Add JWKCallback to decrypt keys.

ylangisc · dkocher · commit 84cccd4d315c · 2025-11-04T16:26:26.000+01:00
diff --git a/core/pom.xml b/core/pom.xml
@@ -23,6 +23,10 @@
     <artifactId>core</artifactId>
     <packaging>jar</packaging>
 
+    <properties>
+        <nimbus-jose.version>10.5</nimbus-jose.version>
+    </properties>
+
     <build>
         <plugins>
             <plugin>
@@ -144,6 +148,11 @@
             <artifactId>auto-service-annotations</artifactId>
             <version>1.1.1</version>
         </dependency>
+        <dependency>
+            <groupId>com.nimbusds</groupId>
+            <artifactId>nimbus-jose-jwt</artifactId>
+            <version>${nimbus-jose.version}</version>
+        </dependency>
         <dependency>
             <groupId>junit</groupId>
             <artifactId>junit</artifactId>
diff --git a/core/src/main/java/ch/cyberduck/core/features/Vault.java b/core/src/main/java/ch/cyberduck/core/features/Vault.java
@@ -47,7 +47,7 @@ public interface Vault {
      * @throws BackgroundException    Failure reading master key from server
      * @throws NotfoundException      No master key file in home
      */
-    Vault load(Session<?> session, PasswordCallback prompt) throws BackgroundException;
+    Vault load(Session<?> session, PasswordCallback prompt, VaultMetadataProvider provider) throws BackgroundException;
 
     /**
      * Close vault
diff --git a/core/src/main/java/ch/cyberduck/core/vault/DisabledVault.java b/core/src/main/java/ch/cyberduck/core/vault/DisabledVault.java
@@ -42,7 +42,7 @@ public Vault create(final Session<?> session, final String region, final VaultMe
     }
 
     @Override
-    public Vault load(final Session<?> session, final PasswordCallback prompt) {
+    public Vault load(final Session<?> session, final PasswordCallback prompt, final VaultMetadataProvider provider) {
         return this;
     }
 
diff --git a/core/src/main/java/ch/cyberduck/core/vault/JWKCallback.java b/core/src/main/java/ch/cyberduck/core/vault/JWKCallback.java
@@ -0,0 +1,36 @@
+package ch.cyberduck.core.vault;
+
+/*
+ * Copyright (c) 2002-2025 iterate GmbH. All rights reserved.
+ * https://cyberduck.io/
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ */
+
+import ch.cyberduck.core.Host;
+import ch.cyberduck.core.LoginOptions;
+import ch.cyberduck.core.PasswordCallback;
+import ch.cyberduck.core.exception.LoginCanceledException;
+
+public interface JWKCallback extends PasswordCallback {
+
+    @Override
+    JWKCredentials prompt(Host bookmark, String title, String reason, LoginOptions options) throws LoginCanceledException;
+
+    static JWKCallback cast(PasswordCallback callback) {
+        if(callback instanceof JWKCallback) {
+            return (JWKCallback) callback;
+        }
+        else {
+            throw new IllegalArgumentException("Unsupported metadata type " + callback.getClass());
+        }
+    }
+}
diff --git a/core/src/main/java/ch/cyberduck/core/vault/JWKCredentials.java b/core/src/main/java/ch/cyberduck/core/vault/JWKCredentials.java
@@ -0,0 +1,32 @@
+package ch.cyberduck.core.vault;
+
+/*
+ * Copyright (c) 2002-2025 iterate GmbH. All rights reserved.
+ * https://cyberduck.io/
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ */
+
+import com.nimbusds.jose.jwk.JWK;
+
+public class JWKCredentials extends VaultCredentials {
+
+    private final JWK key;
+
+    public JWKCredentials(final JWK key) {
+        super(null);
+        this.key = key;
+    }
+
+    public JWK getKey() {
+        return key;
+    }
+}
diff --git a/core/src/main/java/ch/cyberduck/core/vault/LoadingVaultLookupListener.java b/core/src/main/java/ch/cyberduck/core/vault/LoadingVaultLookupListener.java
@@ -43,7 +43,9 @@ public Vault load(final Session session, final VaultMetadata metadata) throws Va
             log.info("Loading vault for session {}", session);
             final Vault vault = VaultProviderFactory.get(session).provide(session, metadata);
             try {
-                registry.add(vault.load(session, prompt));
+                // TODO provide correct metadata provider
+                registry.add(vault.load(session, prompt, new VaultMetadataProvider() {
+                }));
                 return vault;
             }
             catch(BackgroundException e) {
diff --git a/core/src/main/java/ch/cyberduck/core/vault/VaultMetadataProvider.java b/core/src/main/java/ch/cyberduck/core/vault/VaultMetadataProvider.java
@@ -16,8 +16,5 @@
  */
 
