DEK를 AES-256-KW를 이용해 암호화하는 것으로 변경

src/lib/server/db/file.ts

@@ -9,7 +9,6 @@ export interface NewDirectroyParams {
   parentId: DirectroyId;
   mekVersion: number;
   encDek: string;
-  encDekIv: string;
   encName: string;
   encNameIv: string;
 }
@@ -30,7 +29,7 @@ export const registerNewDirectory = async (params: NewDirectroyParams) => {
       parentId: params.parentId === "root" ? null : params.parentId,
       userId: params.userId,
       mekVersion: params.mekVersion,
-      encDek: { ciphertext: params.encDek, iv: params.encDekIv },
+      encDek: params.encDek,
       encryptedAt: now,
       encName: { ciphertext: params.encName, iv: params.encNameIv },
     });

src/lib/server/db/schema/file.ts

@@ -4,8 +4,8 @@ import { user } from "./user";
 
 const ciphertext = (name: string) =>
   text(name, { mode: "json" }).$type<{
-    ciphertext: string;
-    iv: string;
+    ciphertext: string; // Base64
+    iv: string; // Base64
   }>();
 
 export const directory = sqliteTable(
@@ -18,7 +18,7 @@ export const directory = sqliteTable(
       .notNull()
       .references(() => user.id),
     mekVersion: integer("master_encryption_key_version").notNull(),
-    encDek: ciphertext("encrypted_data_encryption_key").notNull().unique(),
+    encDek: text("encrypted_data_encryption_key").notNull().unique(), // Base64
     encryptedAt: integer("encrypted_at", { mode: "timestamp_ms" }).notNull(),
     encName: ciphertext("encrypted_name").notNull(),
   },
@@ -45,7 +45,7 @@ export const file = sqliteTable(
       .notNull()
       .references(() => user.id),
     mekVersion: integer("master_encryption_key_version").notNull(),
-    encDek: ciphertext("encrypted_data_encryption_key").notNull().unique(),
+    encDek: text("encrypted_data_encryption_key").notNull().unique(), // Base64
     encryptedAt: integer("encrypted_at", { mode: "timestamp_ms" }).notNull(),
     encName: ciphertext("encrypted_name").notNull(),
   },

src/lib/server/schemas/directory.ts

@@ -1,12 +1,11 @@
 import { z } from "zod";
 
-export const directroyEntriesResponse = z.object({
+export const directroyInfoResponse = z.object({
   metadata: z
     .object({
       createdAt: z.date(),
       mekVersion: z.number().int().positive(),
       dek: z.string().base64().nonempty(),
-      dekIv: z.string().base64().nonempty(),
       name: z.string().base64().nonempty(),
       nameIv: z.string().base64().nonempty(),
     })
@@ -14,13 +13,12 @@ export const directroyEntriesResponse = z.object({
   subDirectories: z.number().int().positive().array(),
   files: z.number().int().positive().array(),
 });
-export type DirectroyEntriesResponse = z.infer<typeof directroyEntriesResponse>;
+export type DirectroyInfoResponse = z.infer<typeof directroyInfoResponse>;
 
 export const directoryCreateRequest = z.object({
   parentId: z.union([z.enum(["root"]), z.number().int().positive()]),
   mekVersion: z.number().int().positive(),
   dek: z.string().base64().nonempty(),
-  dekIv: z.string().base64().nonempty(),
   name: z.string().base64().nonempty(),
   nameIv: z.string().base64().nonempty(),
 });

src/lib/server/services/client.ts

@@ -22,7 +22,7 @@ export const getUserClientList = async (userId: number) => {
   return {
     userClients: userClients.map(({ clientId, state }) => ({
       id: clientId,
-      state,
+      state: state as "pending" | "active",
     })),
   };
 };
@@ -83,7 +83,7 @@ export const getUserClientStatus = async (userId: number, clientId: number) => {
   }
 
   return {
-    state: userClient.state,
+    state: userClient.state as "pending" | "active",
     isInitialMekNeeded: await isInitialMekNeeded(userId),
   };
 };

src/lib/server/services/mek.ts

@@ -8,7 +8,7 @@ export const getClientMekList = async (userId: number, clientId: number) => {
   return {
     encMeks: clientMeks.map((clientMek) => ({
       version: clientMek.master_encryption_key.version,
-      state: clientMek.master_encryption_key.state,
+      state: clientMek.master_encryption_key.state as "active" | "retired",
       encMek: clientMek.client_master_encryption_key.encMek,
       encMekSig: clientMek.client_master_encryption_key.encMekSig,
     })),