@wireapp/core 27.4.2 → 28.0.0

package/CHANGELOG.md

@@ -3,6 +3,44 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+# [28.0.0](https://github.com/wireapp/wire-web-packages/tree/main/packages/core/compare/@wireapp/core@27.6.0...@wireapp/core@28.0.0) (2022-07-01)
+
+
+### Features
+
+* Use mls config object ([#4307](https://github.com/wireapp/wire-web-packages/tree/main/packages/core/issues/4307)) ([3d510d0](https://github.com/wireapp/wire-web-packages/tree/main/packages/core/commit/3d510d0e041a3d049282e6a312ffa880d9bafd89))
+
+
+### BREAKING CHANGES
+
+* the enableMLS flag has been removed in favor of a config object. If the config object is set, then MLS will be activated
+
+
+
+
+
+# [27.6.0](https://github.com/wireapp/wire-web-packages/tree/main/packages/core/compare/@wireapp/core@27.5.0...@wireapp/core@27.6.0) (2022-06-30)
+
+
+### Features
+
+* Give proper database name to corecrypto db ([#4306](https://github.com/wireapp/wire-web-packages/tree/main/packages/core/issues/4306)) ([50c7a7a](https://github.com/wireapp/wire-web-packages/tree/main/packages/core/commit/50c7a7a6ca97a0e848a0bb7d9a781e5410909368))
+
+
+
+
+
+# [27.5.0](https://github.com/wireapp/wire-web-packages/tree/main/packages/core/compare/@wireapp/core@27.4.2...@wireapp/core@27.5.0) (2022-06-30)
+
+
+### Features
+
+* Add encrypted storage for coreCrypto database key [FS-565] ([#4302](https://github.com/wireapp/wire-web-packages/tree/main/packages/core/issues/4302)) ([5c16877](https://github.com/wireapp/wire-web-packages/tree/main/packages/core/commit/5c16877eae4a85eedfd876160446994d98bbcd85))
+
+
+
+
+
 ## [27.4.2](https://github.com/wireapp/wire-web-packages/tree/main/packages/core/compare/@wireapp/core@27.4.1...@wireapp/core@27.4.2) (2022-06-27)
 
 **Note:** Version bump only for package @wireapp/core

package/package.json

@@ -7,11 +7,12 @@
     "@otak/core-crypto": "0.2.0-beta-3",
     "@types/long": "4.0.1",
     "@types/node": "~14",
-    "@wireapp/api-client": "19.7.1",
+    "@wireapp/api-client": "19.7.2",
     "@wireapp/cryptobox": "12.8.0",
     "bazinga64": "5.10.0",
     "hash.js": "1.1.7",
     "http-status-codes": "2.1.4",
+    "idb": "7.0.2",
     "logdown": "3.3.1",
     "long": "4.0.0",
     "protobufjs": "6.11.3",
@@ -26,6 +27,7 @@
     "commander": "8.0.0",
     "cross-env": "7.0.3",
     "dotenv-defaults": "2.0.2",
+    "fake-indexeddb": "3.1.8",
     "faker": "5.5.3",
     "istanbul": "1.1.0-alpha.1",
     "jasmine": "3.8.0",
@@ -71,6 +73,6 @@
     "test:project": "yarn dist && yarn test",
     "test:node": "nyc jasmine --config=jasmine.json"
   },
-  "version": "27.4.2",
-  "gitHead": "bec7aeedec3675abc05ea68852ce5d26f7efd99d"
+  "version": "28.0.0",
+  "gitHead": "89c2a626f3f385edea215a96640c2805972a161a"
 }

