Blame view
sources/apps/files_encryption/lib/keymanager.php
14.2 KB
03e52840d
Init
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 |
<?php
/**
* ownCloud
*
* @author Bjoern Schiessle
* @copyright 2012 Bjoern Schiessle <schiessle@owncloud.com>
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE
* License as published by the Free Software Foundation; either
* version 3 of the License, or any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU AFFERO GENERAL PUBLIC LICENSE for more details.
*
* You should have received a copy of the GNU Affero General Public
* License along with this library. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace OCA\Encryption;
/**
* @brief Class to manage storage and retrieval of encryption keys
* @note Where a method requires a view object, it's root must be '/'
*/
class Keymanager {
/**
* @brief retrieve the ENCRYPTED private key from a user
*
* @param \OC_FilesystemView $view
* @param string $user
* @return string private key or false (hopefully)
* @note the key returned by this method must be decrypted before use
*/
public static function getPrivateKey(\OC_FilesystemView $view, $user) {
$path = '/' . $user . '/' . 'files_encryption' . '/' . $user . '.private.key';
$key = false;
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
if ($view->file_exists($path)) {
$key = $view->file_get_contents($path);
}
\OC_FileProxy::$enabled = $proxyStatus;
return $key;
}
/**
* @brief retrieve public key for a specified user
* @param \OC_FilesystemView $view
* @param $userId
* @return string public key or false
*/
public static function getPublicKey(\OC_FilesystemView $view, $userId) {
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
$result = $view->file_get_contents('/public-keys/' . $userId . '.public.key');
\OC_FileProxy::$enabled = $proxyStatus;
return $result;
}
/**
* @brief Retrieve a user's public and private key
* @param \OC_FilesystemView $view
* @param $userId
* @return array keys: privateKey, publicKey
*/
public static function getUserKeys(\OC_FilesystemView $view, $userId) {
return array(
'publicKey' => self::getPublicKey($view, $userId),
'privateKey' => self::getPrivateKey($view, $userId)
);
}
/**
* @brief Retrieve public keys for given users
* @param \OC_FilesystemView $view
* @param array $userIds
* @return array of public keys for the specified users
*/
public static function getPublicKeys(\OC_FilesystemView $view, array $userIds) {
$keys = array();
foreach ($userIds as $userId) {
$keys[$userId] = self::getPublicKey($view, $userId);
}
return $keys;
}
/**
* @brief store file encryption key
*
* @param \OC_FilesystemView $view
|
|
31b7f2792
Upgrade to ownclo...
|
115 |
* @param \OCA\Encryption\Util $util |
|
03e52840d
Init
|
116 |
* @param string $path relative path of the file, including filename |
|
31b7f2792
Upgrade to ownclo...
|
117 |
* @param string $catfile keyfile content |
|
03e52840d
Init
|
118 119 120 121 |
* @return bool true/false * @note The keyfile is not encrypted here. Client code must * asymmetrically encrypt the keyfile before passing it to this method */ |
|
31b7f2792
Upgrade to ownclo...
|
122 |
public static function setFileKey(\OC_FilesystemView $view, $util, $path, $catfile) {
|
|
03e52840d
Init
|
123 124 125 |
$proxyStatus = \OC_FileProxy::$enabled; \OC_FileProxy::$enabled = false; |
|
03e52840d
Init
|
126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 |
list($owner, $filename) = $util->getUidAndFilename($path);
// in case of system wide mount points the keys are stored directly in the data directory
if ($util->isSystemWideMountPoint($filename)) {
$basePath = '/files_encryption/keyfiles';
} else {
$basePath = '/' . $owner . '/files_encryption/keyfiles';
}
$targetPath = self::keySetPreparation($view, $filename, $basePath, $owner);
if (!$view->is_dir($basePath . '/' . $targetPath)) {
// create all parent folders
$info = pathinfo($basePath . '/' . $targetPath);
$keyfileFolderName = $view->getLocalFolder($info['dirname']);
if (!file_exists($keyfileFolderName)) {
mkdir($keyfileFolderName, 0750, true);
}
}
// try reusing key file if part file
|
|
31b7f2792
Upgrade to ownclo...
