nextcloud/apps/files_encryption/lib/keymanager.php

576 lines
14 KiB
PHP
Raw Normal View History

<?php
/**
* ownCloud
*
* @author Bjoern Schiessle
* @copyright 2012 Bjoern Schiessle <schiessle@owncloud.com>
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE
* License as published by the Free Software Foundation; either
* version 3 of the License, or any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU AFFERO GENERAL PUBLIC LICENSE for more details.
*
* You should have received a copy of the GNU Affero General Public
* License along with this library. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace OCA\Encryption;
/**
* @brief Class to manage storage and retrieval of encryption keys
* @note Where a method requires a view object, it's root must be '/'
*/
2013-05-20 03:24:36 +04:00
class Keymanager
{
2013-05-20 00:31:00 +04:00
/**
* @brief retrieve the ENCRYPTED private key from a user
2013-05-20 00:31:00 +04:00
*
* @param \OC_FilesystemView $view
* @param string $user
* @return string private key or false (hopefully)
* @note the key returned by this method must be decrypted before use
*/
2013-05-20 03:24:36 +04:00
public static function getPrivateKey(\OC_FilesystemView $view, $user)
{
2013-05-20 03:24:36 +04:00
$path = '/' . $user . '/' . 'files_encryption' . '/' . $user . '.private.key';
2013-05-20 03:24:36 +04:00
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
$key = $view->file_get_contents($path);
\OC_FileProxy::$enabled = $proxyStatus;
return $key;
}
/**
* @brief retrieve public key for a specified user
2013-02-09 21:01:38 +04:00
* @param \OC_FilesystemView $view
* @param $userId
* @return string public key or false
*/
2013-05-20 03:24:36 +04:00
public static function getPublicKey(\OC_FilesystemView $view, $userId)
{
2013-04-25 16:56:11 +04:00
2013-05-20 03:24:36 +04:00
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
2013-05-20 03:24:36 +04:00
$result = $view->file_get_contents('/public-keys/' . $userId . '.public.key');
2013-04-25 16:56:11 +04:00
\OC_FileProxy::$enabled = $proxyStatus;
2013-05-20 03:24:36 +04:00
return $result;
}
2013-05-20 03:24:36 +04:00
/**
* @brief Retrieve a user's public and private key
2013-02-09 21:01:38 +04:00
* @param \OC_FilesystemView $view
* @param $userId
* @return array keys: privateKey, publicKey
*/
2013-05-20 03:24:36 +04:00
public static function getUserKeys(\OC_FilesystemView $view, $userId)
{
return array(
2013-05-20 03:24:36 +04:00
'publicKey' => self::getPublicKey($view, $userId)
, 'privateKey' => self::getPrivateKey($view, $userId)
);
2013-05-20 03:24:36 +04:00
}
2013-05-20 03:24:36 +04:00
/**
* @brief Retrieve public keys for given users
* @param \OC_FilesystemView $view
* @param array $userIds
* @return array of public keys for the specified users
*/
2013-05-20 03:24:36 +04:00
public static function getPublicKeys(\OC_FilesystemView $view, array $userIds)
{
$keys = array();
2013-05-20 03:24:36 +04:00
foreach ($userIds as $userId) {
$keys[$userId] = self::getPublicKey($view, $userId);
}
2013-05-20 03:24:36 +04:00
return $keys;
2013-05-20 03:24:36 +04:00
}
2013-05-20 03:24:36 +04:00
/**
* @brief store file encryption key
*
2013-05-20 03:24:36 +04:00
* @param \OC_FilesystemView $view
* @param string $path relative path of the file, including filename
2013-05-20 03:24:36 +04:00
* @param $userId
* @param $catfile
* @internal param string $key
* @return bool true/false
2013-05-20 03:24:36 +04:00
* @note The keyfile is not encrypted here. Client code must
