Inherit from UVFVault.

Author: ylangisc

hub/src/main/java/ch/iterate/hub/crypto/uvf/UvfMetadataPayload.java

@@ -8,11 +8,9 @@
 import ch.cyberduck.core.AlphanumericRandomStringService;
 import ch.cyberduck.core.cryptomator.random.FastSecureRandomProvider;
 
-import org.bouncycastle.crypto.Digest;
-import org.bouncycastle.crypto.digests.SHA256Digest;
-import org.bouncycastle.crypto.macs.HMac;
-import org.bouncycastle.crypto.params.KeyParameter;
-import org.bouncycastle.util.encoders.Base32;
+import org.cryptomator.cryptolib.api.Cryptor;
+import org.cryptomator.cryptolib.api.CryptorProvider;
+import org.cryptomator.cryptolib.api.UVFMasterkey;
 import org.cryptomator.cryptolib.common.P384KeyPair;
 import org.openapitools.jackson.nullable.JsonNullableModule;
 
@@ -27,7 +25,6 @@
 import java.util.Objects;
 import java.util.UUID;
 
-import at.favre.lib.hkdf.HKDF;
 import ch.iterate.hub.crypto.exceptions.NotECKeyException;
 import ch.iterate.hub.model.JWEPayload;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
@@ -93,8 +90,14 @@ public static UvfMetadataPayload fromJWE(final String jwe) throws JsonProcessing
         return mapper.readValue(jwe, UvfMetadataPayload.class);
     }
 
+    public String toJSON() throws JsonProcessingException {
+        ObjectMapper mapper = new ObjectMapper();
+        mapper.registerModule(new JsonNullableModule());
+        return mapper.writeValueAsString(this);
+    }
+
     public static UvfMetadataPayload create() {
-        final String kid = new AlphanumericRandomStringService(4).random();
+        final String kid = Base64URL.encode(new AlphanumericRandomStringService(4).random()).toString();
         final byte[] rawSeed = new byte[32];
         FastSecureRandomProvider.get().provide().nextBytes(rawSeed);
         final byte[] kdfSalt = new byte[32];
@@ -103,28 +106,21 @@ public static UvfMetadataPayload create() {
                 .withFileFormat("AES-256-GCM-32k")
                 .withNameFormat("AES-SIV-512-B64URL")
                 .withSeeds(new HashMap<String, String>() {{
-                    put(kid, Base64URL.encode(rawSeed).toString());
+                    put(kid, Base64.getEncoder().encodeToString(rawSeed));
                 }})
                 .withLatestSeed(kid)
                 .withinitialSeed(kid)
                 .withKdf("HKDF-SHA512")
-                .withKdfSalt(Base64URL.encode(kdfSalt).toString());
-    }
-
-    public byte[] computeRootDirId() {
-        return HKDF.fromHmacSha512().extractAndExpand(Base64URL.from(kdfSalt()).decode(), Base64URL.from(seeds().get(initialSeed())).decode(), "rootDirId".getBytes(), 256 / 8);
+                .withKdfSalt(Base64.getEncoder().encodeToString(kdfSalt));
     }
 
-    public String computeRootDirIdHash(final byte[] rootDirId) {
-        final byte[] hmacKey = HKDF.fromHmacSha512()
-                .extractAndExpand(Base64URL.from(kdfSalt()).decode(), Base64URL.from(seeds().get(initialSeed())).decode(), "hmac".getBytes(), 512 / 8);
-        final Digest digest = new SHA256Digest();
-        final HMac hMac = new HMac(digest);
-        hMac.init(new KeyParameter(hmacKey));
-        hMac.update(rootDirId, 0, rootDirId.length);
-        final byte[] hmacOut = new byte[hMac.getMacSize()];
-        hMac.doFinal(hmacOut, 0);
-        return Base32.toBase32String(Arrays.copyOfRange(hmacOut, 0, 20));
+    public String computeRootDirIdHash() throws JsonProcessingException {
+        final UVFMasterkey masterKey = UVFMasterkey.fromDecryptedPayload(this.toJSON());
+        final CryptorProvider provider = CryptorProvider.forScheme(CryptorProvider.Scheme.UVF_DRAFT);
+        final Cryptor cryptor = provider.provide(masterKey, FastSecureRandomProvider.get().provide());
+        final byte[] rootDirId = masterKey.rootDirId();
+        final String hashedRootDirId = cryptor.fileNameCryptor(masterKey.firstRevision()).hashDirectoryId(rootDirId);
+        return hashedRootDirId;
     }
 
