암호 키 생성 및 등록시 최초 MEK도 함께 생성 및 등록하도록 구현

2025-12-12 21:08:46 +00:00 · 2024-12-30 01:59:09 +09:00
parent d39931c79a
commit 941e2a49bc
10 changed files with 133 additions and 40 deletions
--- a/src/lib/hooks/gotoStateful.ts
+++ b/src/lib/hooks/gotoStateful.ts
@@ -6,6 +6,7 @@ interface KeyExportState {
  redirectPath: string;
  pubKeyBase64: string;
  privKeyBase64: string;
+  mekDraft: ArrayBuffer;
 }

 const useAutoNull = <T>(value: T | null) => {
--- a/src/lib/modules/crypto.ts
+++ b/src/lib/modules/crypto.ts
@@ -1,5 +1,13 @@
 export type RSAKeyType = "public" | "private";

+export const encodeToBase64 = (data: ArrayBuffer) => {
+  return btoa(String.fromCharCode(...new Uint8Array(data)));
+};
+
+export const decodeFromBase64 = (data: string) => {
+  return Uint8Array.from(atob(data), (c) => c.charCodeAt(0)).buffer;
+};
+
 export const generateRSAKeyPair = async () => {
  const keyPair = await window.crypto.subtle.generateKey(
    {
@@ -15,36 +23,71 @@ export const generateRSAKeyPair = async () => {
 };

 export const makeRSAKeyNonextractable = async (key: CryptoKey, type: RSAKeyType) => {
-  const format = type === "public" ? "spki" : "pkcs8";
-  const keyUsage = type === "public" ? "encrypt" : "decrypt";
+  const { format, key: exportedKey } = await exportRSAKey(key, type);
  return await window.crypto.subtle.importKey(
    format,
-    await window.crypto.subtle.exportKey(format, key),
+    exportedKey,
    {
      name: "RSA-OAEP",
      hash: "SHA-256",
    } satisfies RsaHashedImportParams,
    false,
-    [keyUsage],
+    [type === "public" ? "encrypt" : "decrypt"],
  );
 };

-export const exportRSAKeyToBase64 = async (key: CryptoKey, type: RSAKeyType) => {
-  const exportedKey = await window.crypto.subtle.exportKey(
-    type === "public" ? "spki" : "pkcs8",
-    key,
-  );
-  return btoa(String.fromCharCode(...new Uint8Array(exportedKey)));
+export const exportRSAKey = async (key: CryptoKey, type: RSAKeyType) => {
+  const format = type === "public" ? ("spki" as const) : ("pkcs8" as const);
+  return {
+    format,
+    key: await window.crypto.subtle.exportKey(format, key),
+  };
 };

-export const decryptRSACiphertext = async (ciphertext: string, privateKey: CryptoKey) => {
-  const ciphertextBuffer = Uint8Array.from(atob(ciphertext), (c) => c.charCodeAt(0));
-  const plaintext = await window.crypto.subtle.decrypt(
+export const encryptRSAPlaintext = async (plaintext: ArrayBuffer, publicKey: CryptoKey) => {
+  return await window.crypto.subtle.encrypt(
+    {
+      name: "RSA-OAEP",
+    } satisfies RsaOaepParams,
+    publicKey,
+    plaintext,
+  );
+};
+
+export const decryptRSACiphertext = async (ciphertext: ArrayBuffer, privateKey: CryptoKey) => {
+  return await window.crypto.subtle.decrypt(
    {
      name: "RSA-OAEP",
    } satisfies RsaOaepParams,
    privateKey,
-    ciphertextBuffer,
+    ciphertext,
  );
-  return btoa(String.fromCharCode(...new Uint8Array(plaintext)));
+};
+
+export const generateAESKey = async () => {
+  return await window.crypto.subtle.generateKey(
+    {
+      name: "AES-GCM",
+      length: 256,
+    } satisfies AesKeyGenParams,
+    true,
+    ["encrypt", "decrypt"],
+  );
+};
+
+export const makeAESKeyNonextractable = async (key: CryptoKey) => {
+  return await window.crypto.subtle.importKey(
+    "raw",
+    await exportAESKey(key),
+    {
+      name: "AES-GCM",
+      length: 256,
+    } satisfies AesKeyAlgorithm,
+    false,
+    ["encrypt", "decrypt"],
+  );
+};
+
+export const exportAESKey = async (key: CryptoKey) => {
+  return await window.crypto.subtle.exportKey("raw", key);
 };
--- a/src/lib/server/db/client.ts
+++ b/src/lib/server/db/client.ts
@@ -1,4 +1,4 @@
-import { and, eq, gt, lte, count } from "drizzle-orm";
+import { and, eq, gt, lte } from "drizzle-orm";
 import db from "./drizzle";
 import { client, userClient, userClientChallenge } from "./schema";