 public interface VaultMetadataProvider {
-
-    //Map<Path, byte[]> metadataFiles() throws BackgroundException;
-
-    //String dirPath();
+    // Marker interface
 }
diff --git a/cryptomator/src/main/java/ch/cyberduck/core/cryptomator/impl/uvf/CryptoVault.java b/cryptomator/src/main/java/ch/cyberduck/core/cryptomator/impl/uvf/CryptoVault.java
@@ -15,7 +15,6 @@
  * GNU General Public License for more details.
  */
 
-import ch.cyberduck.core.LocaleFactory;
 import ch.cyberduck.core.LoginOptions;
 import ch.cyberduck.core.PasswordCallback;
 import ch.cyberduck.core.Path;
@@ -38,9 +37,12 @@
 import ch.cyberduck.core.features.Write;
 import ch.cyberduck.core.preferences.PreferencesFactory;
 import ch.cyberduck.core.transfer.TransferStatus;
+import ch.cyberduck.core.vault.JWKCallback;
+import ch.cyberduck.core.vault.VaultException;
 import ch.cyberduck.core.vault.VaultMetadata;
 import ch.cyberduck.core.vault.VaultMetadataProvider;
 
+import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.cryptomator.cryptolib.api.Cryptor;
@@ -51,12 +53,16 @@
 import org.cryptomator.cryptolib.api.RevolvingMasterkey;
 import org.cryptomator.cryptolib.api.UVFMasterkey;
 
-import java.text.MessageFormat;
+import java.nio.charset.StandardCharsets;
+import java.text.ParseException;
 import java.util.EnumSet;
 import java.util.Objects;
 import java.util.regex.Pattern;
 
 import com.google.auto.service.AutoService;
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWEObjectJSON;
+import com.nimbusds.jose.crypto.MultiDecrypter;
 
 @AutoService(Vault.class)
 public class CryptoVault extends AbstractVault {
@@ -123,16 +129,18 @@ public AbstractVault create(final Session<?> session, final String region, final
 
     // load -> unlock -> open
     @Override
-    public CryptoVault load(final Session<?> session, final PasswordCallback prompt) throws BackgroundException {
-        masterKey = UVFMasterkey.fromDecryptedPayload(prompt.prompt(session.getHost(),
-                LocaleFactory.localizedString("Unlock Vault", "Cryptomator"),
-                MessageFormat.format(LocaleFactory.localizedString("Provide your passphrase to unlock the Cryptomator Vault {0}", "Cryptomator"), home.getName()),
-                new LoginOptions()
-                        .save(false)
-                        .user(false)
-                        .anonymous(false)
-                        .icon("cryptomator.tiff")
-                        .passwordPlaceholder(LocaleFactory.localizedString("Passphrase", "Cryptomator"))).getPassword());
+    public CryptoVault load(final Session<?> session, final PasswordCallback callback, final VaultMetadataProvider metadata) throws BackgroundException {
+        final JWKCallback jwk = JWKCallback.cast(callback);
+        final VaultMetadataUVFProvider metadataProvider = VaultMetadataUVFProvider.cast(metadata);
+        final JWEObjectJSON jweObject;
+        try {
+            jweObject = JWEObjectJSON.parse(new String(metadataProvider.getMetadata(), StandardCharsets.US_ASCII));
+            jweObject.decrypt(new MultiDecrypter(jwk.prompt(session.getHost(), StringUtils.EMPTY, StringUtils.EMPTY, new LoginOptions()).getKey()));
+        }
+        catch(ParseException | JOSEException e) {
+            throw new VaultException("Failure retrieving key material", e);
+        }
+        masterKey = UVFMasterkey.fromDecryptedPayload(jweObject.getPayload().toString());
         final CryptorProvider provider = CryptorProvider.forScheme(CryptorProvider.Scheme.UVF_DRAFT);
         log.debug("Initialized crypto provider {}", provider);
         this.cryptor = provider.provide(masterKey, FastSecureRandomProvider.get().provide());
diff --git a/cryptomator/src/main/java/ch/cyberduck/core/cryptomator/impl/v8/CryptoVault.java b/cryptomator/src/main/java/ch/cyberduck/core/cryptomator/impl/v8/CryptoVault.java
@@ -279,7 +279,7 @@ private static VaultConfig parseVaultConfigFromMasterKey(final MasterkeyFile mas
     }
 
