@wireapp/core 27.4.0 → 27.5.0

package/CHANGELOG.md

@@ -3,6 +3,33 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+# [27.5.0](https://github.com/wireapp/wire-web-packages/tree/main/packages/core/compare/@wireapp/core@27.4.2...@wireapp/core@27.5.0) (2022-06-30)
+
+
+### Features
+
+* Add encrypted storage for coreCrypto database key [FS-565] ([#4302](https://github.com/wireapp/wire-web-packages/tree/main/packages/core/issues/4302)) ([5c16877](https://github.com/wireapp/wire-web-packages/tree/main/packages/core/commit/5c16877eae4a85eedfd876160446994d98bbcd85))
+
+
+
+
+
+## [27.4.2](https://github.com/wireapp/wire-web-packages/tree/main/packages/core/compare/@wireapp/core@27.4.1...@wireapp/core@27.4.2) (2022-06-27)
+
+**Note:** Version bump only for package @wireapp/core
+
+
+
+
+
+## [27.4.1](https://github.com/wireapp/wire-web-packages/tree/main/packages/core/compare/@wireapp/core@27.4.0...@wireapp/core@27.4.1) (2022-06-21)
+
+**Note:** Version bump only for package @wireapp/core
+
+
+
+
+
 # [27.4.0](https://github.com/wireapp/wire-web-packages/tree/main/packages/core/compare/@wireapp/core@27.3.9...@wireapp/core@27.4.0) (2022-06-17)
 
 

package/package.json

@@ -7,11 +7,12 @@
     "@otak/core-crypto": "0.2.0-beta-3",
     "@types/long": "4.0.1",
     "@types/node": "~14",
-    "@wireapp/api-client": "19.6.4",
+    "@wireapp/api-client": "19.7.2",
     "@wireapp/cryptobox": "12.8.0",
     "bazinga64": "5.10.0",
     "hash.js": "1.1.7",
     "http-status-codes": "2.1.4",
+    "idb": "7.0.2",
     "logdown": "3.3.1",
     "long": "4.0.0",
     "protobufjs": "6.11.3",
@@ -26,6 +27,7 @@
     "commander": "8.0.0",
     "cross-env": "7.0.3",
     "dotenv-defaults": "2.0.2",
+    "fake-indexeddb": "3.1.8",
     "faker": "5.5.3",
     "istanbul": "1.1.0-alpha.1",
     "jasmine": "3.8.0",
@@ -71,6 +73,6 @@
     "test:project": "yarn dist && yarn test",
     "test:node": "nyc jasmine --config=jasmine.json"
   },
-  "version": "27.4.0",
-  "gitHead": "18a1691d5401d6f3b9fbd279213fd4a30fea7845"
+  "version": "27.5.0",
+  "gitHead": "6a092d1dd292a463e4af4b21f09e8748e5c90a77"
 }

