func (sec *AccountSecurity) ResetPassword(kms security.KMS, password string) (*AccountSecurity, error) {
kek := sec.SystemKey.Clone()
if err := kms.DecryptKey(&kek); err != nil {
return nil, fmt.Errorf("key decryption error: %s", err)
}
kek.IV = make([]byte, ClientKeyType.BlockSize())
copy(kek.IV, sec.Nonce)
clientKey := security.KeyFromPasscode([]byte(password), sec.Nonce, sec.UserKey.KeyType)
if err := kek.Encrypt(clientKey); err != nil {
return nil, fmt.Errorf("key encryption error: %s", err)
}
var (
mac [16]byte
key [32]byte
)
copy(key[:], clientKey.Plaintext)
poly1305.Sum(&mac, sec.Nonce, &key)
nsec := &AccountSecurity{
Nonce: sec.Nonce,
MAC: mac[:],
SystemKey: sec.SystemKey,
UserKey: kek,
KeyPair: sec.KeyPair,
}
return nsec, nil
}
func (pm *PM) transmitToAgent(kms security.KMS, client *Client) (*security.ManagedKey, error) {
if client.UserID() != pm.Receiver {
return nil, ErrAccessDenied
}
// Decrypt PM key
pmKey := pm.EncryptedSystemKey.Clone()
if err := kms.DecryptKey(&pmKey); err != nil {
return nil, err
}
// Verify ReceiverMAC
if err := pm.verifyKey(&pmKey); err != nil {
return nil, err
}
// Encrypt PM key for agent
encryptedPMKey := pmKey.Clone()
encryptedPMKey.IV = pm.IV
if err := encryptedPMKey.Encrypt(client.Authorization.ClientKey); err != nil {
return nil, err
}
pm.EncryptedReceiverKey = &encryptedPMKey
return &pmKey, nil
}
func (r *memRoom) GenerateMessageKey(ctx scope.Context, kms security.KMS) (proto.RoomMessageKey, error) {
nonce, err := kms.GenerateNonce(security.AES128.KeySize())
if err != nil {
return nil, err
}
mkey, err := kms.GenerateEncryptedKey(security.AES128, "room", r.name)
if err != nil {
return nil, err
}
kp := r.managerKey.KeyPair()
r.messageKey = &roomMessageKey{
GrantManager: &proto.GrantManager{
Capabilities: &capabilities{},
Managers: r.managerKey,
KeyEncryptingKey: &r.sec.KeyEncryptingKey,
SubjectKeyPair: &kp,
SubjectNonce: nonce,
},
timestamp: time.Now(),
nonce: nonce,
key: *mkey,
}
r.messageKey.id = fmt.Sprintf("%s", r.messageKey.timestamp)
return r.messageKey, nil
}
func (b *AccountManagerBinding) getOTP(db gorp.SqlExecutor, kms security.KMS, accountID snowflake.Snowflake) (*proto.OTP, error) {
encryptedOTP, err := b.getRawOTP(db, accountID)
if err != nil {
return nil, err
}
key := security.ManagedKey{
KeyType: OTPKeyType,
IV: encryptedOTP.IV,
Ciphertext: encryptedOTP.EncryptedKey,
ContextKey: "account",
ContextValue: accountID.String(),
}
if err := kms.DecryptKey(&key); err != nil {
return nil, err
}
uriBytes, err := security.DecryptGCM(&key, encryptedOTP.IV, encryptedOTP.Digest, encryptedOTP.EncryptedURI, nil)
if err != nil {
return nil, err
}
otp := &proto.OTP{
URI: string(uriBytes),
Validated: encryptedOTP.Validated,
}
return otp, nil
}
func (gs *GrantManager) StaffGrantToAccount(ctx scope.Context, kms security.KMS, target Account) error {
keyEncryptingKey := gs.KeyEncryptingKey.Clone()
if err := kms.DecryptKey(&keyEncryptingKey); err != nil {
return fmt.Errorf("key-encrypting-key decrypt error: %s", err)
}
subjectKeyPair := gs.SubjectKeyPair.Clone()
if err := subjectKeyPair.Decrypt(&keyEncryptingKey); err != nil {
return err
}
// TODO: customize public/private payloads
kp := target.KeyPair()
var payloadKey security.ManagedKey
if gs.PayloadKey == nil {