 

hub/src/main/java/ch/iterate/hub/protocols/hub/HubCryptoVault.java

@@ -8,12 +8,11 @@
 import ch.cyberduck.core.AbstractPath;
 import ch.cyberduck.core.DisabledListProgressListener;
 import ch.cyberduck.core.ListService;
-import ch.cyberduck.core.LoginOptions;
-import ch.cyberduck.core.PasswordCallback;
 import ch.cyberduck.core.Path;
+import ch.cyberduck.core.PathAttributes;
 import ch.cyberduck.core.Session;
 import ch.cyberduck.core.cryptomator.ContentWriter;
-import ch.cyberduck.core.cryptomator.CryptoVault;
+import ch.cyberduck.core.cryptomator.UVFVault;
 import ch.cyberduck.core.exception.BackgroundException;
 import ch.cyberduck.core.features.Directory;
 import ch.cyberduck.core.preferences.PreferencesFactory;
@@ -22,47 +21,50 @@
 
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
-import org.cryptomator.cryptolib.api.CryptorProvider;
-import org.cryptomator.cryptolib.api.Masterkey;
+import org.cryptomator.cryptolib.api.UVFMasterkey;
 
 import java.nio.charset.StandardCharsets;
-import java.util.Base64;
 import java.util.EnumSet;
 
 /**
  * Cryptomator vault implementation for Cipherduck (without masterkey file).
  */
-public class HubCryptoVault extends CryptoVault {
+public class HubCryptoVault extends UVFVault {
     private static final Logger log = LogManager.getLogger(HubCryptoVault.class);
+    private final String decryptedPayload;
 
-    // See https://github.com/cryptomator/hub/blob/develop/frontend/src/common/vaultconfig.ts
-    //const jwtPayload: VaultConfigPayload = {
-    //    jti: vaultId,
-    //    format: 8,
-    //    cipherCombo: 'SIV_GCM',
-    //    shorteningThreshold: 220
-    //};
-    //const header = JSON.stringify({
-    //    kid: kid,
-    //    typ: 'jwt',
-    //    alg: 'HS256',
-    //    hub: hubConfig
-    //});
-    private static final VaultConfig VAULT_CONFIG = new VaultConfig(8, 220, CryptorProvider.Scheme.SIV_GCM, "HS256", null);
 
     public HubCryptoVault(final Path home) {
-        super(home);
+        this(home, null, null, null); // TODO cleanup
     }
 
-    public HubCryptoVault(final Path home, final String masterkey, final String config, final byte[] pepper) {
-        super(home);
+    public HubCryptoVault(final Path home, final String decryptedPayload, final String config, final byte[] pepper) {
+        super(home, decryptedPayload, config, pepper);
+        this.decryptedPayload = decryptedPayload;
     }
 