package/src/main/Account.d.ts

@@ -55,9 +55,17 @@ export interface Account {
     on(event: TOPIC.ERROR, listener: (payload: CoreError) => void): this;
 }
 export declare type CreateStoreFn = (storeName: string, context: Context) => undefined | Promise<CRUDEngine | undefined>;
-interface AccountOptions {
+declare type SecretCrypto<T> = {
+    encrypt: (value: Uint8Array) => Promise<T>;
+    decrypt: (payload: T) => Promise<Uint8Array>;
+};
+interface AccountOptions<T> {
     /** Used to store info in the database (will create a inMemory engine if returns undefined) */
     createStore?: CreateStoreFn;
+    /** encrypt/decrypt function pair that will be called before storing/fetching secrets in the secrets database.
+     * If not provided will use the built in encryption mechanism
+     */
+    secretsCrypto?: SecretCrypto<T>;
     /** Number of prekeys to generate when creating a new device (defaults to 2)
      * Prekeys are Diffie-Hellmann public keys which allow offline initiation of a secure Proteus session between two devices.
      * Having a high value will:
@@ -70,11 +78,12 @@ interface AccountOptions {
     nbPrekeys?: number;
     enableMLS?: boolean;
 }
-export declare class Account extends EventEmitter {
+export declare class Account<T = unknown> extends EventEmitter {
     private readonly apiClient;
     private readonly logger;
     private readonly createStore;
     private storeEngine?;
+    private readonly secretsCrypto?;
     private readonly nbPrekeys;
     private readonly enableMLS;
     private coreCryptoClient?;
@@ -97,9 +106,9 @@ export declare class Account extends EventEmitter {
     backendFeatures: BackendFeatures;
     /**
      * @param apiClient The apiClient instance to use in the core (will create a new new one if undefined)
-     * @param storeEngineProvider
+     * @param accountOptions
      */
-    constructor(apiClient?: APIClient, { createStore, nbPrekeys, enableMLS }?: AccountOptions);
+    constructor(apiClient?: APIClient, { createStore, nbPrekeys, secretsCrypto, enableMLS }?: AccountOptions<T>);
     private persistCookie;
     get clientId(): string;
     get userId(): string;
@@ -189,6 +198,7 @@ export declare class Account extends EventEmitter {
          */
         dryRun?: boolean;
     }): Promise<() => void>;
+    private generateDbName;
     private initEngine;
 }
 export {};

package/src/main/Account.js

@@ -70,6 +70,7 @@ const team_1 = require("./team/");
 const user_1 = require("./user/");
 const account_1 = require("./account/");
 const linkPreview_1 = require("./linkPreview");
+const encryptedStore_1 = require("./util/encryptedStore");
 var TOPIC;
 (function (TOPIC) {
     TOPIC["ERROR"] = "Account.TOPIC.ERROR";
@@ -82,12 +83,13 @@ const coreDefaultClient = {
 class Account extends events_1.EventEmitter {
     /**
      * @param apiClient The apiClient instance to use in the core (will create a new new one if undefined)
-     * @param storeEngineProvider
+     * @param accountOptions
      */
-    constructor(apiClient = new api_client_1.APIClient(), { createStore = () => undefined, nbPrekeys = 2, enableMLS = false } = {}) {
+    constructor(apiClient = new api_client_1.APIClient(), { createStore = () => undefined, nbPrekeys = 2, secretsCrypto, enableMLS = false } = {}) {
         super();
         this.apiClient = apiClient;
         this.backendFeatures = this.apiClient.backendFeatures;
+        this.secretsCrypto = secretsCrypto;
         this.nbPrekeys = nbPrekeys;
         this.createStore = createStore;
         this.enableMLS = enableMLS;
@@ -258,16 +260,26 @@ class Account extends events_1.EventEmitter {
         await this.apiClient.api.client.getClient(loadedClient.id);
         this.apiClient.context.clientId = loadedClient.id;
         if (this.enableMLS) {
-            this.coreCryptoClient = await this.createMLSClient(loadedClient);
+            this.coreCryptoClient = await this.createMLSClient(loadedClient, this.apiClient.context);
         }
         return loadedClient;
     }
-    async createMLSClient(client) {
+    async createMLSClient(client, context) {
+        const coreCryptoKeyId = 'corecrypto-key';
         const { CoreCrypto } = await Promise.resolve().then(() => __importStar(require('@otak/core-crypto')));
+        const dbName = `secrets-${this.generateDbName(context)}`;
+        const secretStore = this.secretsCrypto
+            ? await (0, encryptedStore_1.createCustomEncryptedStore)(dbName, this.secretsCrypto)
+            : await (0, encryptedStore_1.createEncryptedStore)(dbName);
+        let key = await secretStore.getsecretValue(coreCryptoKeyId);
+        if (!key) {
+            key = window.crypto.getRandomValues(new Uint8Array(16));
+            await secretStore.saveSecretValue(coreCryptoKeyId, key);
+        }
         const { userId, domain } = this.apiClient.context;
         return CoreCrypto.init({
             path: 'path/to/database',
-            key: 'a root identity key (i.e. enclaved encryption key for this device)',
+            key: new TextDecoder().decode(key),
             clientId: `${userId}:${client.id}@${domain}`,
         });
     }
@@ -278,7 +290,7 @@ class Account extends events_1.EventEmitter {
         this.logger.info(`Creating new client {mls: ${!!this.enableMLS}}`);
         const registeredClient = await this.service.client.register(loginData, clientInfo, entropyData);
         if (this.enableMLS) {
-            this.coreCryptoClient = await this.createMLSClient(registeredClient);
+            this.coreCryptoClient = await this.createMLSClient(registeredClient, this.apiClient.context);
             await this.service.client.uploadMLSPublicKeys(this.coreCryptoClient.clientPublicKey(), registeredClient.id);
             await this.service.client.uploadMLSKeyPackages(this.coreCryptoClient.clientKeypackages(this.nbPrekeys), registeredClient.id);
         }
@@ -365,9 +377,12 @@ class Account extends events_1.EventEmitter {
             this.apiClient.disconnect();
         };
     }
-    async initEngine(context) {
+    generateDbName(context) {
         const clientType = context.clientType === client_1.ClientType.NONE ? '' : `@${context.clientType}`;
-        const dbName = `wire@${this.apiClient.config.urls.name}@${context.userId}${clientType}`;
+        return `wire@${this.apiClient.config.urls.name}@${context.userId}${clientType}`;
+    }
+    async initEngine(context) {
+        const dbName = this.generateDbName(context);
         this.logger.log(`Initialising store with name "${dbName}"...`);
         const openDb = async () => {
             const initializedDb = await this.createStore(dbName, context);