payloadKey = keyEncryptingKey
} else {
payloadKey = gs.PayloadKey.Clone()
if err := kms.DecryptKey(&payloadKey); err != nil {
return fmt.Errorf("payload-key decrypt error: %s", err)
}
}
c, err := security.GrantPublicKeyCapability(
kms, gs.SubjectNonce, &subjectKeyPair, &kp, nil, payloadKey.Plaintext)
if err != nil {
return err
}
return gs.Capabilities.Save(ctx, target, c)
}
func (r *roomManagerKey) StaffUnlock(kms security.KMS) (*security.ManagedKeyPair, error) {
kek := r.RoomSecurity.KeyEncryptingKey.Clone()
if err := kms.DecryptKey(&kek); err != nil {
return nil, err
}
kp := r.KeyPair()
if err := kp.Decrypt(&kek); err != nil {
return nil, err
}
return &kp, nil
}
func (pm *PM) transmitToAccount(kms security.KMS, pmKey *security.ManagedKey, receiver Account) (*PM, error) {
userKey := receiver.SystemKey()
if err := kms.DecryptKey(&userKey); err != nil {
return nil, err
}
encryptedReceiverKey := pmKey.Clone()
encryptedReceiverKey.IV = pm.IV
if err := encryptedReceiverKey.Encrypt(&userKey); err != nil {
return nil, err
}
pm.EncryptedReceiverKey = &encryptedReceiverKey
return pm, nil
}
func (pm *PM) upgradeToAccountReceiver(ctx scope.Context, b Backend, kms security.KMS, client *Client) (*security.ManagedKey, error) {
// Verify that client and receiver agent share the same account.
_, id := pm.Receiver.Parse()
agent, err := b.AgentTracker().Get(ctx, id)
if err != nil {
return nil, err
}
if agent.AccountID != client.Account.ID().String() {
return nil, ErrAccessDenied
}
// Unlock PM and verify Receiver.
pmKey := pm.EncryptedSystemKey.Clone()
if err := kms.DecryptKey(&pmKey); err != nil {
return nil, err
}
if err := pm.verifyKey(&pmKey); err != nil {
return nil, err
}
// Re-encrypt PM key for account.
pm.Receiver = UserID(fmt.Sprintf("account:%s", client.Account.ID()))
var (
mac [16]byte
key [32]byte
)
copy(key[:], pmKey.Plaintext)
poly1305.Sum(&mac, []byte(pm.Receiver), &key)
pm.ReceiverMAC = mac[:]
userKey := client.Account.UserKey()
if err := userKey.Decrypt(client.Authorization.ClientKey); err != nil {
return nil, err
}
encryptedReceiverKey := pmKey.Clone()
encryptedReceiverKey.IV = pm.IV
if err := encryptedReceiverKey.Encrypt(&userKey); err != nil {
return nil, err
}
pm.EncryptedReceiverKey = &encryptedReceiverKey
if err := pm.verifyKey(&pmKey); err != nil {
return nil, err
}
return &pmKey, nil
}
func (rmkb *RoomManagerKeyBinding) StaffUnlock(kms security.KMS) (*security.ManagedKeyPair, error) {
kek := security.ManagedKey{
KeyType: proto.RoomManagerKeyType,
Ciphertext: rmkb.Room.EncryptedManagementKey,
ContextKey: "room",
ContextValue: rmkb.Room.Name,
}
if err := kms.DecryptKey(&kek); err != nil {
return nil, err
}
kp := rmkb.KeyPair()
if err := kp.Decrypt(&kek); err != nil {
return nil, err
}
return &kp, nil
}
func CheckEmailVerificationToken(kms security.KMS, account Account, email string, token []byte) error {
systemKey := account.SystemKey()
if err := kms.DecryptKey(&systemKey); err != nil {
return err
}
expected, err := emailVerificationToken(&systemKey, email)
if err != nil {
return err
}
if !hmac.Equal(token, expected) {
return ErrInvalidVerificationToken
}
return nil
}
func (e *etcdCluster) setSecret(kms security.KMS, name string, bytes int) ([]byte, error) {
// Generate our own key.
