암호 키 생성 및 등록시 HSK도 함께 생성 및 등록하도록 변경

2025-12-16 15:08:46 +00:00 · 2025-01-12 21:52:41 +09:00
parent 805d7df182
commit 59c8523e25
15 changed files with 183 additions and 33 deletions
--- a/src/routes/(fullscreen)/key/export/+page.svelte
+++ b/src/routes/(fullscreen)/key/export/+page.svelte
@@ -11,7 +11,7 @@
    requestClientRegistration,
    storeClientKeys,
    requestSessionUpgrade,
-    requestInitialMasterKeyRegistration,
+    requestInitialMasterKeyAndHmacSecretRegistration,
  } from "./service";

  import IconKey from "~icons/material-symbols/key";
@@ -69,9 +69,13 @@
        throw new Error("Failed to upgrade session");

      if (
-        !(await requestInitialMasterKeyRegistration(data.masterKeyWrapped, $clientKeyStore.signKey))
+        !(await requestInitialMasterKeyAndHmacSecretRegistration(
+          data.masterKeyWrapped,
+          data.hmacSecretWrapped,
+          $clientKeyStore.signKey,
+        ))
      )
-        throw new Error("Failed to register initial MEK");
+        throw new Error("Failed to register initial MEK and HSK");

      await goto("/client/pending?redirect=" + encodeURIComponent(data.redirectPath));
    } catch (e) {
--- a/src/routes/(fullscreen)/key/export/service.ts
+++ b/src/routes/(fullscreen)/key/export/service.ts
@@ -1,7 +1,10 @@
 import { callPostApi } from "$lib/hooks";
 import { storeClientKey } from "$lib/indexedDB";
 import { signMasterKeyWrapped } from "$lib/modules/crypto";
-import type { InitialMasterKeyRegisterRequest } from "$lib/server/schemas";
+import type {
+  InitialMasterKeyRegisterRequest,
+  InitialHmacSecretRegisterRequest,
+} from "$lib/server/schemas";
 import type { ClientKeys } from "$lib/stores";

 export { requestSessionUpgrade } from "$lib/services/auth";
@@ -44,13 +47,22 @@ export const storeClientKeys = async (clientKeys: ClientKeys) => {
  ]);
 };

-export const requestInitialMasterKeyRegistration = async (
+export const requestInitialMasterKeyAndHmacSecretRegistration = async (
  masterKeyWrapped: string,
+  hmacSecretWrapped: string,
  signKey: CryptoKey,
 ) => {
-  const res = await callPostApi<InitialMasterKeyRegisterRequest>("/api/mek/register/initial", {
+  let res = await callPostApi<InitialMasterKeyRegisterRequest>("/api/mek/register/initial", {
    mek: masterKeyWrapped,
    mekSig: await signMasterKeyWrapped(masterKeyWrapped, 1, signKey),
  });
-  return res.ok || res.status === 409;
+  if (!res.ok) {
+    return res.status === 409;
+  }
+
+  res = await callPostApi<InitialHmacSecretRegisterRequest>("/api/hsk/register/initial", {
+    mekVersion: 1,
+    hsk: hmacSecretWrapped,
+  });
+  return res.ok;
 };
--- a/src/routes/(fullscreen)/key/generate/+page.svelte
+++ b/src/routes/(fullscreen)/key/generate/+page.svelte
@@ -6,7 +6,11 @@
  import { gotoStateful } from "$lib/hooks";
  import { clientKeyStore } from "$lib/stores";
  import Order from "./Order.svelte";
-  import { generateClientKeys, generateInitialMasterKey } from "./service";
+  import {
+    generateClientKeys,
+    generateInitialMasterKey,
+    generateInitialHmacSecret,
+  } from "./service";

  import IconKey from "~icons/material-symbols/key";

@@ -36,12 +40,14 @@
    // TODO: Loading indicator

    const { encryptKey, ...clientKeys } = await generateClientKeys();
-    const { masterKeyWrapped } = await generateInitialMasterKey(encryptKey);
+    const { masterKey, masterKeyWrapped } = await generateInitialMasterKey(encryptKey);
+    const { hmacSecretWrapped } = await generateInitialHmacSecret(masterKey);

    await gotoStateful("/key/export", {
      ...clientKeys,
      redirectPath: data.redirectPath,
      masterKeyWrapped,
+      hmacSecretWrapped,
    });
  };

--- a/src/routes/(fullscreen)/key/generate/service.ts
+++ b/src/routes/(fullscreen)/key/generate/service.ts
@@ -3,8 +3,11 @@ import {
  generateSigningKeyPair,
  exportRSAKeyToBase64,
  makeRSAKeyNonextractable,
-  generateMasterKey,
  wrapMasterKey,
+  generateMasterKey,
+  makeAESKeyNonextractable,
+  wrapHmacSecret,
+  generateHmacSecret,
 } from "$lib/modules/crypto";
 import { clientKeyStore } from "$lib/stores";

@@ -31,6 +34,14 @@ export const generateClientKeys = async () => {
 export const generateInitialMasterKey = async (encryptKey: CryptoKey) => {
  const { masterKey } = await generateMasterKey();
  return {
+    masterKey: await makeAESKeyNonextractable(masterKey),
    masterKeyWrapped: await wrapMasterKey(masterKey, encryptKey),
  };
 };
+
+export const generateInitialHmacSecret = async (masterKey: CryptoKey) => {
+  const { hmacSecret } = await generateHmacSecret();
+  return {
+    hmacSecretWrapped: await wrapHmacSecret(hmacSecret, masterKey),
+  };
+};
--- a/src/routes/(main)/directory/[[id]]/+page.svelte
+++ b/src/routes/(main)/directory/[[id]]/+page.svelte
@@ -1,10 +1,11 @@
 <script lang="ts">
+  import { onMount } from "svelte";
  import type { Writable } from "svelte/store";
  import { goto } from "$app/navigation";
  import { TopBar } from "$lib/components";
  import { FloatingButton } from "$lib/components/buttons";
  import { getDirectoryInfo } from "$lib/modules/file";
-  import { masterKeyStore, type DirectoryInfo } from "$lib/stores";
+  import { masterKeyStore, hmacSecretStore, type DirectoryInfo } from "$lib/stores";
  import CreateBottomSheet from "./CreateBottomSheet.svelte";
  import CreateDirectoryModal from "./CreateDirectoryModal.svelte";
  import DeleteDirectoryEntryModal from "./DeleteDirectoryEntryModal.svelte";
@@ -12,6 +13,7 @@
  import DirectoryEntryMenuBottomSheet from "./DirectoryEntryMenuBottomSheet.svelte";
  import RenameDirectoryEntryModal from "./RenameDirectoryEntryModal.svelte";
  import {
+    requestHmacSecretDownload,
    requestDirectoryCreation,
    requestFileUpload,
    requestDirectoryEntryRename,
@@ -44,11 +46,19 @@
    const file = fileInput?.files?.[0];
    if (!file) return;

-    requestFileUpload(file, data.id, $masterKeyStore?.get(1)!).then(() => {
-      info = getDirectoryInfo(data.id, $masterKeyStore?.get(1)?.key!); // TODO: FIXME
-    });
+    requestFileUpload(file, data.id, $masterKeyStore?.get(1)!, $hmacSecretStore?.get(1)!).then(
+      () => {
+        info = getDirectoryInfo(data.id, $masterKeyStore?.get(1)?.key!); // TODO: FIXME
+      },
+    );
  };

+  onMount(async () => {
+    if (!$hmacSecretStore && !(await requestHmacSecretDownload($masterKeyStore?.get(1)?.key!))) {
+      throw new Error("Failed to download hmac secrets");
+    }
+  });
+
  $effect(() => {
    info = getDirectoryInfo(data.id, $masterKeyStore?.get(1)?.key!);
  });
--- a/src/routes/(main)/directory/[[id]]/service.ts
+++ b/src/routes/(main)/directory/[[id]]/service.ts
@@ -1,12 +1,22 @@
-import { callPostApi } from "$lib/hooks";
-import { generateDataKey, wrapDataKey, encryptData, encryptString } from "$lib/modules/crypto";
+import { callGetApi, callPostApi } from "$lib/hooks";
+import { storeHmacSecrets } from "$lib/indexedDB";
+import {
+  encodeToBase64,
+  generateDataKey,
+  wrapDataKey,
+  unwrapHmacSecret,
+  encryptData,
+  encryptString,
+  signMessageHmac,
+} from "$lib/modules/crypto";
 import type {
  DirectoryRenameRequest,
  DirectoryCreateRequest,
  FileRenameRequest,
  FileUploadRequest,
+  HmacSecretListResponse,
 } from "$lib/server/schemas";
-import type { MasterKey } from "$lib/stores";
+import { hmacSecretStore, type MasterKey, type HmacSecret } from "$lib/stores";

 export interface SelectedDirectoryEntry {
  type: "directory" | "file";
@@ -16,6 +26,26 @@ export interface SelectedDirectoryEntry {
  name: string;
 }

+export const requestHmacSecretDownload = async (masterKey: CryptoKey) => {
+  // TODO: MEK rotation
+
+  const res = await callGetApi("/api/hsk/list");
+  if (!res.ok) return false;
+
+  const { hsks: hmacSecretsWrapped }: HmacSecretListResponse = await res.json();
+  const hmacSecrets = await Promise.all(
+    hmacSecretsWrapped.map(async ({ version, state, hsk: hmacSecretWrapped }) => {
+      const { hmacSecret } = await unwrapHmacSecret(hmacSecretWrapped, masterKey);
+      return { version, state, secret: hmacSecret };
+    }),
+  );
+
+  await storeHmacSecrets(hmacSecrets);
+  hmacSecretStore.set(new Map(hmacSecrets.map((hmacSecret) => [hmacSecret.version, hmacSecret])));
+
+  return true;
+};
+
 export const requestDirectoryCreation = async (
  name: string,
  parentId: "root" | number,
@@ -37,11 +67,15 @@ export const requestFileUpload = async (
  file: File,
  parentId: "root" | number,
  masterKey: MasterKey,
+  hmacSecret: HmacSecret,
 ) => {
  const { dataKey, dataKeyVersion } = await generateDataKey();
-  const fileEncrypted = await encryptData(await file.arrayBuffer(), dataKey);
  const nameEncrypted = await encryptString(file.name, dataKey);

+  const fileBuffer = await file.arrayBuffer();
+  const fileSigned = await signMessageHmac(fileBuffer, hmacSecret.secret);
+  const fileEncrypted = await encryptData(fileBuffer, dataKey);
+
  const form = new FormData();
  form.set(
    "metadata",
@@ -50,6 +84,8 @@ export const requestFileUpload = async (
      mekVersion: masterKey.version,
      dek: await wrapDataKey(dataKey, masterKey.key),
      dekVersion: dataKeyVersion.toISOString(),
+      hskVersion: hmacSecret.version,
+      contentHmac: encodeToBase64(fileSigned),
      contentType: file.type,
      contentIv: fileEncrypted.iv,
      name: nameEncrypted.ciphertext,