* * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE * License as published by the Free Software Foundation; either * version 3 of the License, or any later version. * * This library is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU AFFERO GENERAL PUBLIC LICENSE for more details. * * You should have received a copy of the GNU Affero General Public * License along with this library. If not, see . * */ namespace OCA\Encryption; /** * This class provides basic operations to read/write encryption keys from/to the filesystem */ class Keymanager { # TODO: make all dependencies (including static classes) explicit, such as ocfsview objects, by adding them as method arguments (dependency injection) /** * @brief retrieve the ENCRYPTED private key from a user * * @return string private key or false * @note the key returned by this method must be decrypted before use */ public static function getPrivateKey( $user, $view ) { $view->chroot( '/' . $user . '/' . 'files_encryption' ); return $view->file_get_contents( '/' . $user.'.private.key' ); } /** * @brief retrieve public key for a specified user * @return string public key or false */ public static function getPublicKey( $userId = NULL ) { // If the username wasn't specified, fetch it if ( ! $userId ) { $userId = \OCP\User::getUser(); } // Create new view with the right $view = new \OC_FilesystemView( '/public-keys/' ); return $view->file_get_contents( '/' . $userId . '.public.key' ); } /** * @brief retrieve both keys from a user (private and public) * * @return string private key or false */ public static function getUserKeys() { return array( 'privatekey' => self::getPrivateKey(), 'publickey' => self::getPublicKey(), ); } /** * @brief retrieve a list of the public key from all users with access to the file * * @param string path to file * @return array of public keys for the given file */ public static function getPublicKeys( $path ) { $userId = \OCP\User::getUser(); $path = ltrim( $path, '/' ); $filepath = '/'.$userId.'/files/'.$path; // Check if sharing is enabled if ( OC_App::isEnabled( 'files_sharing' ) ) { // // Check if file was shared with other users // $query = \OC_DB::prepare( " // SELECT // uid_owner // , source // , target // , uid_shared_with // FROM // `*PREFIX*sharing` // WHERE // ( target = ? AND uid_shared_with = ? ) // OR source = ? // " ); // // $result = $query->execute( array ( $filepath, $userId, $filepath ) ); // // $users = array(); // // if ( $row = $result->fetchRow() ) // { // $source = $row['source']; // $owner = $row['uid_owner']; // $users[] = $owner; // // get the uids of all user with access to the file // $query = \OC_DB::prepare( "SELECT source, uid_shared_with FROM `*PREFIX*sharing` WHERE source = ?" ); // $result = $query->execute( array ($source)); // while ( ($row = $result->fetchRow()) ) { // $users[] = $row['uid_shared_with']; // // } // // } } else { // check if it is a file owned by the user and not shared at all $userview = new \OC_FilesystemView( '/'.$userId.'/files/' ); if ( $userview->file_exists( $path ) ) { $users[] = $userId; } } $view = new \OC_FilesystemView( '/public-keys/' ); $keylist = array(); $count = 0; foreach ( $users as $user ) { $keylist['key'.++$count] = $view->file_get_contents( $user.'.public.key' ); } return $keylist; } /** * @brief retrieve keyfile for an encrypted file * * @param string file name * @return string file key or false * @note The keyfile returned is asymmetrically encrypted. Decryption * of the keyfile must be performed by client code */ public static function getFileKey( $path, $staticUserClass = 'OCP\User' ) { $keypath = ltrim( $path, '/' ); $user = $staticUserClass::getUser(); // // update $keypath and $user if path point to a file shared by someone else // $query = \OC_DB::prepare( "SELECT uid_owner, source, target FROM `*PREFIX*sharing` WHERE target = ? AND uid_shared_with = ?" ); // // $result = $query->execute( array ('/'.$user.'/files/'.$keypath, $user)); // // if ($row = $result->fetchRow()) { // // $keypath = $row['source']; // $keypath_parts = explode( '/', $keypath ); // $user = $keypath_parts[1]; // $keypath = str_replace( '/' . $user . '/files/', '', $keypath ); // // } $view = new \OC_FilesystemView('/'.$user.'