Merge branch 'release/2.6.6'

Author: infeo

README.md

@@ -15,7 +15,7 @@
 
 ### Security Architecture
 
-For more information on the security details, visit [cryptomator.org](https://cryptomator.org/architecture/).
+For more information on the security details, visit [docs.cryptomator.org](https://docs.cryptomator.org/en/latest/security/architecture/).
 
 ## Audits
 
@@ -33,9 +33,14 @@ For more information on the security details, visit [cryptomator.org](https://cr
 ```java
 Path storageLocation = Paths.get("/home/cryptobot/vault");
 Files.createDirectories(storageLocation);
-CryptoFileSystemProvider.initialize(storageLocation, "masterkey.cryptomator", "password");
+Masterkey masterkey = Masterkey.generate(csprng));
+MasterkeyLoader loader = ignoredUri -> masterkey.copy(); //create a copy because the key handed over to init() method will be destroyed
+CryptoFileSystemProperties fsProps = CryptoFileSystemProperties.cryptoFileSystemProperties().withKeyLoader(loader).build();
+CryptoFileSystemProvider.initialize(storageLocation, fsProps, "myKeyId");
 ```
 
+The key material used for initialization and later de- & encryption is given by the [org.cryptomator.cryptolib.api.Masterkeyloader](https://github.com/cryptomator/cryptolib/blob/2.1.2/src/main/java/org/cryptomator/cryptolib/api/MasterkeyLoader.java) interface.
+
 ### Obtaining a FileSystem Instance
 
 You have the option to use the convenience method `CryptoFileSystemProvider#newFileSystem` as follows:  
@@ -44,7 +49,7 @@ You have the option to use the convenience method `CryptoFileSystemProvider#newF
 FileSystem fileSystem = CryptoFileSystemProvider.newFileSystem(
 	storageLocation,
 	CryptoFileSystemProperties.cryptoFileSystemProperties()
-		.withPassphrase("password")
+		.withKeyLoader(ignoredUri -> masterkey.copy())
 		.withFlags(FileSystemFlags.READONLY) // readonly flag is optional of course
 		.build());
 ```
@@ -56,7 +61,7 @@ URI uri = CryptoFileSystemUri.create(storageLocation);
 FileSystem fileSystem = FileSystems.newFileSystem(
 		uri,
 		CryptoFileSystemProperties.cryptoFileSystemProperties()
-			.withPassphrase("password")
+            .withKeyLoader(ignoredUri -> masterkey.copy())
 			.withFlags(FileSystemFlags.READONLY) // readonly flag is optional of course
 			.build());
 ```

pom.xml

@@ -2,7 +2,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>org.cryptomator</groupId>
 	<artifactId>cryptofs</artifactId>
-	<version>2.6.5</version>
+	<version>2.6.6</version>
 	<name>Cryptomator Crypto Filesystem</name>
 	<description>This library provides the Java filesystem provider used by Cryptomator.</description>
 	<url>https://github.com/cryptomator/cryptofs</url>
@@ -19,7 +19,7 @@
 
 		<!-- dependencies -->
 		<cryptolib.version>2.1.2</cryptolib.version>
-		<jwt.version>4.3.0</jwt.version>
+		<jwt.version>4.4.0</jwt.version>
 		<dagger.version>2.44.2</dagger.version>
 		<guava.version>32.0.0-jre</guava.version>
 		<caffeine.version>3.1.4</caffeine.version>

src/main/java/org/cryptomator/cryptofs/CryptoFileSystemImpl.java

@@ -599,7 +599,7 @@ private void moveFile(CryptoPath cleartextSource, CryptoPath cleartextTarget, Co
 		CiphertextFilePath ciphertextTarget = cryptoPathMapper.getCiphertextFilePath(cleartextTarget);
 		try (OpenCryptoFiles.TwoPhaseMove twoPhaseMove = openCryptoFiles.prepareMove(ciphertextSource.getRawPath(), ciphertextTarget.getRawPath())) {
 			if (ciphertextTarget.isShortened()) {
-				Files.createDirectory(ciphertextTarget.getRawPath());
+				Files.createDirectories(ciphertextTarget.getRawPath());
 				ciphertextTarget.persistLongFileName();
 			}
 			Files.move(ciphertextSource.getFilePath(), ciphertextTarget.getFilePath(), options);

src/test/java/org/cryptomator/cryptofs/CryptoFileSystemProviderIntegrationTest.java

