objects, by adding them as method arguments (dependency injection)
|
2012-08-08 16:20:29 +04:00
|
|
|
|
2012-07-25 19:51:48 +04:00
|
|
|
/**
|
2012-08-15 21:49:53 +04:00
|
|
|
* @brief retrieve the ENCRYPTED private key from a user
|
2012-07-25 19:51:48 +04:00
|
|
|
*
|
|
|
|
|
* @return string private key or false
|
2012-08-15 21:49:53 +04:00
|
|
|
* @note the key returned by this method must be decrypted before use
|
2012-07-25 19:51:48 +04:00
|
|
|
*/
|
2012-08-15 21:49:53 +04:00
|
|
|
public static function getPrivateKey( $user, $view ) {
|
2012-08-10 13:44:38 +04:00
|
|
|
|
2012-08-15 21:49:53 +04:00
|
|
|
$view->chroot( '/' . $user . '/' . 'files_encryption' );
|
2012-08-10 14:27:09 +04:00
|
|
|
return $view->file_get_contents( '/' . $user.'.private.key' );
|
|
|
|
|
|
2012-07-25 19:51:48 +04:00
|
|
|
}
|
2012-08-14 22:06:56 +04:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @brief retrieve public key for a specified user
|
|
|
|
|
* @return string public key or false
|
|
|
|
|
*/
|
2012-12-11 19:10:56 +04:00
|
|
|
public static function getPublicKey( $userId = NULL ) {
|
2012-08-14 22:06:56 +04:00
|
|
|
|
2012-12-11 19:10:56 +04:00
|
|
|
// If the username wasn't specified, fetch it
|
|
|
|
|
if ( ! $userId ) {
|
|
|
|
|
|
|
|
|
|
$userId = \OCP\User::getUser();
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Create new view with the right
|
2012-08-14 22:06:56 +04:00
|
|
|
$view = new \OC_FilesystemView( '/public-keys/' );
|
2012-12-11 19:10:56 +04:00
|
|
|
|
|
|
|
|
return $view->file_get_contents( '/' . $userId . '.public.key' );
|
2012-08-14 22:06:56 +04:00
|
|
|
|
|
|
|
|
}
|
2012-07-25 19:51:48 +04:00
|
|
|
|
2012-08-15 15:18:11 +04:00
|
|
|
/**
|
|
|
|
|
* @brief retrieve both keys from a user (private and public)
|
|
|
|
|
*
|
|
|
|
|
* @return string private key or false
|
|
|
|
|
*/
|
|
|
|
|
public static function getUserKeys() {
|
|
|
|
|
|
|
|
|
|
return array(
|
|
|
|
|
'privatekey' => self::getPrivateKey(),
|
|
|
|
|
'publickey' => self::getPublicKey(),
|
2012-11-14 18:58:27 +04:00
|
|
|
);
|
2012-08-15 15:18:11 +04:00
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
2012-07-25 19:51:48 +04:00
|
|
|
/**
|
2012-08-03 13:49:55 +04:00
|
|
|
* @brief retrieve a list of the public key from all users with access to the file
|
2012-07-25 18:59:55 +04:00
|
|
|
*
|
2012-08-03 13:49:55 +04:00
|
|
|
* @param string path to file
|
|
|
|
|
* @return array of public keys for the given file
|
2012-07-25 18:59:55 +04:00
|
|
|
*/
|
2012-08-03 13:49:55 +04:00
|
|
|
public static function getPublicKeys($path) {
|
|
|
|
|
$userId = \OCP\User::getUser();
|
|
|
|
|
$path = ltrim( $path, '/' );
|
|
|
|
|
$filepath = '/'.$userId.'/files/'.$path;
|
|
|
|
|
|
2012-11-14 18:58:27 +04:00
|
|
|
// Check if sharing is enabled
|
|
|
|
|
if ( OC_App::isEnabled( 'files_sharing' ) ) {
|
|
|
|
|
|
|
|
|
|