     @Override
-    public Vault load(final Session<?> session, final PasswordCallback prompt) throws BackgroundException {
+    public Vault load(final Session<?> session, final PasswordCallback prompt, final VaultMetadataProvider provider) throws BackgroundException {
         final Host bookmark = session.getHost();
         String passphrase = keychain.getPassword(String.format("Cryptomator Passphrase (%s)", bookmark.getCredentials().getUsername()),
                 new DefaultUrlProvider(bookmark).toUrl(masterkeyPath, EnumSet.of(DescriptiveUrl.Type.provider)).find(DescriptiveUrl.Type.provider).getUrl());
diff --git a/cryptomator/src/test/java/ch/cyberduck/core/cryptomator/features/CryptoReadFeatureTest.java b/cryptomator/src/test/java/ch/cyberduck/core/cryptomator/features/CryptoReadFeatureTest.java
@@ -29,6 +29,7 @@
 import ch.cyberduck.core.features.Read;
 import ch.cyberduck.core.transfer.TransferStatus;
 import ch.cyberduck.core.vault.VaultCredentials;
+import ch.cyberduck.core.vault.VaultMetadataProvider;
 
 import org.apache.commons.io.IOUtils;
 import org.cryptomator.cryptolib.api.CryptorProvider;
@@ -87,6 +88,7 @@ public Credentials prompt(final Host bookmark, final String title, final String
                                               final LoginOptions options) {
                         return new VaultCredentials("vault");
                     }
+                }, new VaultMetadataProvider() {
                 }).
 
                 getHome());
@@ -162,6 +164,7 @@ public boolean offset(final Path file) {
             public Credentials prompt(final Host bookmark, final String title, final String reason, final LoginOptions options) {
                 return new VaultCredentials("vault");
             }
+        }, new VaultMetadataProvider() {
         }).getHome());
         CryptoReadFeature read = new CryptoReadFeature(null, null, vault);
         {
diff --git a/cryptomator/src/test/java/ch/cyberduck/core/cryptomator/impl/CryptoDirectoryV8ProviderTest.java b/cryptomator/src/test/java/ch/cyberduck/core/cryptomator/impl/CryptoDirectoryV8ProviderTest.java
@@ -31,6 +31,7 @@
 import ch.cyberduck.core.features.Read;
 import ch.cyberduck.core.transfer.TransferStatus;
 import ch.cyberduck.core.vault.VaultCredentials;
+import ch.cyberduck.core.vault.VaultMetadataProvider;
 
