Shared encrypted files now readable by both sharer and sharee
This commit is contained in:
Sam Tuke
parent
ca1b94d890
commit
4550ae6a69
|
|
@ -391,6 +391,8 @@ class Crypt {
|
||||||
|
|
||||||
if( openssl_seal( $plainContent, $sealed, $shareKeys, $publicKeys ) ) {
|
if( openssl_seal( $plainContent, $sealed, $shareKeys, $publicKeys ) ) {
|
||||||
|
|
||||||
|
// trigger_error("SEALED = $sealed");
|
||||||
|
|
||||||
$i = 0;
|
$i = 0;
|
||||||
|
|
||||||
// Ensure each shareKey is labelled with its
|
// Ensure each shareKey is labelled with its
|
||||||
|
|
|
||||||
|
|
@ -105,6 +105,8 @@ class Keymanager {
|
||||||
*/
|
*/
|
||||||
public static function setFileKey( \OC_FilesystemView $view, $path, $userId, $catfile ) {
|
public static function setFileKey( \OC_FilesystemView $view, $path, $userId, $catfile ) {
|
||||||
|
|
||||||
|
\OC_FileProxy::$enabled = false;
|
||||||
|
|
||||||
\OC\Files\Filesystem::initMountPoints($userId);
|
\OC\Files\Filesystem::initMountPoints($userId);
|
||||||
$basePath = '/' . $userId . '/files_encryption/keyfiles';
|
$basePath = '/' . $userId . '/files_encryption/keyfiles';
|
||||||
|
|
||||||
|
|
@ -112,15 +114,19 @@ class Keymanager {
|
||||||
|
|
||||||
if ( $view->is_dir( $basePath . '/' . $targetPath ) ) {
|
if ( $view->is_dir( $basePath . '/' . $targetPath ) ) {
|
||||||
|
|
||||||
|
// FIXME: write me
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
|
|
||||||
// Save the keyfile in parallel directory
|
// Save the keyfile in parallel directory
|
||||||
return $view->file_put_contents( $basePath . '/' . $targetPath . '.key', $catfile );
|
$result = $view->file_put_contents( $basePath . '/' . $targetPath . '.key', $catfile );
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
\OC_FileProxy::$enabled = true;
|
||||||
|
|
||||||
|
return $result;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
@ -140,16 +146,22 @@ class Keymanager {
|
||||||
|
|
||||||
$keyfilePath = '/' . $userId . '/files_encryption/keyfiles/' . $filePath_f . '.key';
|
$keyfilePath = '/' . $userId . '/files_encryption/keyfiles/' . $filePath_f . '.key';
|
||||||
|
|
||||||
|
\OC_FileProxy::$enabled = false;
|
||||||
|
|
||||||
if ( $view->file_exists( $keyfilePath ) ) {
|
if ( $view->file_exists( $keyfilePath ) ) {
|
||||||
|
|
||||||
return $view->file_get_contents( $keyfilePath );
|
$result = $view->file_get_contents( $keyfilePath );
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
|
|
||||||
return false;
|
$result = false;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
\OC_FileProxy::$enabled = true;
|
||||||
|
|
||||||
|
return $result;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
||||||
|
|
@ -92,6 +92,7 @@ class Proxy extends \OC_FileProxy {
|
||||||
}
|
}
|
||||||
|
|
||||||
public function preFile_put_contents( $path, &$data ) {
|
public function preFile_put_contents( $path, &$data ) {
|
||||||
|
|
||||||
// TODO check for existing key file and reuse it if possible to avoid problems with versioning etc.
|
// TODO check for existing key file and reuse it if possible to avoid problems with versioning etc.