// // Check if file was shared with other users
|
|
|
|
|
// $query = \OC_DB::prepare( "SELECT uid_owner, source, target, uid_shared_with FROM `*PREFIX*sharing` WHERE ( target = ? AND uid_shared_with = ? ) OR source = ? " );
|
|
|
|
|
// $result = $query->execute( array ($filepath, $userId, $filepath));
|
|
|
|
|
// $users = array();
|
|
|
|
|
// if ($row = $result->fetchRow()){
|
|
|
|
|
// $source = $row['source'];
|
|
|
|
|
// $owner = $row['uid_owner'];
|
|
|
|
|
// $users[] = $owner;
|
|
|
|
|
// // get the uids of all user with access to the file
|
|
|
|
|
// $query = \OC_DB::prepare( "SELECT source, uid_shared_with FROM `*PREFIX*sharing` WHERE source = ?" );
|
|
|
|
|
// $result = $query->execute( array ($source));
|
|
|
|
|
// while ( ($row = $result->fetchRow()) ) {
|
|
|
|
|
// $users[] = $row['uid_shared_with'];
|
|
|
|
|
// }
|
|
|
|
|
// }
|
|
|
|
|
|
2012-08-03 13:49:55 +04:00
|
|
|
} else {
|
|
|
|
|
// check if it is a file owned by the user and not shared at all
|
|
|
|
|
$userview = new \OC_FilesystemView( '/'.$userId.'/files/' );
|
|
|
|
|
if ($userview->file_exists($path)) {
|
|
|
|
|
$users[] = $userId;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2012-07-26 15:49:22 +04:00
|
|
|
$view = new \OC_FilesystemView( '/public-keys/' );
|
2012-08-03 13:49:55 +04:00
|
|
|
|
|
|
|
|
$keylist = array();
|
|
|
|
|
$count = 0;
|
|
|
|
|
foreach ($users as $user) {
|
|
|
|
|
$keylist['key'.++$count] = $view->file_get_contents($user.'.public.key');
|
|
|
|
|
}
|
2012-08-09 17:45:34 +04:00
|
|
|
|
2012-08-03 13:49:55 +04:00
|
|
|
return $keylist;
|
|
|
|
|
|
2012-07-25 19:51:48 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
2012-12-11 19:10:56 +04:00
|
|
|
* @brief retrieve keyfile for an encrypted file
|
2012-07-25 18:59:55 +04:00
|
|
|
*
|
2012-07-25 19:51:48 +04:00
|
|
|
* @param string file name
|
2012-07-25 18:59:55 +04:00
|
|
|
* @return string file key or false
|
2012-12-11 19:10:56 +04:00
|
|
|
* @note The keyfile returned is asymmetrically encrypted. Decryption
|
|
|
|
|
* of the keyfile must be performed by client code
|
2012-07-25 18:59:55 +04:00
|
|
|
*/
|
2012-08-16 22:18:18 +04:00
|
|
|
public static function getFileKey( $path, $staticUserClass = 'OCP\User' ) {
|
2012-08-15 21:49:53 +04:00
|
|
|
|
2012-07-31 22:28:11 +04:00
|
|
|
$keypath = ltrim( $path, '/' );
|
2012-08-16 22:18:18 +04:00
|
|
|
$user = $staticUserClass::getUser();
|
2012-07-30 14:38:38 +04:00
|
|
|
|
2012-11-14 18:58:27 +04:00
|
|
|
// // update $keypath and $user if path point to a file shared by someone else
|
|
|
|
|
// $query = \OC_DB::prepare( "SELECT uid_owner, source, target FROM `*PREFIX*sharing` WHERE target = ? AND uid_shared_with = ?" );
|
|
|
|
|
//
|
|
|
|
|
// $result = $query->execute( array ('/'.$user.'/files/'.$keypath, $user));
|
|
|
|
|
//
|
|
|
|
|
// if ($row = $result->fetchRow()) {
|
|
|
|
|
//
|
|
|
|
|
// $keypath = $row['source'];