package/src/main/Account.d.ts

@@ -55,7 +55,24 @@ export interface Account {
     on(event: TOPIC.ERROR, listener: (payload: CoreError) => void): this;
 }
 export declare type CreateStoreFn = (storeName: string, context: Context) => undefined | Promise<CRUDEngine | undefined>;
-interface AccountOptions {
+declare type SecretCrypto<T> = {
+    encrypt: (value: Uint8Array) => Promise<T>;
+    decrypt: (payload: T) => Promise<Uint8Array>;
+};
+interface MLSConfig<T = any> {
+    /**
+     * encrypt/decrypt function pair that will be called before storing/fetching secrets in the secrets database.
+     * If not provided will use the built in encryption mechanism
+     */
+    secretsCrypto?: SecretCrypto<T>;
+    /**
+     * path on the public server to the core crypto wasm file.
+     * This file will be downloaded lazily when corecrypto is needed.
+     * It, thus, needs to know where, on the server, the file can be found
+     */
+    coreCrypoWasmFilePath: string;
+}
+interface AccountOptions<T> {
     /** Used to store info in the database (will create a inMemory engine if returns undefined) */
     createStore?: CreateStoreFn;
     /** Number of prekeys to generate when creating a new device (defaults to 2)
@@ -68,15 +85,18 @@ interface AccountOptions {
      *    - make it likely that all prekeys get consumed while the device is offline and the last resort prekey will be used to create new session
      */
     nbPrekeys?: number;
-    enableMLS?: boolean;
+    /**
+     * Config for MLS devices. Will not load corecrypt or create MLS devices if undefined
+     */
+    mlsConfig?: MLSConfig<T>;
 }
-export declare class Account extends EventEmitter {
+export declare class Account<T = unknown> extends EventEmitter {
     private readonly apiClient;
     private readonly logger;
     private readonly createStore;
     private storeEngine?;
     private readonly nbPrekeys;
-    private readonly enableMLS;
+    private readonly mlsConfig?;
     private coreCryptoClient?;
     static readonly TOPIC: typeof TOPIC;
     service?: {
@@ -97,9 +117,9 @@ export declare class Account extends EventEmitter {
     backendFeatures: BackendFeatures;
     /**
      * @param apiClient The apiClient instance to use in the core (will create a new new one if undefined)
-     * @param storeEngineProvider
+     * @param accountOptions
      */
-    constructor(apiClient?: APIClient, { createStore, nbPrekeys, enableMLS }?: AccountOptions);
+    constructor(apiClient?: APIClient, { createStore, nbPrekeys, mlsConfig }?: AccountOptions<T>);
     private persistCookie;
     get clientId(): string;
     get userId(): string;
@@ -189,6 +209,7 @@ export declare class Account extends EventEmitter {
          */
         dryRun?: boolean;
     }): Promise<() => void>;
+    private generateDbName;
     private initEngine;
 }
 export {};