/files_encryption/keyfiles/'); return $view->file_get_contents( $keypath . '.key' ); } /** * @brief retrieve file encryption key * * @param string file name * @return string file key or false */ public static function deleteFileKey( $path, $staticUserClass = 'OCP\User' ) { $keypath = ltrim( $path, '/' ); $user = $staticUserClass::getUser(); // update $keypath and $user if path point to a file shared by someone else // $query = \OC_DB::prepare( "SELECT uid_owner, source, target FROM `*PREFIX*sharing` WHERE target = ? AND uid_shared_with = ?" ); // // $result = $query->execute( array ('/'.$user.'/files/'.$keypath, $user)); // // if ($row = $result->fetchRow()) { // // $keypath = $row['source']; // $keypath_parts = explode( '/', $keypath ); // $user = $keypath_parts[1]; // $keypath = str_replace( '/' . $user . '/files/', '', $keypath ); // // } $view = new \OC_FilesystemView('/'.$user.'/files_encryption/keyfiles/'); return $view->unlink( $keypath . '.key' ); } /** * @brief store private key from the user * @param string key * @return bool * @note Encryption of the private key must be performed by client code * as no encryption takes place here */ public static function setPrivateKey( $key ) { $user = \OCP\User::getUser(); $view = new \OC_FilesystemView( '/' . $user . '/files_encryption' ); \OC_FileProxy::$enabled = false; if ( !$view->file_exists( '' ) ) $view->mkdir( '' ); return $view->file_put_contents( $user . '.private.key', $key ); \OC_FileProxy::$enabled = true; } /** * @brief store private keys from the user * * @param string privatekey * @param string publickey * @return bool true/false */ public static function setUserKeys($privatekey, $publickey) { return (self::setPrivateKey($privatekey) && self::setPublicKey($publickey)); } /** * @brief store public key of the user * * @param string key * @return bool true/false */ public static function setPublicKey( $key ) { $view = new \OC_FilesystemView( '/public-keys' ); \OC_FileProxy::$enabled = false; if ( !$view->file_exists( '' ) ) $view->mkdir( '' ); return $view->file_put_contents( \OCP\User::getUser() . '.public.key', $key ); \OC_FileProxy::$enabled = true; } /** * @brief store file encryption key * * @param string $path relative path of the file, including filename * @param string $key * @return bool true/false * @note The keyfile is not encrypted here. Client code must * asymmetrically encrypt the keyfile before passing it to this method */ public static function setFileKey( $path, $key, $view = Null, $dbClassName = '\OC_DB') { $targetPath = ltrim( $path, '/' ); $user = \OCP\User::getUser(); // // update $keytarget and $user if key belongs to a file shared by someone else // $query = $dbClassName::prepare( "SELECT uid_owner, source, target FROM `*PREFIX*sharing` WHERE target = ? AND uid_shared_with = ?" ); // // $result = $query->execute( array ( '/'.$user.'/files/'.$targetPath, $user ) ); // // if ( $row = $result->fetchRow( ) ) { // // $targetPath = $row['source']; // // $targetPath_parts = explode( '/', $targetPath ); // // $user = $targetPath_parts[1]; // // $rootview = new \OC_FilesystemView( '/' ); // // if ( ! $rootview->is_writable( $targetPath ) ) { // // \OC_Log::write( 'Encryption library', "File Key not updated because you don't have write access for the corresponding file", \OC_Log::ERROR ); // // return false; // // } // // $targetPath = str_replace( '/'.$user.'/files/', '', $targetPath ); // // //TODO: check for write permission on shared file once the new sharing API is in place // // } $path_parts = pathinfo( $targetPath ); if ( !$view ) { $view = new \OC_FilesystemView( '/' ); } $view->chroot( '/' . $user . '/files_encryption/keyfiles' ); // If the file resides within a subdirectory, create it if ( isset( $path_parts['dirname'] ) && ! $view->file_exists( $path_parts['dirname'] ) ) { $view->mkdir( $path_parts['dirname'] ); } // Save the keyfile in parallel directory return $view->file_put_contents( '/' . $targetPath . '.key', $key ); } /** * @brief change password of private encryption key * * @param string $oldpasswd old password * @param string $newpasswd new password * @return bool true/false */ public static function changePasswd($oldpasswd, $newpasswd) { if ( \OCP\User::checkPassword(\OCP\User::getUser(), $newpasswd) ) { return Crypt::changekeypasscode($oldpasswd, $newpasswd); } return false; } /** * @brief Fetch the legacy encryption key from user files * @param string $login used to locate the legacy key * @param string $passphrase used to decrypt the legacy key * @return true / false * * if the key is left out, the default handeler will be used */ public function getLegacyKey() { $user = \OCP\User::getUser(); $view = new \OC_FilesystemView( '/' . $user ); return $view->file_get_contents( 'encryption.key' ); } }