package/src/main/util/encryptedStore.d.ts

@@ -0,0 +1,44 @@
+import { DBSchema, IDBPDatabase } from 'idb';
+interface DefaultEncryptedPayload {
+    iv: Uint8Array;
+    value: Uint8Array;
+}
+interface EncryptedDB<EncryptedPayload> extends DBSchema {
+    key: {
+        key: string;
+        value: CryptoKey;
+    };
+    secrets: {
+        key: string;
+        value: EncryptedPayload;
+    };
+}
+declare type DecryptFn<EncryptedPayload> = (payload: EncryptedPayload) => Promise<Uint8Array>;
+declare type EncryptFn<EncryptedPayload> = (value: Uint8Array) => Promise<EncryptedPayload>;
+declare type EncryptedStoreConfig<EncryptedPayload> = {
+    encrypt: EncryptFn<EncryptedPayload>;
+    decrypt: DecryptFn<EncryptedPayload>;
+};
+declare class EncryptedStore<EncryptedPayload> {
+    #private;
+    private readonly db;
+    constructor(db: IDBPDatabase<EncryptedDB<EncryptedPayload>>, { encrypt, decrypt }: EncryptedStoreConfig<EncryptedPayload>);
+    saveSecretValue(primaryKey: string, value: Uint8Array): Promise<void>;
+    getsecretValue(primaryKey: string): Promise<Uint8Array | undefined>;
+}
+/**
+ * Will create a database that uses the built in encryption/decryption functions.
+ * The master key will be created and stored inside the database
+ *
+ * @param dbName the name of the database to create
+ */
+export declare function createEncryptedStore(dbName: string): Promise<EncryptedStore<DefaultEncryptedPayload>>;
+/**
+ * Will create a database that uses a custom encryption method. It needs the encrypt and decrypt function to be able to process the values stored.
+ * It's the responsability of the consumer to store the encryption key
+ *
+ * @param dbName the name of the database to create
+ * @param config contains the encrypt and decrypt methods
+ */
+export declare function createCustomEncryptedStore<EncryptedPayload>(dbName: string, config: EncryptedStoreConfig<EncryptedPayload>): Promise<EncryptedStore<EncryptedPayload>>;
+export {};