secret, err := kms.GenerateNonce(bytes)
if err != nil {
return nil, err
}
// Try to stake our claim on this secret.
if _, err := e.c.Create(e.key("/secrets/%s", name), hex.EncodeToString(secret), 0); err != nil {
if etcdErr, ok := err.(*etcd.EtcdError); ok && etcdErr.ErrorCode == 105 {
// Lost the race, try to use GetSecret again.
return e.GetSecret(kms, name, bytes)
}
return nil, err
}
return secret, nil
}
func (r *Room) generateMessageKey(b *Backend, kms security.KMS) (*RoomMessageKeyBinding, error) {
// Generate unique ID for storing new key in DB.
keyID, err := snowflake.New()
if err != nil {
return nil, err
}
// Use KMS to generate nonce and key.
nonce, err := kms.GenerateNonce(proto.RoomManagerKeyType.KeySize())
if err != nil {
return nil, err
}
mkey, err := kms.GenerateEncryptedKey(proto.RoomManagerKeyType, "room", r.Name)
if err != nil {
return nil, err
}
return NewRoomMessageKeyBinding(r.Bind(b), keyID, mkey, nonce), nil
}
func NewPM(kms security.KMS, client *Client, initiatorNick string, receiver UserID, receiverNick string) (
*PM, *security.ManagedKey, error) {
if client.Account == nil {
return nil, nil, ErrAccessDenied
}
pmID, err := snowflake.New()
if err != nil {
return nil, nil, err
}
iv, err := kms.GenerateNonce(RoomMessageKeyType.BlockSize())
if err != nil {
return nil, nil, err
}
encryptedSystemKey, err := kms.GenerateEncryptedKey(RoomMessageKeyType, "pm", pmID.String())
if err != nil {
return nil, nil, err
}
pmKey := encryptedSystemKey.Clone()
if err := kms.DecryptKey(&pmKey); err != nil {
return nil, nil, fmt.Errorf("pm key decrypt: %s", err)
}
//pmKey.IV = iv
userKey := client.Account.UserKey()
if err := userKey.Decrypt(client.Authorization.ClientKey); err != nil {
return nil, nil, fmt.Errorf("initiator account key decrypt: %s", err)
}
encryptedInitiatorKey := pmKey.Clone()
encryptedInitiatorKey.IV = iv
if err := encryptedInitiatorKey.Encrypt(&userKey); err != nil {
return nil, nil, fmt.Errorf("initiator pm key encrypt: %s", err)
}
var (
mac [16]byte
key [32]byte
)
copy(key[:], pmKey.Plaintext)
poly1305.Sum(&mac, []byte(receiver), &key)
pm := &PM{
ID: pmID,
Initiator: client.Account.ID(),
InitiatorNick: initiatorNick,
Receiver: receiver,
ReceiverNick: receiverNick,
ReceiverMAC: mac[:],
IV: iv,
EncryptedSystemKey: encryptedSystemKey,
EncryptedInitiatorKey: &encryptedInitiatorKey,
}
return pm, &pmKey, nil
}
func (tc *TestCluster) GetSecret(kms security.KMS, name string, bytes int) ([]byte, error) {
tc.Lock()
defer tc.Unlock()
if secret, ok := tc.secrets[name]; ok {
if len(secret) != bytes {
return nil, fmt.Errorf("secret inconsistent: expected %d bytes, got %d", bytes, len(secret))
}
return secret, nil
}
secret, err := kms.GenerateNonce(bytes)
if err != nil {
return nil, err
}
if tc.secrets == nil {
tc.secrets = map[string][]byte{name: secret}
} else {
tc.secrets[name] = secret
}
return secret, nil
}
func GeneratePasswordResetRequest(
kms security.KMS, accountID snowflake.Snowflake) (*PasswordResetRequest, error) {
id, err := snowflake.New()
if err != nil {
return nil, err
}
key, err := kms.GenerateNonce(sha256.BlockSize)
if err != nil {
return nil, err
}
now := time.Now()
req := &PasswordResetRequest{
ID: id,
AccountID: accountID,
Key: key,
Requested: now,
Expires: now.Add(PasswordResetRequestLifetime),
}
return req, nil
}
func NewRoomSecurity(kms security.KMS, roomName string) (*RoomSecurity, error) {
kpType := security.Curve25519
// Use one KMS request to obtain all the randomness we need:
// - key-encrypting-key IV
// - private key for grants to accounts
// - nonce for manager grants to accounts
randomData, err := kms.GenerateNonce(
RoomManagerKeyType.BlockSize() + kpType.PrivateKeySize() + kpType.NonceSize())
if err != nil {
return nil, fmt.Errorf("rng error: %s", err)
}
randomReader := bytes.NewReader(randomData)
// Generate IV with random data.