+    public Path encrypt(Session<?> session, Path file, byte[] directoryId, boolean metadata) throws BackgroundException {
+        log.debug("HubCryptoVault.encrypt. Use directory ID '{}' for folder {}", directoryId, file);
+        return super.encrypt(session, file, directoryId, metadata);
+    }
+
+
+    @Override
+    public Path getHome() {
+        final Path home = super.getHome();
+        final UVFMasterkey masterKey = UVFMasterkey.fromDecryptedPayload(this.decryptedPayload);
+        byte[] directoryId = masterKey.rootDirId();
+        assert directoryId != null;
+        home.attributes().setDirectoryId(directoryId);
+        return home;
+    }
+
+
     /**
      * Upload vault template into existing bucket (permanent credentials)
      */
     // TODO https://github.com/shift7-ch/cipherduck-hub/issues/19 review @dko check method signature?
-    public synchronized Path create(final Session<?> session, final String region, final VaultCredentials credentials, final int version, final String metadata, final String rootDirHash) throws BackgroundException {
+    public synchronized Path create(final Session<?> session, final String region, final VaultCredentials credentials, final int version, final String metadata, final String hashedRootDirId) throws BackgroundException {
         final Path home = new Path(session.getHost().getDefaultPath(), EnumSet.of(AbstractPath.Type.directory));
         log.debug("Uploading vault template {} in {} ", home, session.getHost());
 
@@ -75,11 +77,11 @@ public synchronized Path create(final Session<?> session, final String region, f
         //        zip.file('vault.cryptomator', this.vaultConfigToken);
         //        zip.folder('d')?.folder(this.rootDirHash.substring(0, 2))?.folder(this.rootDirHash.substring(2));
         (new ContentWriter(session)).write(new Path(home, PreferencesFactory.get().getProperty("cryptomator.vault.config.filename"), EnumSet.of(AbstractPath.Type.file, AbstractPath.Type.vault)), metadata.getBytes(StandardCharsets.US_ASCII));
-        Directory<?> directory = (Directory) session._getFeature(Directory.class);
+        Directory<?> directory = (Directory<?>) session._getFeature(Directory.class);
 
         // TODO https://github.com/shift7-ch/cipherduck-hub/issues/19 implement CryptoDirectory for uvf
         //        Path secondLevel = this.directoryProvider.toEncrypted(session, this.home.attributes().getDirectoryId(), this.home);
-        final Path secondLevel = new Path(String.format("/%s/d/%s/%s/", session.getHost().getDefaultPath(), rootDirHash.substring(0, 2), rootDirHash.substring(2)), EnumSet.of(AbstractPath.Type.directory));
+        final Path secondLevel = new Path(String.format("/%s/d/%s/%s/", session.getHost().getDefaultPath(), hashedRootDirId.substring(0, 2), hashedRootDirId.substring(2)), EnumSet.of(AbstractPath.Type.directory));
         final Path firstLevel = secondLevel.getParent();
         final Path dataDir = firstLevel.getParent();
         log.debug("Create vault root directory at {}", secondLevel);
@@ -91,19 +93,6 @@ public synchronized Path create(final Session<?> session, final String region, f
         return home;
     }
 
-    @Override
-    public HubCryptoVault load(final Session<?> session, final PasswordCallback prompt) throws BackgroundException {
-        // no-interactive prompt in Cipherduck
-        final String masterkey = prompt.prompt(session.getHost(), "", "", new LoginOptions()).getPassword();
-        try {
-            this.open(VAULT_CONFIG, new Masterkey(Base64.getDecoder().decode(masterkey)));
-        }
-        catch(IllegalArgumentException e) {
-            throw new BackgroundException(e);
-        }
-        return this;
-    }
-
     public Path getMasterkey() {
         // No master key in vault
         return null;

hub/src/main/java/ch/iterate/hub/protocols/s3/S3AutoLoadVaultSession.java

@@ -44,8 +44,7 @@
 import ch.iterate.hub.workflows.VaultServiceImpl;
 import ch.iterate.hub.workflows.exceptions.AccessException;
 import ch.iterate.hub.workflows.exceptions.SecurityFailure;
-import com.google.common.primitives.Bytes;
-import com.nimbusds.jose.util.Base64URL;
+import com.fasterxml.jackson.core.JsonProcessingException;
 