* asymmetrically encrypt the keyfile before passing it to this method
*/
2013-05-20 03:24:36 +04:00
public static function setFileKey(\OC_FilesystemView $view, $path, $userId, $catfile)
{
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
//here we need the currently logged in user, while userId can be a different user
2013-05-20 03:24:36 +04:00
$util = new Util($view, \OCP\User::getUser());
list($owner, $filename) = $util->getUidAndFilename($path);
$basePath = '/' . $owner . '/files_encryption/keyfiles';
2013-05-20 03:24:36 +04:00
$targetPath = self::keySetPreparation($view, $filename, $basePath, $owner);
if (!$view->is_dir($basePath . '/' . $targetPath)) {
// create all parent folders
2013-05-20 03:24:36 +04:00
$info = pathinfo($basePath . '/' . $targetPath);
$keyfileFolderName = $view->getLocalFolder($info['dirname']);
if (!file_exists($keyfileFolderName)) {
mkdir($keyfileFolderName, 0750, true);
}
}
2013-04-27 22:18:57 +04:00
// try reusing key file if part file
2013-05-20 03:24:36 +04:00
if (self::isPartialFilePath($targetPath)) {
$result = $view->file_put_contents($basePath . '/' . self::fixPartialFilePath($targetPath) . '.key', $catfile);
} else {
2013-05-20 03:24:36 +04:00
$result = $view->file_put_contents($basePath . '/' . $targetPath . '.key', $catfile);
}
2013-05-20 03:24:36 +04:00
\OC_FileProxy::$enabled = $proxyStatus;
2013-05-20 03:24:36 +04:00
return $result;
2013-05-20 03:24:36 +04:00
}
2013-04-27 22:18:57 +04:00
/**
* @brief Remove .path extension from a file path
* @param string $path Path that may identify a .part file
* @return string File path without .part extension
* @note this is needed for reusing keys
*/
2013-05-20 03:24:36 +04:00
public static function fixPartialFilePath($path)
{
if (preg_match('/\.part$/', $path)) {
2013-04-27 22:18:57 +04:00
$newLength = strlen($path) - 5;
$fPath = substr($path, 0, $newLength);
2013-04-27 22:18:57 +04:00
return $fPath;
2013-05-20 03:24:36 +04:00
} else {
2013-04-27 22:18:57 +04:00
return $path;
2013-04-27 22:18:57 +04:00
}
2013-04-27 22:18:57 +04:00
}
2013-04-27 22:18:57 +04:00
/**
* @brief Check if a path is a .part file
* @param string $path Path that may identify a .part file
* @return bool
*/
2013-05-20 03:24:36 +04:00
public static function isPartialFilePath($path)
{
if (preg_match('/\.part$/', $path)) {
return true;
2013-05-20 03:24:36 +04:00
} else {
2013-05-20 03:24:36 +04:00
return false;
2013-05-20 03:24:36 +04:00
}
2013-04-27 22:18:57 +04:00
}
2013-05-20 03:24:36 +04:00
/**
* @brief retrieve keyfile for an encrypted file
2013-02-09 21:01:38 +04:00
* @param \OC_FilesystemView $view
* @param $userId
* @param $filePath
* @internal param \OCA\Encryption\file $string name
* @return string file key or false
* @note The keyfile returned is asymmetrically encrypted. Decryption
* of the keyfile must be performed by client code
*/
2013-05-20 03:24:36 +04:00
public static function getFileKey(\OC_FilesystemView $view, $userId, $filePath)
{
2013-04-27 22:18:57 +04:00
// try reusing key file if part file
2013-05-20 03:24:36 +04:00
if (self::isPartialFilePath($filePath)) {
$result = self::getFileKey($view, $userId, self::fixPartialFilePath($filePath));
if ($result) {
return $result;
2013-05-20 03:24:36 +04:00
}
2013-05-20 03:24:36 +04:00
}
2013-04-27 22:18:57 +04:00
$util = new Util($view, \OCP\User::getUser());
list($owner, $filename) = $util->getUidAndFilename($filePath);
2013-05-20 03:24:36 +04:00
$filePath_f = ltrim($filename, '/');
2013-04-27 22:18:57 +04:00