|
151 |
if (Helper::isPartialFilePath($targetPath)) {
|
|
03e52840d
Init
|
152 153 |
$result = $view->file_put_contents( |
|
31b7f2792
Upgrade to ownclo...
|
154 |
$basePath . '/' . Helper::stripPartialFileExtension($targetPath) . '.key', $catfile); |
|
03e52840d
Init
|
155 156 157 158 159 160 161 162 163 164 165 166 167 168 |
} else {
$result = $view->file_put_contents($basePath . '/' . $targetPath . '.key', $catfile);
}
\OC_FileProxy::$enabled = $proxyStatus;
return $result;
}
/**
|
|
03e52840d
Init
|
169 170 |
* @brief retrieve keyfile for an encrypted file * @param \OC_FilesystemView $view |
|
31b7f2792
Upgrade to ownclo...
|
171 |
* @param \OCA\Encryption\Util $util |
|
03e52840d
Init
|
172 173 174 175 176 177 |
* @param $filePath * @internal param \OCA\Encryption\file $string name * @return string file key or false * @note The keyfile returned is asymmetrically encrypted. Decryption * of the keyfile must be performed by client code */ |
|
31b7f2792
Upgrade to ownclo...
|
178 |
public static function getFileKey($view, $util, $filePath) {
|
|
03e52840d
Init
|
179 |
|
|
03e52840d
Init
|
180 181 |
list($owner, $filename) = $util->getUidAndFilename($filePath); |
|
31b7f2792
Upgrade to ownclo...
|
182 |
$filename = Helper::stripPartialFileExtension($filename); |
|
03e52840d
Init
|
183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 |
$filePath_f = ltrim($filename, '/');
// in case of system wide mount points the keys are stored directly in the data directory
if ($util->isSystemWideMountPoint($filename)) {
$keyfilePath = '/files_encryption/keyfiles/' . $filePath_f . '.key';
} else {
$keyfilePath = '/' . $owner . '/files_encryption/keyfiles/' . $filePath_f . '.key';
}
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
if ($view->file_exists($keyfilePath)) {
$result = $view->file_get_contents($keyfilePath);
} else {
$result = false;
}
\OC_FileProxy::$enabled = $proxyStatus;
return $result;
}
/**
* @brief Delete a keyfile
*
* @param \OC_FilesystemView $view
|
|
03e52840d
Init
|
215 216 217 218 219 |
* @param string $path path of the file the key belongs to * @return bool Outcome of unlink operation * @note $path must be relative to data/user/files. e.g. mydoc.txt NOT * /data/admin/files/mydoc.txt */ |
|
31b7f2792
Upgrade to ownclo...
|
220 |
public static function deleteFileKey(\OC_FilesystemView $view, $path) {
|
|
03e52840d
Init
|
221 222 |
$trimmed = ltrim($path, '/'); |
|
31b7f2792
Upgrade to ownclo...
|
223 224 |
$userId = Helper::getUser($path); $util = new Util($view, $userId); |
|
03e52840d
Init
|
225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 |
if($util->isSystemWideMountPoint($path)) {
$keyPath = '/files_encryption/keyfiles/' . $trimmed;
} else {
$keyPath = '/' . $userId . '/files_encryption/keyfiles/' . $trimmed;
}
$result = false;
if ($view->is_dir($keyPath)) {
$result = $view->unlink($keyPath);
} else {
if ($view->file_exists($keyPath . '.key')) {
$result = $view->unlink($keyPath . '.key');
}
}
if (!$result) {
\OCP\Util::writeLog('Encryption library',
'Could not delete keyfile; does not exist: "' . $keyPath, \OCP\Util::ERROR);
}
return $result;
}
/**
* @brief store private key from the user
* @param string $key
* @return bool
* @note Encryption of the private key must be performed by client code
* as no encryption takes place here
*/
public static function setPrivateKey($key) {
$user = \OCP\User::getUser();
$view = new \OC_FilesystemView('/' . $user . '/files_encryption');
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
if (!$view->file_exists(''))
$view->mkdir('');
$result = $view->file_put_contents($user . '.private.key', $key);
\OC_FileProxy::$enabled = $proxyStatus;
return $result;
}
/**
* @brief store share key
*
* @param \OC_FilesystemView $view
* @param string $path where the share key is stored
* @param $shareKey
* @return bool true/false
* @note The keyfile is not encrypted here. Client code must
* asymmetrically encrypt the keyfile before passing it to this method
*/
private static function setShareKey(\OC_FilesystemView $view, $path, $shareKey) {
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
$result = $view->file_put_contents($path, $shareKey);
\OC_FileProxy::$enabled = $proxyStatus;
if (is_int($result) && $result > 0) {
return true;
} else {
return false;
}
}
/**
* @brief store multiple share keys for a single file
* @param \OC_FilesystemView $view
|
|
31b7f2792
Upgrade to ownclo...
