diff --git a/src/lib/hooks/gotoStateful.ts b/src/lib/hooks/gotoStateful.ts index 4c6e85a..47f1190 100644 --- a/src/lib/hooks/gotoStateful.ts +++ b/src/lib/hooks/gotoStateful.ts @@ -4,14 +4,12 @@ type Path = "/key/export"; interface KeyExportState { redirectPath: string; - encKeyPair: { - pubKeyBase64: string; - privKeyBase64: string; - }; - sigKeyPair: { - pubKeyBase64: string; - privKeyBase64: string; - }; + + encryptKeyBase64: string; + decryptKeyBase64: string; + signKeyBase64: string; + verifyKeyBase64: string; + mekDraft: ArrayBuffer; } diff --git a/src/lib/indexedDB.ts b/src/lib/indexedDB.ts index 41576ea..1282314 100644 --- a/src/lib/indexedDB.ts +++ b/src/lib/indexedDB.ts @@ -12,7 +12,7 @@ const keyStore = new Dexie("keyStore") as Dexie & { }; keyStore.version(1).stores({ - rsaKey: "usage, key", + rsaKey: "usage", }); export const getRSAKey = async (usage: RSAKeyUsage) => { @@ -21,11 +21,23 @@ export const getRSAKey = async (usage: RSAKeyUsage) => { }; export const storeRSAKey = async (key: CryptoKey, usage: RSAKeyUsage) => { - if ((usage === "encrypt" || usage === "verify") && !key.extractable) { - throw new Error("Public key must be extractable"); - } else if ((usage === "decrypt" || usage === "sign") && key.extractable) { - throw new Error("Private key must be non-extractable"); + switch (usage) { + case "encrypt": + case "verify": + if (key.type !== "public") { + throw new Error("Public key required"); + } else if (!key.extractable) { + throw new Error("Public key must be extractable"); + } + break; + case "decrypt": + case "sign": + if (key.type !== "private") { + throw new Error("Private key required"); + } else if (key.extractable) { + throw new Error("Private key must be non-extractable"); + } + break; } - await keyStore.rsaKey.put({ usage, key }); }; diff --git a/src/lib/services/auth.ts b/src/lib/services/auth.ts index 4ce69c3..865b056 100644 --- a/src/lib/services/auth.ts +++ b/src/lib/services/auth.ts @@ -6,10 +6,10 @@ import { } from "$lib/modules/crypto"; export const requestTokenUpgrade = async ( - encPubKeyBase64: string, - encPrivKey: CryptoKey, - sigPubKeyBase64: string, - sigPrivKey: CryptoKey, + encryptKeyBase64: string, + decryptKey: CryptoKey, + verifyKeyBase64: string, + signKey: CryptoKey, ) => { let res = await fetch("/api/auth/upgradeToken", { method: "POST", @@ -17,15 +17,15 @@ export const requestTokenUpgrade = async ( "Content-Type": "application/json", }, body: JSON.stringify({ - encPubKey: encPubKeyBase64, - sigPubKey: sigPubKeyBase64, + encPubKey: encryptKeyBase64, + sigPubKey: verifyKeyBase64, }), }); if (!res.ok) return false; const { challenge } = await res.json(); - const answer = await decryptRSACiphertext(decodeFromBase64(challenge), encPrivKey); - const sigAnswer = await signRSAMessage(answer, sigPrivKey); + const answer = await decryptRSACiphertext(decodeFromBase64(challenge), decryptKey); + const sigAnswer = await signRSAMessage(answer, signKey); res = await fetch("/api/auth/upgradeToken/verify", { method: "POST", diff --git a/src/lib/services/key.ts b/src/lib/services/key.ts index 56b96e5..0183982 100644 --- a/src/lib/services/key.ts +++ b/src/lib/services/key.ts @@ -7,10 +7,10 @@ import { } from "$lib/modules/crypto"; export const requestClientRegistration = async ( - encPubKeyBase64: string, - encPrivKey: CryptoKey, - sigPubKeyBase64: string, - sigPrivKey: CryptoKey, + encryptKeyBase64: string, + decryptKey: CryptoKey, + verifyKeyBase64: string, + signKey: CryptoKey, ) => { let res = await callAPI("/api/client/register", { method: "POST", @@ -18,15 +18,15 @@ export const requestClientRegistration = async ( "Content-Type": "application/json", }, body: JSON.stringify({ - encPubKey: encPubKeyBase64, - sigPubKey: sigPubKeyBase64, + encPubKey: encryptKeyBase64, + sigPubKey: verifyKeyBase64, }), }); if (!res.ok) return false; const { challenge } = await res.json(); - const answer = await decryptRSACiphertext(decodeFromBase64(challenge), encPrivKey); - const sigAnswer = await signRSAMessage(answer, sigPrivKey); + const answer = await decryptRSACiphertext(decodeFromBase64(challenge), decryptKey); + const sigAnswer = await signRSAMessage(answer, signKey); res = await callAPI("/api/client/verify", { method: "POST", diff --git a/src/lib/stores/key.ts b/src/lib/stores/key.ts index e37d19a..19cff13 100644 --- a/src/lib/stores/key.ts +++ b/src/lib/stores/key.ts @@ -1,9 +1,11 @@ import { writable } from "svelte/store"; -interface KeyPairs { - encKeyPair: CryptoKeyPair; - sigKeyPair: CryptoKeyPair; +export interface ClientKeys { + encryptKey: CryptoKey; + decryptKey: CryptoKey; + signKey: CryptoKey; + verifyKey: CryptoKey; } -export const keyPairsStore = writable(null); +export const clientKeyStore = writable(null); export const mekStore = writable>(new Map()); diff --git a/src/routes/(fullscreen)/auth/login/+page.svelte b/src/routes/(fullscreen)/auth/login/+page.svelte index fd5390d..556911f 100644 --- a/src/routes/(fullscreen)/auth/login/+page.svelte +++ b/src/routes/(fullscreen)/auth/login/+page.svelte @@ -5,7 +5,7 @@ import { TitleDiv, BottomDiv } from "$lib/components/divs"; import { TextInput } from "$lib/components/inputs"; import { refreshToken } from "$lib/hooks/callAPI"; - import { keyPairsStore } from "$lib/stores"; + import { clientKeyStore } from "$lib/stores"; import { requestLogin, requestTokenUpgrade } from "./service"; let { data } = $props(); @@ -19,14 +19,11 @@ try { if (!(await requestLogin(email, password))) throw new Error("Failed to login"); - if ( - $keyPairsStore && - !(await requestTokenUpgrade($keyPairsStore.encKeyPair, $keyPairsStore.sigKeyPair)) - ) + if ($clientKeyStore && !(await requestTokenUpgrade($clientKeyStore))) throw new Error("Failed to upgrade token"); await goto( - $keyPairsStore + $clientKeyStore ? data.redirectPath : "/key/generate?redirect=" + encodeURIComponent(data.redirectPath), ); diff --git a/src/routes/(fullscreen)/auth/login/service.ts b/src/routes/(fullscreen)/auth/login/service.ts index 0a7f7d9..091ebc8 100644 --- a/src/routes/(fullscreen)/auth/login/service.ts +++ b/src/routes/(fullscreen)/auth/login/service.ts @@ -1,6 +1,7 @@ import { exportRSAKeyToBase64 } from "$lib/modules/crypto"; import { requestTokenUpgrade as requestTokenUpgradeInternal } from "$lib/services/auth"; import { requestClientRegistration } from "$lib/services/key"; +import type { ClientKeys } from "$lib/stores"; export const requestLogin = async (email: string, password: string) => { const res = await fetch("/api/auth/login", { @@ -13,33 +14,24 @@ export const requestLogin = async (email: string, password: string) => { return res.ok; }; -export const requestTokenUpgrade = async (encKeyPair: CryptoKeyPair, sigKeyPair: CryptoKeyPair) => { - const encPubKeyBase64 = await exportRSAKeyToBase64(encKeyPair.publicKey, "public"); - const sigPubKeyBase64 = await exportRSAKeyToBase64(sigKeyPair.publicKey, "public"); - if ( - await requestTokenUpgradeInternal( - encPubKeyBase64, - encKeyPair.privateKey, - sigPubKeyBase64, - sigKeyPair.privateKey, - ) - ) { +export const requestTokenUpgrade = async ({ + encryptKey, + decryptKey, + signKey, + verifyKey, +}: ClientKeys) => { + const encryptKeyBase64 = await exportRSAKeyToBase64(encryptKey, "public"); + const verifyKeyBase64 = await exportRSAKeyToBase64(verifyKey, "public"); + if (await requestTokenUpgradeInternal(encryptKeyBase64, decryptKey, verifyKeyBase64, signKey)) { return