1
0
mirror of https://github.com/laurent22/joplin.git synced 2024-12-12 08:54:00 +02:00
joplin/packages/lib/services/e2ee/EncryptionService.ts

638 lines
21 KiB
TypeScript

import { MasterKeyEntity } from './types';
import Logger from '../../Logger';
import shim from '../../shim';
import Setting from '../../models/Setting';
import MasterKey from '../../models/MasterKey';
import BaseItem from '../../models/BaseItem';
import JoplinError from '../../JoplinError';
import { getActiveMasterKeyId, setActiveMasterKeyId } from '../synchronizer/syncInfoUtils';
const { padLeft } = require('../../string-utils.js');
const logger = Logger.create('EncryptionService');
function hexPad(s: string, length: number) {
return padLeft(s, length, '0');
}
export function isValidHeaderIdentifier(id: string, ignoreTooLongLength = false) {
if (!id) return false;
if (!ignoreTooLongLength && id.length !== 5) return false;
return /JED\d\d/.test(id);
}
interface DecryptedMasterKey {
updatedTime: number;
plainText: string;
}
export default class EncryptionService {
public static instance_: EncryptionService = null;
public static METHOD_SJCL_2 = 2;
public static METHOD_SJCL_3 = 3;
public static METHOD_SJCL_4 = 4;
public static METHOD_SJCL_1A = 5;
public static METHOD_SJCL = 1;
public static fsDriver_: any = null;
// Note: 1 MB is very slow with Node and probably even worse on mobile.
//
// On mobile the time it takes to decrypt increases exponentially for some reason, so it's important
// to have a relatively small size so as not to freeze the app. For example, on Android 7.1 simulator
// with 4.1 GB RAM, it takes this much to decrypt a block;
//
// 50KB => 1000 ms
// 25KB => 250ms
// 10KB => 200ms
// 5KB => 10ms
//
// So making the block 10 times smaller make it 100 times faster! So for now using 5KB. This can be
// changed easily since the chunk size is incorporated into the encrypted data.
private chunkSize_ = 5000;
private decryptedMasterKeys_: Record<string, DecryptedMasterKey> = {};
public defaultEncryptionMethod_ = EncryptionService.METHOD_SJCL_1A; // public because used in tests
private defaultMasterKeyEncryptionMethod_ = EncryptionService.METHOD_SJCL_4;
private headerTemplates_ = {
// Template version 1
1: {
// Fields are defined as [name, valueSize, valueType]
fields: [['encryptionMethod', 2, 'int'], ['masterKeyId', 32, 'hex']],
},
};
constructor() {
// Note: 1 MB is very slow with Node and probably even worse on mobile.
//
// On mobile the time it takes to decrypt increases exponentially for some reason, so it's important
// to have a relatively small size so as not to freeze the app. For example, on Android 7.1 simulator
// with 4.1 GB RAM, it takes this much to decrypt a block;
//
// 50KB => 1000 ms
// 25KB => 250ms
// 10KB => 200ms
// 5KB => 10ms
//
// So making the block 10 times smaller make it 100 times faster! So for now using 5KB. This can be
// changed easily since the chunk size is incorporated into the encrypted data.