--- a/src/lib/stores/key.ts
+++ b/src/lib/stores/key.ts
@@ -1,3 +1,4 @@
 import { writable } from "svelte/store";

 export const keyPairStore = writable<CryptoKeyPair | null>(null);
+export const mekStore = writable<Map<number, CryptoKey>>(new Map());
--- a/src/routes/(fullscreen)/auth/login/service.ts
+++ b/src/routes/(fullscreen)/auth/login/service.ts
@@ -1,4 +1,4 @@
-import { exportRSAKeyToBase64 } from "$lib/modules/crypto";
+import { encodeToBase64, exportRSAKey } from "$lib/modules/crypto";
 import { requestPubKeyRegistration } from "../../key/export/service";

 const callLoginAPI = async (email: string, password: string, pubKeyBase64?: string) => {
@@ -22,7 +22,7 @@ export const requestLogin = async (
  registerPubKey = true,
 ): Promise<boolean> => {
  const pubKeyBase64 = keyPair
-    ? await exportRSAKeyToBase64(keyPair.publicKey, "public")
+    ? encodeToBase64((await exportRSAKey(keyPair.publicKey, "public")).key)
    : undefined;
  let loginRes = await callLoginAPI(email, password, pubKeyBase64);
  if (loginRes.ok) {
--- a/src/routes/(fullscreen)/key/export/+page.svelte
+++ b/src/routes/(fullscreen)/key/export/+page.svelte
@@ -9,8 +9,9 @@
  import {
    createBlobFromKeyPairBase64,
    requestPubKeyRegistration,
-    requestTokenUpgrade,
    storeKeyPairPersistently,
+    requestTokenUpgrade,
+    requestInitialMekRegistration,
  } from "./service";

  import IconKey from "~icons/material-symbols/key";
@@ -39,16 +40,22 @@
    isBeforeContinueModalOpen = false;
    isBeforeContinueBottomSheetOpen = false;

-    if (await requestPubKeyRegistration(data.pubKeyBase64, $keyPairStore.privateKey)) {
+    try {
+      if (!(await requestPubKeyRegistration(data.pubKeyBase64, $keyPairStore.privateKey)))
+        throw new Error("Failed to register public key");
+
      await storeKeyPairPersistently($keyPairStore);

-      if (await requestTokenUpgrade(data.pubKeyBase64)) {
-        await goto(data.redirectPath);
-      } else {
-        // TODO: Error handling
-      }
-    } else {
+      if (!(await requestTokenUpgrade(data.pubKeyBase64)))
+        throw new Error("Failed to upgrade token");
+
+      if (!(await requestInitialMekRegistration(data.mekDraft, $keyPairStore.publicKey)))
+        throw new Error("Failed to register initial MEK");
+
+      await goto(data.redirectPath);
+    } catch (e) {
      // TODO: Error handling
+      throw e;
    }
  };
 </script>
--- a/src/routes/(fullscreen)/key/export/service.ts
+++ b/src/routes/(fullscreen)/key/export/service.ts
@@ -1,6 +1,11 @@
 import { callAPI } from "$lib/hooks";
 import { storeKeyPairIntoIndexedDB } from "$lib/indexedDB";
-import { decryptRSACiphertext } from "$lib/modules/crypto";
+import {
+  encodeToBase64,
+  decodeFromBase64,
+  encryptRSAPlaintext,
+  decryptRSACiphertext,
+} from "$lib/modules/crypto";

 export const createBlobFromKeyPairBase64 = (pubKeyBase64: string, privKeyBase64: string) => {
  const pubKeyFormatted = pubKeyBase64.match(/.{1,64}/g)?.join("\n");
@@ -26,18 +31,22 @@ export const requestPubKeyRegistration = async (pubKeyBase64: string, privateKey

  const data = await res.json();
  const challenge = data.challenge as string;
-  const answer = await decryptRSACiphertext(challenge, privateKey);
+  const answer = await decryptRSACiphertext(decodeFromBase64(challenge), privateKey);

  res = await callAPI("/api/client/verify", {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
    },
-    body: JSON.stringify({ answer }),
+    body: JSON.stringify({ answer: encodeToBase64(answer) }),
  });
  return res.ok;
 };