package/src/main/util/encryptedStore.js

@@ -0,0 +1,112 @@
+"use strict";
+/*
+ * Wire
+ * Copyright (C) 2022 Wire Swiss GmbH
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see http://www.gnu.org/licenses/.
+ *
+ */
+var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var _EncryptedStore_decrypt, _EncryptedStore_encrypt;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createCustomEncryptedStore = exports.createEncryptedStore = void 0;
+const idb_1 = require("idb");
+class EncryptedStore {
+    constructor(db, { encrypt, decrypt }) {
+        this.db = db;
+        _EncryptedStore_decrypt.set(this, void 0);
+        _EncryptedStore_encrypt.set(this, void 0);
+        __classPrivateFieldSet(this, _EncryptedStore_encrypt, encrypt, "f");
+        __classPrivateFieldSet(this, _EncryptedStore_decrypt, decrypt, "f");
+    }
+    async saveSecretValue(primaryKey, value) {
+        const encrypted = await __classPrivateFieldGet(this, _EncryptedStore_encrypt, "f").call(this, value);
+        await this.db.put('secrets', encrypted, primaryKey);
+    }
+    async getsecretValue(primaryKey) {
+        const result = await this.db.get('secrets', primaryKey);
+        if (!result) {
+            return undefined;
+        }
+        return __classPrivateFieldGet(this, _EncryptedStore_decrypt, "f").call(this, result);
+    }
+}
+_EncryptedStore_decrypt = new WeakMap(), _EncryptedStore_encrypt = new WeakMap();
+async function generateKey() {
+    return crypto.subtle.generateKey({ name: 'AES-GCM', length: 256 }, false, //whether the key is extractable (i.e. can be used in exportKey)
+    ['encrypt', 'decrypt']);
+}
+async function defaultDecrypt({ value, iv }, key) {
+    const decrypted = await crypto.subtle.decrypt({ name: 'AES-GCM', iv }, key, value);
+    return new Uint8Array(decrypted);
+}
+async function defaultEncrypt(data, key) {
+    const iv = await crypto.getRandomValues(new Uint8Array(12));
+    return {
+        iv,
+        value: await crypto.subtle.encrypt({ name: 'AES-GCM', iv }, key, data),
+    };
+}
+/**
+ * Will create a database that uses the built in encryption/decryption functions.
+ * The master key will be created and stored inside the database
+ *
+ * @param dbName the name of the database to create
+ */
+async function createEncryptedStore(dbName) {
+    const db = await (0, idb_1.openDB)(dbName, 1, {
+        upgrade: async (database) => {
+            database.createObjectStore('key');
+            database.createObjectStore('secrets');
+        },
+    });
+    const keyPrimaryKey = 'dbKey';
+    let key = await db.get('key', keyPrimaryKey);
+    if (!key) {
+        key = await generateKey();
+        await db.put('key', key, keyPrimaryKey);
+    }
+    return new EncryptedStore(db, {
+        encrypt: value => defaultEncrypt(value, key),
+        decrypt: payload => defaultDecrypt(payload, key),
+    });
+}
+exports.createEncryptedStore = createEncryptedStore;
+/**
+ * Will create a database that uses a custom encryption method. It needs the encrypt and decrypt function to be able to process the values stored.
+ * It's the responsability of the consumer to store the encryption key
+ *
+ * @param dbName the name of the database to create
+ * @param config contains the encrypt and decrypt methods
+ */
+async function createCustomEncryptedStore(dbName, config) {
+    const db = await (0, idb_1.openDB)(dbName, 1, {
+        upgrade: async (database) => {
+            database.createObjectStore('secrets');
+        },
+    });
+    return new EncryptedStore(db, config);
+}
+exports.createCustomEncryptedStore = createCustomEncryptedStore;
+//# sourceMappingURL=encryptedStore.js.map