@protontech/drive-sdk 0.6.1 → 0.7.0

package/src/internal/nodes/cryptoService.test.ts

@@ -1,7 +1,14 @@
 import { DriveCrypto, PrivateKey, SessionKey, VERIFICATION_STATUS } from '../../crypto';
 import { MemberRole, ProtonDriveAccount, ProtonDriveTelemetry, RevisionState } from '../../interface';
 import { getMockTelemetry } from '../../tests/telemetry';
-import { DecryptedNode, DecryptedNodeKeys, DecryptedUnparsedNode, EncryptedNode, SharesService } from './interface';
+import {
+    DecryptedNode,
+    DecryptedNodeKeys,
+    DecryptedUnparsedNode,
+    EncryptedNode,
+    NodeSigningKeys,
+    SharesService,
+} from './interface';
 import { NodesCryptoService } from './cryptoService';
 import { NodesCryptoReporter } from './cryptoReporter';
 
@@ -250,6 +257,48 @@ describe('nodesCryptoService', () => {
                 });
             });
 
+            it('on older node name ignores NOT_SIGNED', async () => {
+                encryptedNode.creationTime = new Date('2020-12-31');
+                driveCrypto.decryptNodeName = jest.fn(async () =>
+                    Promise.resolve({
+                        name: 'name',
+                        verified: VERIFICATION_STATUS.NOT_SIGNED,
+                        verificationErrors: [new Error('missing signature')],
+                    }),
+                );
+
+                const result = await cryptoService.decryptNode(encryptedNode, parentKey);
+                verifyResult(result, {
+                    nameAuthor: {
+                        ok: true,
+                        value: 'nameSignatureEmail',
+                    },
+                });
+                expect(telemetry.recordMetric).not.toHaveBeenCalled();
+            });
+
+            it('on newer node name does not ignore NOT_SIGNED', async () => {
+                encryptedNode.creationTime = new Date('2021-01-01');
+                driveCrypto.decryptNodeName = jest.fn(async () =>
+                    Promise.resolve({
+                        name: 'name',
+                        verified: VERIFICATION_STATUS.NOT_SIGNED,
+                        verificationErrors: [new Error('missing signature')],
+                    }),
+                );
+
+                const result = await cryptoService.decryptNode(encryptedNode, parentKey);
+                verifyResult(result, {
+                    nameAuthor: {
+                        ok: false,
+                        error: {
+                            claimedAuthor: 'nameSignatureEmail',
+                            error: 'Missing signature for name',
+                        },
+                    },
+                });
+            });
+
             it('on hash key', async () => {
                 driveCrypto.decryptNodeHashKey = jest.fn(async () =>
                     Promise.resolve({
@@ -275,6 +324,48 @@ describe('nodesCryptoService', () => {
                 });
             });
 
+            it('on older node hash key ignores NOT_SIGNED', async () => {
+                encryptedNode.creationTime = new Date('2021-07-31');
+                driveCrypto.decryptNodeHashKey = jest.fn(async () =>
+                    Promise.resolve({
+                        hashKey: new Uint8Array(),
+                        verified: VERIFICATION_STATUS.NOT_SIGNED,
+                        verificationErrors: [new Error('missing signature')],
+                    }),
+                );
+
+                const result = await cryptoService.decryptNode(encryptedNode, parentKey);
+                verifyResult(result, {
+                    keyAuthor: {
+                        ok: true,
+                        value: 'signatureEmail',
+                    },
+                });
+                expect(telemetry.recordMetric).not.toHaveBeenCalled();
+            });
+
+            it('on newer node hash key does not ignore NOT_SIGNED', async () => {
+                encryptedNode.creationTime = new Date('2021-08-01');
+                driveCrypto.decryptNodeHashKey = jest.fn(async () =>
+                    Promise.resolve({
+                        hashKey: new Uint8Array(),
+                        verified: VERIFICATION_STATUS.NOT_SIGNED,
+                        verificationErrors: [new Error('missing signature')],
+                    }),
+                );
+
+                const result = await cryptoService.decryptNode(encryptedNode, parentKey);
+                verifyResult(result, {
+                    keyAuthor: {
+                        ok: false,
+                        error: {
+                            claimedAuthor: 'signatureEmail',
+                            error: 'Missing signature for hash key',
+                        },
+                    },
+                });
+            });
+
             it('on node key and hash key reports error from node key', async () => {
                 driveCrypto.decryptKey = jest.fn(async () =>
                     Promise.resolve({
@@ -985,24 +1076,239 @@ describe('nodesCryptoService', () => {
         });
     });
 