+export const storeKeyPairPersistently = async (keyPair: CryptoKeyPair) => {
+  await storeKeyPairIntoIndexedDB(keyPair.publicKey, keyPair.privateKey);
+};
+
 export const requestTokenUpgrade = async (pubKeyBase64: string) => {
  const res = await fetch("/api/auth/upgradeToken", {
    method: "POST",
@@ -49,6 +58,17 @@ export const requestTokenUpgrade = async (pubKeyBase64: string) => {
  return res.ok;
 };

-export const storeKeyPairPersistently = async (keyPair: CryptoKeyPair) => {
-  await storeKeyPairIntoIndexedDB(keyPair.publicKey, keyPair.privateKey);
+export const requestInitialMekRegistration = async (
+  mekDraft: ArrayBuffer,
+  publicKey: CryptoKey,
+) => {
+  const mekDraftEncrypted = await encryptRSAPlaintext(mekDraft, publicKey);
+  const res = await callAPI("/api/mek/register/initial", {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+    },
+    body: JSON.stringify({ mek: encodeToBase64(mekDraftEncrypted) }),
+  });
+  return res.ok || res.status === 403;
 };
--- a/src/routes/(fullscreen)/key/generate/+page.svelte
+++ b/src/routes/(fullscreen)/key/generate/+page.svelte
@@ -5,7 +5,7 @@
  import { gotoStateful } from "$lib/hooks";
  import { keyPairStore } from "$lib/stores";
  import Order from "./Order.svelte";
-  import { generateKeyPair } from "./service";
+  import { generateKeyPair, generateMekDraft } from "./service";

  import IconKey from "~icons/material-symbols/key";

@@ -33,11 +33,14 @@
  const generate = async () => {
    // TODO: Loading indicator

-    const keyPair = await generateKeyPair();
+    const { pubKeyBase64, privKeyBase64 } = await generateKeyPair();
+    const { mekDraft } = await generateMekDraft();
+
    await gotoStateful("/key/export", {
      redirectPath: data.redirectPath,
-      pubKeyBase64: keyPair.pubKeyBase64,
-      privKeyBase64: keyPair.privKeyBase64,
+      pubKeyBase64,
+      privKeyBase64,
+      mekDraft,
    });
  };

--- a/src/routes/(fullscreen)/key/generate/service.ts
+++ b/src/routes/(fullscreen)/key/generate/service.ts
@@ -1,9 +1,13 @@
 import {
+  encodeToBase64,
  generateRSAKeyPair,
  makeRSAKeyNonextractable,
-  exportRSAKeyToBase64,
+  exportRSAKey,
+  generateAESKey,
+  makeAESKeyNonextractable,
+  exportAESKey,
 } from "$lib/modules/crypto";
-import { keyPairStore } from "$lib/stores";
+import { keyPairStore, mekStore } from "$lib/stores";

 export const generateKeyPair = async () => {
  const keyPair = await generateRSAKeyPair();
@@ -15,7 +19,21 @@ export const generateKeyPair = async () => {
  });

  return {
-    pubKeyBase64: await exportRSAKeyToBase64(keyPair.publicKey, "public"),
-    privKeyBase64: await exportRSAKeyToBase64(keyPair.privateKey, "private"),
+    pubKeyBase64: encodeToBase64((await exportRSAKey(keyPair.publicKey, "public")).key),
+    privKeyBase64: encodeToBase64((await exportRSAKey(keyPair.privateKey, "private")).key),
+  };
+};
+
+export const generateMekDraft = async () => {
+  const mek = await generateAESKey();
+  const mekSecured = await makeAESKeyNonextractable(mek);
+
+  mekStore.update((meks) => {
+    meks.set(meks.size, mekSecured);
+    return meks;
+  });
+
+  return {
+    mekDraft: await exportAESKey(mek),
  };
 };
--- a/src/routes/api/mek/list/+server.ts
+++ b/src/routes/api/mek/list/+server.ts
@@ -1,4 +1,4 @@
-import { error, json } from "@sveltejs/kit";
+import { json } from "@sveltejs/kit";
 import { authorize } from "$lib/server/modules/auth";
 import { getClientMekList } from "$lib/server/services/mek";
 import type { RequestHandler } from "@sveltejs/kit";