package/src/main/Account.js

@@ -70,6 +70,8 @@ const team_1 = require("./team/");
 const user_1 = require("./user/");
 const account_1 = require("./account/");
 const linkPreview_1 = require("./linkPreview");
+const encryptedStore_1 = require("./util/encryptedStore");
+const bazinga64_1 = require("bazinga64");
 var TOPIC;
 (function (TOPIC) {
     TOPIC["ERROR"] = "Account.TOPIC.ERROR";
@@ -82,15 +84,15 @@ const coreDefaultClient = {
 class Account extends events_1.EventEmitter {
     /**
      * @param apiClient The apiClient instance to use in the core (will create a new new one if undefined)
-     * @param storeEngineProvider
+     * @param accountOptions
      */
-    constructor(apiClient = new api_client_1.APIClient(), { createStore = () => undefined, nbPrekeys = 2, enableMLS = false } = {}) {
+    constructor(apiClient = new api_client_1.APIClient(), { createStore = () => undefined, nbPrekeys = 2, mlsConfig } = {}) {
         super();
         this.apiClient = apiClient;
         this.backendFeatures = this.apiClient.backendFeatures;
+        this.mlsConfig = this.mlsConfig;
         this.nbPrekeys = nbPrekeys;
         this.createStore = createStore;
-        this.enableMLS = enableMLS;
         apiClient.on(api_client_1.APIClient.TOPIC.COOKIE_REFRESH, async (cookie) => {
             if (cookie && this.storeEngine) {
                 try {
@@ -257,17 +259,27 @@ class Account extends events_1.EventEmitter {
         const loadedClient = await this.service.client.getLocalClient();
         await this.apiClient.api.client.getClient(loadedClient.id);
         this.apiClient.context.clientId = loadedClient.id;
-        if (this.enableMLS) {
-            this.coreCryptoClient = await this.createMLSClient(loadedClient);
+        if (this.mlsConfig) {
+            this.coreCryptoClient = await this.createMLSClient(loadedClient, this.apiClient.context, this.mlsConfig);
         }
         return loadedClient;
     }
-    async createMLSClient(client) {
+    async createMLSClient(client, context, mlsConfig) {
+        const coreCryptoKeyId = 'corecrypto-key';
         const { CoreCrypto } = await Promise.resolve().then(() => __importStar(require('@otak/core-crypto')));
+        const dbName = `secrets-${this.generateDbName(context)}`;
+        const secretStore = mlsConfig.secretsCrypto
+            ? await (0, encryptedStore_1.createCustomEncryptedStore)(dbName, mlsConfig.secretsCrypto)
+            : await (0, encryptedStore_1.createEncryptedStore)(dbName);
+        let key = await secretStore.getsecretValue(coreCryptoKeyId);
+        if (!key) {
+            key = window.crypto.getRandomValues(new Uint8Array(16));
+            await secretStore.saveSecretValue(coreCryptoKeyId, key);
+        }
         const { userId, domain } = this.apiClient.context;
         return CoreCrypto.init({
-            path: 'path/to/database',
-            key: 'a root identity key (i.e. enclaved encryption key for this device)',
+            path: `corecrypto-${this.generateDbName(context)}`,
+            key: bazinga64_1.Encoder.toBase64(key).asString,
             clientId: `${userId}:${client.id}@${domain}`,
         });
     }
@@ -275,10 +287,10 @@ class Account extends events_1.EventEmitter {
         if (!this.service) {
             throw new Error('Services are not set.');
         }
-        this.logger.info(`Creating new client {mls: ${!!this.enableMLS}}`);
+        this.logger.info(`Creating new client {mls: ${!!this.mlsConfig}}`);
         const registeredClient = await this.service.client.register(loginData, clientInfo, entropyData);
-        if (this.enableMLS) {
-            this.coreCryptoClient = await this.createMLSClient(registeredClient);
+        if (this.mlsConfig) {
+            this.coreCryptoClient = await this.createMLSClient(registeredClient, this.apiClient.context, this.mlsConfig);
             await this.service.client.uploadMLSPublicKeys(this.coreCryptoClient.clientPublicKey(), registeredClient.id);
             await this.service.client.uploadMLSKeyPackages(this.coreCryptoClient.clientKeypackages(this.nbPrekeys), registeredClient.id);
         }
@@ -365,9 +377,12 @@ class Account extends events_1.EventEmitter {
             this.apiClient.disconnect();
         };
     }
-    async initEngine(context) {
+    generateDbName(context) {
         const clientType = context.clientType === client_1.ClientType.NONE ? '' : `@${context.clientType}`;
-        const dbName = `wire@${this.apiClient.config.urls.name}@${context.userId}${clientType}`;
+        return `wire@${this.apiClient.config.urls.name}@${context.userId}${clientType}`;
+    }
+    async initEngine(context) {
+        const dbName = this.generateDbName(context);
         this.logger.log(`Initialising store with name "${dbName}"...`);
         const openDb = async () => {
             const initializedDb = await this.createStore(dbName, context);

package/src/main/util/encryptedStore.d.ts

@@ -0,0 +1,44 @@
+import { DBSchema, IDBPDatabase } from 'idb';
+interface DefaultEncryptedPayload {
+    iv: Uint8Array;
+    value: Uint8Array;
+}
+interface EncryptedDB<EncryptedPayload> extends DBSchema {
+    key: {
+        key: string;
+        value: CryptoKey;
+    };
+    secrets: {
+        key: string;
+        value: EncryptedPayload;
+    };
+}
+declare type DecryptFn<EncryptedPayload> = (payload: EncryptedPayload) => Promise<Uint8Array>;
+declare type EncryptFn<EncryptedPayload> = (value: Uint8Array) => Promise<EncryptedPayload>;
+declare type EncryptedStoreConfig<EncryptedPayload> = {
+    encrypt: EncryptFn<EncryptedPayload>;
+    decrypt: DecryptFn<EncryptedPayload>;
+};
+declare class EncryptedStore<EncryptedPayload> {
+    #private;
+    private readonly db;
+    constructor(db: IDBPDatabase<EncryptedDB<EncryptedPayload>>, { encrypt, decrypt }: EncryptedStoreConfig<EncryptedPayload>);
+    saveSecretValue(primaryKey: string, value: Uint8Array): Promise<void>;
+    getsecretValue(primaryKey: string): Promise<Uint8Array | undefined>;
+}
+/**
+ * Will create a database that uses the built in encryption/decryption functions.
+ * The master key will be created and stored inside the database
+ *
+ * @param dbName the name of the database to create
+ */
+export declare function createEncryptedStore(dbName: string): Promise<EncryptedStore<DefaultEncryptedPayload>>;
+/**
+ * Will create a database that uses a custom encryption method. It needs the encrypt and decrypt function to be able to process the values stored.
+ * It's the responsability of the consumer to store the encryption key
+ *
+ * @param dbName the name of the database to create
+ * @param config contains the encrypt and decrypt methods
+ */
+export declare function createCustomEncryptedStore<EncryptedPayload>(dbName: string, config: EncryptedStoreConfig<EncryptedPayload>): Promise<EncryptedStore<EncryptedPayload>>;
+export {};

