mirror of
https://github.com/nextcloud/passman.git
synced 2025-11-09 13:44:40 +08:00
Implement encryption class
This commit is contained in:
brantje
parent
e5c8c5d1f7
commit
734496ebcc
13 changed files with 297 additions and 89 deletions
|
|
@ -12,6 +12,7 @@
|
|||
namespace OCA\Passman\Controller;
|
||||
|
||||
use OCA\Passman\Db\SharingACL;
|
||||
use OCA\Passman\Service\EncryptService;
|
||||
use OCA\Passman\Service\SettingsService;
|
||||
use OCA\Passman\Utility\NotFoundJSONResponse;
|
||||
use OCP\AppFramework\Http;
|
||||
|
|
@ -42,6 +43,7 @@ class CredentialController extends ApiController {
|
|||
CredentialRevisionService $credentialRevisionService,
|
||||
ShareService $sharingService,
|
||||
SettingsService $settings
|
||||
|
||||
) {
|
||||
parent::__construct($AppName, $request);
|
||||
$this->userId = $userId;
|
||||
|
|
@ -86,6 +88,7 @@ class CredentialController extends ApiController {
|
|||
'hidden' => $hidden,
|
||||
|
||||
);
|
||||
|
||||
$credential = $this->credentialService->createCredential($credential);
|
||||
$link = ''; // @TODO create direct link to credential
|
||||
if (!$credential->getHidden()) {
|
||||
|
|
@ -102,7 +105,8 @@ class CredentialController extends ApiController {
|
|||
* @NoCSRFRequired
|
||||
*/
|
||||
public function getCredential($credential_guid) {
|
||||
return new JSONResponse($this->credentialService->getCredentialByGUID($credential_guid, $this->userId));
|
||||
$credential = $this->credentialService->getCredentialByGUID($credential_guid, $this->userId);
|
||||
return new JSONResponse($credential);
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -116,7 +120,7 @@ class CredentialController extends ApiController {
|
|||
$tags, $url, $username, $vault_id, $revision_created, $shared_key, $acl, $unshare_action, $set_share_key, $skip_revision) {
|
||||
|
||||
|
||||
$storedCredential = $this->credentialService->getCredentialByGUID($credential_guid, $this->userId);
|
||||
$storedCredential = $this->credentialService->getCredentialByGUID($credential_guid);
|
||||
|
||||
$credential = array(
|
||||
'credential_id' => $credential_id,
|
||||
|
|
@ -139,6 +143,7 @@ class CredentialController extends ApiController {
|
|||
'delete_time' => $delete_time,
|
||||
'hidden' => $hidden,
|
||||
'otp' => $otp,
|
||||
'user_id' => $storedCredential->getUserId()
|
||||
);
|
||||
|
||||
|
||||
|
|
@ -149,11 +154,12 @@ class CredentialController extends ApiController {
|
|||
} else {
|
||||
return new DataResponse(['msg' => 'Not authorized'], Http::STATUS_UNAUTHORIZED);
|
||||
}
|
||||
if ($this->settings->isEnabled('user_sharing_enabled')) {
|
||||
if (!$this->settings->isEnabled('user_sharing_enabled')) {
|
||||
return new DataResponse(['msg' => 'Not authorized'], Http::STATUS_UNAUTHORIZED);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
$link = ''; // @TODO create direct link to credential
|
||||
if ($revision_created) {
|
||||
$activity = 'item_apply_revision';
|
||||
|
|
@ -237,6 +243,7 @@ class CredentialController extends ApiController {
|
|||
if (!$skip_revision) {
|
||||
$this->credentialRevisionService->createRevision($storedCredential, $storedCredential->getUserId(), $credential_id, $this->userId);
|
||||
}
|
||||
|
||||
$credential = $this->credentialService->updateCredential($credential);
|
||||
|
||||
return new JSONResponse($credential);
|
||||
|
|
@ -271,7 +278,6 @@ class CredentialController extends ApiController {
|
|||