 public class S3AutoLoadVaultSession extends S3AssumeRoleSession {
     private static final Logger log = LogManager.getLogger(S3AutoLoadVaultSession.class);
@@ -83,23 +82,19 @@ public void login(final LoginCallback prompt, final CancelCallback cancel) throw
             super.login(prompt, cancel);
             final Path home = new DelegatingHomeFeature(new DefaultPathHomeFeature(host)).find();
             log.debug("Attempting to locate vault in {}", home);
-            final Vault vault = VaultFactory.get(home);
-            // TODO https://github.com/shift7-ch/cipherduck-hub/issues/19 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! MUST NEVER BE RELEASED LIKE THIS
-            // TODO https://github.com/shift7-ch/cipherduck-hub/issues/19 use rawFileKey,rawNameKey as vault key for now (going into cryptolib's Masterkey)
             final UvfMetadataPayload vaultMetadata = new VaultServiceImpl(backend).getVaultMetadataJWE(
                     UUID.fromString(host.getUuid()), new UserKeysServiceImpl(backend).getUserKeys(backend.getHost(), FirstLoginDeviceSetupCallbackFactory.get()));
-            final byte[] rawFileKey = Base64URL.from(vaultMetadata.seeds().get(vaultMetadata.latestSeed())).decode();
-            final byte[] rawNameKey = Base64URL.from(vaultMetadata.seeds().get(vaultMetadata.latestSeed())).decode();
-            final byte[] vaultKey = Bytes.concat(rawFileKey, rawNameKey);
+            final String decryptedPayload = vaultMetadata.toJSON();
+            final Vault vault = VaultFactory.get(home, decryptedPayload, "", new byte[0]);
             registry.add(vault.load(this, new DisabledPasswordCallback() {
                 @Override
                 public Credentials prompt(final Host bookmark, final String title, final String reason, final LoginOptions options) {
-                    return new VaultCredentials(Base64.getEncoder().encodeToString(vaultKey));
+                    return new VaultCredentials(decryptedPayload);
                 }
             }));
             backend.close();
         }
-        catch(ApiException | SecurityFailure | AccessException e) {
+        catch(ApiException | SecurityFailure | AccessException | JsonProcessingException e) {
             throw new LoginFailureException(LocaleFactory.localizedString("Login failed", "Credentials"), e);
         }
     }

hub/src/main/java/ch/iterate/hub/workflows/CreateVaultService.java

@@ -12,13 +12,19 @@
 import ch.cyberduck.core.HostUrlProvider;
 import ch.cyberduck.core.Path;
 import ch.cyberduck.core.TemporaryAccessTokens;
+import ch.cyberduck.core.cryptomator.CryptorCache;
+import ch.cyberduck.core.cryptomator.random.FastSecureRandomProvider;
 import ch.cyberduck.core.exception.BackgroundException;
 import ch.cyberduck.core.proxy.DisabledProxyFinder;
 import ch.cyberduck.core.s3.S3Session;
 
 import org.apache.commons.io.IOUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.cryptomator.cryptolib.api.Cryptor;
+import org.cryptomator.cryptolib.api.CryptorProvider;
+import org.cryptomator.cryptolib.api.UVFMasterkey;
+import org.cryptomator.cryptolib.common.HKDFHelper;
 import org.joda.time.DateTime;
 
 import java.io.IOException;
@@ -74,7 +80,7 @@ public void createVault(final StorageProfileDtoWrapper storageProfileWrapper, fi
                     hubSession.getHost(), FirstLoginDeviceSetupCallbackFactory.get());
 