$keyfilePath = '/' . $owner . '/files_encryption/keyfiles/' . $filePath_f . '.key';
2013-04-25 16:56:11 +04:00
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
2013-05-20 03:24:36 +04:00
if ($view->file_exists($keyfilePath)) {
$result = $view->file_get_contents($keyfilePath);
} else {
2013-05-20 03:24:36 +04:00
$result = false;
}
2013-05-20 03:24:36 +04:00
2013-04-25 16:56:11 +04:00
\OC_FileProxy::$enabled = $proxyStatus;
2013-05-20 03:24:36 +04:00
return $result;
2013-05-20 03:24:36 +04:00
}
2013-05-20 03:24:36 +04:00
/**
* @brief Delete a keyfile
*
2013-05-20 03:24:36 +04:00
* @param \OC_FilesystemView $view
2013-02-09 21:01:38 +04:00
* @param string $userId username
* @param string $path path of the file the key belongs to
* @return bool Outcome of unlink operation
* @note $path must be relative to data/user/files. e.g. mydoc.txt NOT
* /data/admin/files/mydoc.txt
*/
2013-05-20 03:24:36 +04:00
public static function deleteFileKey(\OC_FilesystemView $view, $userId, $path)
{
$trimmed = ltrim($path, '/');
$keyPath = '/' . $userId . '/files_encryption/keyfiles/' . $trimmed;
$result = false;
2013-05-20 03:24:36 +04:00
if ($view->is_dir($keyPath)) {
$result = $view->unlink($keyPath);
2013-05-20 03:24:36 +04:00
} else if ($view->file_exists($keyPath . '.key')) {
2013-05-20 03:24:36 +04:00
$result = $view->unlink($keyPath . '.key');
}
2013-05-20 03:24:36 +04:00
if (!$result) {
\OC_Log::write('Encryption library', 'Could not delete keyfile; does not exist: "' . $keyPath, \OC_Log::ERROR);
}
return $result;
2013-05-20 03:24:36 +04:00
}
2013-05-20 03:24:36 +04:00
/**
* @brief store private key from the user
2013-05-20 03:24:36 +04:00
* @param string $key
* @return bool
* @note Encryption of the private key must be performed by client code
* as no encryption takes place here
*/
2013-05-20 03:24:36 +04:00
public static function setPrivateKey($key)
{
$user = \OCP\User::getUser();
2013-05-20 03:24:36 +04:00
$view = new \OC_FilesystemView('/' . $user . '/files_encryption');
2013-04-25 16:56:11 +04:00
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
2013-05-20 03:24:36 +04:00
if (!$view->file_exists('')) $view->mkdir('');
$result = $view->file_put_contents($user . '.private.key', $key);
2013-04-25 16:56:11 +04:00
\OC_FileProxy::$enabled = $proxyStatus;
return $result;
2013-05-20 03:24:36 +04:00
}
2013-05-20 03:24:36 +04:00
/**
* @brief store share key
2013-02-09 21:01:38 +04:00
*
2013-05-20 03:24:36 +04:00
* @param \OC_FilesystemView $view
2013-02-09 21:01:38 +04:00
* @param string $path relative path of the file, including filename
2013-05-20 03:24:36 +04:00
* @param $userId
* @param $shareKey
* @internal param string $key
* @internal param string $dbClassName
2013-02-09 21:01:38 +04:00
* @return bool true/false
* @note The keyfile is not encrypted here. Client code must
* asymmetrically encrypt the keyfile before passing it to this method
*/
2013-05-20 03:24:36 +04:00
public static function setShareKey(\OC_FilesystemView $view, $path, $userId, $shareKey)
{
// Here we need the currently logged in user, while userId can be a different user
2013-05-20 03:24:36 +04:00
$util = new Util($view, \OCP\User::getUser());
2013-05-20 03:24:36 +04:00
list($owner, $filename) = $util->getUidAndFilename($path);
$basePath = '/' . $owner . '/files_encryption/share-keys';
2013-05-20 03:24:36 +04:00
$shareKeyPath = self::keySetPreparation($view, $filename, $basePath, $owner);
2013-04-27 22:18:57 +04:00
// try reusing key file if part file
2013-05-20 03:24:36 +04:00