this.chunkSize_ = 5000;
this.decryptedMasterKeys_ = {};
this.defaultEncryptionMethod_ = EncryptionService.METHOD_SJCL_1A;
this.defaultMasterKeyEncryptionMethod_ = EncryptionService.METHOD_SJCL_4;
this.headerTemplates_ = {
// Template version 1
1: {
// Fields are defined as [name, valueSize, valueType]
fields: [['encryptionMethod', 2, 'int'], ['masterKeyId', 32, 'hex']],
},
};
}
public static instance() {
if (this.instance_) return this.instance_;
this.instance_ = new EncryptionService();
return this.instance_;
}
loadedMasterKeysCount() {
return Object.keys(this.decryptedMasterKeys_).length;
}
chunkSize() {
return this.chunkSize_;
}
defaultEncryptionMethod() {
return this.defaultEncryptionMethod_;
}
setActiveMasterKeyId(id: string) {
setActiveMasterKeyId(id);
}
activeMasterKeyId() {
const id = getActiveMasterKeyId();
if (!id) {
const error: any = new Error('No master key is defined as active. Check this: Either one or more master keys exist but no password was provided for any of them. Or no master key exist. Or master keys and password exist, but none was set as active.');
error.code = 'noActiveMasterKey';
throw error;
}
return id;
}
public isMasterKeyLoaded(masterKey: MasterKeyEntity) {
const d = this.decryptedMasterKeys_[masterKey.id];
if (!d) return false;
return d.updatedTime === masterKey.updated_time;
}
public async loadMasterKey(model: MasterKeyEntity, password: string, makeActive = false) {
if (!model.id) throw new Error('Master key does not have an ID - save it first');
logger.info(`Loading master key: ${model.id}. Make active:`, makeActive);
this.decryptedMasterKeys_[model.id] = {
plainText: await this.decryptMasterKey_(model, password),
updatedTime: model.updated_time,
};
if (makeActive) this.setActiveMasterKeyId(model.id);
}
unloadMasterKey(model: MasterKeyEntity) {
delete this.decryptedMasterKeys_[model.id];
}
loadedMasterKey(id: string) {
if (!this.decryptedMasterKeys_[id]) {
const error: any = new Error(`Master key is not loaded: ${id}`);
error.code = 'masterKeyNotLoaded';
error.masterKeyId = id;
throw error;
}
return this.decryptedMasterKeys_[id];
}
loadedMasterKeyIds() {
return Object.keys(this.decryptedMasterKeys_);
}
fsDriver() {
if (!EncryptionService.fsDriver_) throw new Error('EncryptionService.fsDriver_ not set!');
return EncryptionService.fsDriver_;
}
sha256(string: string) {
const sjcl = shim.sjclModule;
const bitArray = sjcl.hash.sha256.hash(string);
return sjcl.codec.hex.fromBits(bitArray);
}
async generateApiToken() {
return await this.randomHexString(64);
}
async randomHexString(byteCount: number) {
const bytes: any[] = await shim.randomBytes(byteCount);
return bytes
.map(a => {
return hexPad(a.toString(16), 2);
})
.join('');
}
masterKeysThatNeedUpgrading(masterKeys: MasterKeyEntity[]) {
const output = MasterKey.allWithoutEncryptionMethod(masterKeys, this.defaultMasterKeyEncryptionMethod_);
// Anything below 5 is a new encryption method and doesn't need an upgrade
return output.filter(mk => mk.encryption_method <= 5);
}
async upgradeMasterKey(model: MasterKeyEntity, decryptionPassword: string) {
const newEncryptionMethod = this.defaultMasterKeyEncryptionMethod_;
const plainText = await this.decryptMasterKey_(model, decryptionPassword);
const newContent = await this.encryptMasterKeyContent_(newEncryptionMethod, plainText, decryptionPassword);
return { ...model, ...newContent };
}
async encryptMasterKeyContent_(encryptionMethod: number, hexaBytes: any, password: string): Promise<MasterKeyEntity> {
// Checksum is not necessary since decryption will already fail if data is invalid
const checksum = encryptionMethod === EncryptionService.METHOD_SJCL_2 ? this.sha256(hexaBytes) : '';
const cipherText = await this.encrypt(encryptionMethod, password, hexaBytes);
return {
checksum: checksum,
encryption_method: encryptionMethod,
content: cipherText,
};
}
async generateMasterKeyContent_(password: string, options: any = null) {
options = Object.assign({}, {
encryptionMethod: this.defaultMasterKeyEncryptionMethod_,
}, options);
const bytes: any[] = await shim.randomBytes(256);
const hexaBytes = bytes.map(a => hexPad(a.toString(16), 2)).join('');
return this.encryptMasterKeyContent_(options.encryptionMethod, hexaBytes, password);
}
async generateMasterKey(password: string, options: any = null) {
const model = await this.generateMasterKeyContent_(password, options);
const now = Date.now();
model.created_time = now;
model.updated_time = now;
model.source_application = Setting.value('appId');
return model;
}
public async decryptMasterKey_(model: MasterKeyEntity, password: string): Promise<string> {
const plainText = await this.decrypt(model.encryption_method, password, model.content);
if (model.encryption_method === EncryptionService.METHOD_SJCL_2) {
const checksum = this.sha256(plainText);
if (checksum !== model.checksum) throw new Error('Could not decrypt master key (checksum failed)');
}
return plainText;
}
public async checkMasterKeyPassword(model: MasterKeyEntity, password: string) {
try {
await this.decryptMasterKey_(model, password);
} catch (error) {
return false;
}
return true;
}
private wrapSjclError(sjclError: any) {
const error = new Error(sjclError.message);
error.stack = sjclError.stack;
return error;
}
async encrypt(method: number, key: string, plainText: string) {
if (!method) throw new Error('Encryption method is required');
if (!key) throw new Error('Encryption key is required');
const sjcl = shim.sjclModule;
// 2020-01-23: Deprecated and no longer secure due to the use og OCB2 mode - do not use.