iv := make([]byte, RoomManagerKeyType.BlockSize())
if _, err := io.ReadFull(randomReader, iv); err != nil {
return nil, fmt.Errorf("rng error: %s", err)
}
// Generate private key using randomReader.
keyPair, err := kpType.Generate(randomReader)
if err != nil {
return nil, fmt.Errorf("keypair generation error: %s", err)
}
// Generate nonce with random data.
nonce := make([]byte, kpType.NonceSize())
if _, err := io.ReadFull(randomReader, nonce); err != nil {
return nil, fmt.Errorf("rng error: %s", err)
}
// Generate key-encrypting-key. This will be returned encrypted, using the
// name of the room as its context.
encryptedKek, err := kms.GenerateEncryptedKey(RoomManagerKeyType, "room", roomName)
if err != nil {
return nil, fmt.Errorf("key generation error: %s", err)
}
// Decrypt key-encrypting-key so we can encrypt keypair.
kek := encryptedKek.Clone()
if err = kms.DecryptKey(&kek); err != nil {
return nil, fmt.Errorf("key decryption error: %s", err)
}
// Encrypt private key.
keyPair.IV = iv
if err = keyPair.Encrypt(&kek); err != nil {
return nil, fmt.Errorf("keypair encryption error: %s", err)
}
// Generate message authentication code, for verifying a given key-encryption-key.
var (
mac [16]byte
key [32]byte
)
copy(key[:], kek.Plaintext)
poly1305.Sum(&mac, iv, &key)
sec := &RoomSecurity{
Nonce: nonce,
MAC: mac[:],
KeyEncryptingKey: *encryptedKek,
KeyPair: *keyPair,
}
return sec, nil
}
func (b *AccountManagerBinding) GenerateOTP(ctx scope.Context, heim *proto.Heim, kms security.KMS, account proto.Account) (*proto.OTP, error) {
encryptedKey, err := kms.GenerateEncryptedKey(OTPKeyType, "account", account.ID().String())
if err != nil {
return nil, err
}
key := encryptedKey.Clone()
if err := kms.DecryptKey(&key); err != nil {
return nil, err
}
iv, err := kms.GenerateNonce(OTPKeyType.BlockSize())
if err != nil {
return nil, err
}
t, err := b.DbMap.Begin()
if err != nil {
return nil, err
}
rawOTP, err := b.getRawOTP(t, account.ID())
if err != nil && err != proto.ErrOTPNotEnrolled {
rollback(ctx, t)
return nil, err
}
if err == nil {
if rawOTP.Validated {
rollback(ctx, t)
return nil, proto.ErrOTPAlreadyEnrolled
}
row := &OTP{AccountID: account.ID().String()}
if _, err := t.Delete(row); err != nil {
rollback(ctx, t)
return nil, err
}
}
otp, err := heim.NewOTP(account)
if err != nil {
rollback(ctx, t)
return nil, err
}
digest, encryptedURI, err := security.EncryptGCM(&key, iv, []byte(otp.URI), nil)
if err != nil {
rollback(ctx, t)
return nil, err
}
row := &OTP{
AccountID: account.ID().String(),
IV: iv,
EncryptedKey: encryptedKey.Ciphertext,
Digest: digest,
EncryptedURI: encryptedURI,
}
if err := t.Insert(row); err != nil {
// TODO: this could fail in the case of a race condition
// by the time that matters we should be on postgres 9.5 and using a proper upsert
rollback(ctx, t)
return nil, err
}
if err := t.Commit(); err != nil {
return nil, err
}
return otp, nil
}
func NewRoom(
ctx scope.Context, kms security.KMS, private bool, name, version string, managers ...proto.Account) (
proto.ManagedRoom, error) {
sec, err := proto.NewRoomSecurity(kms, name)
if err != nil {
return nil, err
}
managerKey := sec.KeyEncryptingKey.Clone()