true; } - if ( - await requestClientRegistration( - encPubKeyBase64, - encKeyPair.privateKey, - sigPubKeyBase64, - sigKeyPair.privateKey, - ) - ) { + if (await requestClientRegistration(encryptKeyBase64, decryptKey, verifyKeyBase64, signKey)) { return await requestTokenUpgradeInternal( - encPubKeyBase64, - encKeyPair.privateKey, - sigPubKeyBase64, - sigKeyPair.privateKey, + encryptKeyBase64, + decryptKey, + verifyKeyBase64, + signKey, ); } else { return false; diff --git a/src/routes/(fullscreen)/key/export/+page.svelte b/src/routes/(fullscreen)/key/export/+page.svelte index 75245cd..fb1ac30 100644 --- a/src/routes/(fullscreen)/key/export/+page.svelte +++ b/src/routes/(fullscreen)/key/export/+page.svelte @@ -3,13 +3,13 @@ import { goto } from "$app/navigation"; import { Button, TextButton } from "$lib/components/buttons"; import { BottomDiv } from "$lib/components/divs"; - import { keyPairsStore } from "$lib/stores"; + import { clientKeyStore } from "$lib/stores"; import BeforeContinueBottomSheet from "./BeforeContinueBottomSheet.svelte"; import BeforeContinueModal from "./BeforeContinueModal.svelte"; import { - makeKeyPairsSaveable, + exportClientKeys, requestClientRegistration, - storeKeyPairsPersistently, + storeClientKeys, requestTokenUpgrade, requestInitialMekRegistration, } from "./service"; @@ -22,9 +22,16 @@ let isBeforeContinueBottomSheetOpen = $state(false); const exportKeyPair = () => { - const keyPairsSaveable = makeKeyPairsSaveable(data.encKeyPair, data.sigKeyPair); - const keyPairsBlob = new Blob([JSON.stringify(keyPairsSaveable)], { type: "application/json" }); - saveAs(keyPairsBlob, "arkvalut-key.json"); + const clientKeysExported = exportClientKeys( + data.encryptKeyBase64, + data.decryptKeyBase64, + data.verifyKeyBase64, + data.signKeyBase64, + ); + const clientKeysBlob = new Blob([JSON.stringify(clientKeysExported)], { + type: "application/json", + }); + saveAs(clientKeysBlob, "arkvalut-clientkey.json"); if (!isBeforeContinueBottomSheetOpen) { setTimeout(() => { @@ -34,7 +41,7 @@ }; const registerPubKey = async () => { - if (!$keyPairsStore) { + if (!$clientKeyStore) { throw new Error("Failed to find key pair"); } @@ -44,29 +51,27 @@ try { if ( !(await requestClientRegistration( - data.encKeyPair.pubKeyBase64, - $keyPairsStore.encKeyPair.privateKey, - data.sigKeyPair.pubKeyBase64, - $keyPairsStore.sigKeyPair.privateKey, + data.encryptKeyBase64, + $clientKeyStore.decryptKey, + data.verifyKeyBase64, + $clientKeyStore.signKey, )) ) - throw new Error("Failed to register public key"); + throw new Error("Failed to register client"); - await storeKeyPairsPersistently($keyPairsStore.encKeyPair, $keyPairsStore.sigKeyPair); + await storeClientKeys($clientKeyStore); if ( !(await requestTokenUpgrade( - data.encKeyPair.pubKeyBase64, - $keyPairsStore.encKeyPair.privateKey, - data.sigKeyPair.pubKeyBase64, - $keyPairsStore.sigKeyPair.privateKey, + data.encryptKeyBase64, + $clientKeyStore.decryptKey, + data.verifyKeyBase64, + $clientKeyStore.signKey, )) ) throw new Error("Failed to upgrade token"); - if ( - !(await requestInitialMekRegistration(data.mekDraft, $keyPairsStore.encKeyPair.publicKey)) - ) + if (!