kmc7468/arkvault
1
0
Fork 0
mirror of https://github.com/kmc7468/arkvault.git synced 2025-12-14 22:08:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

프론트엔드에서의 암호 키 관련된 변수 이름 리팩토링

Browse Source
This commit is contained in:
static
2024-12-31 06:20:23 +09:00
parent be70ef1507
commit 214568f2ee
13 changed files with 137 additions and 145 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
src/lib/hooks/gotoStateful.ts
View File

@@ -4,14 +4,12 @@ type Path = "/key/export";
interface KeyExportState { interface KeyExportState {
redirectPath: string; redirectPath: string;
encKeyPair: {
pubKeyBase64: string; encryptKeyBase64: string;
privKeyBase64: string; decryptKeyBase64: string;
}; signKeyBase64: string;
sigKeyPair: { verifyKeyBase64: string;
pubKeyBase64: string;
privKeyBase64: string;
};
mekDraft: ArrayBuffer; mekDraft: ArrayBuffer;
} }

24
src/lib/indexedDB.ts
View File

@@ -12,7 +12,7 @@ const keyStore = new Dexie("keyStore") as Dexie & {
}; };
keyStore.version(1).stores({ keyStore.version(1).stores({
rsaKey: "usage, key", rsaKey: "usage",
}); });
export const getRSAKey = async (usage: RSAKeyUsage) => { export const getRSAKey = async (usage: RSAKeyUsage) => {
@@ -21,11 +21,23 @@ export const getRSAKey = async (usage: RSAKeyUsage) => {
}; };
export const storeRSAKey = async (key: CryptoKey, usage: RSAKeyUsage) => { export const storeRSAKey = async (key: CryptoKey, usage: RSAKeyUsage) => {
if ((usage === "encrypt" || usage === "verify") && !key.extractable) { switch (usage) {
throw new Error("Public key must be extractable"); case "encrypt":
} else if ((usage === "decrypt" || usage === "sign") && key.extractable) { case "verify":
throw new Error("Private key must be non-extractable"); if (key.type !== "public") {
throw new Error("Public key required");
} else if (!key.extractable) {
throw new Error("Public key must be extractable");
}
break;
case "decrypt":
case "sign":
if (key.type !== "private") {
throw new Error("Private key required");
} else if (key.extractable) {
throw new Error("Private key must be non-extractable");
}
break;
} }
await keyStore.rsaKey.put({ usage, key }); await keyStore.rsaKey.put({ usage, key });
}; };

16
src/lib/services/auth.ts
View File

@@ -6,10 +6,10 @@ import {
} from "$lib/modules/crypto"; } from "$lib/modules/crypto";
export const requestTokenUpgrade = async ( export const requestTokenUpgrade = async (
encPubKeyBase64: string, encryptKeyBase64: string,
encPrivKey: CryptoKey, decryptKey: CryptoKey,
sigPubKeyBase64: string, verifyKeyBase64: string,
sigPrivKey: CryptoKey, signKey: CryptoKey,
) => { ) => {
let res = await fetch("/api/auth/upgradeToken", { let res = await fetch("/api/auth/upgradeToken", {
method: "POST", method: "POST",
@@ -17,15 +17,15 @@ export const requestTokenUpgrade = async (
"Content-Type": "application/json", "Content-Type": "application/json",
}, },
body: JSON.stringify({ body: JSON.stringify({
encPubKey: encPubKeyBase64, encPubKey: encryptKeyBase64,
sigPubKey: sigPubKeyBase64, sigPubKey: verifyKeyBase64,
}), }),
}); });
if (!res.ok) return false; if (!res.ok) return false;
const { challenge } = await res.json(); const { challenge } = await res.json();
const answer = await decryptRSACiphertext(decodeFromBase64(challenge), encPrivKey); const answer = await decryptRSACiphertext(decodeFromBase64(challenge), decryptKey);
const sigAnswer = await signRSAMessage(answer, sigPrivKey); const sigAnswer = await signRSAMessage(answer, signKey);
res = await fetch("/api/auth/upgradeToken/verify", { res = await fetch("/api/auth/upgradeToken/verify", {
method: "POST", method: "POST",