+    describe('createFolder', () => {
+        let parentKeys: any;
+
+        beforeEach(() => {
+            parentKeys = {
+                key: 'parentKey' as any,
+                hashKey: new Uint8Array([1, 2, 3]),
+            };
+            driveCrypto.generateKey = jest.fn().mockResolvedValue({
+                encrypted: {
+                    armoredKey: 'encryptedNodeKey',
+                    armoredPassphrase: 'encryptedPassphrase',
+                    armoredPassphraseSignature: 'passphraseSignature',
+                },
+                decrypted: {
+                    key: 'nodeKey' as any,
+                    passphrase: 'nodePassphrase',
+                    passphraseSessionKey: 'passphraseSessionKey' as any,
+                },
+            });
+            driveCrypto.encryptNodeName = jest.fn().mockResolvedValue({
+                armoredNodeName: 'encryptedNodeName',
+            });
+            driveCrypto.generateLookupHash = jest.fn().mockResolvedValue('lookupHash');
+            driveCrypto.generateHashKey = jest.fn().mockResolvedValue({
+                armoredHashKey: 'encryptedHashKey',
+                hashKey: new Uint8Array([4, 5, 6]),
+            });
+            driveCrypto.encryptExtendedAttributes = jest.fn().mockResolvedValue({
+                armoredExtendedAttributes: 'encryptedAttributes',
+            });
+        });
+
+        it('should encrypt new folder with account key', async () => {
+            const signingKeys: NodeSigningKeys = {
+                type: 'userAddress',
+                email: 'test@example.com',
+                addressId: 'addressId',
+                key: 'addressKey' as any,
+            };
+
+            const result = await cryptoService.createFolder(
+                parentKeys,
+                signingKeys,
+                'New Folder',
+                '{"modificationTime": 1234567890}',
+            );
+
+            expect(result).toEqual({
+                encryptedCrypto: {
+                    encryptedName: 'encryptedNodeName',
+                    hash: 'lookupHash',
+                    armoredKey: 'encryptedNodeKey',
+                    armoredNodePassphrase: 'encryptedPassphrase',
+                    armoredNodePassphraseSignature: 'passphraseSignature',
+                    folder: {
+                        armoredExtendedAttributes: 'encryptedAttributes',
+                        armoredHashKey: 'encryptedHashKey',
+                    },
+                    signatureEmail: 'test@example.com',
+                    nameSignatureEmail: 'test@example.com',
+                },
+                keys: {
+                    passphrase: 'nodePassphrase',
+                    key: 'nodeKey',
+                    passphraseSessionKey: 'passphraseSessionKey',
+                    hashKey: new Uint8Array([4, 5, 6]),
+                },
+            });
+
+            expect(driveCrypto.generateKey).toHaveBeenCalledWith([parentKeys.key], signingKeys.key);
+            expect(driveCrypto.encryptNodeName).toHaveBeenCalledWith(
+                'New Folder',
+                undefined,
+                parentKeys.key,
+                signingKeys.key,
+            );
+            expect(driveCrypto.generateLookupHash).toHaveBeenCalledWith('New Folder', parentKeys.hashKey);
+            expect(driveCrypto.generateHashKey).toHaveBeenCalledWith('nodeKey');
+            expect(driveCrypto.encryptExtendedAttributes).toHaveBeenCalledWith(
+                '{"modificationTime": 1234567890}',
+                'nodeKey',
+                signingKeys.key,
+            );
+        });
+
+        it('should encrypt new folder with node key', async () => {
+            const signingKeys: NodeSigningKeys = {
+                type: 'nodeKey',
+                nodeKey: 'nodeSigningKey' as any,
+                parentNodeKey: 'parentNodeKey' as any,
+            };
+
+            const result = await cryptoService.createFolder(
+                parentKeys,
+                signingKeys,
+                'New Folder',
+                '{"modificationTime": 1234567890}',
+            );
+
+            expect(result).toEqual({
+                encryptedCrypto: {
+                    encryptedName: 'encryptedNodeName',
+                    hash: 'lookupHash',
+                    armoredKey: 'encryptedNodeKey',
+                    armoredNodePassphrase: 'encryptedPassphrase',
+                    armoredNodePassphraseSignature: 'passphraseSignature',
+                    folder: {
+                        armoredExtendedAttributes: 'encryptedAttributes',
+                        armoredHashKey: 'encryptedHashKey',
+                    },
+                    signatureEmail: null,
+                    nameSignatureEmail: null,
+                },
+                keys: {
+                    passphrase: 'nodePassphrase',
+                    key: 'nodeKey',