|
|
|
|
|
// $keypath_parts = explode( '/', $keypath );
|
|
|
|
|
// $user = $keypath_parts[1];
|
|
|
|
|
// $keypath = str_replace( '/' . $user . '/files/', '', $keypath );
|
|
|
|
|
//
|
|
|
|
|
// }
|
2012-07-30 14:38:38 +04:00
|
|
|
|
2012-07-26 15:49:22 +04:00
|
|
|
$view = new \OC_FilesystemView('/'.$user.'/files_encryption/keyfiles/');
|
2012-08-16 22:18:18 +04:00
|
|
|
|
2012-08-14 22:06:56 +04:00
|
|
|
return $view->file_get_contents( $keypath . '.key' );
|
2012-08-10 14:27:09 +04:00
|
|
|
|
2012-10-10 21:40:59 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @brief retrieve file encryption key
|
|
|
|
|
*
|
|
|
|
|
* @param string file name
|
|
|
|
|
* @return string file key or false
|
|
|
|
|
*/
|
|
|
|
|
public static function deleteFileKey( $path, $staticUserClass = 'OCP\User' ) {
|
|
|
|
|
|
|
|
|
|
$keypath = ltrim( $path, '/' );
|
|
|
|
|
$user = $staticUserClass::getUser();
|
|
|
|
|
|
|
|
|
|
// update $keypath and $user if path point to a file shared by someone else
|
|
|
|
|
// $query = \OC_DB::prepare( "SELECT uid_owner, source, target FROM `*PREFIX*sharing` WHERE target = ? AND uid_shared_with = ?" );
|
|
|
|
|
//
|
|
|
|
|
// $result = $query->execute( array ('/'.$user.'/files/'.$keypath, $user));
|
|
|
|
|
//
|
|
|
|
|
// if ($row = $result->fetchRow()) {
|
|
|
|
|
//
|
|
|
|
|
// $keypath = $row['source'];
|
|
|
|
|
// $keypath_parts = explode( '/', $keypath );
|
|
|
|
|
// $user = $keypath_parts[1];
|
|
|
|
|
// $keypath = str_replace( '/' . $user . '/files/', '', $keypath );
|
|
|
|
|
//
|
|
|
|
|
// }
|
|
|
|
|
|
|
|
|
|
$view = new \OC_FilesystemView('/'.$user.'/files_encryption/keyfiles/');
|
|
|
|
|
|
|
|
|
|
return $view->unlink( $keypath . '.key' );
|
|
|
|
|
|
|
|
|
|
}
|
2012-07-25 19:51:48 +04:00
|
|
|
|
|
|
|
|
/**
|
2012-08-03 15:52:41 +04:00
|
|
|
* @brief store private key from the user
|
2012-07-25 18:59:55 +04:00
|
|
|
* @param string key
|
2012-12-11 19:15:30 +04:00
|
|
|
* @return bool
|
|
|
|
|
* @note Encryption of the private key must be performed by client code
|
|
|
|
|
* as no encryption takes place here
|
2012-07-25 19:51:48 +04:00
|
|
|
*/
|
2012-12-11 17:22:46 +04:00
|
|
|
public static function setPrivateKey( $key ) {
|
2012-07-26 19:19:55 +04:00
|
|
|
|
2012-08-03 15:52:41 +04:00
|
|
|
$user = \OCP\User::getUser();
|
2012-12-11 17:22:46 +04:00
|
|
|
|
|
|
|
|
$view = new \OC_FilesystemView( '/' . $user . '/files_encryption' );
|
|
|
|
|
|
|
|
|
|
\OC_FileProxy::$enabled = false;
|
|
|
|
|
|
|
|
|
|
if ( !$view->file_exists( '' ) ) $view->mkdir( '' );
|
|
|
|
|
|
|
|
|
|
return $view->file_put_contents( $user . '.private.key', $key );
|
|
|
|
|
|
|
|
|
|
\OC_FileProxy::$enabled = true;
|
2012-07-26 19:19:55 +04:00
|
|
|
|
2012-07-25 19:51:48 +04:00
|
|
|
}
|
|
|
|
|
|
2012-08-15 15:18:11 +04:00
|
|
|
/**
|
|
|
|
|
* @brief store private keys from the user
|
|
|
|
|
*
|