16
src/lib/services/key.ts
View File

@@ -7,10 +7,10 @@ import {
} from "$lib/modules/crypto"; } from "$lib/modules/crypto";
export const requestClientRegistration = async ( export const requestClientRegistration = async (
encPubKeyBase64: string, encryptKeyBase64: string,
encPrivKey: CryptoKey, decryptKey: CryptoKey,
sigPubKeyBase64: string, verifyKeyBase64: string,
sigPrivKey: CryptoKey, signKey: CryptoKey,
) => { ) => {
let res = await callAPI("/api/client/register", { let res = await callAPI("/api/client/register", {
method: "POST", method: "POST",
@@ -18,15 +18,15 @@ export const requestClientRegistration = async (
"Content-Type": "application/json", "Content-Type": "application/json",
}, },
body: JSON.stringify({ body: JSON.stringify({
encPubKey: encPubKeyBase64, encPubKey: encryptKeyBase64,
sigPubKey: sigPubKeyBase64, sigPubKey: verifyKeyBase64,
}), }),
}); });
if (!res.ok) return false; if (!res.ok) return false;
const { challenge } = await res.json(); const { challenge } = await res.json();
const answer = await decryptRSACiphertext(decodeFromBase64(challenge), encPrivKey); const answer = await decryptRSACiphertext(decodeFromBase64(challenge), decryptKey);
const sigAnswer = await signRSAMessage(answer, sigPrivKey); const sigAnswer = await signRSAMessage(answer, signKey);
res = await callAPI("/api/client/verify", { res = await callAPI("/api/client/verify", {
method: "POST", method: "POST",

10
src/lib/stores/key.ts
View File

@@ -1,9 +1,11 @@
import { writable } from "svelte/store"; import { writable } from "svelte/store";
interface KeyPairs { export interface ClientKeys {
encKeyPair: CryptoKeyPair; encryptKey: CryptoKey;
sigKeyPair: CryptoKeyPair; decryptKey: CryptoKey;
signKey: CryptoKey;
verifyKey: CryptoKey;
} }
export const keyPairsStore = writable<KeyPairs | null>(null); export const clientKeyStore = writable<ClientKeys | null>(null);
export const mekStore = writable<Map<number, CryptoKey>>(new Map()); export const mekStore = writable<Map<number, CryptoKey>>(new Map());

9
src/routes/(fullscreen)/auth/login/+page.svelte
View File

@@ -5,7 +5,7 @@
import { TitleDiv, BottomDiv } from "$lib/components/divs"; import { TitleDiv, BottomDiv } from "$lib/components/divs";
import { TextInput } from "$lib/components/inputs"; import { TextInput } from "$lib/components/inputs";
import { refreshToken } from "$lib/hooks/callAPI"; import { refreshToken } from "$lib/hooks/callAPI";
import { keyPairsStore } from "$lib/stores"; import { clientKeyStore } from "$lib/stores";
import { requestLogin, requestTokenUpgrade } from "./service"; import { requestLogin, requestTokenUpgrade } from "./service";
let { data } = $props(); let { data } = $props();
@@ -19,14 +19,11 @@
try { try {
if (!(await requestLogin(email, password))) throw new Error("Failed to login"); if (!(await requestLogin(email, password))) throw new Error("Failed to login");
if ( if ($clientKeyStore && !(await requestTokenUpgrade($clientKeyStore)))
$keyPairsStore &&
!(await requestTokenUpgrade($keyPairsStore.encKeyPair, $keyPairsStore.sigKeyPair))
)
throw new Error("Failed to upgrade token"); throw new Error("Failed to upgrade token");
await goto( await goto(
$keyPairsStore $clientKeyStore
? data.redirectPath ? data.redirectPath
: "/key/generate?redirect=" + encodeURIComponent(data.redirectPath), : "/key/generate?redirect=" + encodeURIComponent(data.redirectPath),
); );