if (method === EncryptionService.METHOD_SJCL) {
try {
// Good demo to understand each parameter: https://bitwiseshiftleft.github.io/sjcl/demo/
return sjcl.json.encrypt(key, plainText, {
v: 1, // version
iter: 1000, // Defaults to 1000 in sjcl but since we're running this on mobile devices, use a lower value. Maybe review this after some time. https://security.stackexchange.com/questions/3959/recommended-of-iterations-when-using-pkbdf2-sha256
ks: 128, // Key size - "128 bits should be secure enough"
ts: 64, // ???
mode: 'ocb2', // The cipher mode is a standard for how to use AES and other algorithms to encrypt and authenticate your message. OCB2 mode is slightly faster and has more features, but CCM mode has wider support because it is not patented.
// "adata":"", // Associated Data - not needed?
cipher: 'aes',
});
} catch (error) {
throw this.wrapSjclError(error);
}
}
// 2020-03-06: Added method to fix https://github.com/laurent22/joplin/issues/2591
// Also took the opportunity to change number of key derivations, per Isaac Potoczny's suggestion
if (method === EncryptionService.METHOD_SJCL_1A) {
try {
// We need to escape the data because SJCL uses encodeURIComponent to process the data and it only
// accepts UTF-8 data, or else it throws an error. And the notes might occasionally contain
// invalid UTF-8 data. Fixes https://github.com/laurent22/joplin/issues/2591
return sjcl.json.encrypt(key, escape(plainText), {
v: 1, // version
iter: 101, // Since the master key already uses key derivations and is secure, additional iteration here aren't necessary, which will make decryption faster. SJCL enforces an iter strictly greater than 100
ks: 128, // Key size - "128 bits should be secure enough"
ts: 64, // ???
mode: 'ccm', // The cipher mode is a standard for how to use AES and other algorithms to encrypt and authenticate your message. OCB2 mode is slightly faster and has more features, but CCM mode has wider support because it is not patented.
// "adata":"", // Associated Data - not needed?
cipher: 'aes',
});
} catch (error) {
throw this.wrapSjclError(error);
}
}
// 2020-01-23: Deprectated - see above.
// Was used to encrypt master keys
if (method === EncryptionService.METHOD_SJCL_2) {
try {
return sjcl.json.encrypt(key, plainText, {
v: 1,
iter: 10000,
ks: 256,
ts: 64,
mode: 'ocb2',
cipher: 'aes',
});
} catch (error) {
throw this.wrapSjclError(error);
}
}
if (method === EncryptionService.METHOD_SJCL_3) {
try {
// Good demo to understand each parameter: https://bitwiseshiftleft.github.io/sjcl/demo/
return sjcl.json.encrypt(key, plainText, {
v: 1, // version
iter: 1000, // Defaults to 1000 in sjcl. Since we're running this on mobile devices we need to be careful it doesn't affect performances too much. Maybe review this after some time. https://security.stackexchange.com/questions/3959/recommended-of-iterations-when-using-pkbdf2-sha256
ks: 128, // Key size - "128 bits should be secure enough"
ts: 64, // ???
mode: 'ccm', // The cipher mode is a standard for how to use AES and other algorithms to encrypt and authenticate your message. OCB2 mode is slightly faster and has more features, but CCM mode has wider support because it is not patented.