if err := kms.DecryptKey(&managerKey); err != nil {
return nil, err
}
roomKeyPair, err := sec.Unlock(&managerKey)
if err != nil {
return nil, err
}
room := &memRoom{
RoomBase: RoomBase{
name: name,
version: version,
log: newMemLog(),
agentBans: map[proto.UserID]time.Time{},
ipBans: map[string]time.Time{},
},
sec: sec,
managerKey: &roomManagerKey{
RoomSecurity: sec,
GrantManager: &proto.GrantManager{
Capabilities: &capabilities{},
KeyEncryptingKey: &sec.KeyEncryptingKey,
SubjectKeyPair: &sec.KeyPair,
SubjectNonce: sec.Nonce,
},
},
}
room.managerKey.GrantManager.Managers = room.managerKey
var (
roomMsgKey proto.RoomMessageKey
msgKey security.ManagedKey
)
if private {
roomMsgKey, err = room.GenerateMessageKey(ctx, kms)
if err != nil {
return nil, err
}
msgKey = roomMsgKey.ManagedKey()
if err := kms.DecryptKey(&msgKey); err != nil {
return nil, err
}
}
for _, manager := range managers {
kp := manager.KeyPair()
c, err := security.GrantPublicKeyCapability(
kms, sec.Nonce, roomKeyPair, &kp, nil, managerKey.Plaintext)
if err != nil {
return nil, err
}
room.managerKey.Capabilities.Save(ctx, manager, c)
if private {
c, err = security.GrantPublicKeyCapability(
kms, roomMsgKey.Nonce(), roomKeyPair, &kp, nil, msgKey.Plaintext)
if err != nil {
return nil, err
}
room.messageKey.Capabilities.Save(ctx, manager, c)
}
}
return room, nil
}
func (b *Backend) CreateRoom(
ctx scope.Context, kms security.KMS, private bool, name string, managers ...proto.Account) (
proto.ManagedRoom, error) {
sec, err := proto.NewRoomSecurity(kms, name)
if err != nil {
return nil, err
}
logging.Logger(ctx).Printf("creating room: %s", name)
room := &Room{
Name: name,
IV: sec.KeyPair.IV,
MAC: sec.MAC,
Nonce: sec.Nonce,
EncryptedManagementKey: sec.KeyEncryptingKey.Ciphertext,
EncryptedPrivateKey: sec.KeyPair.EncryptedPrivateKey,
PublicKey: sec.KeyPair.PublicKey,
}
var (
rmkb *RoomMessageKeyBinding
msgKey security.ManagedKey
)
if private {
rmkb, err = room.generateMessageKey(b, kms)
if err != nil {
return nil, err
}
msgKey = rmkb.ManagedKey()
if err := kms.DecryptKey(&msgKey); err != nil {
return nil, err
}
}
// Generate manager capabilities.
managerKey := sec.KeyEncryptingKey.Clone()
if err := kms.DecryptKey(&managerKey); err != nil {
return nil, fmt.Errorf("manager key decrypt error: %s", err)
}
roomKeyPair, err := sec.Unlock(&managerKey)
if err != nil {
return nil, fmt.Errorf("room security unlock error: %s", err)
}
managerCaps := make([]*security.PublicKeyCapability, len(managers))
for i, manager := range managers {
kp := manager.KeyPair()
c, err := security.GrantPublicKeyCapability(
kms, sec.Nonce, roomKeyPair, &kp, nil, managerKey.Plaintext)
if err != nil {
return nil, fmt.Errorf("manager grant error: %s", err)
}
managerCaps[i] = c
}
accessCaps := []*security.PublicKeyCapability{}
if private {
accessCaps = make([]*security.PublicKeyCapability, len(managers))
for i, manager := range managers {
kp := manager.KeyPair()
c, err := security.GrantPublicKeyCapability(
kms, rmkb.Nonce(), roomKeyPair, &kp, nil, msgKey.Plaintext)
if err != nil {
return nil, fmt.Errorf("access grant error: %s", err)
}
accessCaps[i] = c
}
}
// Insert data.