+                    passphraseSessionKey: 'passphraseSessionKey',
+                    hashKey: new Uint8Array([4, 5, 6]),
+                },
+            });
+
+            expect(driveCrypto.generateKey).toHaveBeenCalledWith([parentKeys.key], signingKeys.parentNodeKey);
+            expect(driveCrypto.encryptNodeName).toHaveBeenCalledWith(
+                'New Folder',
+                undefined,
+                parentKeys.key,
+                signingKeys.parentNodeKey,
+            );
+            expect(driveCrypto.generateLookupHash).toHaveBeenCalledWith('New Folder', parentKeys.hashKey);
+            expect(driveCrypto.generateHashKey).toHaveBeenCalledWith('nodeKey');
+            expect(driveCrypto.encryptExtendedAttributes).toHaveBeenCalledWith(
+                '{"modificationTime": 1234567890}',
+                'nodeKey',
+                signingKeys.nodeKey,
+            );
+        });
+    });
+
+    describe('encryptNewName', () => {
+        let parentKeys: any;
+        let nodeNameSessionKey: SessionKey;
+
+        beforeEach(() => {
+            parentKeys = {
+                key: 'parentKey' as any,
+                hashKey: new Uint8Array([1, 2, 3]),
+            };
+            nodeNameSessionKey = 'nameSessionKey' as any;
+            driveCrypto.encryptNodeName = jest.fn().mockResolvedValue({
+                armoredNodeName: 'encryptedNewNodeName',
+            });
+            driveCrypto.generateLookupHash = jest.fn().mockResolvedValue('newHash');
+        });
+
+        it('should encrypt new name with account key', async () => {
+            const signingKeys: NodeSigningKeys = {
+                type: 'userAddress',
+                email: 'test@example.com',
+                addressId: 'addressId',
+                key: 'addressKey' as any,
+            };
+
+            const result = await cryptoService.encryptNewName(
+                parentKeys,
+                nodeNameSessionKey,
+                signingKeys,
+                'Renamed File.txt',
+            );
+
+            expect(result).toEqual({
+                signatureEmail: 'test@example.com',
+                armoredNodeName: 'encryptedNewNodeName',
+                hash: 'newHash',
+            });
+
+            expect(driveCrypto.encryptNodeName).toHaveBeenCalledWith(
+                'Renamed File.txt',
+                nodeNameSessionKey,
+                parentKeys.key,
+                signingKeys.key,
+            );
+            expect(driveCrypto.generateLookupHash).toHaveBeenCalledWith('Renamed File.txt', parentKeys.hashKey);
+        });
+
+        it('should encrypt new name with node key', async () => {
+            const signingKeys: NodeSigningKeys = {
+                type: 'nodeKey',
+                nodeKey: 'nodeSigningKey' as any,
+                parentNodeKey: 'parentNodeKey' as any,
+            };
+
+            const result = await cryptoService.encryptNewName(
+                parentKeys,
+                nodeNameSessionKey,
+                signingKeys,
+                'Renamed File.txt',
+            );
+
+            expect(result).toEqual({
+                signatureEmail: null,
+                armoredNodeName: 'encryptedNewNodeName',
+                hash: 'newHash',
+            });
+
+            expect(driveCrypto.encryptNodeName).toHaveBeenCalledWith(
+                'Renamed File.txt',
+                nodeNameSessionKey,
+                parentKeys.key,
+                signingKeys.parentNodeKey,
+            );
+            expect(driveCrypto.generateLookupHash).toHaveBeenCalledWith('Renamed File.txt', parentKeys.hashKey);
+        });
+    });
+
     describe('encryptNodeWithNewParent', () => {
-        it('should encrypt node data for move operation', async () => {
-            const node = {
+        let node: DecryptedNode;
+        let keys: any;
+        let parentKeys: any;
+
+        beforeEach(() => {
+            node = {
                 name: { ok: true, value: 'testFile.txt' },
             } as DecryptedNode;
-            const keys = {
+            keys = {
                 passphrase: 'nodePassphrase',
                 passphraseSessionKey: 'nodePassphraseSessionKey',
                 nameSessionKey: 'nameSessionKey' as any,
             };
-            const parentKeys = {
+            parentKeys = {
                 key: 'newParentKey' as any,
                 hashKey: new Uint8Array([1, 2, 3]),
             };
-            const address = {
-                email: 'test@example.com',
-                addressKey: 'addressKey' as any,
-            };
             driveCrypto.encryptNodeName = jest.fn().mockResolvedValue({
                 armoredNodeName: 'encryptedNodeName',
             });
@@ -1011,8 +1317,17 @@ describe('nodesCryptoService', () => {
                 armoredPassphrase: 'encryptedPassphrase',
                 armoredPassphraseSignature: 'passphraseSignature',
             });
+        });
 