// "adata":"", // Associated Data - not needed?
cipher: 'aes',
});
} catch (error) {
throw this.wrapSjclError(error);
}
}
// Same as above but more secure (but slower) to encrypt master keys
if (method === EncryptionService.METHOD_SJCL_4) {
try {
return sjcl.json.encrypt(key, plainText, {
v: 1,
iter: 10000,
ks: 256,
ts: 64,
mode: 'ccm',
cipher: 'aes',
});
} catch (error) {
throw this.wrapSjclError(error);
}
}
throw new Error(`Unknown encryption method: ${method}`);
}
async decrypt(method: number, key: string, cipherText: string) {
if (!method) throw new Error('Encryption method is required');
if (!key) throw new Error('Encryption key is required');
const sjcl = shim.sjclModule;
if (!this.isValidEncryptionMethod(method)) throw new Error(`Unknown decryption method: ${method}`);
try {
const output = sjcl.json.decrypt(key, cipherText);
if (method === EncryptionService.METHOD_SJCL_1A) {
return unescape(output);
} else {
return output;
}
} catch (error) {
// SJCL returns a string as error which means stack trace is missing so convert to an error object here
throw new Error(error.message);
}
}
async encryptAbstract_(source: any, destination: any, options: any = null) {
options = Object.assign({}, {
encryptionMethod: this.defaultEncryptionMethod(),
}, options);
const method = options.encryptionMethod;
const masterKeyId = this.activeMasterKeyId();
const masterKeyPlainText = this.loadedMasterKey(masterKeyId).plainText;
const header = {
encryptionMethod: method,
masterKeyId: masterKeyId,
};
await destination.append(this.encodeHeader_(header));
let doneSize = 0;
while (true) {
const block = await source.read(this.chunkSize_);
if (!block) break;
doneSize += this.chunkSize_;
if (options.onProgress) options.onProgress({ doneSize: doneSize });
// Wait for a frame so that the app remains responsive in mobile.
// https://corbt.com/posts/2015/12/22/breaking-up-heavy-processing-in-react-native.html
await shim.waitForFrame();
const encrypted = await this.encrypt(method, masterKeyPlainText, block);
await destination.append(padLeft(encrypted.length.toString(16), 6, '0'));
await destination.append(encrypted);
}
}
async decryptAbstract_(source: any, destination: any, options: any = null) {
if (!options) options = {};
const header: any = await this.decodeHeaderSource_(source);
const masterKeyPlainText = this.loadedMasterKey(header.masterKeyId).plainText;
let doneSize = 0;
while (true) {
const lengthHex = await source.read(6);
if (!lengthHex) break;
if (lengthHex.length !== 6) throw new Error(`Invalid block size: ${lengthHex}`);
const length = parseInt(lengthHex, 16);
if (!length) continue; // Weird but could be not completely invalid (block of size 0) so continue decrypting
doneSize += length;
if (options.onProgress) options.onProgress({ doneSize: doneSize });
await shim.waitForFrame();
const block = await source.read(length);
const plainText = await this.decrypt(header.encryptionMethod, masterKeyPlainText, block);
await destination.append(plainText);
}
}
stringReader_(string: string, sync = false) {
const reader = {
index: 0,
read: function(size: number) {
const output = string.substr(reader.index, size);
reader.index += size;
return !sync ? Promise.resolve(output) : output;
},
close: function() {},
};
return reader;
}
stringWriter_() {
const output: any = {
data: [],
append: async function(data: any) {
output.data.push(data);
},
result: function() {
return output.data.join('');
},
close: function() {},
};
return output;
}
async fileReader_(path: string, encoding: any) {
const handle = await this.fsDriver().open(path, 'r');
const reader = {
handle: handle,
read: async (size: number) => {
return this.fsDriver().readFileChunk(reader.handle, size, encoding);
},
close: async () => {
await this.fsDriver().close(reader.handle);
},
};
return reader;
}
async fileWriter_(path: string, encoding: any) {
return {
append: async (data: any) => {
return this.fsDriver().appendFile(path, data, encoding);
},
close: function() {},
};
}
async encryptString(plainText: any, options: any = null) {
const source = this.stringReader_(plainText);
const destination = this.stringWriter_();
await this.encryptAbstract_(source, destination, options);
return destination.result();
}
async decryptString(cipherText: any, options: any = null) {
const source = this.stringReader_(cipherText);