|
|
|
|
* @param string privatekey
|
|
|
|
|
* @param string publickey
|
|
|
|
|
* @return bool true/false
|
|
|
|
|
*/
|
|
|
|
|
public static function setUserKeys($privatekey, $publickey) {
|
|
|
|
|
|
|
|
|
|
return (self::setPrivateKey($privatekey) && self::setPublicKey($publickey));
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
2012-07-25 19:51:48 +04:00
|
|
|
/**
|
2012-08-03 15:52:41 +04:00
|
|
|
* @brief store public key of the user
|
2012-07-25 18:59:55 +04:00
|
|
|
*
|
|
|
|
|
* @param string key
|
|
|
|
|
* @return bool true/false
|
2012-07-25 19:51:48 +04:00
|
|
|
*/
|
2012-12-11 17:22:46 +04:00
|
|
|
public static function setPublicKey( $key ) {
|
|
|
|
|
|
|
|
|
|
$view = new \OC_FilesystemView( '/public-keys' );
|
|
|
|
|
|
|
|
|
|
\OC_FileProxy::$enabled = false;
|
|
|
|
|
|
|
|
|
|
if ( !$view->file_exists( '' ) ) $view->mkdir( '' );
|
|
|
|
|
|
|
|
|
|
return $view->file_put_contents( \OCP\User::getUser() . '.public.key', $key );
|
2012-07-26 19:19:55 +04:00
|
|
|
|
2012-12-11 17:22:46 +04:00
|
|
|
\OC_FileProxy::$enabled = true;
|
2012-07-26 19:19:55 +04:00
|
|
|
|
2012-07-25 18:59:55 +04:00
|
|
|
}
|
2012-07-25 19:51:48 +04:00
|
|
|
|
|
|
|
|
/**
|
2012-07-25 18:59:55 +04:00
|
|
|
* @brief store file encryption key
|
2012-07-25 19:51:48 +04:00
|
|
|
*
|
2012-07-25 21:28:56 +04:00
|
|
|
* @param string $path relative path of the file, including filename
|
|
|
|
|
* @param string $key
|
2012-07-25 18:59:55 +04:00
|
|
|
* @return bool true/false
|
2012-12-11 19:10:56 +04:00
|
|
|
* @note The keyfile is not encrypted here. Client code must
|
|
|
|
|
* asymmetrically encrypt the keyfile before passing it to this method
|
2012-07-31 22:28:11 +04:00
|
|
|
*/
|
2012-08-10 13:44:38 +04:00
|
|
|
public static function setFileKey( $path, $key, $view = Null, $dbClassName = '\OC_DB') {
|
2012-11-28 22:39:19 +04:00
|
|
|
|
2012-08-23 19:43:10 +04:00
|
|
|
$targetPath = ltrim( $path, '/' );
|
2012-08-03 15:52:41 +04:00
|
|
|
$user = \OCP\User::getUser();
|
2012-07-30 14:38:38 +04:00
|
|
|
|
2012-11-14 18:58:27 +04:00
|
|
|
// // update $keytarget and $user if key belongs to a file shared by someone else
|
|
|
|
|
// $query = $dbClassName::prepare( "SELECT uid_owner, source, target FROM `*PREFIX*sharing` WHERE target = ? AND uid_shared_with = ?" );
|
|
|
|
|
//
|
|
|
|
|
// $result = $query->execute( array ( '/'.$user.'/files/'.$targetPath, $user ) );
|
|
|
|
|
//
|
|
|
|
|
// if ( $row = $result->fetchRow( ) ) {
|
|
|
|
|
//
|
|
|
|
|
// $targetPath = $row['source'];
|
|
|
|
|
//
|
|
|
|
|
// $targetPath_parts = explode( '/', $targetPath );
|
|
|
|
|
//
|
|
|
|
|
// $user = $targetPath_parts[1];
|
|
|
|
|
//
|
|
|
|
|
// $rootview = new \OC_FilesystemView( '/' );
|
|
|
|
|
//
|
|
|
|
|
// if ( ! $rootview->is_writable( $targetPath ) ) {
|
|
|
|
|
//
|
|
|
|
|