             final UvfMetadataPayload.UniversalVaultFormatJWKS jwks = UvfMetadataPayload.createKeys();
-            final UvfMetadataPayload metadataJWE = UvfMetadataPayload.create()
+            final UvfMetadataPayload metadataPayload = UvfMetadataPayload.create()
                     .withStorage(new VaultMetadataJWEBackendDto()
                             .provider(storageProfileWrapper.getId().toString())
                             .defaultPath(storageProfileWrapper.getStsEndpoint() != null ? storageProfileWrapper.getBucketPrefix() + vaultModel.vaultId() : vaultModel.bucketName())
@@ -85,39 +91,40 @@ public void createVault(final StorageProfileDtoWrapper storageProfileWrapper, fi
                             .enabled(vaultModel.automaticAccessGrant())
                             .maxWotDepth(vaultModel.maxWotLevel())
                     );
-            log.debug("Created metadata JWE {}", metadataJWE);
-            final String uvfMetadataFile = metadataJWE.encrypt(
+            log.debug("Created metadata JWE {}", metadataPayload);
+            final String uvfMetadataFile = metadataPayload.encrypt(
                     String.format("%s/api", new HostUrlProvider(false, true).get(hubSession.getHost())),
                     vaultModel.vaultId(),
                     jwks.toJWKSet()
             );
             final VaultDto vaultDto = new VaultDto()
                     .id(vaultModel.vaultId())
-                    .name(metadataJWE.storage().getNickname())
+                    .name(metadataPayload.storage().getNickname())
                     .description(vaultModel.vaultDescription())
                     .archived(false)
                     .creationTime(DateTime.now())
                     .uvfMetadataFile(uvfMetadataFile)
                     .uvfKeySet(jwks.serializePublicRecoverykey());
+
+            final String hashedRootDirId = metadataPayload.computeRootDirIdHash();
             final CreateS3STSBucketDto storageDto = new CreateS3STSBucketDto()
                     .vaultId(vaultModel.vaultId().toString())
                     .storageConfigId(storageProfileWrapper.getId())
-                    // TODO https://github.com/shift7-ch/cipherduck-hub/issues/19 do we need to store here as well? Only in VaultDto?
                     .vaultUvf(uvfMetadataFile)
-                    // TODO https://github.com/shift7-ch/cipherduck-hub/issues/19 do we need to store here?
-                    .rootDirHash(metadataJWE.computeRootDirIdHash(metadataJWE.computeRootDirId()))
-                    .region(metadataJWE.storage().getRegion());
+                    .rootDirHash(hashedRootDirId)
+                    .region(metadataPayload.storage().getRegion());
             log.debug("Created storage dto {}", storageDto);
-            final Host bookmark = HubStorageVaultSyncSchedulerService.toBookmark(hubSession.getHost(), vaultDto.getId(), metadataJWE.storage());
+            final Host bookmark = HubStorageVaultSyncSchedulerService.toBookmark(hubSession.getHost(), vaultDto.getId(), metadataPayload.storage());
             if(storageProfileWrapper.getStsEndpoint() == null) {
-                // permanent: template upload into existing bucket
+                // permanent: template upload into existing bucket from client (not backend)
                 // TODO https://github.com/shift7-ch/cipherduck-hub/issues/19 review @dko
                 final S3Session session = new S3Session(bookmark);
                 session.open(new DisabledProxyFinder(), new DisabledHostKeyCallback(), new DisabledLoginCallback(), new DisabledCancelCallback());
                 session.login(new DisabledLoginCallback(), new DisabledCancelCallback());
+
                 // upload vault template
-                new HubCryptoVault(new Path(metadataJWE.storage().getDefaultPath(), EnumSet.of(AbstractPath.Type.directory, AbstractPath.Type.vault)))
-                        .create(session, metadataJWE.storage().getRegion(), null, 42, storageDto.getVaultUvf(), storageDto.getRootDirHash());
+                new HubCryptoVault(new Path(metadataPayload.storage().getDefaultPath(), EnumSet.of(AbstractPath.Type.directory, AbstractPath.Type.vault)))
+                        .create(session, metadataPayload.storage().getRegion(), null, 42, storageDto.getVaultUvf(), hashedRootDirId);
                 session.close();
             }
             else {
@@ -153,6 +160,7 @@ public void createVault(final StorageProfileDtoWrapper storageProfileWrapper, fi
         }
     }
 
+
     private static TemporaryAccessTokens getSTSTokensFromAccessTokenWithCreateBucketInlinePoliy(final String token, final String roleArn, final String roleSessionName, final String stsEndpoint, final String bucketName, final Boolean bucketAcceleration) throws IOException {
         log.debug("Get STS tokens from {} to pass to backend {} with role {} and session name {}", token, stsEndpoint, roleArn, roleSessionName);