|
313 314 |
* @param \OCA\Encryption\Util $util * @param string $path |
|
03e52840d
Init
|
315 316 317 |
* @param array $shareKeys * @return bool */ |
|
31b7f2792
Upgrade to ownclo...
|
318 |
public static function setShareKeys(\OC_FilesystemView $view, $util, $path, array $shareKeys) {
|
|
03e52840d
Init
|
319 320 321 |
// $shareKeys must be an array with the following format: // [userId] => [encrypted key] |
|
03e52840d
Init
|
322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 |
list($owner, $filename) = $util->getUidAndFilename($path);
// in case of system wide mount points the keys are stored directly in the data directory
if ($util->isSystemWideMountPoint($filename)) {
$basePath = '/files_encryption/share-keys';
} else {
$basePath = '/' . $owner . '/files_encryption/share-keys';
}
$shareKeyPath = self::keySetPreparation($view, $filename, $basePath, $owner);
$result = true;
foreach ($shareKeys as $userId => $shareKey) {
// try reusing key file if part file
|
|
31b7f2792
Upgrade to ownclo...
|
339 340 |
if (Helper::isPartialFilePath($shareKeyPath)) {
$writePath = $basePath . '/' . Helper::stripPartialFileExtension($shareKeyPath) . '.' . $userId . '.shareKey';
|
|
03e52840d
Init
|
341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 |
} else {
$writePath = $basePath . '/' . $shareKeyPath . '.' . $userId . '.shareKey';
}
if (!self::setShareKey($view, $writePath, $shareKey)) {
// If any of the keys are not set, flag false
$result = false;
}
}
// Returns false if any of the keys weren't set
return $result;
}
/**
* @brief retrieve shareKey for an encrypted file
* @param \OC_FilesystemView $view
* @param string $userId
|
|
31b7f2792
Upgrade to ownclo...
|
360 |
* @param \OCA\Encryption\Util $util |
|
03e52840d
Init
|
361 |
* @param string $filePath |
|
03e52840d
Init
|
362 363 364 365 |
* @return string file key or false * @note The sharekey returned is encrypted. Decryption * of the keyfile must be performed by client code */ |
|
31b7f2792
Upgrade to ownclo...
|
366 |
public static function getShareKey(\OC_FilesystemView $view, $userId, $util, $filePath) {
|
|
03e52840d
Init
|
367 368 369 370 |
// try reusing key file if part file $proxyStatus = \OC_FileProxy::$enabled; \OC_FileProxy::$enabled = false; |
|
03e52840d
Init
|
371 |
list($owner, $filename) = $util->getUidAndFilename($filePath); |
|
31b7f2792
Upgrade to ownclo...