 import org.apache.commons.io.IOUtils;
 import org.cryptomator.cryptolib.api.CryptorProvider;
@@ -111,6 +112,7 @@ public boolean offset(final Path file) {
             public Credentials prompt(final Host bookmark, final String title, final String reason, final LoginOptions options) {
                 return new VaultCredentials("vault123");
             }
+        }, new VaultMetadataProvider() {
         });
         final CryptoDirectory provider = new CryptoDirectoryV8Provider(vault, new CryptoFilenameV7Provider());
         assertNotNull(provider.toEncrypted(session, home));
diff --git a/cryptomator/src/test/java/ch/cyberduck/core/cryptomator/impl/v8/CryptoVaultTest.java b/cryptomator/src/test/java/ch/cyberduck/core/cryptomator/impl/v8/CryptoVaultTest.java
@@ -41,6 +41,7 @@
 import ch.cyberduck.core.vault.DefaultVaultRegistry;
 import ch.cyberduck.core.vault.VaultCredentials;
 import ch.cyberduck.core.vault.VaultMetadata;
+import ch.cyberduck.core.vault.VaultMetadataProvider;
 
 import org.apache.commons.io.IOUtils;
 import org.cryptomator.cryptolib.api.CryptorProvider;
@@ -111,6 +112,7 @@ public boolean offset(final Path file) {
             public Credentials prompt(final Host bookmark, final String title, final String reason, final LoginOptions options) {
                 return new VaultCredentials("vault123");
             }
+        }, new VaultMetadataProvider() {
         });
         assertTrue(vault.getFileContentCryptor().getClass().getName().contains("v2"));
         assertTrue(vault.getFileHeaderCryptor().getClass().getName().contains("v2"));
@@ -195,6 +197,7 @@ public boolean offset(final Path file) {
             public Credentials prompt(final Host bookmark, final String title, final String reason, final LoginOptions options) {
                 return new VaultCredentials("vault123");
             }
+        }, new VaultMetadataProvider() {
         }).getHome());
         assertTrue(vault.getFileContentCryptor().getClass().getName().contains("v2"));
         assertTrue(vault.getFileHeaderCryptor().getClass().getName().contains("v2"));
@@ -246,6 +249,7 @@ public boolean offset(final Path file) {
             public Credentials prompt(final Host bookmark, final String title, final String reason, final LoginOptions options) {
                 return new VaultCredentials("vault123");
             }
+        }, new VaultMetadataProvider() {
         }).getHome());
         assertEquals(Vault.State.open, vault.getState());
         assertEquals(home, new PathDictionary<>().deserialize(home.serialize(SerializerFactory.get())));
@@ -305,6 +309,7 @@ public Credentials prompt(final Host bookmark, final String title, final String
                         throw new LoginCanceledException();
                     }
                 }
+            }, new VaultMetadataProvider() {
             });
             fail();
         }
@@ -355,6 +360,7 @@ public boolean offset(final Path file) {
                 public Credentials prompt(final Host bookmark, final String title, final String reason, final LoginOptions options) throws LoginCanceledException {
                     throw new LoginCanceledException();
                 }
+            }, new VaultMetadataProvider() {
             });
             fail();
         }
@@ -404,6 +410,7 @@ public boolean offset(final Path file) {
                 public Credentials prompt(final Host bookmark, final String title, final String reason, final LoginOptions options) {
                     return new VaultCredentials(null);
                 }
+            }, new VaultMetadataProvider() {
             });
             fail();
         }
diff --git a/s3/src/test/java/ch/cyberduck/core/cryptomator/UVFIntegrationTest.java b/s3/src/test/java/ch/cyberduck/core/cryptomator/UVFIntegrationTest.java
@@ -36,6 +36,7 @@
 import ch.cyberduck.core.transfer.TransferItem;
 import ch.cyberduck.core.transfer.TransferStatus;
 import ch.cyberduck.core.vault.DefaultVaultRegistry;
+import ch.cyberduck.core.vault.VaultMetadataProvider;
 import ch.cyberduck.core.vault.VaultRegistry;
 import ch.cyberduck.core.worker.DeleteWorker;
 import ch.cyberduck.test.TestcontainerTest;
@@ -142,6 +143,7 @@ public void listMinio() throws BackgroundException, IOException {
                     public Credentials prompt(final Host bookmark, final String title, final String reason, final LoginOptions options) {
                         return new Credentials().setPassword(jwe);
                     }
+                }, new VaultMetadataProvider() {
                 }));
                 final PathAttributes attr = storage.getFeature(AttributesFinder.class).find(vault.getHome());
                 storage.withRegistry(vaults);
diff --git a/ssh/src/test/java/ch/cyberduck/core/cryptomator/SFTPCryptomatorInteroperabilityTest.java b/ssh/src/test/java/ch/cyberduck/core/cryptomator/SFTPCryptomatorInteroperabilityTest.java
@@ -40,6 +40,7 @@
 import ch.cyberduck.core.vault.DefaultVaultRegistry;
 import ch.cyberduck.core.vault.VaultCredentials;
 import ch.cyberduck.core.vault.VaultMetadata;
+import ch.cyberduck.core.vault.VaultMetadataProvider;
 