(await requestInitialMekRegistration(data.mekDraft, $clientKeyStore.encryptKey))) throw new Error("Failed to register initial MEK"); await goto(data.redirectPath); diff --git a/src/routes/(fullscreen)/key/export/service.ts b/src/routes/(fullscreen)/key/export/service.ts index 97cfd8b..a7aa707 100644 --- a/src/routes/(fullscreen)/key/export/service.ts +++ b/src/routes/(fullscreen)/key/export/service.ts @@ -1,6 +1,7 @@ import { callAPI } from "$lib/hooks"; import { storeRSAKey } from "$lib/indexedDB"; import { encodeToBase64, encryptRSAPlaintext } from "$lib/modules/crypto"; +import type { ClientKeys } from "$lib/stores"; export { requestTokenUpgrade } from "$lib/services/auth"; export { requestClientRegistration } from "$lib/services/key"; @@ -10,44 +11,41 @@ type ExportedKeyPairs = { exportedAt: Date; } & { version: 1; - encKeyPair: { pubKey: string; privKey: string }; - sigKeyPair: { pubKey: string; privKey: string }; + encryptKey: string; + decryptKey: string; + verifyKey: string; + signKey: string; }; -export const makeKeyPairsSaveable = ( - encKeyPair: { pubKeyBase64: string; privKeyBase64: string }, - sigKeyPair: { pubKeyBase64: string; privKeyBase64: string }, +export const exportClientKeys = ( + encryptKeyBase64: string, + decryptKeyBase64: string, + verifyKeyBase64: string, + signKeyBase64: string, ) => { return { version: 1, generator: "ArkVault", exportedAt: new Date(), - encKeyPair: { - pubKey: encKeyPair.pubKeyBase64, - privKey: encKeyPair.privKeyBase64, - }, - sigKeyPair: { - pubKey: sigKeyPair.pubKeyBase64, - privKey: sigKeyPair.privKeyBase64, - }, + encryptKey: encryptKeyBase64, + decryptKey: decryptKeyBase64, + verifyKey: verifyKeyBase64, + signKey: signKeyBase64, } satisfies ExportedKeyPairs; }; -export const storeKeyPairsPersistently = async ( - encKeyPair: CryptoKeyPair, - sigKeyPair: CryptoKeyPair, -) => { - await storeRSAKey(encKeyPair.publicKey, "encrypt"); - await storeRSAKey(encKeyPair.privateKey, "decrypt"); - await storeRSAKey(sigKeyPair.publicKey, "verify"); - await storeRSAKey(sigKeyPair.privateKey, "sign"); +export const storeClientKeys = async (clientKeys: ClientKeys) => { + await storeRSAKey(clientKeys.encryptKey, "encrypt"); + await storeRSAKey(clientKeys.decryptKey, "decrypt"); + await storeRSAKey(clientKeys.signKey, "sign"); + await storeRSAKey(clientKeys.verifyKey, "verify"); }; export const requestInitialMekRegistration = async ( mekDraft: ArrayBuffer, - publicKey: CryptoKey, + encryptKey: CryptoKey, ) => { - const mekDraftEncrypted = await encryptRSAPlaintext(mekDraft, publicKey); + const mekDraftEncrypted = await encryptRSAPlaintext(mekDraft, encryptKey); const res = await callAPI("/api/mek/register/initial", { method: "POST", headers: { diff --git a/src/routes/(fullscreen)/key/generate/+page.svelte b/src/routes/(fullscreen)/key/generate/+page.svelte index b3b8986..4d48fa6 100644 --- a/src/routes/(fullscreen)/key/generate/+page.svelte +++ b/src/routes/(fullscreen)/key/generate/+page.svelte @@ -3,9 +3,9 @@ import { Button, TextButton } from "$lib/components/buttons"; import { TitleDiv, BottomDiv } from "$lib/components/divs"; import { gotoStateful } from "$lib/hooks"; - import { keyPairsStore } from "$lib/stores"; + import { clientKeyStore } from "$lib/stores"; import Order from "./Order.svelte"; - import { generateKeyPairs, generateMekDraft } from "./service"; + import { generateClientKeys, generateMekDraft } from "./service"; import IconKey from "~icons/material-symbols/key"; @@ -34,19 +34,18 @@ const generate = async () => { // TODO: Loading indicator - const { encKeyPair, sigKeyPair } = await generateKeyPairs(); + const clientKeys = await generateClientKeys(); const { mekDraft } = await generateMekDraft(); await gotoStateful("/key/export", { + ...clientKeys, redirectPath: data.redirectPath, - encKeyPair, - sigKeyPair, mekDraft, }); }; $effect(() => { - if ($keyPairsStore) { + if ($clientKeyStore) { goto(data.redirectPath); } }); diff --git a/src/routes/(fullscreen)/key/generate/service.ts b/src/routes/(fullscreen)/key/generate/service.ts index 438a861..d7c4ce9 100644 --- a/src/routes/(fullscreen)/key/generate/service.ts +++ b/src/routes/(fullscreen)/key/generate/service.ts @@ -8,32 +8,24 @@ import { makeAESKeyNonextractable, exportAESKey, } from "$lib/modules/crypto"; -import { keyPairsStore, mekStore } from "$lib/stores"; +import { clientKeyStore, mekStore } from "$lib/stores"; -export const generateKeyPairs = async () => { +export const generateClientKeys = async () => { const encKeyPair = await generateRSAEncKeyPair(); const sigKeyPair = await generateRSASigKeyPair(); - keyPairsStore.set({ - encKeyPair: { - publicKey: encKeyPair.publicKey, - privateKey: await makeRSAEncKeyNonextractable(encKeyPair.privateKey, "private"), - }, - sigKeyPair: { - publicKey: sigKeyPair.publicKey, - privateKey: await makeRSASigKeyNonextractable(sigKeyPair.privateKey, "private"), - }, + clientKeyStore.set({ + encryptKey: encKeyPair.publicKey, + decryptKey: await makeRSAEncKeyNonextractable(encKeyPair.privateKey, "private"), + signKey: await makeRSASigKeyNonextractable(sigKeyPair.privateKey, "private"), + verifyKey: sigKeyPair.publicKey, }); return { - encKeyPair: { - pubKeyBase64: await exportRSAKeyToBase64(encKeyPair.publicKey, "public"), - privKeyBase64: await exportRSAKeyToBase64(encKeyPair.privateKey, "private"), - }, - sigKeyPair: { - pubKeyBase64: await exportRSAKeyToBase64(sigKeyPair.publicKey, "public"), - privKeyBase64: await exportRSAKeyToBase64(sigKeyPair.privateKey, "private"), - }, + encryptKeyBase64: await exportRSAKeyToBase64(encKeyPair.publicKey, "public"), + decryptKeyBase64: await exportRSAKeyToBase64(encKeyPair.privateKey, "private"), + signKeyBase64: await exportRSAKeyToBase64(sigKeyPair.privateKey, "private"), + verifyKeyBase64: await exportRSAKeyToBase64(sigKeyPair.publicKey, "public"), }; }; @@ -42,7 +34,7 @@ export const generateMekDraft = async () => { const mekSecured = await makeAESKeyNonextractable(mek); mekStore.update((meks) => { - meks.set(meks.size, mekSecured); + meks.set(0, mekSecured); return meks; }); diff --git a/src/routes/+layout.svelte b/src/routes/+layout.svelte index f881303..34d3688 100644 --- a/src/routes/+layout.svelte +++ b/src/routes/+layout.svelte @@ -2,12 +2,12 @@ import { onMount } from "svelte"; import { goto } from "$app/navigation"; import "../app.css"; - import { prepareKeyPairStores } from "./services"; + import { prepareClientKeyStore } from "./services"; let { children } = $props(); onMount(() => { - prepareKeyPairStores().then(async (ok) => { + prepareClientKeyStore().then(async (ok) => { if (!ok && !["/auth", "/key"].some((path) => location.pathname.startsWith(path))) { await goto( "/key/generate?redirect=" + encodeURIComponent(location.pathname + location.search), diff --git a/src/routes/services.ts b/src/routes/services.ts index 37dc736..bb07c6a 100644 --- a/src/routes/services.ts +++ b/src/routes/services.ts @@ -1,16 +1,13 @@ import { getRSAKey } from "$lib/indexedDB"; -import { keyPairsStore } from "$lib/stores"; +import { clientKeyStore } from "$lib/stores"; -export const prepareKeyPairStores = async () => { - const encPubKey = await getRSAKey("encrypt"); - const encPrivKey = await getRSAKey("decrypt"); - const sigPubKey = await getRSAKey("verify"); - const sigPrivKey = await getRSAKey("sign"); - if (encPubKey && encPrivKey && sigPubKey && sigPrivKey) { - keyPairsStore.set({ - encKeyPair: { publicKey: encPubKey, privateKey: encPrivKey }, - sigKeyPair: { publicKey: sigPubKey, privateKey: sigPrivKey }, - }); +export const prepareClientKeyStore = async () => { + const encryptKey = await getRSAKey("encrypt"); + const decryptKey = await getRSAKey("decrypt"); + const signKey = await getRSAKey("sign"); + const verifyKey = await getRSAKey("verify"); + if (encryptKey && decryptKey && signKey && verifyKey) { + clientKeyStore.set({ encryptKey, decryptKey, signKey, verifyKey }); return true; } else { return false;