if (self::isPartialFilePath($shareKeyPath)) {
$writePath = $basePath . '/' . self::fixPartialFilePath($shareKeyPath) . '.' . $userId . '.shareKey';
2013-05-20 03:24:36 +04:00
} else {
2013-05-20 03:24:36 +04:00
$writePath = $basePath . '/' . $shareKeyPath . '.' . $userId . '.shareKey';
2013-05-20 03:24:36 +04:00
}
2013-04-25 16:56:11 +04:00
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
2013-05-20 03:24:36 +04:00
$result = $view->file_put_contents($writePath, $shareKey);
2013-04-25 16:56:11 +04:00
\OC_FileProxy::$enabled = $proxyStatus;
2013-04-25 16:56:11 +04:00
2013-05-20 03:24:36 +04:00
if (
is_int($result)
&& $result > 0
) {
2013-05-20 03:24:36 +04:00
return true;
2013-05-20 03:24:36 +04:00
} else {
2013-05-20 03:24:36 +04:00
return false;
2013-05-20 03:24:36 +04:00
}
2013-05-20 03:24:36 +04:00
}
2013-05-20 03:24:36 +04:00
/**
* @brief store multiple share keys for a single file
2013-05-20 03:24:36 +04:00
* @param \OC_FilesystemView $view
* @param $path
* @param array $shareKeys
* @return bool
*/
2013-05-20 03:24:36 +04:00
public static function setShareKeys(\OC_FilesystemView $view, $path, array $shareKeys)
{
// $shareKeys must be an array with the following format:
// [userId] => [encrypted key]
2013-05-20 03:24:36 +04:00
$result = true;
2013-05-20 03:24:36 +04:00
foreach ($shareKeys as $userId => $shareKey) {
if (!self::setShareKey($view, $path, $userId, $shareKey)) {
// If any of the keys are not set, flag false
$result = false;
2013-05-20 03:24:36 +04:00
}
2013-05-20 03:24:36 +04:00
}
2013-05-20 03:24:36 +04:00
// Returns false if any of the keys weren't set
return $result;
2013-05-20 03:24:36 +04:00
}
2013-05-20 03:24:36 +04:00
/**
* @brief retrieve shareKey for an encrypted file
* @param \OC_FilesystemView $view
* @param string $userId
* @param string $filePath
* @internal param \OCA\Encryption\file $string name
* @return string file key or false
* @note The sharekey returned is encrypted. Decryption
* of the keyfile must be performed by client code
*/
2013-05-20 03:24:36 +04:00
public static function getShareKey(\OC_FilesystemView $view, $userId, $filePath)
{
2013-04-25 16:56:11 +04:00
// try reusing key file if part file
2013-05-20 03:24:36 +04:00
if (self::isPartialFilePath($filePath)) {
$result = self::getShareKey($view, $userId, self::fixPartialFilePath($filePath));
2013-05-20 03:24:36 +04:00
if ($result) {
return $result;
2013-05-20 03:24:36 +04:00
}
2013-05-20 03:24:36 +04:00
}
2013-04-27 22:18:57 +04:00
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
//here we need the currently logged in user, while userId can be a different user
2013-05-20 03:24:36 +04:00
$util = new Util($view, \OCP\User::getUser());
list($owner, $filename) = $util->getUidAndFilename($filePath);
$shareKeyPath = \OC\Files\Filesystem::normalizePath('/' . $owner . '/files_encryption/share-keys/' . $filename . '.' . $userId . '.shareKey');
2013-05-20 03:24:36 +04:00
if ($view->file_exists($shareKeyPath)) {
$result = $view->file_get_contents($shareKeyPath);
} else {
2013-05-20 03:24:36 +04:00
$result = false;
2013-05-20 03:24:36 +04:00
}
2013-05-20 03:24:36 +04:00
2013-04-25 16:56:11 +04:00
\OC_FileProxy::$enabled = $proxyStatus;
2013-05-20 03:24:36 +04:00
return $result;
2013-05-20 03:24:36 +04:00
}
/**
* @brief delete all share keys of a given file
* @param \OC_FilesystemView $view
2013-05-20 03:24:36 +04:00
* @param string $userId owner of the file
* @param string $filePath path to the file, relative to the owners file dir
*/
2013-05-20 03:24:36 +04:00