-            const result = await cryptoService.encryptNodeWithNewParent(node, keys as any, parentKeys, address);
+        it('should encrypt node data for move operation with account key (logged in context)', async () => {
+            const signingKeys: NodeSigningKeys = {
+                type: 'userAddress',
+                email: 'test@example.com',
+                addressId: 'addressId',
+                key: 'addressKey' as any,
+            };
+
+            const result = await cryptoService.encryptNodeWithNewParent(node, keys as any, parentKeys, signingKeys);
 
             expect(result).toEqual({
                 encryptedName: 'encryptedNodeName',
@@ -1027,14 +1342,47 @@ describe('nodesCryptoService', () => {
                 'testFile.txt',
                 keys.nameSessionKey,
                 parentKeys.key,
-                address.addressKey,
+                signingKeys.key,
+            );
+            expect(driveCrypto.generateLookupHash).toHaveBeenCalledWith('testFile.txt', parentKeys.hashKey);
+            expect(driveCrypto.encryptPassphrase).toHaveBeenCalledWith(
+                keys.passphrase,
+                keys.passphraseSessionKey,
+                [parentKeys.key],
+                signingKeys.key,
+            );
+        });
+
+        it('should encrypt node data for move operation with node key (anonymous context)', async () => {
+            const signingKeys: NodeSigningKeys = {
+                type: 'nodeKey',
+                nodeKey: 'addressKey' as any,
+                parentNodeKey: 'parentNodeKey' as any,
+            };
+
+            const result = await cryptoService.encryptNodeWithNewParent(node, keys as any, parentKeys, signingKeys);
+
+            expect(result).toEqual({
+                encryptedName: 'encryptedNodeName',
+                hash: 'newHash',
+                armoredNodePassphrase: 'encryptedPassphrase',
+                armoredNodePassphraseSignature: 'passphraseSignature',
+                signatureEmail: null,
+                nameSignatureEmail: null,
+            });
+
+            expect(driveCrypto.encryptNodeName).toHaveBeenCalledWith(
+                'testFile.txt',
+                keys.nameSessionKey,
+                parentKeys.key,
+                signingKeys.nodeKey,
             );
             expect(driveCrypto.generateLookupHash).toHaveBeenCalledWith('testFile.txt', parentKeys.hashKey);
             expect(driveCrypto.encryptPassphrase).toHaveBeenCalledWith(
                 keys.passphrase,
                 keys.passphraseSessionKey,
                 [parentKeys.key],
-                address.addressKey,
+                signingKeys.nodeKey,
             );
         });
 