package/src/main/util/encryptedStore.js

@@ -0,0 +1,112 @@
+"use strict";
+/*
+ * Wire
+ * Copyright (C) 2022 Wire Swiss GmbH
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see http://www.gnu.org/licenses/.
+ *
+ */
+var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var _EncryptedStore_decrypt, _EncryptedStore_encrypt;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createCustomEncryptedStore = exports.createEncryptedStore = void 0;
+const idb_1 = require("idb");
+class EncryptedStore {
+    constructor(db, { encrypt, decrypt }) {
+        this.db = db;
+        _EncryptedStore_decrypt.set(this, void 0);
+        _EncryptedStore_encrypt.set(this, void 0);
+        __classPrivateFieldSet(this, _EncryptedStore_encrypt, encrypt, "f");
+        __classPrivateFieldSet(this, _EncryptedStore_decrypt, decrypt, "f");
+    }
+    async saveSecretValue(primaryKey, value) {
+        const encrypted = await __classPrivateFieldGet(this, _EncryptedStore_encrypt, "f").call(this, value);
+        await this.db.put('secrets', encrypted, primaryKey);
+    }
+    async getsecretValue(primaryKey) {
+        const result = await this.db.get('secrets', primaryKey);
+        if (!result) {
+            return undefined;
+        }
+        return __classPrivateFieldGet(this, _EncryptedStore_decrypt, "f").call(this, result);
+    }
+}
+_EncryptedStore_decrypt = new WeakMap(), _EncryptedStore_encrypt = new WeakMap();
+async function generateKey() {
+    return crypto.subtle.generateKey({ name: 'AES-GCM', length: 256 }, false, //whether the key is extractable (i.e. can be used in exportKey)
+    ['encrypt', 'decrypt']);
+}
+async function defaultDecrypt({ value, iv }, key) {
+    const decrypted = await crypto.subtle.decrypt({ name: 'AES-GCM', iv }, key, value);
+    return new Uint8Array(decrypted);
+}
+async function defaultEncrypt(data, key) {
+    const iv = await crypto.getRandomValues(new Uint8Array(12));
+    return {
+        iv,
+        value: await crypto.subtle.encrypt({ name: 'AES-GCM', iv }, key, data),
+    };
+}
+/**
+ * Will create a database that uses the built in encryption/decryption functions.
+ * The master key will be created and stored inside the database
+ *
+ * @param dbName the name of the database to create
+ */
+async function createEncryptedStore(dbName) {
+    const db = await (0, idb_1.openDB)(dbName, 1, {
+        upgrade: async (database) => {
+            database.createObjectStore('key');
+            database.createObjectStore('secrets');
+        },
+    });
+    const keyPrimaryKey = 'dbKey';
+    let key = await db.get('key', keyPrimaryKey);
+    if (!key) {
+        key = await generateKey();
+        await db.put('key', key, keyPrimaryKey);
+    }
+    return new EncryptedStore(db, {
+        encrypt: value => defaultEncrypt(value, key),
+        decrypt: payload => defaultDecrypt(payload, key),
+    });
+}
+exports.createEncryptedStore = createEncryptedStore;
+/**
+ * Will create a database that uses a custom encryption method. It needs the encrypt and decrypt function to be able to process the values stored.
+ * It's the responsability of the consumer to store the encryption key
+ *
+ * @param dbName the name of the database to create
+ * @param config contains the encrypt and decrypt methods
+ */
+async function createCustomEncryptedStore(dbName, config) {
+    const db = await (0, idb_1.openDB)(dbName, 1, {
+        upgrade: async (database) => {
+            database.createObjectStore('secrets');
+        },
+    });
+    return new EncryptedStore(db, config);
+}
+exports.createCustomEncryptedStore = createCustomEncryptedStore;
+//# sourceMappingURL=encryptedStore.js.map