register: readd file key

2025-01-09 03:00:48 +03:00 · 2024-03-06 21:59:41 -03:00 · 2024-03-06 21:59:41 -03:00 · 77bac5e659
commit 77bac5e659
parent bf2c495e80
3 changed files with 28 additions and 5 deletions
--- a/kinode/src/keygen.rs
+++ b/kinode/src/keygen.rs
@ -2,7 +2,7 @@ use aes_gcm::{
    aead::{Aead, AeadCore, KeyInit, OsRng},
    Aes256Gcm, Key,
 };
-use digest::generic_array;
+use digest::generic_array::GenericArray;
 use lazy_static::__Deref;
 use ring::pbkdf2;
 use ring::pkcs8::Document;
@ -26,6 +26,7 @@ pub fn encode_keyfile(
    routers: Vec<String>,
    networking_key: &[u8],
    jwt: &[u8],
+    file_key: &[u8],
 ) -> Vec<u8> {
    let mut disk_key: DiskKey = [0u8; CREDENTIAL_LEN];

@ -46,9 +47,11 @@ pub fn encode_keyfile(

    let network_nonce = Aes256Gcm::generate_nonce(&mut OsRng); // 96-bits; unique per message
    let jwt_nonce = Aes256Gcm::generate_nonce(&mut OsRng);
+    let file_nonce = Aes256Gcm::generate_nonce(&mut OsRng);

    let keyciphertext: Vec<u8> = cipher.encrypt(&network_nonce, networking_key).unwrap();
    let jwtciphertext: Vec<u8> = cipher.encrypt(&jwt_nonce, jwt).unwrap();
+    let fileciphertext: Vec<u8> = cipher.encrypt(&file_nonce, file_key.as_ref()).unwrap();

    bincode::serialize(&(
        username.clone(),
@ -56,13 +59,14 @@ pub fn encode_keyfile(
        salt.to_vec(),
        [network_nonce.to_vec(), keyciphertext].concat(),
        [jwt_nonce.to_vec(), jwtciphertext].concat(),
+        [file_nonce.to_vec(), fileciphertext].concat(),
    ))
    .unwrap()
 }

 pub fn decode_keyfile(keyfile: &[u8], password: &str) -> Result<Keyfile, &'static str> {
-    let (username, routers, salt, key_enc, jwt_enc) =
-        bincode::deserialize::<(String, Vec<String>, Vec<u8>, Vec<u8>, Vec<u8>)>(keyfile)
+    let (username, routers, salt, key_enc, jwt_enc, file_enc) =
+        bincode::deserialize::<(String, Vec<String>, Vec<u8>, Vec<u8>, Vec<u8>, Vec<u8>)>(keyfile)
            .map_err(|_| "failed to deserialize keyfile")?;

    // rederive disk key
@ -78,8 +82,9 @@ pub fn decode_keyfile(keyfile: &[u8], password: &str) -> Result<Keyfile, &'stati
    let cipher_key = Key::<Aes256Gcm>::from_slice(&disk_key);
    let cipher = Aes256Gcm::new(cipher_key);

-    let net_nonce = generic_array::GenericArray::from_slice(&key_enc[..12]);
-    let jwt_nonce = generic_array::GenericArray::from_slice(&jwt_enc[..12]);
+    let net_nonce = GenericArray::from_slice(&key_enc[..12]);
+    let jwt_nonce = GenericArray::from_slice(&jwt_enc[..12]);
+    let file_nonce = GenericArray::from_slice(&file_enc[..12]);

    let serialized_networking_keypair: Vec<u8> = cipher
        .decrypt(net_nonce, &key_enc[12..])
@ -92,11 +97,16 @@ pub fn decode_keyfile(keyfile: &[u8], password: &str) -> Result<Keyfile, &'stati
        .decrypt(jwt_nonce, &jwt_enc[12..])
        .map_err(|_| "failed to decrypt jwt secret")?;

+    let file_key: Vec<u8> = cipher
+        .decrypt(file_nonce, &file_enc[12..])
+        .map_err(|_| "failed to decrypt file key")?;
+
    Ok(Keyfile {
        username,
        routers,
        networking_keypair,
        jwt_secret_bytes,
+        file_key,
    })
 }

@ -126,6 +136,14 @@ pub fn namehash(name: &str) -> Vec<u8> {
    node
 }

+/// randomly generated key to encrypt file chunks,
+pub fn generate_file_key() -> Vec<u8> {
+    let mut key = [0u8; 32];
+    let rng = SystemRandom::new();
+    rng.fill(&mut key).unwrap();
+    key.to_vec()
+}
+
 /// # Returns
 /// a pair of (public key (encoded as a hex string), serialized key as a pkcs8 Document)
 pub fn generate_networking_key() -> (String, Document) {
--- a/kinode/src/register.rs
+++ b/kinode/src/register.rs
@ -464,6 +464,7 @@ async fn handle_boot(
        networking_keypair: signature::Ed25519KeyPair::from_pkcs8(networking_keypair.as_ref())
            .unwrap(),
        jwt_secret_bytes: jwt_secret.to_vec(),
+        file_key: keygen::generate_file_key(),
    };

    let encoded_keyfile = keygen::encode_keyfile(
@ -472,6 +473,7 @@ async fn handle_boot(
        decoded_keyfile.routers.clone(),
        &networking_keypair,
        &decoded_keyfile.jwt_secret_bytes,
+        &decoded_keyfile.file_key,
    );

    success_response(sender, our, decoded_keyfile, encoded_keyfile).await
@ -638,6 +640,7 @@ async fn confirm_change_network_keys(
        networking_keypair: signature::Ed25519KeyPair::from_pkcs8(networking_keypair.as_ref())
            .unwrap(),
        jwt_secret_bytes: old_decoded_keyfile.jwt_secret_bytes,
+        file_key: old_decoded_keyfile.file_key,
    };

    let encoded_keyfile = keygen::encode_keyfile(
@ -646,6 +649,7 @@ async fn confirm_change_network_keys(
        decoded_keyfile.routers.clone(),
        &networking_keypair,
        &decoded_keyfile.jwt_secret_bytes,
+        &decoded_keyfile.file_key,
    );

    success_response(sender, our.clone(), decoded_keyfile, encoded_keyfile).await
--- a/lib/src/core.rs
+++ b/lib/src/core.rs
@ -763,6 +763,7 @@ pub struct Keyfile {
    pub routers: Vec<String>,
    pub networking_keypair: signature::Ed25519KeyPair,
    pub jwt_secret_bytes: Vec<u8>,
+    pub file_key: Vec<u8>,
 }

 #[derive(Debug, Clone, Serialize, Deserialize)]