@@ -1051,13 +1399,15 @@ describe('nodesCryptoService', () => {
                 key: 'newParentKey' as any,
                 hashKey: undefined,
             } as any;
-            const address = {
+            const signingKeys: NodeSigningKeys = {
+                type: 'userAddress',
                 email: 'test@example.com',
-                addressKey: 'addressKey' as any,
+                addressId: 'addressId',
+                key: 'addressKey' as any,
             };
 
             await expect(
-                cryptoService.encryptNodeWithNewParent(node, keys as any, parentKeys, address),
+                cryptoService.encryptNodeWithNewParent(node, keys as any, parentKeys, signingKeys),
             ).rejects.toThrow('Moving item to a non-folder is not allowed');
         });
 
@@ -1074,13 +1424,15 @@ describe('nodesCryptoService', () => {
                 key: 'newParentKey' as any,
                 hashKey: new Uint8Array([1, 2, 3]),
             };
-            const address = {
+            const signingKeys: NodeSigningKeys = {
+                type: 'userAddress',
                 email: 'test@example.com',
-                addressKey: 'addressKey' as any,
+                addressId: 'addressId',
+                key: 'addressKey' as any,
             };
 
             await expect(
-                cryptoService.encryptNodeWithNewParent(node, keys as any, parentKeys, address),
+                cryptoService.encryptNodeWithNewParent(node, keys as any, parentKeys, signingKeys),
             ).rejects.toThrow('Cannot move item without a valid name, please rename the item first');
         });
     });

package/src/internal/nodes/cryptoService.ts

@@ -24,6 +24,7 @@ import {
     DecryptedNodeKeys,
     EncryptedRevision,
     DecryptedUnparsedRevision,
+    NodeSigningKeys,
 } from './interface';
 
 export interface NodesCryptoReporter {
@@ -33,7 +34,7 @@ export interface NodesCryptoReporter {
         signatureType: string,
         verified: VERIFICATION_STATUS,
         verificationErrors?: Error[],
-        claimedAuthor?: string,
+        claimedAuthor?: string | AnonymousUser,
         notAvailableVerificationKeys?: boolean,
     ): Promise<Author>;
     reportDecryptionError(node: NodesCryptoReporterNode, field: MetricsDecryptionErrorField, error: unknown): void;
@@ -336,11 +337,19 @@ export class NodesCryptoService {
         const nameSignatureEmail = node.encryptedCrypto.nameSignatureEmail;
 
         try {
-            const { name, verified, verificationErrors } = await this.driveCrypto.decryptNodeName(
-                node.encryptedName,
-                parentKey,
-                verificationKeys,
-            );
+            const {
+                name,
+                verified: verificationStatus,
+                verificationErrors,
+            } = await this.driveCrypto.decryptNodeName(node.encryptedName, parentKey, verificationKeys);
+
+            let verified = verificationStatus;
+            // The name was not signed until Drive web Beta 3.
+            // It is decided to ignore this and consider it signed.
+            // The problem will be gone with migration to new crypto model.
+            if (verificationStatus === VERIFICATION_STATUS.NOT_SIGNED && node.creationTime < new Date(2021, 0, 1)) {
+                verified = VERIFICATION_STATUS.SIGNED_AND_VALID;
+            }
 
             return {
                 name: resultOk(name),
@@ -438,11 +447,19 @@ export class NodesCryptoService {
             throw new Error('Node is not a folder');
         }
 