38
src/routes/(fullscreen)/auth/login/service.ts
View File

@@ -1,6 +1,7 @@
import { exportRSAKeyToBase64 } from "$lib/modules/crypto"; import { exportRSAKeyToBase64 } from "$lib/modules/crypto";
import { requestTokenUpgrade as requestTokenUpgradeInternal } from "$lib/services/auth"; import { requestTokenUpgrade as requestTokenUpgradeInternal } from "$lib/services/auth";
import { requestClientRegistration } from "$lib/services/key"; import { requestClientRegistration } from "$lib/services/key";
import type { ClientKeys } from "$lib/stores";
export const requestLogin = async (email: string, password: string) => { export const requestLogin = async (email: string, password: string) => {
const res = await fetch("/api/auth/login", { const res = await fetch("/api/auth/login", {
@@ -13,33 +14,24 @@ export const requestLogin = async (email: string, password: string) => {
return res.ok; return res.ok;
}; };
export const requestTokenUpgrade = async (encKeyPair: CryptoKeyPair, sigKeyPair: CryptoKeyPair) => { export const requestTokenUpgrade = async ({
const encPubKeyBase64 = await exportRSAKeyToBase64(encKeyPair.publicKey, "public"); encryptKey,
const sigPubKeyBase64 = await exportRSAKeyToBase64(sigKeyPair.publicKey, "public"); decryptKey,
if ( signKey,
await requestTokenUpgradeInternal( verifyKey,
encPubKeyBase64, }: ClientKeys) => {
encKeyPair.privateKey, const encryptKeyBase64 = await exportRSAKeyToBase64(encryptKey, "public");
sigPubKeyBase64, const verifyKeyBase64 = await exportRSAKeyToBase64(verifyKey, "public");
sigKeyPair.privateKey, if (await requestTokenUpgradeInternal(encryptKeyBase64, decryptKey, verifyKeyBase64, signKey)) {
)
) {
return true; return true;
} }
if ( if (await requestClientRegistration(encryptKeyBase64, decryptKey, verifyKeyBase64, signKey)) {
await requestClientRegistration(
encPubKeyBase64,
encKeyPair.privateKey,
sigPubKeyBase64,
sigKeyPair.privateKey,
)
) {
return await requestTokenUpgradeInternal( return await requestTokenUpgradeInternal(
encPubKeyBase64, encryptKeyBase64,
encKeyPair.privateKey, decryptKey,
sigPubKeyBase64, verifyKeyBase64,
sigKeyPair.privateKey, signKey,
); );
} else { } else {
return false; return false;