const destination = this.stringWriter_();
await this.decryptAbstract_(source, destination, options);
return destination.data.join('');
}
async encryptFile(srcPath: string, destPath: string, options: any = null) {
let source = await this.fileReader_(srcPath, 'base64');
let destination = await this.fileWriter_(destPath, 'ascii');
const cleanUp = async () => {
if (source) await source.close();
if (destination) await destination.close();
// eslint-disable-next-line require-atomic-updates
source = null;
// eslint-disable-next-line require-atomic-updates
destination = null;
};
try {
await this.fsDriver().unlink(destPath);
await this.encryptAbstract_(source, destination, options);
} catch (error) {
await cleanUp();
await this.fsDriver().unlink(destPath);
throw error;
}
await cleanUp();
}
async decryptFile(srcPath: string, destPath: string, options: any = null) {
let source = await this.fileReader_(srcPath, 'ascii');
let destination = await this.fileWriter_(destPath, 'base64');
const cleanUp = async () => {
if (source) await source.close();
if (destination) await destination.close();
// eslint-disable-next-line require-atomic-updates
source = null;
// eslint-disable-next-line require-atomic-updates
destination = null;
};
try {
await this.fsDriver().unlink(destPath);
await this.decryptAbstract_(source, destination, options);
} catch (error) {
await cleanUp();
await this.fsDriver().unlink(destPath);
throw error;
}
await cleanUp();
}
headerTemplate(version: number) {
const r = (this.headerTemplates_ as any)[version];
if (!r) throw new Error(`Unknown header version: ${version}`);
return r;
}
encodeHeader_(header: any) {
// Sanity check
if (header.masterKeyId.length !== 32) throw new Error(`Invalid master key ID size: ${header.masterKeyId}`);
let encryptionMetadata = '';
encryptionMetadata += padLeft(header.encryptionMethod.toString(16), 2, '0');
encryptionMetadata += header.masterKeyId;
encryptionMetadata = padLeft(encryptionMetadata.length.toString(16), 6, '0') + encryptionMetadata;
return `JED01${encryptionMetadata}`;
}
async decodeHeaderString(cipherText: any) {
const source = this.stringReader_(cipherText);
return this.decodeHeaderSource_(source);
}
async decodeHeaderSource_(source: any) {
const identifier = await source.read(5);
if (!isValidHeaderIdentifier(identifier)) throw new JoplinError(`Invalid encryption identifier. Data is not actually encrypted? ID was: ${identifier}`, 'invalidIdentifier');
const mdSizeHex = await source.read(6);
const mdSize = parseInt(mdSizeHex, 16);
if (isNaN(mdSize) || !mdSize) throw new Error(`Invalid header metadata size: ${mdSizeHex}`);
const md = await source.read(parseInt(mdSizeHex, 16));
return this.decodeHeaderBytes_(identifier + mdSizeHex + md);
}
decodeHeaderBytes_(headerHexaBytes: any) {
const reader: any = this.stringReader_(headerHexaBytes, true);
const identifier = reader.read(3);
const version = parseInt(reader.read(2), 16);
if (identifier !== 'JED') throw new Error(`Invalid header (missing identifier): ${headerHexaBytes.substr(0, 64)}`);
const template = this.headerTemplate(version);
parseInt(reader.read(6), 16); // Read the size and move the reader pointer forward
const output: any = {};
for (let i = 0; i < template.fields.length; i++) {
const m = template.fields[i];
const name = m[0];
const size = m[1];
const type = m[2];
let v = reader.read(size);
if (type === 'int') {
v = parseInt(v, 16);
} else if (type === 'hex') {
// Already in hexa
} else {
throw new Error(`Invalid type: ${type}`);
}
output[name] = v;
}
return output;
}
isValidEncryptionMethod(method: number) {
return [EncryptionService.METHOD_SJCL, EncryptionService.METHOD_SJCL_1A, EncryptionService.METHOD_SJCL_2, EncryptionService.METHOD_SJCL_3, EncryptionService.METHOD_SJCL_4].indexOf(method) >= 0;
}
async itemIsEncrypted(item: any) {
if (!item) throw new Error('No item');
const ItemClass = BaseItem.itemClass(item);
if (!ItemClass.encryptionSupported()) return false;
return item.encryption_applied && isValidHeaderIdentifier(item.encryption_cipher_text, true);
}
async fileIsEncrypted(path: string) {
const handle = await this.fsDriver().open(path, 'r');
const headerIdentifier = await this.fsDriver().readFileChunk(handle, 5, 'ascii');
await this.fsDriver().close(handle);
return isValidHeaderIdentifier(headerIdentifier);
}
}