-        const { hashKey, verified, verificationErrors } = await this.driveCrypto.decryptNodeHashKey(
-            node.encryptedCrypto.folder.armoredHashKey,
-            nodeKey,
-            addressKeys,
-        );
+        const {
+            hashKey,
+            verified: verificationStatus,
+            verificationErrors,
+        } = await this.driveCrypto.decryptNodeHashKey(node.encryptedCrypto.folder.armoredHashKey, nodeKey, addressKeys);
+
+        let verified = verificationStatus;
+        // The hash was not signed until Drive web Beta 17.
+        // It is decided to ignore this and consider it signed.
+        // The problem will be gone with migration to new crypto model.
+        if (verificationStatus === VERIFICATION_STATUS.NOT_SIGNED && node.creationTime < new Date(2021, 7, 1)) {
+            verified = VERIFICATION_STATUS.SIGNED_AND_VALID;
+        }
 
         return {
             hashKey,
@@ -490,7 +507,7 @@ export class NodesCryptoService {
         encryptedExtendedAttributes: string | undefined,
         nodeKey: PrivateKey,
         addressKeys: PublicKey[],
-        signatureEmail?: string,
+        signatureEmail?: string | AnonymousUser,
     ): Promise<{
         extendedAttributes?: string;
         author: Author;
@@ -522,31 +539,44 @@ export class NodesCryptoService {
 
     async createFolder(
         parentKeys: { key: PrivateKey; hashKey: Uint8Array },
-        address: { email: string; addressKey: PrivateKey },
+        signingKeys: NodeSigningKeys,
         name: string,
         extendedAttributes?: string,
     ): Promise<{
-        encryptedCrypto: EncryptedNodeFolderCrypto & {
+        encryptedCrypto: Omit<EncryptedNodeFolderCrypto, 'signatureEmail' | 'nameSignatureEmail'> & {
+            signatureEmail: string | AnonymousUser;
+            nameSignatureEmail: string | AnonymousUser;
             armoredNodePassphraseSignature: string;
-            // signatureEmail and nameSignatureEmail are not optional.
-            signatureEmail: string;
-            nameSignatureEmail: string;
             encryptedName: string;
             hash: string;
         };
         keys: DecryptedNodeKeys;
     }> {
-        const { email, addressKey } = address;
+        const email = signingKeys.type === 'userAddress' ? signingKeys.email : null;
+        const nameAndPassprhaseSigningKey =
+            signingKeys.type === 'userAddress' ? signingKeys.key : signingKeys.parentNodeKey;
+        if (!nameAndPassprhaseSigningKey) {
+            // This is a bug within the SDK.
+            throw new Error('Cannot create new node without a name and passphrase signing key');
+        }
+
         const [nodeKeys, { armoredNodeName }, hash] = await Promise.all([
-            this.driveCrypto.generateKey([parentKeys.key], addressKey),
-            this.driveCrypto.encryptNodeName(name, undefined, parentKeys.key, addressKey),
+            this.driveCrypto.generateKey([parentKeys.key], nameAndPassprhaseSigningKey),
+            this.driveCrypto.encryptNodeName(name, undefined, parentKeys.key, nameAndPassprhaseSigningKey),
             this.driveCrypto.generateLookupHash(name, parentKeys.hashKey),
         ]);
 
         const { armoredHashKey, hashKey } = await this.driveCrypto.generateHashKey(nodeKeys.decrypted.key);
 