 import org.apache.commons.io.FileUtils;
 import org.apache.commons.io.IOUtils;
@@ -154,6 +155,7 @@ public void testCryptomatorInteroperabilityLongFilename() throws Exception {
             public Credentials prompt(final Host bookmark, final String title, final String reason, final LoginOptions options) {
                 return new VaultCredentials(passphrase);
             }
+        }, new VaultMetadataProvider() {
         });
         session.withRegistry(new DefaultVaultRegistry(new DisabledPasswordCallback(), cryptomator));
         Path p = new Path(new Path(vaultPath, targetFolder.getFileName().toString(), EnumSet.of(Path.Type.directory)), targetFile.getFileName().toString(), EnumSet.of(Path.Type.file));
@@ -189,6 +191,7 @@ public void testCryptomatorInteroperability() throws Exception {
             public Credentials prompt(final Host bookmark, final String title, final String reason, final LoginOptions options) {
                 return new VaultCredentials(passphrase);
             }
+        }, new VaultMetadataProvider() {
         });
         session.withRegistry(new DefaultVaultRegistry(new DisabledPasswordCallback(), cryptomator));
         Path p = new Path(new Path(vaultPath, targetFolder.getFileName().toString(), EnumSet.of(Path.Type.directory)), targetFile.getFileName().toString(), EnumSet.of(Path.Type.file));

Original file line number	Diff line number	Diff line change
`@@ -42,7 +42,7 @@ public Vault create(final Session<?> session, final String region, final VaultMe`
`42`	`42`	`}`
`43`	`43`
`44`	`44`	`@Override`
`45`		`- public Vault load(final Session<?> session, final PasswordCallback prompt) {`
	`45`	`+ public Vault load(final Session<?> session, final PasswordCallback prompt, final VaultMetadataProvider provider) {`
`46`	`46`	`return this;`
`47`	`47`	`}`
`48`	`48`
Original file line number	Diff line number	Diff line change
`@@ -16,8 +16,5 @@`
`16`	`16`	`*/`
`17`	`17`
`18`	`18`	`public interface VaultMetadataProvider {`
`19`		`-`
`20`		`- //Map<Path, byte[]> metadataFiles() throws BackgroundException;`
`21`		`-`
`22`		`- //String dirPath();`
	`19`	`+ // Marker interface`
`23`	`20`	`}`
Original file line number	Diff line number	Diff line change
`@@ -279,7 +279,7 @@ private static VaultConfig parseVaultConfigFromMasterKey(final MasterkeyFile mas`
`279`	`279`	`}`
`280`	`280`
`281`	`281`	`@Override`
`282`		`- public Vault load(final Session<?> session, final PasswordCallback prompt) throws BackgroundException {`
	`282`	`+ public Vault load(final Session<?> session, final PasswordCallback prompt, final VaultMetadataProvider provider) throws BackgroundException {`
`283`	`283`	`final Host bookmark = session.getHost();`
`284`	`284`	`String passphrase = keychain.getPassword(String.format("Cryptomator Passphrase (%s)", bookmark.getCredentials().getUsername()),`
`285`	`285`	`new DefaultUrlProvider(bookmark).toUrl(masterkeyPath, EnumSet.of(DescriptiveUrl.Type.provider)).find(DescriptiveUrl.Type.provider).getUrl());`