45
src/routes/(fullscreen)/key/export/+page.svelte
View File

@@ -3,13 +3,13 @@
import { goto } from "$app/navigation"; import { goto } from "$app/navigation";
import { Button, TextButton } from "$lib/components/buttons"; import { Button, TextButton } from "$lib/components/buttons";
import { BottomDiv } from "$lib/components/divs"; import { BottomDiv } from "$lib/components/divs";
import { keyPairsStore } from "$lib/stores"; import { clientKeyStore } from "$lib/stores";
import BeforeContinueBottomSheet from "./BeforeContinueBottomSheet.svelte"; import BeforeContinueBottomSheet from "./BeforeContinueBottomSheet.svelte";
import BeforeContinueModal from "./BeforeContinueModal.svelte"; import BeforeContinueModal from "./BeforeContinueModal.svelte";
import { import {
makeKeyPairsSaveable, exportClientKeys,
requestClientRegistration, requestClientRegistration,
storeKeyPairsPersistently, storeClientKeys,
requestTokenUpgrade, requestTokenUpgrade,
requestInitialMekRegistration, requestInitialMekRegistration,
} from "./service"; } from "./service";
@@ -22,9 +22,16 @@
let isBeforeContinueBottomSheetOpen = $state(false); let isBeforeContinueBottomSheetOpen = $state(false);
const exportKeyPair = () => { const exportKeyPair = () => {
const keyPairsSaveable = makeKeyPairsSaveable(data.encKeyPair, data.sigKeyPair); const clientKeysExported = exportClientKeys(
const keyPairsBlob = new Blob([JSON.stringify(keyPairsSaveable)], { type: "application/json" }); data.encryptKeyBase64,
saveAs(keyPairsBlob, "arkvalut-key.json"); data.decryptKeyBase64,
data.verifyKeyBase64,
data.signKeyBase64,
);
const clientKeysBlob = new Blob([JSON.stringify(clientKeysExported)], {
type: "application/json",
});
saveAs(clientKeysBlob, "arkvalut-clientkey.json");
if (!isBeforeContinueBottomSheetOpen) { if (!isBeforeContinueBottomSheetOpen) {
setTimeout(() => { setTimeout(() => {
@@ -34,7 +41,7 @@
}; };
const registerPubKey = async () => { const registerPubKey = async () => {
if (!$keyPairsStore) { if (!$clientKeyStore) {
throw new Error("Failed to find key pair"); throw new Error("Failed to find key pair");
} }
@@ -44,29 +51,27 @@
try { try {
if ( if (
!(await requestClientRegistration( !(await requestClientRegistration(
data.encKeyPair.pubKeyBase64, data.encryptKeyBase64,
$keyPairsStore.encKeyPair.privateKey, $clientKeyStore.decryptKey,
data.sigKeyPair.pubKeyBase64, data.verifyKeyBase64,
$keyPairsStore.sigKeyPair.privateKey, $clientKeyStore.signKey,
)) ))
) )
throw new Error("Failed to register public key"); throw new Error("Failed to register client");
await storeKeyPairsPersistently($keyPairsStore.encKeyPair, $keyPairsStore.sigKeyPair); await storeClientKeys($clientKeyStore);
if ( if (
!(await requestTokenUpgrade( !(await requestTokenUpgrade(
data.encKeyPair.pubKeyBase64, data.encryptKeyBase64,
$keyPairsStore.encKeyPair.privateKey, $clientKeyStore.decryptKey,
data.sigKeyPair.pubKeyBase64, data.verifyKeyBase64,
$keyPairsStore.sigKeyPair.privateKey, $clientKeyStore.signKey,
)) ))
) )
throw new Error("Failed to upgrade token"); throw new Error("Failed to upgrade token");
if ( if (!(await requestInitialMekRegistration(data.mekDraft, $clientKeyStore.encryptKey)))
!(await requestInitialMekRegistration(data.mekDraft, $keyPairsStore.encKeyPair.publicKey))
)
throw new Error("Failed to register initial MEK"); throw new Error("Failed to register initial MEK");
await goto(data.redirectPath); await goto(data.redirectPath);

44
src/routes/(fullscreen)/key/export/service.ts
View File

@@ -1,6 +1,7 @@
import { callAPI } from "$lib/hooks"; import { callAPI } from "$lib/hooks";
import { storeRSAKey } from "$lib/indexedDB"; import { storeRSAKey } from "$lib/indexedDB";
import { encodeToBase64, encryptRSAPlaintext } from "$lib/modules/crypto"; import { encodeToBase64, encryptRSAPlaintext } from "$lib/modules/crypto";
import type { ClientKeys } from "$lib/stores";
export { requestTokenUpgrade } from "$lib/services/auth"; export { requestTokenUpgrade } from "$lib/services/auth";
export { requestClientRegistration } from "$lib/services/key"; export { requestClientRegistration } from "$lib/services/key";
@@ -10,44 +11,41 @@ type ExportedKeyPairs = {
exportedAt: Date; exportedAt: Date;
} & { } & {
version: 1; version: 1;
encKeyPair: { pubKey: string; privKey: string }; encryptKey: string;
sigKeyPair: { pubKey: string; privKey: string }; decryptKey: string;
verifyKey: string;
signKey: string;
}; };
export const makeKeyPairsSaveable = ( export const exportClientKeys = (
encKeyPair: { pubKeyBase64: string; privKeyBase64: string }, encryptKeyBase64: string,
sigKeyPair: { pubKeyBase64: string; privKeyBase64: string }, decryptKeyBase64: string,
verifyKeyBase64: string,
signKeyBase64: string,
) => { ) => {
return { return {
version: 1, version: 1,
generator: "ArkVault", generator: "ArkVault",
exportedAt: new Date(), exportedAt: new Date(),
encKeyPair: { encryptKey: encryptKeyBase64,
pubKey: encKeyPair.pubKeyBase64, decryptKey: decryptKeyBase64,
privKey: encKeyPair.privKeyBase64, verifyKey: verifyKeyBase64,
}, signKey: signKeyBase64,
sigKeyPair: {
pubKey: sigKeyPair.pubKeyBase64,
privKey: sigKeyPair.privKeyBase64,
},
} satisfies ExportedKeyPairs; } satisfies ExportedKeyPairs;
}; };
export const storeKeyPairsPersistently = async ( export const storeClientKeys = async (clientKeys: ClientKeys) => {
encKeyPair: CryptoKeyPair, await storeRSAKey(clientKeys.encryptKey, "encrypt");
sigKeyPair: CryptoKeyPair, await storeRSAKey(clientKeys.decryptKey, "decrypt");
) => { await storeRSAKey(clientKeys.signKey, "sign");
await storeRSAKey(encKeyPair.publicKey, "encrypt"); await storeRSAKey(clientKeys.verifyKey, "verify");
await storeRSAKey(encKeyPair.privateKey, "decrypt");
await storeRSAKey(sigKeyPair.publicKey, "verify");
await storeRSAKey(sigKeyPair.privateKey, "sign");
}; };
export const requestInitialMekRegistration = async ( export const requestInitialMekRegistration = async (
mekDraft: ArrayBuffer, mekDraft: ArrayBuffer,
publicKey: CryptoKey, encryptKey: CryptoKey,
) => { ) => {
const mekDraftEncrypted = await encryptRSAPlaintext(mekDraft, publicKey); const mekDraftEncrypted = await encryptRSAPlaintext(mekDraft, encryptKey);
const res = await callAPI("/api/mek/register/initial", { const res = await callAPI("/api/mek/register/initial", {
method: "POST", method: "POST",
headers: { headers: {