+        const extendedAttributesSigningKey =
+            signingKeys.type === 'userAddress' ? signingKeys.key : signingKeys.nodeKey || nodeKeys.decrypted.key;
+
         const { armoredExtendedAttributes } = extendedAttributes
-            ? await this.driveCrypto.encryptExtendedAttributes(extendedAttributes, nodeKeys.decrypted.key, addressKey)
+            ? await this.driveCrypto.encryptExtendedAttributes(
+                  extendedAttributes,
+                  nodeKeys.decrypted.key,
+                  extendedAttributesSigningKey,
+              )
             : { armoredExtendedAttributes: undefined };
 
         return {
@@ -575,20 +605,25 @@ export class NodesCryptoService {
     async encryptNewName(
         parentKeys: { key: PrivateKey; hashKey?: Uint8Array },
         nodeNameSessionKey: SessionKey,
-        address: { email: string; addressKey: PrivateKey },
+        signingKeys: NodeSigningKeys,
         newName: string,
     ): Promise<{
-        signatureEmail: string;
+        signatureEmail: string | AnonymousUser;
         armoredNodeName: string;
         hash?: string;
     }> {
-        const { email, addressKey } = address;
+        const email = signingKeys.type === 'userAddress' ? signingKeys.email : null;
+        const nameSigningKey = signingKeys.type === 'userAddress' ? signingKeys.key : signingKeys.parentNodeKey;
+        if (!nameSigningKey) {
+            // This is a bug within the SDK.
+            throw new Error('Cannot encrypt new node name without a name signing key');
+        }
 
         const { armoredNodeName } = await this.driveCrypto.encryptNodeName(
             newName,
             nodeNameSessionKey,
             parentKeys.key,
-            addressKey,
+            nameSigningKey,
         );
 
         const hash = parentKeys.hashKey
@@ -605,14 +640,14 @@ export class NodesCryptoService {
         node: Pick<DecryptedNode, 'name'>,
         keys: { passphrase: string; passphraseSessionKey: SessionKey; nameSessionKey: SessionKey },
         parentKeys: { key: PrivateKey; hashKey: Uint8Array },
-        address: { email: string; addressKey: PrivateKey },
+        signingKeys: NodeSigningKeys,
     ): Promise<{
         encryptedName: string;
         hash: string;
         armoredNodePassphrase: string;
         armoredNodePassphraseSignature: string;
-        signatureEmail: string;
-        nameSignatureEmail: string;
+        signatureEmail: string | AnonymousUser;
+        nameSignatureEmail: string | AnonymousUser;
     }> {
         if (!parentKeys.hashKey) {
             throw new ValidationError('Moving item to a non-folder is not allowed');
@@ -621,19 +656,25 @@ export class NodesCryptoService {
             throw new ValidationError('Cannot move item without a valid name, please rename the item first');
         }
 
-        const { email, addressKey } = address;
+        const email = signingKeys.type === 'userAddress' ? signingKeys.email : null;
+        const nameAndPassprhaseSigningKey = signingKeys.type === 'userAddress' ? signingKeys.key : signingKeys.nodeKey;
+        if (!nameAndPassprhaseSigningKey) {
+            // This is a bug within the SDK.
+            throw new Error('Cannot re-encrypt node without a name and passphrase signing key');
+        }
+
         const { armoredNodeName } = await this.driveCrypto.encryptNodeName(
             node.name.value,
             keys.nameSessionKey,
             parentKeys.key,
-            addressKey,
+            nameAndPassprhaseSigningKey,
         );
         const hash = await this.driveCrypto.generateLookupHash(node.name.value, parentKeys.hashKey);
         const { armoredPassphrase, armoredPassphraseSignature } = await this.driveCrypto.encryptPassphrase(
             keys.passphrase,
             keys.passphraseSessionKey,
             [parentKeys.key],
-            addressKey,
+            nameAndPassprhaseSigningKey,
         );
 
         return {
@@ -657,7 +698,7 @@ export class NodesCryptoService {
 }
 
 function getClaimedAuthor(
-    claimedAuthor?: string,
+    claimedAuthor?: string | AnonymousUser,
     notAvailableVerificationKeys = false,
 ): string | AnonymousUser | undefined {
     if (!claimedAuthor && notAvailableVerificationKeys) {