/api/mek/register, /api/mek/share Endpoint 삭제 및 MEK 서명 매커니즘 구현

2025년 첫 커밋! Happy New Year~
2025-12-16 06:58:46 +00:00 · 2025-01-01 05:24:13 +09:00
parent e8e4022bc2
commit 363f809d02
12 changed files with 112 additions and 259 deletions
--- a/src/routes/(fullscreen)/auth/login/+page.svelte
+++ b/src/routes/(fullscreen)/auth/login/+page.svelte
@@ -29,7 +29,10 @@

      // TODO: Multi-user support

-      if ($masterKeyStore || (await requestMasterKeyDownload($clientKeyStore.decryptKey))) {
+      if (
+        $masterKeyStore ||
+        (await requestMasterKeyDownload($clientKeyStore.decryptKey, $clientKeyStore.verifyKey))
+      ) {
        await goto(data.redirectPath);
      } else {
        await redirect("/client/pending");
--- a/src/routes/(fullscreen)/client/pending/+page.svelte
+++ b/src/routes/(fullscreen)/client/pending/+page.svelte
@@ -16,11 +16,13 @@
    if ($masterKeyStore) {
      goto(data.redirectPath);
    } else if ($clientKeyStore) {
-      requestMasterKeyDownload($clientKeyStore.decryptKey).then(async (ok) => {
-        if (ok) {
-          return await goto(data.redirectPath);
-        }
-      });
+      requestMasterKeyDownload($clientKeyStore.decryptKey, $clientKeyStore.verifyKey).then(
+        async (ok) => {
+          if (ok) {
+            return await goto(data.redirectPath);
+          }
+        },
+      );
    }
  });
 </script>
--- a/src/routes/(fullscreen)/key/export/service.ts
+++ b/src/routes/(fullscreen)/key/export/service.ts
@@ -1,6 +1,6 @@
 import { callAPI } from "$lib/hooks";
 import { storeClientKey } from "$lib/indexedDB";
-import { encodeToBase64, signRequest } from "$lib/modules/crypto";
+import { encodeToBase64, signRequest, signMasterKeyWrapped } from "$lib/modules/crypto";
 import type { ClientKeys } from "$lib/stores";

 export { requestTokenUpgrade } from "$lib/services/auth";
@@ -53,6 +53,7 @@ export const requestInitialMasterKeyRegistration = async (
    body: await signRequest(
      {
        mek: encodeToBase64(masterKeyWrapped),
+        mekSig: await signMasterKeyWrapped(1, masterKeyWrapped, signKey),
      },
      signKey,
    ),
--- a/src/routes/api/mek/register/+server.ts
+++ b/src/routes/api/mek/register/+server.ts
@@ -1,32 +0,0 @@
-import { text } from "@sveltejs/kit";
-import { z } from "zod";
-import { authorize } from "$lib/server/modules/auth";
-import { parseSignedRequest } from "$lib/server/modules/crypto";
-import { registerNewActiveMek } from "$lib/server/services/mek";
-import type { RequestHandler } from "@sveltejs/kit";
-
-export const POST: RequestHandler = async ({ request, cookies }) => {
-  const { userId, clientId } = await authorize(cookies, "activeClient");
-  const { meks } = await parseSignedRequest(
-    clientId,
-    await request.json(),
-    z.object({
-      meks: z.array(
-        z.object({
-          clientId: z.number().int().positive(),
-          mek: z.string().base64().nonempty(),
-        }),
-      ),
-    }),
-  );
-
-  await registerNewActiveMek(
-    userId,
-    clientId,
-    meks.map(({ clientId, mek }) => ({
-      clientId,
-      encMek: mek,
-    })),
-  );
-  return text("MEK registered", { headers: { "Content-Type": "text/plain" } });
-};
--- a/src/routes/api/mek/register/initial/+server.ts
+++ b/src/routes/api/mek/register/initial/+server.ts
@@ -11,14 +11,15 @@ export const POST: RequestHandler = async ({ request, cookies }) => {
    error(403, "Forbidden");
  }

-  const { mek } = await parseSignedRequest(
+  const { mek, mekSig } = await parseSignedRequest(
    clientId,
    await request.json(),
    z.object({
      mek: z.string().base64().nonempty(),
+      mekSig: z.string().base64().nonempty(),
    }),
  );

-  await registerInitialActiveMek(userId, clientId, mek);
+  await registerInitialActiveMek(userId, clientId, mek, mekSig);
  return text("MEK registered", { headers: { "Content-Type": "text/plain" } });
 };
--- a/src/routes/api/mek/share/+server.ts
+++ b/src/routes/api/mek/share/+server.ts
@@ -1,30 +0,0 @@
-import { text } from "@sveltejs/kit";
-import { z } from "zod";
-import { authorize } from "$lib/server/modules/auth";
-import { parseSignedRequest } from "$lib/server/modules/crypto";
-import { shareMeksForNewClient } from "$lib/server/services/mek";
-import type { RequestHandler } from "./$types";
-
-export const POST: RequestHandler = async ({ request, cookies }) => {
-  const { userId, clientId } = await authorize(cookies, "activeClient");
-  const { targetId, meks } = await parseSignedRequest(
-    clientId,
-    await request.json(),
-    z.object({
-      targetId: z.number().int().positive(),
-      meks: z.array(
-        z.object({
-          version: z.number().int().positive(),
-          mek: z.string().base64().nonempty(),
-        }),
-      ),
-    }),
-  );
-
-  await shareMeksForNewClient(
-    userId,
-    targetId,
-    meks.map(({ version, mek }) => ({ version, encMek: mek })),
-  );
-  return text("MEK shared", { headers: { "Content-Type": "text/plain" } });
-};