11
src/routes/(fullscreen)/key/generate/+page.svelte
View File

@@ -3,9 +3,9 @@
import { Button, TextButton } from "$lib/components/buttons"; import { Button, TextButton } from "$lib/components/buttons";
import { TitleDiv, BottomDiv } from "$lib/components/divs"; import { TitleDiv, BottomDiv } from "$lib/components/divs";
import { gotoStateful } from "$lib/hooks"; import { gotoStateful } from "$lib/hooks";
import { keyPairsStore } from "$lib/stores"; import { clientKeyStore } from "$lib/stores";
import Order from "./Order.svelte"; import Order from "./Order.svelte";
import { generateKeyPairs, generateMekDraft } from "./service"; import { generateClientKeys, generateMekDraft } from "./service";
import IconKey from "~icons/material-symbols/key"; import IconKey from "~icons/material-symbols/key";
@@ -34,19 +34,18 @@
const generate = async () => { const generate = async () => {
// TODO: Loading indicator // TODO: Loading indicator
const { encKeyPair, sigKeyPair } = await generateKeyPairs(); const clientKeys = await generateClientKeys();
const { mekDraft } = await generateMekDraft(); const { mekDraft } = await generateMekDraft();
await gotoStateful("/key/export", { await gotoStateful("/key/export", {
...clientKeys,
redirectPath: data.redirectPath, redirectPath: data.redirectPath,
encKeyPair,
sigKeyPair,
mekDraft, mekDraft,
}); });
}; };
$effect(() => { $effect(() => {
if ($keyPairsStore) { if ($clientKeyStore) {
goto(data.redirectPath); goto(data.redirectPath);
} }
}); });