|
372 |
$filename = Helper::stripPartialFileExtension($filename); |
|
03e52840d
Init
|
373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 |
// in case of system wide mount points the keys are stored directly in the data directory
if ($util->isSystemWideMountPoint($filename)) {
$shareKeyPath = '/files_encryption/share-keys/' . $filename . '.' . $userId . '.shareKey';
} else {
$shareKeyPath = '/' . $owner . '/files_encryption/share-keys/' . $filename . '.' . $userId . '.shareKey';
}
if ($view->file_exists($shareKeyPath)) {
$result = $view->file_get_contents($shareKeyPath);
} else {
$result = false;
}
\OC_FileProxy::$enabled = $proxyStatus;
return $result;
}
/**
* @brief delete all share keys of a given file
* @param \OC_FilesystemView $view
* @param string $userId owner of the file
* @param string $filePath path to the file, relative to the owners file dir
*/
public static function delAllShareKeys(\OC_FilesystemView $view, $userId, $filePath) {
$util = new util($view, $userId);
if ($util->isSystemWideMountPoint($filePath)) {
$baseDir = '/files_encryption/share-keys/';
} else {
$baseDir = $userId . '/files_encryption/share-keys/';
}
if ($view->is_dir($userId . '/files/' . $filePath)) {
$view->unlink($baseDir . $filePath);
} else {
$localKeyPath = $view->getLocalFile($baseDir . $filePath);
$escapedPath = Helper::escapeGlobPattern($localKeyPath);
$matches = glob($escapedPath . '*.shareKey');
foreach ($matches as $ma) {
$result = unlink($ma);
if (!$result) {
\OCP\Util::writeLog('Encryption library',
'Keyfile or shareKey could not be deleted for file "' . $filePath . '"', \OCP\Util::ERROR);
}
}
}
}
/**
* @brief Delete a single user's shareKey for a single file
*/
public static function delShareKey(\OC_FilesystemView $view, $userIds, $filePath) {
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
|
|
31b7f2792
Upgrade to ownclo...
|
436 437 438 |
$userId = Helper::getUser($filePath); $util = new Util($view, $userId); |
|
03e52840d
Init
|
439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 |
list($owner, $filename) = $util->getUidAndFilename($filePath);
if ($util->isSystemWideMountPoint($filename)) {
$shareKeyPath = \OC\Files\Filesystem::normalizePath('/files_encryption/share-keys/' . $filename);
} else {
$shareKeyPath = \OC\Files\Filesystem::normalizePath('/' . $owner . '/files_encryption/share-keys/' . $filename);
}
if ($view->is_dir($shareKeyPath)) {
$localPath = \OC\Files\Filesystem::normalizePath($view->getLocalFolder($shareKeyPath));
self::recursiveDelShareKeys($localPath, $userIds);
} else {
foreach ($userIds as $userId) {
if (!$view->unlink($shareKeyPath . '.' . $userId . '.shareKey')) {
\OCP\Util::writeLog('Encryption library',
'Could not delete shareKey; does not exist: "' . $shareKeyPath . '.' . $userId
. '.shareKey"', \OCP\Util::ERROR);
}
}
}
\OC_FileProxy::$enabled = $proxyStatus;
}
/**
* @brief recursively delete share keys from given users
*
* @param string $dir directory
* @param array $userIds user ids for which the share keys should be deleted
*/
private static function recursiveDelShareKeys($dir, $userIds) {
foreach ($userIds as $userId) {
$extension = '.' . $userId . '.shareKey';
$escapedDir = Helper::escapeGlobPattern($dir);
$escapedExtension = Helper::escapeGlobPattern($extension);
$matches = glob($escapedDir . '/*' . $escapedExtension);
}
/** @var $matches array */
foreach ($matches as $ma) {
if (!unlink($ma)) {
\OCP\Util::writeLog('Encryption library',
'Could not delete shareKey; does not exist: "' . $ma . '"', \OCP\Util::ERROR);
}
}
$subdirs = $directories = glob($escapedDir . '/*', GLOB_ONLYDIR);
foreach ($subdirs as $subdir) {
self::recursiveDelShareKeys($subdir, $userIds);
}
}
/**
* @brief Make preparations to vars and filesystem for saving a keyfile
*/
public static function keySetPreparation(\OC_FilesystemView $view, $path, $basePath, $userId) {
$targetPath = ltrim($path, '/');
$path_parts = pathinfo($targetPath);
// If the file resides within a subdirectory, create it
if (
isset($path_parts['dirname'])
&& !$view->file_exists($basePath . '/' . $path_parts['dirname'])
) {
$sub_dirs = explode(DIRECTORY_SEPARATOR, $basePath . '/' . $path_parts['dirname']);
$dir = '';
foreach ($sub_dirs as $sub_dir) {
$dir .= '/' . $sub_dir;
if (!$view->is_dir($dir)) {
$view->mkdir($dir);
}
}
}
return $targetPath;
}
}
|