// \OC_Log::write( 'Encryption library', "File Key not updated because you don't have write access for the corresponding file", \OC_Log::ERROR );
|
|
|
|
|
//
|
|
|
|
|
// return false;
|
|
|
|
|
//
|
|
|
|
|
// }
|
|
|
|
|
//
|
|
|
|
|
// $targetPath = str_replace( '/'.$user.'/files/', '', $targetPath );
|
|
|
|
|
//
|
|
|
|
|
// //TODO: check for write permission on shared file once the new sharing API is in place
|
|
|
|
|
//
|
|
|
|
|
// }
|
2012-07-30 14:38:38 +04:00
|
|
|
|
2012-08-23 19:43:10 +04:00
|
|
|
$path_parts = pathinfo( $targetPath );
|
|
|
|
|
|
|
|
|
|
if ( !$view ) {
|
|
|
|
|
|
2012-08-16 22:18:18 +04:00
|
|
|
$view = new \OC_FilesystemView( '/' );
|
2012-08-23 19:43:10 +04:00
|
|
|
|
2012-08-08 16:15:35 +04:00
|
|
|
}
|
2012-07-31 22:28:11 +04:00
|
|
|
|
2012-08-16 22:18:18 +04:00
|
|
|
$view->chroot( '/' . $user . '/files_encryption/keyfiles' );
|
|
|
|
|
|
2012-08-23 19:43:10 +04:00
|
|
|
// If the file resides within a subdirectory, create it
|
2012-11-16 22:31:37 +04:00
|
|
|
if (
|
|
|
|
|
isset( $path_parts['dirname'] )
|
|
|
|
|
&& ! $view->file_exists( $path_parts['dirname'] )
|
|
|
|
|
) {
|
2012-08-23 19:43:10 +04:00
|
|
|
|
|
|
|
|
$view->mkdir( $path_parts['dirname'] );
|
|
|
|
|
|
|
|
|
|
}
|
2012-07-31 22:28:11 +04:00
|
|
|
|
2012-08-23 19:43:10 +04:00
|
|
|
// Save the keyfile in parallel directory
|
|
|
|
|
return $view->file_put_contents( '/' . $targetPath . '.key', $key );
|
2012-07-25 21:28:56 +04:00
|
|
|
|
2012-07-25 19:51:48 +04:00
|
|
|
}
|
|
|
|
|
|
2012-08-09 16:25:09 +04:00
|
|
|
/**
|
|
|
|
|
* @brief change password of private encryption key
|
|
|
|
|
*
|
|
|
|
|
* @param string $oldpasswd old password
|
|
|
|
|
* @param string $newpasswd new password
|
|
|
|
|
* @return bool true/false
|
|
|
|
|
*/
|
2012-08-09 14:19:51 +04:00
|
|
|
public static function changePasswd($oldpasswd, $newpasswd) {
|
2012-08-10 14:27:09 +04:00
|
|
|
|
2012-08-09 15:47:27 +04:00
|
|
|
if ( \OCP\User::checkPassword(\OCP\User::getUser(), $newpasswd) ) {
|
2012-08-15 11:54:21 +04:00
|
|
|
return Crypt::changekeypasscode($oldpasswd, $newpasswd);
|
2012-08-09 15:47:27 +04:00
|
|
|
}
|
2012-08-09 17:45:34 +04:00
|
|
|
return false;
|
2012-08-10 14:27:09 +04:00
|
|
|
|
2012-08-09 14:19:51 +04:00
|
|
|
}
|
|
|
|
|
|
2012-11-28 22:39:19 +04:00
|
|
|
/**
|
|
|
|
|
* @brief Fetch the legacy encryption key from user files
|
|
|
|
|
* @param string $login used to locate the legacy key
|
|
|
|
|
* @param string $passphrase used to decrypt the legacy key
|
|
|
|
|
* @return true / false
|
|
|
|
|
*
|
|
|
|
|
* if the key is left out, the default handeler will be used
|
|
|
|
|
*/
|
|
|
|
|
public function getLegacyKey() {
|
|
|
|
|
|
|
|
|
|
$user = \OCP\User::getUser();
|
|
|
|
|
$view = new \OC_FilesystemView( '/' . $user );
|
|
|
|
|
return $view->file_get_contents( 'encryption.key' );
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
2012-07-25 18:59:55 +04:00
|
|
|
}
|