32
src/routes/(fullscreen)/key/generate/service.ts
View File

@@ -8,32 +8,24 @@ import {
makeAESKeyNonextractable, makeAESKeyNonextractable,
exportAESKey, exportAESKey,
} from "$lib/modules/crypto"; } from "$lib/modules/crypto";
import { keyPairsStore, mekStore } from "$lib/stores"; import { clientKeyStore, mekStore } from "$lib/stores";
export const generateKeyPairs = async () => { export const generateClientKeys = async () => {
const encKeyPair = await generateRSAEncKeyPair(); const encKeyPair = await generateRSAEncKeyPair();
const sigKeyPair = await generateRSASigKeyPair(); const sigKeyPair = await generateRSASigKeyPair();
keyPairsStore.set({ clientKeyStore.set({
encKeyPair: { encryptKey: encKeyPair.publicKey,
publicKey: encKeyPair.publicKey, decryptKey: await makeRSAEncKeyNonextractable(encKeyPair.privateKey, "private"),
privateKey: await makeRSAEncKeyNonextractable(encKeyPair.privateKey, "private"), signKey: await makeRSASigKeyNonextractable(sigKeyPair.privateKey, "private"),
}, verifyKey: sigKeyPair.publicKey,
sigKeyPair: {
publicKey: sigKeyPair.publicKey,
privateKey: await makeRSASigKeyNonextractable(sigKeyPair.privateKey, "private"),
},
}); });
return { return {
encKeyPair: { encryptKeyBase64: await exportRSAKeyToBase64(encKeyPair.publicKey, "public"),
pubKeyBase64: await exportRSAKeyToBase64(encKeyPair.publicKey, "public"), decryptKeyBase64: await exportRSAKeyToBase64(encKeyPair.privateKey, "private"),
privKeyBase64: await exportRSAKeyToBase64(encKeyPair.privateKey, "private"), signKeyBase64: await exportRSAKeyToBase64(sigKeyPair.privateKey, "private"),
}, verifyKeyBase64: await exportRSAKeyToBase64(sigKeyPair.publicKey, "public"),
sigKeyPair: {
pubKeyBase64: await exportRSAKeyToBase64(sigKeyPair.publicKey, "public"),
privKeyBase64: await exportRSAKeyToBase64(sigKeyPair.privateKey, "private"),
},
}; };
}; };
@@ -42,7 +34,7 @@ export const generateMekDraft = async () => {
const mekSecured = await makeAESKeyNonextractable(mek); const mekSecured = await makeAESKeyNonextractable(mek);
mekStore.update((meks) => { mekStore.update((meks) => {
meks.set(meks.size, mekSecured); meks.set(0, mekSecured);
return meks; return meks;
}); });

4
src/routes/+layout.svelte
View File

@@ -2,12 +2,12 @@
import { onMount } from "svelte"; import { onMount } from "svelte";
import { goto } from "$app/navigation"; import { goto } from "$app/navigation";
import "../app.css"; import "../app.css";
import { prepareKeyPairStores } from "./services"; import { prepareClientKeyStore } from "./services";
let { children } = $props(); let { children } = $props();
onMount(() => { onMount(() => {
prepareKeyPairStores().then(async (ok) => { prepareClientKeyStore().then(async (ok) => {
if (!ok && !["/auth", "/key"].some((path) => location.pathname.startsWith(path))) { if (!ok && !["/auth", "/key"].some((path) => location.pathname.startsWith(path))) {
await goto( await goto(
"/key/generate?redirect=" + encodeURIComponent(location.pathname + location.search), "/key/generate?redirect=" + encodeURIComponent(location.pathname + location.search),

19
src/routes/services.ts
View File

@@ -1,16 +1,13 @@
import { getRSAKey } from "$lib/indexedDB"; import { getRSAKey } from "$lib/indexedDB";
import { keyPairsStore } from "$lib/stores"; import { clientKeyStore } from "$lib/stores";
export const prepareKeyPairStores = async () => { export const prepareClientKeyStore = async () => {
const encPubKey = await getRSAKey("encrypt"); const encryptKey = await getRSAKey("encrypt");
const encPrivKey = await getRSAKey("decrypt"); const decryptKey = await getRSAKey("decrypt");
const sigPubKey = await getRSAKey("verify"); const signKey = await getRSAKey("sign");
const sigPrivKey = await getRSAKey("sign"); const verifyKey = await getRSAKey("verify");
if (encPubKey && encPrivKey && sigPubKey && sigPrivKey) { if (encryptKey && decryptKey && signKey && verifyKey) {
keyPairsStore.set({ clientKeyStore.set({ encryptKey, decryptKey, signKey, verifyKey });
encKeyPair: { publicKey: encPubKey, privateKey: encPrivKey },
sigKeyPair: { publicKey: sigPubKey, privateKey: sigPrivKey },
});
return true; return true;
} else { } else {
return false; return false;