@@ -62,7 +62,9 @@
 import java.nio.file.attribute.BasicFileAttributes;
 import java.nio.file.attribute.DosFileAttributeView;
 import java.util.Arrays;
+import java.util.Comparator;
 import java.util.EnumSet;
+import java.util.Set;
 
 import static java.nio.file.Files.readAllBytes;
 import static java.nio.file.StandardCopyOption.REPLACE_EXISTING;
@@ -170,7 +172,7 @@ public void testCopyExceedingPathLengthLimit(String path) {
 	@Nested
 	@TestInstance(TestInstance.Lifecycle.PER_CLASS)
 	@TestMethodOrder(MethodOrderer.OrderAnnotation.class)
-	public class InMemory {
+	public class InMemoryOrdered {
 
 		private FileSystem tmpFs;
 		private MasterkeyLoader keyLoader1;
@@ -587,6 +589,68 @@ public void testMoveFileFromOneCryptoFileSystemToAnother() throws IOException {
 
 	}
 
+
+	@Nested
+	public class InMemory {
+
+		private static FileSystem tmpFs;
+		private static Path pathToVault;
+
+		@BeforeAll
+		public static void beforeAll() {
+			tmpFs = Jimfs.newFileSystem(Configuration.unix());
+			pathToVault = tmpFs.getPath("/vault");
+		}
+
+		@BeforeEach
+		public void beforeEach() throws IOException {
+			Files.createDirectory(pathToVault);
+		}
+
+		@AfterEach
+		public void afterEach() throws IOException {
+			try (var paths = Files.walk(pathToVault)) {
+				var nodes = paths.sorted(Comparator.reverseOrder()).toList();
+				for (var node : nodes) {
+					Files.delete(node);
+				}
+			}
+		}
+
+		@AfterAll
+		public static void afterAll() throws IOException {
+			tmpFs.close();
+		}
+
+		@Test
+		@DisplayName("Replace an existing, shortened file")
+		public void testReplaceExistingShortenedFile() throws IOException {
+			try (var fs = setupCryptoFs(50, 100, false)) {
+				var fiftyCharName2 = "/50char2_50char2_50char2_50char2_50char2_50char.txt"; //since filename encryption increases filename length, 50 cleartext chars are sufficient
+				var source = fs.getPath("/source.txt");
+				var target = fs.getPath(fiftyCharName2);
+				Files.createFile(source);
+				Files.createFile(target);
+
+				Assertions.assertDoesNotThrow(() -> Files.move(source, target, REPLACE_EXISTING));
+				Assertions.assertTrue(Files.notExists(source));
+				Assertions.assertTrue(Files.exists(target));
+			}
+		}
+
+		private FileSystem setupCryptoFs(int ciphertextShorteningThreshold, int maxCleartextFilename, boolean readonly) throws IOException {
+			byte[] key = new byte[64];
+			Arrays.fill(key, (byte) 0x55);
+			var keyLoader = Mockito.mock(MasterkeyLoader.class);
+			Mockito.when(keyLoader.loadKey(Mockito.any())).thenAnswer(ignored -> new Masterkey(key));
+			var properties = CryptoFileSystemProperties.cryptoFileSystemProperties().withKeyLoader(keyLoader).withShorteningThreshold(ciphertextShorteningThreshold).withMaxCleartextNameLength(maxCleartextFilename).withFlags(readonly ? Set.of(CryptoFileSystemProperties.FileSystemFlags.READONLY) : Set.of()).build();
+			CryptoFileSystemProvider.initialize(pathToVault, properties, URI.create("test:key"));
+			URI fsUri = CryptoFileSystemUri.create(pathToVault);
+			return FileSystems.newFileSystem(fsUri, cryptoFileSystemProperties().withKeyLoader(keyLoader).build());
+		}
+
+	}
+
 	@Nested
 	@EnabledOnOs({OS.MAC, OS.LINUX})
 	@TestInstance(TestInstance.Lifecycle.PER_CLASS)

suppression.xml

@@ -9,4 +9,13 @@
 		<cpe>cpe:/a:cryptomator:cryptomator</cpe>
 		<cve>CVE-2022-25366</cve>
 	</suppress>
+	<suppress>
+		<notes>
+			<![CDATA[
+		   file name: jackson-databind-2.14.2.jar
+		   ]]>
+		</notes>
+		<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
+		<cve>CVE-2023-35116</cve>
+	</suppress>
 </suppressions>