t, err := b.DbMap.Begin()
if err != nil {
return nil, err
}
rollback := func() {
if err := t.Rollback(); err != nil {
logging.Logger(ctx).Printf("rollback error: %s", err)
}
}
if err := t.Insert(room); err != nil {
logging.Logger(ctx).Printf("room creation error on %s: %s", name, err)
rollback()
return nil, err
}
if rmkb != nil {
if err := t.Insert(&rmkb.MessageKey, &rmkb.RoomMessageKey); err != nil {
logging.Logger(ctx).Printf("room creation error on %s (message key): %s", name, err)
rollback()
return nil, err
}
}
managerCapTable := RoomManagerCapabilities{
Room: room,
Executor: t,
}
for i, capability := range managerCaps {
if err := managerCapTable.Save(ctx, managers[i], capability); err != nil {
logging.Logger(ctx).Printf(
"room creation error on %s (manager %s): %s", name, managers[i].ID().String(), err)
rollback()
return nil, err
}
}
messageCapTable := RoomMessageCapabilities{
Room: room,
Executor: t,
}
for i, capability := range accessCaps {
if err := messageCapTable.Save(ctx, managers[i], capability); err != nil {
logging.Logger(ctx).Printf(
"room creation error on %s (access capability): %s", name, err)
rollback()
return nil, err
}
}
if err := t.Commit(); err != nil {
logging.Logger(ctx).Printf("room creation error on %s (commit): %s", name, err)
return nil, err
}
return room.Bind(b), nil
}
// NewAccountSecurity initializes the nonce and account secrets for a new account
// with the given password. Returns an encrypted key-encrypting-key, encrypted
// key-pair, nonce, and error.
func NewAccountSecurity(
kms security.KMS, password string) (*AccountSecurity, *security.ManagedKey, error) {
kpType := security.Curve25519
// Use one KMS request to obtain all the randomness we need:
// - nonce
// - private key
randomData, err := kms.GenerateNonce(kpType.NonceSize() + kpType.PrivateKeySize())
if err != nil {
return nil, nil, fmt.Errorf("rng error: %s", err)
}
randomReader := bytes.NewReader(randomData)
// Generate nonce with random data. Use to populate IV.
nonce := make([]byte, kpType.NonceSize())
if _, err := io.ReadFull(randomReader, nonce); err != nil {
return nil, nil, fmt.Errorf("rng error: %s", err)
}
iv := make([]byte, ClientKeyType.BlockSize())
copy(iv, nonce)
// Generate key-encrypting-key using KMS. This will be returned encrypted,
// using the base64 encoding of the nonce as its context.
nonceBase64 := base64.URLEncoding.EncodeToString(nonce)
systemKey, err := kms.GenerateEncryptedKey(ClientKeyType, "nonce", nonceBase64)
if err != nil {
return nil, nil, fmt.Errorf("key generation error: %s", err)
}
// Generate private key using randomReader.
keyPair, err := kpType.Generate(randomReader)
if err != nil {
return nil, nil, fmt.Errorf("keypair generation error: %s", err)
}
// Decrypt key-encrypting-key so we can encrypt keypair, and so we can re-encrypt
// it using the user's key.
kek := systemKey.Clone()
if err = kms.DecryptKey(&kek); err != nil {
return nil, nil, fmt.Errorf("key decryption error: %s", err)
}
// Encrypt private key.
keyPair.IV = iv
if err = keyPair.Encrypt(&kek); err != nil {
return nil, nil, fmt.Errorf("keypair encryption error: %s", err)
}
// Clone key-encrypting-key and encrypt with client key.
clientKey := security.KeyFromPasscode([]byte(password), nonce, ClientKeyType)
userKey := kek.Clone()
userKey.IV = iv
if err := userKey.Encrypt(clientKey); err != nil {
return nil, nil, fmt.Errorf("key encryption error: %s", err)
}
// Generate message authentication code, for verifying passwords.
var (
mac [16]byte
key [32]byte
)
copy(key[:], clientKey.Plaintext)
poly1305.Sum(&mac, nonce, &key)
sec := &AccountSecurity{
Nonce: nonce,
MAC: mac[:],
SystemKey: *systemKey,
UserKey: userKey,
KeyPair: *keyPair,
}
return sec, clientKey, nil
}