// fetchLKS obtains the LKS client half and passphrase generation for encKey
// through the package-level fetchLKS helper and stores the resulting LKSec
// on e.lks. On error e.lks is left untouched.
func (e *loginProvision) fetchLKS(ctx *Context, encKey libkb.GenericKey) error {
	gen, half, fetchErr := fetchLKS(ctx, e.G(), encKey)
	if fetchErr == nil {
		e.lks = libkb.NewLKSecWithClientHalf(half, gen, e.arg.User.GetUID(), e.G())
	}
	return fetchErr
}
// lksClientHalf returns the LKS client half and passphrase generation used
// to seed the paper device's LKSec. With a LoginContext present it reads the
// cached passphrase stream; otherwise it reads the account's passphrase
// stream. When neither holds a stream it falls back to the secret store.
func (e *PaperKeyGen) lksClientHalf(ctx *Context) ([]byte, libkb.PassphraseGeneration, error) {
	var (
		gen  libkb.PassphraseGeneration
		half []byte
		ok   bool
	)
	switch {
	case ctx.LoginContext != nil:
		if stream := ctx.LoginContext.PassphraseStreamCache().PassphraseStream(); stream != nil {
			ok, gen, half = true, stream.Generation(), stream.LksClientHalf()
		}
	default:
		e.G().LoginState().Account(func(a *libkb.Account) {
			if stream := a.PassphraseStream(); stream != nil {
				ok, gen, half = true, stream.Generation(), stream.LksClientHalf()
			}
		}, "BackupKeygen - push")
	}
	if ok {
		return half, gen, nil
	}
	// No passphrase stream was available, so the halves must come from the
	// secret store.
	return e.getClientHalfFromSecretStore()
}

// push registers the paper key device with the server: it creates the
// device, posts its LKS recovery ciphertext, and delegates the paper
// signing key (as a sibkey) and the paper encryption key (as a subkey).
// It is a no-op when e.arg.SkipPush is set.
func (e *PaperKeyGen) push(ctx *Context) error {
	if e.arg.SkipPush {
		return nil
	}

	// The paper device is named after the passphrase prefix (its first two
	// words); the original author notes the prefix has sufficient entropy
	// for that purpose.
	paperDev, err := libkb.NewPaperDevice(e.arg.Passphrase.Prefix())
	if err != nil {
		return err
	}

	// These LKS halves exist only for recovery; they are not used for local,
	// encrypted storage of the paper keys.
	half, gen, err := e.lksClientHalf(ctx)
	if err != nil {
		return err
	}
	lks := libkb.NewLKSecWithClientHalf(half, gen, e.arg.Me.GetUID(), e.G())
	// The server half is not needed here, so it is an all-zero slice of the
	// same length as the client half.
	lks.SetServerHalf(make([]byte, len(half)))
	recoveryCtext, err := lks.EncryptClientHalfRecovery(e.encKey)
	if err != nil {
		return err
	}

	// Post the device and its LKS material. The session reader stays nil
	// when there is no login context.
	var sess libkb.SessionReader
	if ctx.LoginContext != nil {
		sess = ctx.LoginContext.LocalSession()
	}
	err = libkb.PostDeviceLKS(sess, paperDev.ID, libkb.DeviceTypePaper, lks.GetServerHalf(), lks.Generation(), recoveryCtext, e.encKey.GetKID())
	if err != nil {
		return err
	}

	// The paper signing key is delegated as a sibkey of the existing signing
	// key; the paper encryption key as a subkey of the new signing key.
	delegations := []libkb.Delegator{
		{
			NewKey:         e.sigKey,
			DelegationType: libkb.SibkeyType,
			Expire:         libkb.NaclEdDSAExpireIn,
			ExistingKey:    e.arg.SigningKey,
			Me:             e.arg.Me,
			Device:         paperDev,
			Contextified:   libkb.NewContextified(e.G()),
		},
		{
			NewKey:         e.encKey,
			DelegationType: libkb.SubkeyType,
			Expire:         libkb.NaclDHExpireIn,
			ExistingKey:    e.sigKey,
			Me:             e.arg.Me,
			Device:         paperDev,
			Contextified:   libkb.NewContextified(e.G()),
		},
	}
	return libkb.DelegatorAggregator(ctx.LoginContext, delegations)
}