Request 서명 시스템 삭제

보안에 큰 도움이 되지 않는다고 판단하여 삭제하였습니다. 판단 근거는 다음과 같습니다.

1. Web Crypto API는 HTTPS 환경에서만 사용할 수 있음
2. 프론트엔드와 백엔드가 하나의 서버에서 제공되므로, 리버스 프록시에 의한 중간자 공격을 받지 않는가에 대한 직관적인 검증이 불가능함
3. 신뢰할 수 없는 리버스 프록시는 애초에 사용하지 않는 것이 맞음

다만 MEK에 대한 서명 등은 그대로 유지됩니다.

src/routes/(main)/directory/[[id]]/+page.svelte

@@ -10,7 +10,7 @@
   import { goto } from "$app/navigation";
   import { TopBar } from "$lib/components";
   import { FloatingButton } from "$lib/components/buttons";
-  import { clientKeyStore, masterKeyStore } from "$lib/stores";
+  import { masterKeyStore } from "$lib/stores";
   import CreateBottomSheet from "./CreateBottomSheet.svelte";
   import CreateDirectoryModal from "./CreateDirectoryModal.svelte";
   import DeleteDirectoryEntryModal from "./DeleteDirectoryEntryModal.svelte";
@@ -81,12 +81,7 @@
   });
 
   const createDirectory = async (name: string) => {
-    await requestDirectroyCreation(
-      name,
-      data.id,
-      $masterKeyStore?.get(1)!,
-      $clientKeyStore?.signKey!,
-    );
+    await requestDirectroyCreation(name, data.id, $masterKeyStore?.get(1)!);
     isCreateDirectoryModalOpen = false;
   };
 
@@ -94,7 +89,7 @@
     const file = fileInput?.files?.[0];
     if (!file) return;
 
-    requestFileUpload(file, data.id, $masterKeyStore?.get(1)!, $clientKeyStore?.signKey!);
+    requestFileUpload(file, data.id, $masterKeyStore?.get(1)!);
   };
 </script>
 

src/routes/(main)/directory/[[id]]/service.ts

@@ -1,4 +1,4 @@
-import { callSignedPostApi } from "$lib/hooks";
+import { callPostApi } from "$lib/hooks";
 import {
   encodeToBase64,
   generateDataKey,
@@ -7,8 +7,6 @@ import {
   encryptData,
   encryptString,
   decryptString,
-  digestMessage,
-  signRequestBody,
 } from "$lib/modules/crypto";
 import type {
   DirectroyInfoResponse,
@@ -33,49 +31,38 @@ export const requestDirectroyCreation = async (
   name: string,
   parentId: "root" | number,
   masterKey: MasterKey,
-  signKey: CryptoKey,
 ) => {
   const { dataKey } = await generateDataKey();
   const nameEncrypted = await encryptData(new TextEncoder().encode(name), dataKey);
-  return await callSignedPostApi<DirectoryCreateRequest>(
-    "/api/directory/create",
-    {
-      parentId,
-      mekVersion: masterKey.version,
-      dek: await wrapDataKey(dataKey, masterKey.key),
-      name: encodeToBase64(nameEncrypted.ciphertext),
-      nameIv: nameEncrypted.iv,
-    },
-    signKey,
-  );
+  return await callPostApi<DirectoryCreateRequest>("/api/directory/create", {
+    parentId,
+    mekVersion: masterKey.version,
+    dek: await wrapDataKey(dataKey, masterKey.key),
+    name: encodeToBase64(nameEncrypted.ciphertext),
+    nameIv: nameEncrypted.iv,
+  });
 };
 
 export const requestFileUpload = async (
   file: File,
   parentId: "root" | number,
   masterKey: MasterKey,
-  signKey: CryptoKey,
 ) => {
   const { dataKey } = await generateDataKey();
   const fileEncrypted = await encryptData(await file.arrayBuffer(), dataKey);
-  const fileEncryptedHash = await digestMessage(fileEncrypted.ciphertext);
   const nameEncrypted = await encryptString(file.name, dataKey);
 
   const form = new FormData();
   form.set(
     "metadata",
-    await signRequestBody<FileUploadRequest>(
-      {
-        parentId,
-        mekVersion: masterKey.version,
-        dek: await wrapDataKey(dataKey, masterKey.key),
-        contentHash: encodeToBase64(fileEncryptedHash),
-        contentIv: fileEncrypted.iv,
-        name: nameEncrypted.ciphertext,
-        nameIv: nameEncrypted.iv,
-      },
-      signKey,
-    ),
+    JSON.stringify({
+      parentId,
+      mekVersion: masterKey.version,
+      dek: await wrapDataKey(dataKey, masterKey.key),
+      contentIv: fileEncrypted.iv,
+      name: nameEncrypted.ciphertext,
+      nameIv: nameEncrypted.iv,
+    } satisfies FileUploadRequest),
   );
   form.set("content", new Blob([fileEncrypted.ciphertext]));