암호 키 생성 및 등록시 최초 MEK도 함께 생성 및 등록하도록 구현

src/routes/(fullscreen)/auth/login/service.ts

@@ -1,4 +1,4 @@
-import { exportRSAKeyToBase64 } from "$lib/modules/crypto";
+import { encodeToBase64, exportRSAKey } from "$lib/modules/crypto";
 import { requestPubKeyRegistration } from "../../key/export/service";
 
 const callLoginAPI = async (email: string, password: string, pubKeyBase64?: string) => {
@@ -22,7 +22,7 @@ export const requestLogin = async (
   registerPubKey = true,
 ): Promise<boolean> => {
   const pubKeyBase64 = keyPair
-    ? await exportRSAKeyToBase64(keyPair.publicKey, "public")
+    ? encodeToBase64((await exportRSAKey(keyPair.publicKey, "public")).key)
     : undefined;
   let loginRes = await callLoginAPI(email, password, pubKeyBase64);
   if (loginRes.ok) {

src/routes/(fullscreen)/key/export/+page.svelte

@@ -9,8 +9,9 @@
   import {
     createBlobFromKeyPairBase64,
     requestPubKeyRegistration,
-    requestTokenUpgrade,
     storeKeyPairPersistently,
+    requestTokenUpgrade,
+    requestInitialMekRegistration,
   } from "./service";
 
   import IconKey from "~icons/material-symbols/key";
@@ -39,16 +40,22 @@
     isBeforeContinueModalOpen = false;
     isBeforeContinueBottomSheetOpen = false;
 
-    if (await requestPubKeyRegistration(data.pubKeyBase64, $keyPairStore.privateKey)) {
+    try {
+      if (!(await requestPubKeyRegistration(data.pubKeyBase64, $keyPairStore.privateKey)))
+        throw new Error("Failed to register public key");
+
       await storeKeyPairPersistently($keyPairStore);
 
-      if (await requestTokenUpgrade(data.pubKeyBase64)) {
-        await goto(data.redirectPath);
-      } else {
-        // TODO: Error handling
-      }
-    } else {
+      if (!(await requestTokenUpgrade(data.pubKeyBase64)))
+        throw new Error("Failed to upgrade token");
+
+      if (!(await requestInitialMekRegistration(data.mekDraft, $keyPairStore.publicKey)))
+        throw new Error("Failed to register initial MEK");
+
+      await goto(data.redirectPath);
+    } catch (e) {
       // TODO: Error handling
+      throw e;
     }
   };
 </script>

src/routes/(fullscreen)/key/export/service.ts

@@ -1,6 +1,11 @@
 import { callAPI } from "$lib/hooks";
 import { storeKeyPairIntoIndexedDB } from "$lib/indexedDB";
-import { decryptRSACiphertext } from "$lib/modules/crypto";
+import {
+  encodeToBase64,
+  decodeFromBase64,
+  encryptRSAPlaintext,
+  decryptRSACiphertext,
+} from "$lib/modules/crypto";
 
 export const createBlobFromKeyPairBase64 = (pubKeyBase64: string, privKeyBase64: string) => {
   const pubKeyFormatted = pubKeyBase64.match(/.{1,64}/g)?.join("\n");
@@ -26,18 +31,22 @@ export const requestPubKeyRegistration = async (pubKeyBase64: string, privateKey
 
   const data = await res.json();
   const challenge = data.challenge as string;
-  const answer = await decryptRSACiphertext(challenge, privateKey);
+  const answer = await decryptRSACiphertext(decodeFromBase64(challenge), privateKey);
 
   res = await callAPI("/api/client/verify", {
     method: "POST",
     headers: {
       "Content-Type": "application/json",
     },
-    body: JSON.stringify({ answer }),
+    body: JSON.stringify({ answer: encodeToBase64(answer) }),
   });
   return res.ok;
 };
 
+export const storeKeyPairPersistently = async (keyPair: CryptoKeyPair) => {
+  await storeKeyPairIntoIndexedDB(keyPair.publicKey, keyPair.privateKey);
+};
+
 export const requestTokenUpgrade = async (pubKeyBase64: string) => {
   const res = await fetch("/api/auth/upgradeToken", {
     method: "POST",
@@ -49,6 +58,17 @@ export const requestTokenUpgrade = async (pubKeyBase64: string) => {
   return res.ok;
 };
 
-export const storeKeyPairPersistently = async (keyPair: CryptoKeyPair) => {
-  await storeKeyPairIntoIndexedDB(keyPair.publicKey, keyPair.privateKey);
+export const requestInitialMekRegistration = async (
+  mekDraft: ArrayBuffer,
+  publicKey: CryptoKey,
+) => {
+  const mekDraftEncrypted = await encryptRSAPlaintext(mekDraft, publicKey);
+  const res = await callAPI("/api/mek/register/initial", {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+    },
+    body: JSON.stringify({ mek: encodeToBase64(mekDraftEncrypted) }),
+  });
+  return res.ok || res.status === 403;
 };

src/routes/(fullscreen)/key/generate/+page.svelte

@@ -5,7 +5,7 @@
   import { gotoStateful } from "$lib/hooks";
   import { keyPairStore } from "$lib/stores";
   import Order from "./Order.svelte";
-  import { generateKeyPair } from "./service";
+  import { generateKeyPair, generateMekDraft } from "./service";
 
   import IconKey from "~icons/material-symbols/key";
 
@@ -33,11 +33,14 @@
   const generate = async () => {
     // TODO: Loading indicator
 
-    const keyPair = await generateKeyPair();
+    const { pubKeyBase64, privKeyBase64 } = await generateKeyPair();
+    const { mekDraft } = await generateMekDraft();
+
     await gotoStateful("/key/export", {
       redirectPath: data.redirectPath,
-      pubKeyBase64: keyPair.pubKeyBase64,
-      privKeyBase64: keyPair.privKeyBase64,
+      pubKeyBase64,
+      privKeyBase64,
+      mekDraft,
     });
   };
 

src/routes/(fullscreen)/key/generate/service.ts

@@ -1,9 +1,13 @@
 import {
+  encodeToBase64,
   generateRSAKeyPair,
   makeRSAKeyNonextractable,
-  exportRSAKeyToBase64,
+  exportRSAKey,
+  generateAESKey,
+  makeAESKeyNonextractable,
+  exportAESKey,
 } from "$lib/modules/crypto";
-import { keyPairStore } from "$lib/stores";
+import { keyPairStore, mekStore } from "$lib/stores";
 
 export const generateKeyPair = async () => {
   const keyPair = await generateRSAKeyPair();
@@ -15,7 +19,21 @@ export const generateKeyPair = async () => {
   });
 
   return {
-    pubKeyBase64: await exportRSAKeyToBase64(keyPair.publicKey, "public"),
-    privKeyBase64: await exportRSAKeyToBase64(keyPair.privateKey, "private"),
+    pubKeyBase64: encodeToBase64((await exportRSAKey(keyPair.publicKey, "public")).key),
+    privKeyBase64: encodeToBase64((await exportRSAKey(keyPair.privateKey, "private")).key),
+  };
+};
+
+export const generateMekDraft = async () => {
+  const mek = await generateAESKey();
+  const mekSecured = await makeAESKeyNonextractable(mek);
+
+  mekStore.update((meks) => {
+    meks.set(meks.size, mekSecured);
+    return meks;
+  });
+
+  return {
+    mekDraft: await exportAESKey(mek),
   };
 };