This repository has been archived by the owner on Jul 7, 2020. It is now read-only.
forked from keybase/client
/
appkeys.go
121 lines (105 loc) · 3.65 KB
/
appkeys.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
package teams
import (
"errors"
"fmt"
"github.com/keybase/client/go/libkb"
"github.com/keybase/client/go/protocol/keybase1"
"golang.org/x/net/context"
)
func AllApplicationKeys(ctx context.Context, teamData *keybase1.TeamData,
application keybase1.TeamApplication, latestGen keybase1.PerTeamKeyGeneration) (res []keybase1.TeamApplicationKey, err error) {
for gen := keybase1.PerTeamKeyGeneration(1); gen <= latestGen; gen++ {
appKey, err := ApplicationKeyAtGeneration(teamData, application, gen)
if err != nil {
return res, err
}
res = append(res, appKey)
}
return res, nil
}
func ApplicationKeyAtGeneration(teamData *keybase1.TeamData,
application keybase1.TeamApplication, generation keybase1.PerTeamKeyGeneration) (res keybase1.TeamApplicationKey, err error) {
item, ok := teamData.PerTeamKeySeeds[generation]
if !ok {
return res, libkb.NotFoundError{
Msg: fmt.Sprintf("no team secret found at generation %v", generation)}
}
var rkm *keybase1.ReaderKeyMask
if UseRKMForApp(application) {
rkmReal, err := readerKeyMask(teamData, application, generation)
if err != nil {
return res, err
}
rkm = &rkmReal
} else {
var zeroMask [32]byte
zeroRKM := keybase1.ReaderKeyMask{
Application: application,
Generation: generation,
Mask: zeroMask[:],
}
rkm = &zeroRKM
}
return applicationKeyForMask(*rkm, item.Seed)
}
func UseRKMForApp(application keybase1.TeamApplication) bool {
switch application {
case keybase1.TeamApplication_SEITAN_INVITE_TOKEN:
// Seitan tokens do not use RKMs because implicit admins have all the privileges of explicit members.
return false
default:
return true
}
}
func applicationKeyForMask(mask keybase1.ReaderKeyMask, secret keybase1.PerTeamKeySeed) (keybase1.TeamApplicationKey, error) {
if secret.IsZero() {
return keybase1.TeamApplicationKey{}, errors.New("nil shared secret in Team#applicationKeyForMask")
}
var derivationString string
switch mask.Application {
case keybase1.TeamApplication_KBFS:
derivationString = libkb.TeamKBFSDerivationString
case keybase1.TeamApplication_CHAT:
derivationString = libkb.TeamChatDerivationString
case keybase1.TeamApplication_SALTPACK:
derivationString = libkb.TeamSaltpackDerivationString
case keybase1.TeamApplication_GIT_METADATA:
derivationString = libkb.TeamGitMetadataDerivationString
case keybase1.TeamApplication_SEITAN_INVITE_TOKEN:
derivationString = libkb.TeamSeitanTokenDerivationString
case keybase1.TeamApplication_STELLAR_RELAY:
derivationString = libkb.TeamStellarRelayDerivationString
default:
return keybase1.TeamApplicationKey{}, fmt.Errorf("unrecognized application id: %v", mask.Application)
}
key := keybase1.TeamApplicationKey{
Application: mask.Application,
KeyGeneration: mask.Generation,
}
if len(mask.Mask) != 32 {
return keybase1.TeamApplicationKey{}, fmt.Errorf("mask length: %d, expected 32", len(mask.Mask))
}
secBytes := make([]byte, len(mask.Mask))
n := libkb.XORBytes(secBytes, derivedSecret(secret, derivationString), mask.Mask)
if n != 32 {
return key, errors.New("invalid derived secret xor mask size")
}
copy(key.Key[:], secBytes)
return key, nil
}
func readerKeyMask(teamData *keybase1.TeamData,
application keybase1.TeamApplication, generation keybase1.PerTeamKeyGeneration) (res keybase1.ReaderKeyMask, err error) {
m2, ok := teamData.ReaderKeyMasks[application]
if !ok {
return res, NewKeyMaskNotFoundErrorForApplication(application)
}
mask, ok := m2[generation]
if !ok {
return res, NewKeyMaskNotFoundErrorForApplicationAndGeneration(application, generation)
}
return keybase1.ReaderKeyMask{
Application: application,
Generation: generation,
Mask: mask,
}, nil
}