mirror of
https://github.com/the-djmaze/snappymail.git
synced 2024-09-20 07:35:55 +08:00
Now the MainAccount CryptKey is sealed.
This way change-password extension, Oauth2 and others can easily change the cryptkey seal withoug loosing decrypt functionality
This commit is contained in:
parent
8c033f53fa
commit
9ccd616132
|
@ -201,6 +201,7 @@ class ChangePasswordPlugin extends \RainLoop\Plugins\AbstractPlugin
|
|||
$oAccount->SetPassword($oNewPassword);
|
||||
if ($oAccount instanceof \RainLoop\Model\MainAccount) {
|
||||
$oActions->SetAuthToken($oAccount);
|
||||
$oAccount->resealCryptKey($oPrevPassword);
|
||||
}
|
||||
|
||||
return $this->jsonResponse(__FUNCTION__, $oActions->AppData(false));
|
||||
|
|
|
@ -77,8 +77,8 @@ class LoginOAuth2Plugin extends \RainLoop\Plugins\AbstractPlugin
|
|||
* So we need to securely save a cryptkey.
|
||||
* Encrypted using the old/new refresh token is an option:
|
||||
* 1. decrypt cryptkey with the old refresh token
|
||||
* 2. $oAccount->SetCryptKey('cryptkey')
|
||||
* 3. encrypt cryptkey with the new refresh token
|
||||
* 2. encrypt cryptkey with the new refresh token
|
||||
* = $oAccount->resealCryptKey(new \SnappyMail\SensitiveString('old refresh token'))
|
||||
*/
|
||||
}
|
||||
}
|
||||
|
|
|
@ -10,59 +10,46 @@ use SnappyMail\SensitiveString;
|
|||
class MainAccount extends Account
|
||||
{
|
||||
private ?SensitiveString $sCryptKey = null;
|
||||
/*
|
||||
public function resealCryptKey(
|
||||
#[\SensitiveParameter]
|
||||
string $sOldPass,
|
||||
#[\SensitiveParameter]
|
||||
string $sNewPass
|
||||
) : bool
|
||||
|
||||
public function resealCryptKey(SensitiveString $oOldPass) : bool
|
||||
{
|
||||
$oStorage = \RainLoop\Api::Actions()->StorageProvider();
|
||||
$sKey = $oStorage->Get($this, StorageType::ROOT, '.cryptkey');
|
||||
$sKey = $this->CryptKey();
|
||||
if ($sKey) {
|
||||
$sKey = \SnappyMail\Crypt::DecryptUrlSafe($sKey, $sOldPass);
|
||||
$sKey = \SnappyMail\Crypt::EncryptToJSON(\bin2hex($sKey), $this->IncPassword());
|
||||
if ($sKey) {
|
||||
$sKey = \SnappyMail\Crypt::EncryptUrlSafe($sKey, $sNewPass);
|
||||
\RainLoop\Api::Actions()->StorageProvider()->Put($this, StorageType::ROOT, '.cryptkey', $sKey);
|
||||
$sKey = \SnappyMail\Crypt::DecryptFromJSON($sKey, $this->IncPassword());
|
||||
if ($sKey) {
|
||||
$oStorage->Put($this, StorageType::ROOT, '.cryptkey', $sKey);
|
||||
$sKey = \SnappyMail\Crypt::DecryptUrlSafe($sKey, $sNewPass);
|
||||
$this->SetCryptKey($sKey);
|
||||
return true;
|
||||
$this->sCryptKey = new SensitiveString(\hex2bin($sKey));
|
||||
}
|
||||
return true;
|
||||
}
|
||||
}
|
||||
return false;
|
||||
}
|
||||
*/
|
||||
|
||||
public function CryptKey() : string
|
||||
{
|
||||
if (!$this->sCryptKey) {
|
||||
$sKey = \sha1($this->IncPassword() . APP_SALT, true);
|
||||
/*
|
||||
// Seal the cryptkey so that people who change their login password
|
||||
// can use the old password to re-seal the cryptkey
|
||||
$oStorage = \RainLoop\Api::Actions()->StorageProvider();
|
||||
$sKey = $oStorage->Get($this, StorageType::ROOT, '.cryptkey');
|
||||
if (!$sKey) {
|
||||
$sKey = \sha1($this->IncPassword() . APP_SALT, true);
|
||||
$sKey = \SnappyMail\Crypt::EncryptUrlSafe($sKey, $this->IncPassword());
|
||||
$sKey = \SnappyMail\Crypt::EncryptToJSON(
|
||||
\sha1($this->IncPassword() . APP_SALT),
|
||||
$this->IncPassword()
|
||||
);
|
||||
$oStorage->Put($this, StorageType::ROOT, '.cryptkey', $sKey);
|
||||
}
|
||||
$sKey = \SnappyMail\Crypt::DecryptUrlSafe($sKey, $this->IncPassword());
|
||||
*/
|
||||
$this->SetCryptKey($sKey);
|
||||
$sKey = \SnappyMail\Crypt::DecryptFromJSON($sKey, $this->IncPassword());
|
||||
if ($sKey) {
|
||||
$this->sCryptKey = new SensitiveString(\hex2bin($sKey));
|
||||
}
|
||||
}
|
||||
return $this->sCryptKey;
|
||||
}
|
||||
|
||||
public function SetCryptKey(
|
||||
#[\SensitiveParameter]
|
||||
string $sKey
|
||||
) : void
|
||||
{
|
||||
$this->sCryptKey = new SensitiveString($sKey);
|
||||
}
|
||||
/*
|
||||
// Stores settings in MainAccount
|
||||
public function settings() : \RainLoop\Settings
|
||||
|
|
Loading…
Reference in a new issue