public static function delAllShareKeys(\OC_FilesystemView $view, $userId, $filePath)
{
if ($view->is_dir($userId . '/files/' . $filePath)) {
$view->unlink($userId . '/files_encryption/share-keys/' . $filePath);
} else {
2013-05-20 03:24:36 +04:00
$localKeyPath = $view->getLocalFile($userId . '/files_encryption/share-keys/' . $filePath);
$matches = glob(preg_quote($localKeyPath) . '*.shareKey');
foreach ($matches as $ma) {
unlink($ma);
}
}
}
/**
* @brief Delete a single user's shareKey for a single file
*/
2013-05-20 03:24:36 +04:00
public static function delShareKey(\OC_FilesystemView $view, $userIds, $filePath)
{
2013-04-25 16:56:11 +04:00
2013-05-20 03:24:36 +04:00
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
//here we need the currently logged in user, while userId can be a different user
2013-05-20 03:24:36 +04:00
$util = new Util($view, \OCP\User::getUser());
list($owner, $filename) = $util->getUidAndFilename($filePath);
$shareKeyPath = \OC\Files\Filesystem::normalizePath('/' . $owner . '/files_encryption/share-keys/' . $filename);
2013-05-20 03:24:36 +04:00
if ($view->is_dir($shareKeyPath)) {
2013-05-20 23:24:39 +04:00
$localPath = \OC\Files\Filesystem::normalizePath($view->getLocalFolder($shareKeyPath));
self::recursiveDelShareKeys($localPath, $userIds);
} else {
foreach ($userIds as $userId) {
2013-05-20 03:24:36 +04:00
2013-05-20 23:24:39 +04:00
if (!$view->unlink($shareKeyPath . '.' . $userId . '.shareKey')) {
\OC_Log::write('Encryption library', 'Could not delete shareKey; does not exist: "' . $shareKeyPath . '.' . $userId . '.shareKey"', \OC_Log::ERROR);
}
2013-05-20 03:24:36 +04:00
2013-05-20 23:24:39 +04:00
}
}
2013-05-20 03:24:36 +04:00
2013-04-25 16:56:11 +04:00
\OC_FileProxy::$enabled = $proxyStatus;
2013-02-09 21:01:38 +04:00
}
/**
* @brief recursively delete share keys from given users
*
2013-05-20 03:24:36 +04:00
* @param string $dir directory
* @param array $userIds user ids for which the share keys should be deleted
*/
2013-05-20 03:24:36 +04:00
private static function recursiveDelShareKeys($dir, $userIds)
{
foreach ($userIds as $userId) {
2013-05-20 03:24:36 +04:00
$completePath = $dir . '/.*' . '.' . $userId . '.shareKey';
$matches = glob(preg_quote($dir) . '/*' . preg_quote('.' . $userId . '.shareKey'));
}
2013-05-20 03:24:36 +04:00
/** @var $matches array */
foreach ($matches as $ma) {
2013-05-20 23:24:39 +04:00
if (!unlink($ma)) {
\OC_Log::write('Encryption library', 'Could not delete shareKey; does not exist: "' . $ma . '"', \OC_Log::ERROR);
}
}
2013-05-20 03:24:36 +04:00
$subdirs = $directories = glob(preg_quote($dir) . '/*', GLOB_ONLYDIR);
foreach ($subdirs as $subdir) {
self::recursiveDelShareKeys($subdir, $userIds);
}
}
2013-02-09 21:01:38 +04:00
/**
* @brief Make preparations to vars and filesystem for saving a keyfile
*/
2013-05-20 03:24:36 +04:00
public static function keySetPreparation(\OC_FilesystemView $view, $path, $basePath, $userId)
{
$targetPath = ltrim($path, '/');
$path_parts = pathinfo($targetPath);
// If the file resides within a subdirectory, create it
2013-05-20 03:24:36 +04:00
if (
isset($path_parts['dirname'])
&& !$view->file_exists($basePath . '/' . $path_parts['dirname'])
) {
$sub_dirs = explode(DIRECTORY_SEPARATOR, $basePath . '/' . $path_parts['dirname']);
$dir = '';
foreach ($sub_dirs as $sub_dir) {
$dir .= '/' . $sub_dir;
if (!$view->is_dir($dir)) {
$view->mkdir($dir);
}
}
}
2013-05-20 03:24:36 +04:00
2013-02-09 21:01:38 +04:00
return $targetPath;
2013-05-20 03:24:36 +04:00
}
}