} catch (\Exception $ex) {
|
||||
return new NotFoundJSONResponse();
|
||||
}
|
||||
|
||||
// If the request was made by the owner of the credential
|
||||
if ($this->userId === $credential->getUserId()) {
|
||||
$result = $this->credentialRevisionService->getRevisions($credential->getId(), $this->userId);
|
||||
|
|
|
|||
|
|
@ -39,7 +39,8 @@ class FileController extends ApiController {
|
|||
'filename' => $filename,
|
||||
'size' => $size,
|
||||
'mimetype' => $mimetype,
|
||||
'file_data' => $data
|
||||
'file_data' => $data,
|
||||
'user_id' => $this->userId
|
||||
);
|
||||
return new JSONResponse($this->fileService->createFile($file, $this->userId));
|
||||
}
|
||||
|
|
|
|||
|
|
@ -464,12 +464,12 @@ class ShareController extends ApiController {
|
|||
}
|
||||
|
||||
/**
|
||||
* @param $credential_guid
|
||||
* @param $item_guid
|
||||
* @param $file_guid
|
||||
* @NoAdminRequired
|
||||
* @PublicPage
|
||||
* @return JSONResponse
|
||||
* @return NotFoundResponse
|
||||
* @return mixed
|
||||
* @return NotFoundJSONResponse
|
||||
*/
|
||||
public function getFile($item_guid, $file_guid) {
|
||||
try {
|
||||
|
|
|
|||
|
|
@ -11,6 +11,8 @@
|
|||
|
||||
namespace OCA\Passman\Controller;
|
||||
|
||||
use OCA\Passman\Service\EncryptService;
|
||||
use OCA\Passman\Service\SettingsService;
|
||||
use OCA\Passman\Utility\NotFoundJSONResponse;
|
||||
use OCP\AppFramework\Db\DoesNotExistException;
|
||||
use OCP\IRequest;
|
||||
|
|
@ -24,12 +26,15 @@ class VaultController extends ApiController {
|
|||
private $userId;
|
||||
private $vaultService;
|
||||
private $credentialService;
|
||||
private $settings;
|
||||
|
||||
public function __construct($AppName,
|
||||
IRequest $request,
|
||||
$UserId,
|
||||
VaultService $vaultService,
|
||||
CredentialService $credentialService) {
|
||||
CredentialService $credentialService,
|
||||
SettingsService $settings,
|
||||
EncryptService $encryptService) {
|
||||
parent::__construct(
|
||||
$AppName,
|
||||
$request,
|
||||
|
|
@ -39,6 +44,7 @@ class VaultController extends ApiController {
|
|||
$this->userId = $UserId;
|
||||
$this->vaultService = $vaultService;
|
||||
$this->credentialService = $credentialService;
|
||||
$this->settings = $settings;
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -61,7 +67,7 @@ class VaultController extends ApiController {
|
|||
'created' => $vault->getCreated(),
|
||||
'public_sharing_key' => $vault->getPublicSharingKey(),
|
||||
'last_access' => $vault->getlastAccess(),
|
||||
'challenge_password' => $credential->{$secret_field}()
|
||||
'challenge_password' => $credential->{$secret_field}(),
|
||||
));
|
||||
}
|
||||
}
|
||||
|
|
@ -83,7 +89,6 @@ class VaultController extends ApiController {
|
|||
* @NoCSRFRequired
|
||||
*/
|
||||
public function get($vault_guid) {
|
||||
//$vault_guid
|
||||
$vault = null;
|
||||
try {
|
||||
$vault = $this->vaultService->getByGuid($vault_guid, $this->userId);
|
||||
|
|
|
|||
|
|
@ -39,7 +39,7 @@ class CredentialMapper extends Mapper {
|
|||
* Obtains the credentials by vault id (not guid)
|
||||
* @throws \OCP\AppFramework\Db\DoesNotExistException if not found
|
||||
* @throws \OCP\AppFramework\Db\MultipleObjectsReturnedException if more than one result
|
||||
* @return Vault[]
|
||||
* @return Credential[]
|
||||
*/
|
||||
public function getCredentialsByVaultId($vault_id, $user_id) {
|
||||
$sql = 'SELECT * FROM `*PREFIX*passman_credentials` ' .
|
||||
|
|
@ -166,7 +166,9 @@ class CredentialMapper extends Mapper {
|
|||
$credential->setOtp($raw_credential['otp']);
|
||||
$credential->setHidden($raw_credential['hidden']);
|
||||
$credential->setDeleteTime($raw_credential['delete_time']);
|
||||
$credential->setSharedKey($raw_credential['shared_key']);
|
||||
if(isset($raw_credential['shared_key'])) {
|
||||
$credential->setSharedKey($raw_credential['shared_key']);
|
||||
}
|
||||
return parent::update($credential);
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -49,7 +49,7 @@ class CredentialRevision extends Entity implements \JsonSerializable {
|
|||
protected $credentialId;
|
||||
protected $userId;
|
||||
protected $created;
|
||||
protected $credentialData;
|
||||
public $credentialData;
|
||||
protected $editedBy;
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -33,9 +33,13 @@ use OCA\Passman\Db\CredentialRevisionMapper;
|
|||
class CredentialRevisionService {
|
||||
|
||||
private $credentialRevisionMapper;
|
||||
private $encryptService;
|
||||
private $server_key;
|
||||
|
||||
public function __construct(CredentialRevisionMapper $credentialRevisionMapper) {
|
||||
public function __construct(CredentialRevisionMapper $credentialRevisionMapper, EncryptService $encryptService) {
|
||||
$this->credentialRevisionMapper = $credentialRevisionMapper;
|
||||
$this->encryptService = $encryptService;
|
||||
$this->server_key = \OC::$server->getConfig()->getSystemValue('passwordsalt', '');
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -47,6 +51,7 @@ class CredentialRevisionService {
|
|||
* @return CredentialRevision
|
||||
*/
|
||||
public function createRevision($credential, $userId, $credential_id, $edited_by) {
|
||||
$credential = $this->encryptService->encryptCredential($credential);
|
||||
return $this->credentialRevisionMapper->create($credential, $userId, $credential_id, $edited_by);
|
||||
}
|
||||
|
||||
|
|
@ -57,7 +62,13 @@ class CredentialRevisionService {
|
|||
* @return CredentialRevision[]
|
||||
*/
|
||||
public function getRevisions($credential_id, $user_id = null){
|
||||
return $this->credentialRevisionMapper->getRevisions($credential_id, $user_id);
|
||||
$result = $this->credentialRevisionMapper->getRevisions($credential_id, $user_id);
|
||||
foreach ($result as $index => $revision){
|
||||
$c = json_decode(base64_decode($revision->getCredentialData()), true);
|
||||
$result[$index] = $revision->jsonSerialize();
|
||||
$result[$index]['credential_data'] = $this->encryptService->decryptCredential($c);
|
||||
}
|
||||
return $result;
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -67,7 +78,10 @@ class CredentialRevisionService {
|
|||
* @return CredentialRevision
|
||||
*/
|
||||
public function getRevision($credential_id, $user_id = null){
|
||||
return $this->credentialRevisionMapper->getRevision($credential_id, $user_id);
|
||||
$revision = $this->credentialRevisionMapper->getRevision($credential_id, $user_id);
|
||||
$c = json_decode(base64_decode($revision->getCredentialData()), true);
|
||||
$revision->setCredentialData($this->encryptService->decryptCredential($c));
|
||||
return $revision;
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -86,6 +100,10 @@ class CredentialRevisionService {
|
|||
* @return CredentialRevision
|
||||
*/
|
||||
public function updateRevision(CredentialRevision $credentialRevision){
|
||||
$credential_data = $credentialRevision->getCredentialData();
|
||||
$credential_data = json_decode(base64_decode($credential_data), true);
|
||||
$credential_data = base64_encode(json_encode($this->encryptService->encryptCredential($credential_data)));
|
||||
$credentialRevision->setCredentialData($credential_data);
|
||||
return $this->credentialRevisionMapper->update($credentialRevision);
|
||||
}
|
||||
}
|
||||
|
|
@ -36,116 +36,147 @@ use OCA\Passman\Db\CredentialMapper;
|
|||
class CredentialService {
|
||||
|
||||
private $credentialMapper;
|
||||
private $sharingACL;
|
||||
private $sharingACL;
|
||||
private $encryptService;
|
||||
private $server_key;
|
||||
|
||||
public function __construct(CredentialMapper $credentialMapper, SharingACLMapper $sharingACL) {
|
||||
public function __construct(CredentialMapper $credentialMapper, SharingACLMapper $sharingACL, EncryptService $encryptService) {
|
||||
$this->credentialMapper = $credentialMapper;
|
||||
$this->sharingACL = $sharingACL;
|
||||
$this->sharingACL = $sharingACL;
|
||||
$this->encryptService = $encryptService;
|
||||
$this->server_key = \OC::$server->getConfig()->getSystemValue('passwordsalt', '');
|
||||
}
|
||||
|
||||
/**
|
||||
* Create a new credential
|
||||
*
|
||||
* @param $user_id
|
||||
* @param $item_guid
|
||||
* @return Credential
|
||||
*/
|
||||
public function createCredential($credential) {
|
||||
$credential = $this->encryptService->encryptCredential($credential);
|
||||
return $this->credentialMapper->create($credential);
|
||||
}
|
||||
|
||||
/**
|
||||
* Update credential
|
||||
*
|
||||
* @param $credential array
|
||||
* @return Credential
|
||||
*/
|
||||
public function updateCredential($credential) {
|
||||
$credential = $this->encryptService->encryptCredential($credential);
|
||||
return $this->credentialMapper->updateCredential($credential);
|
||||
}
|
||||
|
||||
/**
|
||||
* Update credential
|
||||
*
|
||||
* @param $credential Credential
|
||||
* @return Credential
|
||||
*/
|
||||
public function upd(Credential $credential) {
|
||||
return $this->credentialMapper->upd($credential);
|
||||
$credential = $this->encryptService->encryptCredential($credential);
|
||||
return $this->credentialMapper->updateCredential($credential);
|
||||
}
|
||||
|
||||
/**
|
||||
* Delete credential
|
||||
*
|
||||
* @param Credential $credential
|
||||
* @return \OCP\AppFramework\Db\Entity
|
||||
*/
|
||||
public function deleteCredential(Credential $credential){
|
||||
public function deleteCredential(Credential $credential) {
|
||||
return $this->credentialMapper->deleteCredential($credential);
|
||||
}
|
||||
|
||||
/**
|
||||
* Get credentials by vault id
|
||||
*
|
||||
* @param $vault_id
|
||||
* @param $user_id
|
||||
* @return \OCA\Passman\Db\Vault[]
|
||||
* @return \OCA\Passman\Db\Credential[]
|
||||
*/
|
||||
public function getCredentialsByVaultId($vault_id, $user_id) {
|
||||
return $this->credentialMapper->getCredentialsByVaultId($vault_id, $user_id);
|
||||
$credentials = $this->credentialMapper->getCredentialsByVaultId($vault_id, $user_id);
|
||||
foreach ($credentials as $index => $credential) {
|
||||
$credentials[$index] = $this->encryptService->decryptCredential($credential);
|
||||
}
|
||||
return $credentials;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get a random credential from given vault
|
||||
*
|
||||
* @param $vault_id
|
||||
* @param $user_id
|
||||
* @return mixed
|
||||
*/
|
||||
public function getRandomCredentialByVaultId($vault_id, $user_id) {
|
||||
$credentials = $this->credentialMapper->getRandomCredentialByVaultId($vault_id, $user_id);
|
||||
foreach ($credentials as $index => $credential) {
|
||||
$credentials[$index] = $this->encryptService->decryptCredential($credential);
|
||||
}
|
||||
return array_pop($credentials);
|
||||
}
|
||||
|
||||
/**
|
||||
* Get expired credentials.
|
||||
*
|
||||
* @param $timestamp
|
||||
* @return \OCA\Passman\Db\Credential[]
|
||||
*/
|
||||
public function getExpiredCredentials($timestamp) {
|
||||
return $this->credentialMapper->getExpiredCredentials($timestamp);
|
||||
$credentials = $this->credentialMapper->getExpiredCredentials($timestamp);
|
||||
foreach ($credentials as $index => $credential) {
|
||||
$credentials[$index] = $this->encryptService->decryptCredential($credential);
|
||||
}
|
||||
return $credentials;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get a single credential.
|
||||
*
|
||||
* @param $credential_id
|
||||
* @param $user_id
|
||||
* @return Credential
|
||||
* @throws DoesNotExistException
|
||||
*/
|
||||
public function getCredentialById($credential_id, $user_id){
|
||||
$credential = $this->credentialMapper->getCredentialById($credential_id);
|
||||
if ($credential->getUserId() === $user_id){
|
||||
return $credential;
|
||||
}
|
||||
else {
|
||||
$acl = $this->sharingACL->getItemACL($user_id, $credential->getGuid());
|
||||
if ($acl->hasPermission(SharingACL::READ)) {
|
||||
return $credential;
|
||||
public function getCredentialById($credential_id, $user_id) {
|
||||
$credential = $this->credentialMapper->getCredentialById($credential_id);
|
||||
if ($credential->getUserId() === $user_id) {
|
||||
return $credential;
|
||||
} else {
|
||||
$acl = $this->sharingACL->getItemACL($user_id, $credential->getGuid());
|
||||
if ($acl->hasPermission(SharingACL::READ)) {
|
||||
return $this->encryptService->decryptCredential($credential);
|
||||
}
|
||||
throw new DoesNotExistException("Did expect one result but found none when executing");
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Get credential label by credential id.
|
||||
*
|
||||
* @param $credential_id
|
||||
* @return Credential
|
||||
*/
|
||||
public function getCredentialLabelById($credential_id){
|
||||
return $this->credentialMapper->getCredentialLabelById($credential_id);
|
||||
public function getCredentialLabelById($credential_id) {
|
||||
$credential = $this->credentialMapper->getCredentialLabelById($credential_id);
|
||||
return $this->encryptService->decryptCredential($credential);
|
||||
}
|
||||
|
||||
/**
|
||||
* Get credential by guid
|
||||
*
|
||||
* @param $credential_guid
|
||||
* @param null $user_id
|
||||
* @return Credential
|
||||
*/
|
||||
public function getCredentialByGUID($credential_guid, $user_id = null){
|
||||
return $this->credentialMapper->getCredentialByGUID($credential_guid, $user_id);
|
||||
}
|
||||
public function getCredentialByGUID($credential_guid, $user_id = null) {
|
||||
$credential = $this->credentialMapper->getCredentialByGUID($credential_guid, $user_id);
|
||||
return $this->encryptService->decryptCredential($credential);
|
||||
}
|
||||
}
|
||||
|
|
@ -26,6 +26,10 @@ namespace OCA\Passman\Service;
|
|||
|
||||
// Class copied from http://stackoverflow.com/questions/5089841/two-way-encryption-i-need-to-store-passwords-that-can-be-retrieved?answertab=votes#tab-top
|
||||
// Upgraded to use openssl
|
||||
use Icewind\SMB\Exception\Exception;
|
||||
use OCA\Passman\Db\Credential;
|
||||
use OCA\Passman\Db\File;
|
||||
|
||||
class EncryptService {
|
||||
|
||||
/**
|
||||
|
|
@ -36,7 +40,7 @@ class EncryptService {
|
|||
* @var array
|
||||
*/
|
||||
protected $supportedAlgos = array(
|
||||
'aes-256' => array('name' => 'AES-256', 'keySize' => 32, 'blockSize' => 32),
|
||||
'aes-256-cbc' => array('name' => 'AES-256', 'keySize' => 32, 'blockSize' => 32),
|
||||
'bf' => array('name' => 'BF', 'keySize' => 16, 'blockSize' => 8),
|
||||
'des' => array('name' => 'DES', 'keySize' => 7, 'blockSize' => 8),
|
||||
'des-ede3' => array('name' => 'DES-EDE3', 'keySize' => 21, 'blockSize' => 8), // 3 different 56-bit keys
|
||||
|
|
@ -52,6 +56,12 @@ class EncryptService {
|
|||
'cbc' => 'CBC',
|
||||
);
|
||||
|
||||
public $encrypted_credential_fields = array(
|
||||
'description', 'username', 'password', 'files', 'custom_fields', 'otp', 'email', 'tags', 'url'
|
||||
);
|
||||
|
||||
|
||||
private $server_key;
|
||||
/**
|
||||
* A class to handle secure encryption and decryption of arbitrary data
|
||||
*
|
||||
|
|
@ -68,6 +78,28 @@ class EncryptService {
|
|||
*
|
||||
*/
|
||||
|
||||
|
||||
/**
|
||||
* @var string $cipher The openssl cipher to use for this instance
|
||||
*/
|
||||
protected $cipher = '';
|
||||
|
||||
/**
|
||||
* @var int $rounds The number of rounds to feed into PBKDF2 for key generation
|
||||
*/
|
||||
protected $rounds = 100;
|
||||
|
||||
/**
|
||||
* Constructor!
|
||||
*
|
||||
* @param SettingsService $settings
|
||||
*/
|
||||
public function __construct(SettingsService $settings) {
|
||||
$this->cipher = $settings->getAppSetting('server_side_encryption');
|
||||
$this->rounds = (int)100;
|
||||
$this->server_key = \OC::$server->getConfig()->getSystemValue('passwordsalt', '');
|
||||
}
|
||||
|
||||
/**
|
||||
* Create an encryption key. Based on given parameters
|
||||
*
|
||||
|
|
@ -83,34 +115,6 @@ class EncryptService {
|
|||
return $key;
|
||||
}
|
||||
|
||||
/**
|
||||
* @var string $cipher The mcrypt cipher to use for this instance
|
||||
*/
|
||||
protected $cipher = '';
|
||||
|
||||
/**
|
||||
* @var int $mode The mcrypt cipher mode to use
|
||||
*/
|
||||
protected $mode = '';
|
||||
|
||||
/**
|
||||
* @var int $rounds The number of rounds to feed into PBKDF2 for key generation
|
||||
*/
|
||||
protected $rounds = 100;
|
||||
|
||||
/**
|
||||
* Constructor!
|
||||
*
|
||||
* @param string $cipher The MCRYPT_* cypher to use for this instance
|
||||
* @param int $mode The MCRYPT_MODE_* mode to use for this instance
|
||||
* @param int $rounds The number of PBKDF2 rounds to do on the key
|
||||
*/
|
||||
public function __construct($cipher, $mode, $rounds = 100) {
|
||||
$this->cipher = $cipher;
|
||||
$this->mode = $mode;
|
||||
$this->rounds = (int)$rounds;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the maximum key size for the selected cipher and mode of operation
|
||||
*
|
||||
|
|
@ -155,7 +159,7 @@ class EncryptService {
|
|||
return false;
|
||||
}
|
||||
|
||||
$dec = openssl_decrypt($enc, $this->cipher . '-' . $this->mode, $cipherKey, true, $iv);
|
||||
$dec = openssl_decrypt($enc, $this->cipher, $cipherKey, true, $iv);
|
||||
$data = $this->unpad($dec);
|
||||
|
||||
return $data;
|
||||
|
|
@ -173,11 +177,8 @@ class EncryptService {
|
|||
$salt = openssl_random_pseudo_bytes(128);
|
||||
list ($cipherKey, $macKey, $iv) = EncryptService::getKeys($salt, $key);
|
||||
$data = EncryptService::pad($data);
|
||||
$enc = openssl_encrypt($data, $this->cipher . '-' . $this->mode, $cipherKey, true, $iv);
|
||||
|
||||
|
||||
$enc = openssl_encrypt($data, $this->cipher, $cipherKey, true, $iv);
|
||||
$mac = hash_hmac('sha512', $enc, $macKey, true);
|
||||
|
||||
$data = bin2hex($salt . $enc . $mac);
|
||||
return $data;
|
||||
|
||||
|
|
@ -192,8 +193,8 @@ class EncryptService {
|
|||
* @returns array An array of keys (a cipher key, a mac key, and a IV)
|
||||
*/
|
||||
protected function getKeys($salt, $key) {
|
||||
$ivSize = openssl_cipher_iv_length($this->cipher . '-' . $this->mode);
|
||||
$keySize = openssl_cipher_iv_length($this->cipher . '-' . $this->mode);
|
||||
$ivSize = openssl_cipher_iv_length($this->cipher);
|
||||
$keySize = openssl_cipher_iv_length($this->cipher);
|
||||
$length = 2 * $keySize + $ivSize;
|
||||
|
||||
$key = EncryptService::pbkdf2('sha512', $key, $salt, $this->rounds, $length);
|
||||
|
|
@ -204,7 +205,7 @@ class EncryptService {
|
|||
return array($cipherKey, $macKey, $iv);
|
||||
}
|
||||
|
||||
function hash_equals($a, $b) {
|
||||
protected function hash_equals($a, $b) {
|
||||
$key = openssl_random_pseudo_bytes(128);
|
||||
return hash_hmac('sha512', $a, $key) === hash_hmac('sha512', $b, $key);
|
||||
}
|
||||
|
|
@ -247,7 +248,7 @@ class EncryptService {
|
|||
protected function pad($data) {
|
||||
$length = $this->getKeySize();
|
||||
$padAmount = $length - strlen($data) % $length;
|
||||
if ($padAmount == 0) {
|
||||
if ($padAmount === 0) {
|
||||
$padAmount = $length;
|
||||
}
|
||||
return $data . str_repeat(chr($padAmount), $padAmount);
|
||||
|
|
@ -269,4 +270,111 @@ class EncryptService {
|
|||
}
|
||||
return substr($data, 0, -1 * $last);
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Encrypt a credential
|
||||
*
|
||||
* @param Credential|array $credential the credential to decrypt
|
||||
* @return Credential|array
|
||||
*/
|
||||
public function decryptCredential($credential) {
|
||||
return $this->handleCredential($credential, 'decrypt');
|
||||
}
|
||||
|
||||
/**
|
||||
* Encrypt a credential
|
||||
*
|
||||
* @param Credential|array $credential the credential to encrypt
|
||||
* @return Credential|array
|
||||
* @throws \Exception
|
||||
*/
|
||||
public function encryptCredential($credential) {
|
||||
return $this->handleCredential($credential, 'encrypt');
|
||||
}
|
||||
|
||||
/**
|
||||
* Handles the encryption / decryption of a credential
|
||||
*
|
||||
* @param Credential|array $credential the credential to encrypt
|
||||
* @return Credential|array
|
||||
* @throws \Exception
|
||||
*/
|
||||
private function handleCredential($credential, $op) {
|
||||
$service_function = ($op === 'encrypt') ? 'encrypt' : 'decrypt';
|
||||
if ($credential instanceof Credential) {
|
||||
$userSuppliedKey = $credential->getLabel();
|
||||
$sk = $credential->getSharedKey();
|
||||
$userKey = (isset($sk)) ? $sk : $credential->getUserId();
|
||||
} else {
|
||||
$userSuppliedKey = $credential['label'];
|
||||
$userKey = (isset($credential['shared_key'])) ? $credential['shared_key'] : $credential['user_id'];
|
||||
}
|
||||
$key = EncryptService::makeKey($userKey, $this->server_key, $userSuppliedKey);
|
||||
|
||||
foreach ($this->encrypted_credential_fields as $field) {
|
||||
if ($credential instanceof Credential) {
|
||||
$field = str_replace(' ', '', str_replace('_', ' ', ucwords($field, '_')));
|
||||
$set = 'set' . $field;
|
||||
$get = 'get' . $field;
|
||||
$credential->{$set}($this->{$service_function}($credential->{$get}(), $key));
|
||||
} else {
|
||||
$credential[$field] = $this->{$service_function}($credential[$field], $key);
|
||||
}
|
||||
}
|
||||
|
||||
return $credential;
|
||||
}
|
||||
|
||||
/**
|
||||
* Encrypt a file
|
||||
*
|
||||
* @param File|array $file
|
||||
* @return File|array
|
||||
*/
|
||||
|
||||
public function encryptFile($file) {
|
||||
return $this->handleFile($file, 'encrypt');
|
||||
}
|
||||
|
||||
/**
|
||||
* Decrypt a file
|
||||
*
|
||||
* @param File|array $file
|
||||
* @return File|array
|
||||
*/
|
||||
|
||||
public function decryptFile($file) {
|
||||
return $this->handleFile($file, 'decrypt');
|
||||
}
|
||||
|
||||
/**
|
||||
* Handles the encryption / decryption of a File
|
||||
*
|
||||
* @param File|array $file the credential to encrypt
|
||||
* @return File|array
|
||||
* @throws \Exception
|
||||
*/
|
||||
private function handleFile($file, $op){
|
||||
$service_function = ($op === 'encrypt') ? 'encrypt' : 'decrypt';
|
||||
if ($file instanceof File) {
|
||||
$userSuppliedKey = $file->getSize();
|
||||
$userKey = md5($file->getMimetype());
|
||||
} else {
|
||||
$userSuppliedKey = $file['size'];
|
||||
$userKey = md5($file['mimetype']);
|
||||
}
|
||||
|
||||
$key = EncryptService::makeKey($userKey, $this->server_key, $userSuppliedKey);
|
||||
|
||||
|
||||
if ($file instanceof File) {
|
||||
$file->setFilename($this->{$service_function}($file->getFilename(), $key));
|
||||
$file->setFileData($this->{$service_function}($file->getFileData(), $key));
|
||||
} else {
|
||||
$file['filename'] = $this->{$service_function}($file['filename'], $key);
|
||||
$file['file_data'] = $this->{$service_function}($file['file_data'], $key);
|
||||
}
|
||||
return $file;
|
||||
}
|
||||
}
|
||||
|
|
@ -23,6 +23,7 @@
|
|||
|
||||
namespace OCA\Passman\Service;
|
||||
|
||||
use OCA\Passman\Db\File;
|
||||
use OCP\IConfig;
|
||||
use OCP\AppFramework\Db\DoesNotExistException;
|
||||
|
||||
|
|
@ -32,43 +33,55 @@ use OCA\Passman\Db\FileMapper;
|
|||
class FileService {
|
||||
|
||||
private $fileMapper;
|
||||
private $encryptService;
|
||||
private $server_key;
|
||||
|
||||
public function __construct(FileMapper $fileMapper) {
|
||||
public function __construct(FileMapper $fileMapper, EncryptService $encryptService) {
|
||||
$this->fileMapper = $fileMapper;
|
||||
$this->encryptService = $encryptService;
|
||||
$this->server_key = \OC::$server->getConfig()->getSystemValue('passwordsalt', '');
|
||||
}
|
||||
|
||||
/**
|
||||
* Get a single file. This function also returns the file content.
|
||||
*
|
||||
* @param $fileId
|
||||
* @param null $userId
|
||||
* @return \OCA\Passman\Db\File
|
||||
*/
|
||||
public function getFile($fileId, $userId = null) {
|
||||
return $this->fileMapper->getFile($fileId, $userId);
|
||||
$file = $this->fileMapper->getFile($fileId, $userId);
|
||||
return $this->encryptService->decryptFile($file);
|
||||
}
|
||||
|
||||
/**
|
||||
* Get a single file. This function also returns the file content.
|
||||
*
|
||||
* @param $file_guid
|
||||
* @param null $userId
|
||||
* @return \OCA\Passman\Db\File
|
||||
*/
|
||||
public function getFileByGuid($file_guid, $userId = null) {
|
||||
return $this->fileMapper->getFileByGuid($file_guid, $userId);
|
||||
$file = $this->fileMapper->getFileByGuid($file_guid, $userId);
|
||||
return $this->encryptService->decryptFile($file);
|
||||
}
|
||||
|
||||
/**
|
||||
* Upload a new file,
|
||||
*
|
||||
* @param $file array
|
||||
* @param $userId
|
||||
* @return \OCA\Passman\Db\File
|
||||
*/
|
||||
public function createFile($file, $userId) {
|
||||
return $this->fileMapper->create($file, $userId);
|
||||
$file = $this->encryptService->encryptFile($file);
|
||||
$file = $this->fileMapper->create($file, $userId);
|
||||
return $this->getFile($file->getId());
|
||||
}
|
||||
|
||||
/**
|
||||
* Delete file
|
||||
*
|
||||
* @param $file_id
|
||||
* @param $userId
|
||||
* @return \OCA\Passman\Db\File
|
||||
|
|
@ -79,11 +92,13 @@ class FileService {
|
|||
|
||||
/**
|
||||
* Update file
|
||||
* @param $file_id
|
||||
*
|
||||
* @param File $file
|
||||
* @return \OCA\Passman\Db\File
|
||||
*/
|
||||
public function updateFile($file_id) {
|
||||
return $this->fileMapper->updateFile($file_id);
|
||||
public function updateFile($file) {
|
||||
$file = $this->encryptService->encryptFile($file);
|
||||
return $this->fileMapper->updateFile($file);
|
||||
}
|
||||
|
||||
}
|
||||
|
|
@ -54,6 +54,7 @@ class SettingsService {
|
|||
'check_version' => intval($this->config->getAppValue('passman', 'check_version', 1)),
|
||||
'https_check' => intval($this->config->getAppValue('passman', 'https_check', 1)),
|
||||
'disable_contextmenu' => intval($this->config->getAppValue('passman', 'disable_contextmenu', 1)),
|
||||
'server_side_encryption' => $this->config->getAppValue('passman', 'server_side_encryption', 'aes-256-cbc'),
|
||||
'settings_loaded' => 1
|
||||
);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -39,17 +39,22 @@ class ShareService {
|
|||
private $shareRequest;
|
||||
private $credential;
|
||||
private $revisions;
|
||||
private $encryptService;
|
||||
|
||||
private $server_key;
|
||||
public function __construct(
|
||||
SharingACLMapper $sharingACL,
|
||||
ShareRequestMapper $shareRequest,
|
||||
CredentialMapper $credentials,
|
||||
CredentialRevisionService $revisions
|
||||
CredentialRevisionService $revisions,
|
||||
EncryptService $encryptService
|
||||
) {
|
||||
$this->sharingACL = $sharingACL;
|
||||
$this->shareRequest = $shareRequest;
|
||||
$this->credential = $credentials;
|
||||
$this->revisions = $revisions;
|
||||
$this->encryptService = $encryptService;
|
||||
$this->server_key = \OC::$server->getConfig()->getSystemValue('passwordsalt', '');
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -140,9 +145,10 @@ class ShareService {
|
|||
foreach ($entries as $entry) {
|
||||
// Check if the user can read the credential, probably unnecesary, but just to be sure
|
||||
if (!$entry->hasPermission(SharingACL::READ)) continue;
|
||||
|
||||
$tmp = $entry->jsonSerialize();
|
||||
$tmp['credential_data'] = $this->credential->getCredentialById($entry->getItemId())->jsonSerialize();
|
||||
$credential = $this->credential->getCredentialById($entry->getItemId());
|
||||
$credential = $this->encryptService->decryptCredential($credential);
|
||||
$tmp['credential_data'] = $credential->jsonSerialize();
|
||||
|
||||
if (!$entry->hasPermission(SharingACL::FILES)) unset($tmp['credential_data']['files']);
|
||||
unset($tmp['credential_data']['shared_key']);
|
||||
|
|
@ -168,7 +174,10 @@ class ShareService {
|
|||
if (!$acl->hasPermission(SharingACL::READ)) throw new DoesNotExistException("Item not found or wrong access level");
|
||||
|
||||
$tmp = $acl->jsonSerialize();
|
||||
$tmp['credential_data'] = $this->credential->getCredentialById($acl->getItemId())->jsonSerialize();
|
||||
$credential = $this->credential->getCredentialById($acl->getItemId());
|
||||
$credential = $this->encryptService->decryptCredential($credential);
|
||||
|
||||
$tmp['credential_data'] = $credential->jsonSerialize();
|
||||
|
||||
if (!$acl->hasPermission(SharingACL::FILES)) unset($tmp['credential_data']['files']);
|
||||
unset($tmp['credential_data']['shared_key']);
|
||||
|
|
|
|||
|
|
@ -23,6 +23,7 @@ if ($checkVersion) {
|
|||
$githubVersion = $version;
|
||||
}
|
||||
}
|
||||
$ciphers = openssl_get_cipher_methods();
|
||||
?>
|
||||
|
||||
<div id="passwordSharingSettings" class="followup section">
|
||||
|
|
@ -99,5 +100,16 @@ if ($checkVersion) {
|
|||
</option>
|
||||
</select>
|
||||
</p>
|
||||
<p>
|
||||
|
||||
<label for="server_side_encryption">Server side encryption method:</label>
|
||||
<select name="server_side_encryption2" id="server_side_encryption2">
|
||||
<?php
|
||||
foreach ($ciphers as $cipher){
|
||||
print '<option value="'. $cipher .'">'. $cipher .'</option>';
|
||||
}
|
||||
?>
|
||||
</select> (Not working atm. OpenSSL has no equivalent of <code>mcrypt_get_key_size()</code>)
|
||||
</p>
|
||||
</form>
|
||||
</div>
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue