153 changes: 33 additions & 120 deletions lib/Command/RecreateMasterKey.php
Expand Up @@ -21,44 +21,23 @@

namespace OCA\Encryption\Command;

use OC\Encryption\DecryptAll;
use OC\Encryption\Manager;
use OC\Files\View;
use OCA\Encryption\Crypto\EncryptAll;
use OCA\Encryption\KeyManager;
use OCA\Encryption\Users\Setup;
use OCA\Encryption\Factory\EncDecAllFactory;
use OCA\Encryption\Util;
use OCP\App\IAppManager;
use OCP\IAppConfig;
use OCP\IConfig;
use OCP\IL10N;
use OCP\ILogger;
use OCP\ISession;
use OCP\IUserManager;
use OCP\Mail\IMailer;
use OCP\Security\ISecureRandom;
use Symfony\Component\Console\Command\Command;
use Symfony\Component\Console\Helper\ProgressBar;
use Symfony\Component\Console\Helper\QuestionHelper;
use Symfony\Component\Console\Input\InputInterface;
use Symfony\Component\Console\Input\InputOption;
use Symfony\Component\Console\Output\OutputInterface;
use Symfony\Component\Console\Question\ConfirmationQuestion;

class RecreateMasterKey extends Command {

/** @var Manager */
protected $encryptionManager;

/** @var IUserManager */
protected $userManager;

/** @var View */
protected $rootView;

/** @var KeyManager */
protected $keyManager;

/** @var Util */
protected $util;

Expand All @@ -71,77 +50,32 @@ class RecreateMasterKey extends Command {
/** @var IAppConfig */
protected $appConfig;

/** @var IConfig */
protected $config;

/** @var ISession */
protected $session;

/** @var QuestionHelper */
protected $questionHelper;

/** @var Setup */
protected $userSetup;

/** @var IMailer */
protected $mailer;

/** @var ISecureRandom */
protected $secureRandom;

/** @var IL10N */
protected $l;

/** @var ILogger */
protected $logger;

/** @var */
protected $encryptAll;

protected $decryptAll;
/** @var EncDecAllFactory */
private $encDecAllFactory;

/** @var array files which couldn't be decrypted */
protected $failed;

/**
* RecreateMasterKey constructor.
*
* @param IUserManager $userManager
* @param View $rootView
* @param KeyManager $keyManager
* @param Util $util
* @param \OC\Encryption\Util $encUtil
* @param IAppManager $appManager
* @param IAppConfig $appConfig
* @param IConfig $config
* @param ISession $session
* @param QuestionHelper $questionHelper
* @param Setup $userSetup
* @param IMailer $mailer
* @param ISecureRandom $secureRandom
* @param IL10N $l
* @param ILogger $logger
* @param EncDecAllFactory $encDecAllFactory
*/
public function __construct(IUserManager $userManager, View $rootView, KeyManager $keyManager, Util $util, \OC\Encryption\Util $encUtil,
IAppManager $appManager, IAppConfig $appConfig, IConfig $config, ISession $session,
Manager $encryptionManager, QuestionHelper $questionHelper, Setup $userSetup, IMailer $mailer,
ISecureRandom $secureRandom, IL10N $l, ILogger $logger) {
public function __construct(View $rootView, Util $util, \OC\Encryption\Util $encUtil,
IAppManager $appManager, IAppConfig $appConfig,
EncDecAllFactory $encDecAllFactory) {
parent::__construct();
$this->userManager = $userManager;
$this->rootView = $rootView;
$this->keyManager = $keyManager;
$this->util = $util;
$this->encUtil = $encUtil;
$this->appManager = $appManager;
$this->appConfig = $appConfig;
$this->config = $config;
$this->session = $session;
$this->encryptionManager = $encryptionManager;
$this->questionHelper = $questionHelper;
$this->userSetup = $userSetup;
$this->mailer = $mailer;
$this->secureRandom = $secureRandom;
$this->l = $l;
$this->logger = $logger;
$this->encDecAllFactory = $encDecAllFactory;
}

protected function configure() {
Expand All @@ -166,14 +100,18 @@ protected function execute(InputInterface $input, OutputInterface $output) {
$question = new ConfirmationQuestion(
'Warning: In order to re-create master key, the entire ownCloud filesystem will be decrypted and then encrypted using new master key.'
. ' Do you want to continue? (y/n)', false);
if ($yes || $this->questionHelper->ask($input, $output, $question)) {
//$questionHelper = $this->getHelper('question');
if ($yes || $this->getHelper('question')->ask($input, $output, $question)) {
$output->writeln("Decryption started\n");
$progress = new ProgressBar($output);
$progress->start();
$progress->setMessage("Decryption in progress...");
$progress->advance();

$this->decryptAllUsers($input, $output);
//Get DecryptAll object from the factory
$decryptAll = $this->encDecAllFactory->getDecryptAllObj();
$decryptAll->decryptAll($input, $output);

$progress->finish();

if (empty($this->failed)) {
Expand All @@ -187,69 +125,44 @@ protected function execute(InputInterface $input, OutputInterface $output) {
$this->rootView->deleteAll($filesEncryptionDir . '/files_encryption');
}

$this->appConfig->setValue('core', 'encryption_enabled', 'no');
$this->appConfig->deleteKey('encryption', 'useMasterKey');
$this->appConfig->deleteKey('encryption', 'masterKeyId');
$this->appConfig->deleteKey('encryption', 'recoveryKeyId');
$this->appConfig->deleteKey('encryption', 'publicShareKeyId');
$this->appConfig->deleteKey('files_encryption', 'installed_version');
$this->util->removeEncryptionAppSettings();
}
$output->writeln("\nDecryption completed\n");

//Reencrypt again
$this->appManager->enableApp('encryption');
$this->appConfig->setValue('core', 'encryption_enabled', 'yes');
$this->appConfig->setValue('encryption', 'enabled', 'yes');
$output->writeln("Encryption started\n");
$this->appConfig->setValue('encryption', 'useMasterKey', '1');

$output->writeln("Waiting for creating new masterkey\n");

$this->keyManager->setPublicShareKeyIDAndMasterKeyId();

//Get the EncryptAll object from factory
$encryptAll = $this->encDecAllFactory->getEncryptAllObj();
if ($encryptAll->createMasterKey($input, $output) === false) {
$output->writeln("<error>Error: masterkeys creation failed</error>");
Comment thread
sharidas marked this conversation as resolved.
return 1;
}
$output->writeln("New masterkey created successfully\n");

$this->appConfig->setValue('encryption', 'enabled', 'yes');
$this->appConfig->setValue('encryption', 'useMasterKey', '1');

/**
* Call validateShareKey method, to check if public share exists,
* else create one.
*/
$this->keyManager->validateShareKey();
$output->writeln("Encryption started\n");
/**
* Same here, check if public masterkey exists else
* create one.
* We are reusing the encryptAll code but not the decryptAll. The reason being
* decryptAll finishes by encrypting. Which is not what we want. This will make
* things out of scope for this command. We want first the entire oC FS to be
* decrypt. Then re-encrypt the entire oC FS with the new master key generated.
*/
$this->keyManager->validateMasterKey();
$this->encryptAllUsers($input, $output);
$encryptAll->encryptAll($input, $output);

$output->writeln("\nEncryption completed successfully\n");
$output->writeln("\n<info>Note: All users are required to relogin.</info>\n");
return 0;
} else {
$output->writeln("The process is abandoned");
return 2;
}
} else {
$output->writeln("Master key is not enabled.\n");
return 3;
}
}

protected function decryptAllUsers(InputInterface $input, OutputInterface $output) {
$this->decryptAll = new DecryptAll($this->encryptionManager, $this->userManager, $this->rootView, $this->logger);
$this->decryptAll->decryptAll($input, $output);
}

protected function encryptAllUsers(InputInterface $input, OutputInterface $output) {
/*
* We are reusing the encryptAll code but not the decryptAll. The reason being
* decryptAll finishes by encrypting. Which is not what we want. This will make
* things out of scope for this command. We want first the entire oC FS to be
* decrypt. Then re-encrypt the entire oC FS with the new master key generated.
*
*/
$this->encryptAll = new EncryptAll(
$this->userSetup, $this->userManager, $this->rootView,
$this->keyManager, $this->util, $this->config,
$this->mailer, $this->l, $this->questionHelper,
$this->secureRandom);
$this->encryptAll->encryptAll($input, $output);
}
}
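Review bot: In execute(), the result of `$decryptAll->decryptAll($input, $output)` is discarded and nothing in the shown lines assigns `$this->failed`, so the `if (empty($this->failed))` guard appears to pass even when some files could not be decrypted. That guard deletes `files_encryption` and calls `removeEncryptionAppSettings()`, and removing the old key material while ciphertext still depends on it cannot be undone. The command should stop before that branch on a failed run, e.g. `if ($decryptAll->decryptAll($input, $output) === false) { return 1; }`, assuming decryptAll() reports failure through its return value; otherwise expose the failed-file list from the DecryptAll object and test that. execute() begins above the hunk, so an assignment to `$this->failed` outside the visible lines cannot be ruled out. The leftover `//$questionHelper = $this->getHelper('question');` comment can be dropped.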
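--- a/lib/Crypto/EncryptAll.php
+++ b/lib/Crypto/EncryptAll.php
@@ -119,6 +119,27 @@ public function __construct(
 $this->userPasswords = [];
 }
 
+/**
+* Call this method only when no master key is created.
+*
+* @return bool true when masterkey and sharekey is created else false
+*/
+public function createMasterKey() {
+$this->keyManager->setPublicShareKeyIDAndMasterKeyId();
+
+/**
+* Call validateShareKey method, to check if public share exists,
+* else create one.
+*/
+$this->keyManager->validateShareKey();
+/**
+* Same here, check if public masterkey exists else
+* create one.
+*/
+$this->keyManager->validateMasterKey();
+return (!empty($this->keyManager->getPublicShareKey()) && !empty($this->keyManager->getPublicMasterKey()));
+}
+
 /**
 * start to encrypt all files
 *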
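Review bot: createMasterKey() cannot tell a newly generated key from one that was already present. Its own comments say validateShareKey() and validateMasterKey() create a key only when none exists, and the return value only tests that both public keys are non-empty. Because RecreateMasterKey prints "New masterkey created successfully" on a true result, the docblock should state that limit, e.g. `@return bool true when a public share key and a public master key exist after the call; this does not prove a new key was generated`. The caller should also confirm the old key files were removed before relying on the result. The method is declared without parameters while RecreateMasterKey::execute() calls `createMasterKey($input, $output)`; drop the arguments there or declare them here.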