암호 키 생성 및 등록시 HSK도 함께 생성 및 등록하도록 변경

src/routes/(fullscreen)/key/export/+page.svelte

@@ -11,7 +11,7 @@
     requestClientRegistration,
     storeClientKeys,
     requestSessionUpgrade,
-    requestInitialMasterKeyRegistration,
+    requestInitialMasterKeyAndHmacSecretRegistration,
   } from "./service";
 
   import IconKey from "~icons/material-symbols/key";
@@ -69,9 +69,13 @@
         throw new Error("Failed to upgrade session");
 
       if (
-        !(await requestInitialMasterKeyRegistration(data.masterKeyWrapped, $clientKeyStore.signKey))
+        !(await requestInitialMasterKeyAndHmacSecretRegistration(
+          data.masterKeyWrapped,
+          data.hmacSecretWrapped,
+          $clientKeyStore.signKey,
+        ))
       )
-        throw new Error("Failed to register initial MEK");
+        throw new Error("Failed to register initial MEK and HSK");
 
       await goto("/client/pending?redirect=" + encodeURIComponent(data.redirectPath));
     } catch (e) {

src/routes/(fullscreen)/key/export/service.ts

@@ -1,7 +1,10 @@
 import { callPostApi } from "$lib/hooks";
 import { storeClientKey } from "$lib/indexedDB";
 import { signMasterKeyWrapped } from "$lib/modules/crypto";
-import type { InitialMasterKeyRegisterRequest } from "$lib/server/schemas";
+import type {
+  InitialMasterKeyRegisterRequest,
+  InitialHmacSecretRegisterRequest,
+} from "$lib/server/schemas";
 import type { ClientKeys } from "$lib/stores";
 
 export { requestSessionUpgrade } from "$lib/services/auth";
@@ -44,13 +47,22 @@ export const storeClientKeys = async (clientKeys: ClientKeys) => {
   ]);
 };
 
-export const requestInitialMasterKeyRegistration = async (
+export const requestInitialMasterKeyAndHmacSecretRegistration = async (
   masterKeyWrapped: string,
+  hmacSecretWrapped: string,
   signKey: CryptoKey,
 ) => {
-  const res = await callPostApi<InitialMasterKeyRegisterRequest>("/api/mek/register/initial", {
+  let res = await callPostApi<InitialMasterKeyRegisterRequest>("/api/mek/register/initial", {
     mek: masterKeyWrapped,
     mekSig: await signMasterKeyWrapped(masterKeyWrapped, 1, signKey),
   });
-  return res.ok || res.status === 409;
+  if (!res.ok) {
+    return res.status === 409;
+  }
+
+  res = await callPostApi<InitialHmacSecretRegisterRequest>("/api/hsk/register/initial", {
+    mekVersion: 1,
+    hsk: hmacSecretWrapped,
+  });
+  return res.ok;
 };

src/routes/(fullscreen)/key/generate/+page.svelte

@@ -6,7 +6,11 @@
   import { gotoStateful } from "$lib/hooks";
   import { clientKeyStore } from "$lib/stores";
   import Order from "./Order.svelte";
-  import { generateClientKeys, generateInitialMasterKey } from "./service";
+  import {
+    generateClientKeys,
+    generateInitialMasterKey,
+    generateInitialHmacSecret,
+  } from "./service";
 
   import IconKey from "~icons/material-symbols/key";
 
@@ -36,12 +40,14 @@
     // TODO: Loading indicator
 
     const { encryptKey, ...clientKeys } = await generateClientKeys();
-    const { masterKeyWrapped } = await generateInitialMasterKey(encryptKey);
+    const { masterKey, masterKeyWrapped } = await generateInitialMasterKey(encryptKey);
+    const { hmacSecretWrapped } = await generateInitialHmacSecret(masterKey);
 
     await gotoStateful("/key/export", {
       ...clientKeys,
       redirectPath: data.redirectPath,
       masterKeyWrapped,
+      hmacSecretWrapped,
     });
   };
 

src/routes/(fullscreen)/key/generate/service.ts

@@ -3,8 +3,11 @@ import {
   generateSigningKeyPair,
   exportRSAKeyToBase64,
   makeRSAKeyNonextractable,
-  generateMasterKey,
   wrapMasterKey,
+  generateMasterKey,
+  makeAESKeyNonextractable,
+  wrapHmacSecret,
+  generateHmacSecret,
 } from "$lib/modules/crypto";
 import { clientKeyStore } from "$lib/stores";
 
@@ -31,6 +34,14 @@ export const generateClientKeys = async () => {
 export const generateInitialMasterKey = async (encryptKey: CryptoKey) => {
   const { masterKey } = await generateMasterKey();
   return {
+    masterKey: await makeAESKeyNonextractable(masterKey),
     masterKeyWrapped: await wrapMasterKey(masterKey, encryptKey),
   };
 };
+
+export const generateInitialHmacSecret = async (masterKey: CryptoKey) => {
+  const { hmacSecret } = await generateHmacSecret();
+  return {
+    hmacSecretWrapped: await wrapHmacSecret(hmacSecret, masterKey),
+  };
+};