|
||||||
if ( self::shouldEncrypt( $path ) ) {
|
if ( self::shouldEncrypt( $path ) ) {
|
||||||
|
|
||||||
|
|
@ -204,22 +205,22 @@ class Proxy extends \OC_FileProxy {
|
||||||
// Get the encrypted keyfile
|
// Get the encrypted keyfile
|
||||||
$encKeyfile = Keymanager::getFileKey( $view, $fileOwner, $relPath );
|
$encKeyfile = Keymanager::getFileKey( $view, $fileOwner, $relPath );
|
||||||
|
|
||||||
trigger_error("\$encKeyfile = ". var_export($encKeyfile, 1));
|
|
||||||
|
|
||||||
// Attempt to fetch the user's shareKey
|
// Attempt to fetch the user's shareKey
|
||||||
$shareKey = Keymanager::getShareKey( $view, $userId, $relPath );
|
$shareKey = Keymanager::getShareKey( $view, $userId, $relPath );
|
||||||
|
|
||||||
trigger_error("\$shareKey = ".var_export($shareKey, 1));
|
|
||||||
|
|
||||||
// Check if key is shared or not
|
// Check if key is shared or not
|
||||||
if ( $shareKey ) {
|
if ( $shareKey ) {
|
||||||
|
|
||||||
\OC_FileProxy::$enabled = false;
|
\OC_FileProxy::$enabled = false;
|
||||||
|
|
||||||
|
// trigger_error("\$encKeyfile = $encKeyfile, \$shareKey = $shareKey, \$privateKey = $privateKey");
|
||||||
|
|
||||||
// Decrypt keyfile with shareKey
|
// Decrypt keyfile with shareKey
|
||||||
$plainKeyfile = Crypt::multiKeyDecrypt( $encKeyfile, $shareKey, $privateKey );
|
$plainKeyfile = Crypt::multiKeyDecrypt( $encKeyfile, $shareKey, $privateKey );
|
||||||
|
|
||||||
trigger_error("PROXY plainkeyfile = ". var_export($plainKeyfile, 1));
|
// $plainKeyfile = $encKeyfile;
|
||||||
|
|
||||||
|
// trigger_error("PROXY plainkeyfile = ". var_export($plainKeyfile, 1));
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
|
|
||||||
|
|
@ -230,6 +231,8 @@ class Proxy extends \OC_FileProxy {
|
||||||
|
|
||||||
$plainData = Crypt::symmetricDecryptFileContent( $data, $plainKeyfile );
|
$plainData = Crypt::symmetricDecryptFileContent( $data, $plainKeyfile );
|
||||||
|
|
||||||
|
// trigger_error("PLAINDATA = ". var_export($plainData, 1));
|
||||||
|
|
||||||
} elseif (
|
} elseif (
|
||||||
Crypt::mode() == 'server'
|
Crypt::mode() == 'server'
|
||||||
&& isset( $_SESSION['legacyenckey'] )
|
&& isset( $_SESSION['legacyenckey'] )
|
||||||
|
|
|
||||||
|
|
@ -21,17 +21,28 @@
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
|
|
||||||
// Todo:
|
# Bugs
|
||||||
|
# ----
|
||||||
|
# Sharing a file to a user without encryption set up will not provide them with access but won't notify the sharer
|
||||||
|
# Deleting files if keyfile is missing fails
|
||||||
|
# When encryption app is disabled files become unreadable
|
||||||
|
# Timeouts on first login due to encryption of very large files
|
||||||
|
# MultiKeyEncrypt() may be failing
|
||||||
|
|
||||||
|
|
||||||
|
# Missing features
|
||||||
|
# ----------------
|
||||||
|
# Unshare a file
|
||||||
|
# Re-use existing keyfiles so they don't need version control
|
||||||
|
# Make sure user knows if large files weren't encrypted
|
||||||
|
# Trashbin support
|
||||||
|
|
||||||
|
|
||||||
|
// Old Todo:
|
||||||
// - Crypt/decrypt button in the userinterface
|
// - Crypt/decrypt button in the userinterface
|
||||||
// - Setting if crypto should be on by default
|
// - Setting if crypto should be on by default
|
||||||
// - Add a setting "Don´t encrypt files larger than xx because of performance
|
// - Add a setting "Don´t encrypt files larger than xx because of performance
|
||||||
// reasons"
|
// reasons"
|
||||||
// - Transparent decrypt/encrypt in filesystem.php. Autodetect if a file is
|
|
||||||
// encrypted (.encrypted extension)
|
|
||||||
// - Don't use a password directly as encryption key. but a key which is
|
|
||||||
// stored on the server and encrypted with the user password. -> password
|
|
||||||
// change faster
|
|
||||||
// - IMPORTANT! Check if the block lenght of the encrypted data stays the same
|
|
||||||
|
|
||||||
namespace OCA\Encryption;
|
namespace OCA\Encryption;
|
||||||
|
|
||||||
|
|
@ -663,10 +674,14 @@ class Util {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Re-enc keyfile to (additional) sharekeys
|
// Re-enc keyfile to (additional) sharekeys
|
||||||
$newShareKeys = Crypt::multiKeyEncrypt( $plainKeyfile, $userPubKeys );
|
$multiEncKey = Crypt::multiKeyEncrypt( $plainKeyfile, $userPubKeys );
|
||||||
|
|
||||||
// Save new sharekeys to all necessary user folders
|
// Save the recrypted key to it's owner's keyfiles directory
|
||||||
if ( ! Keymanager::setShareKeys( $this->view, $filePath, $newShareKeys['keys'] ) ) {
|
// Save new sharekeys to all necessary user directory
|
||||||
|
if (
|
||||||
|
! Keymanager::setFileKey( $this->view, $filePath, $fileOwner, $multiEncKey['data'] )
|
||||||
|
|| ! Keymanager::setShareKeys( $this->view, $filePath, $multiEncKey['keys'] )
|
||||||
|
) {
|
||||||
|
|
||||||
trigger_error( "SET Share keys failed" );
|
trigger_error( "SET Share keys failed" );
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue