packages/shared/lib/keyTransparency/createPreAuthKTVerifier.ts

   1 import { serverTime } from '@proton/crypto';
   2 import { commitSKLToLS, fetchSignedKeyLists, ktSentryReport, ktSentryReportError } from '@proton/key-transparency';
   3
   4 import type { Address, DecryptedKey, PreAuthKTVerifier, PreAuthKTVerify, SignedKeyList } from '../interfaces';
   5 import { KeyTransparencyActivation } from '../interfaces';
   6 import { getDefaultKTLS } from './defaults';
   7
   8 /**
   9  * Return a KT verifier for when getSignedKeyList is called before apps are properly mounted,
  10  * e.g. signup or login, such that self audit couldn't have run and user keys are not directly accessible
  11  */
  12 const createPreAuthKTVerifier = (ktActivation: KeyTransparencyActivation): PreAuthKTVerifier => {
  13     interface CreatedSKL {
  14         address: Address;
  15         revision?: number;
  16         userKeys: DecryptedKey[];
  17         signedKeyList: SignedKeyList;
  18         creationTimestamp: number;
  19     }
  20
  21     var createdSKLs: CreatedSKL[] = [];
  22
  23     const ktLSAPI = getDefaultKTLS();
  24
  25     const preAuthKTVerify: PreAuthKTVerify = (userKeys: DecryptedKey[]) => async (address, signedKeyList) => {
  26         if (ktActivation === KeyTransparencyActivation.DISABLED) {
  27             return;
  28         }
  29         createdSKLs.push({
  30             address,
  31             revision: address.SignedKeyList?.Revision,
  32             userKeys,
  33             signedKeyList,
  34             creationTimestamp: +serverTime(),
  35         });
  36     };
  37
  38     const preAuthKTCommit: PreAuthKTVerifier['preAuthKTCommit'] = async (userID, api) => {
  39         try {
  40             if (ktActivation === KeyTransparencyActivation.DISABLED) {
  41                 return;
  42             }
  43
  44             if (!createdSKLs.length) {
  45                 return;
  46             }
  47
  48             for (const savedSKL of createdSKLs) {
  49                 const allSKLs = await fetchSignedKeyLists(api, savedSKL.revision ?? 0, savedSKL.address.Email);
  50                 const correspondingSKL = allSKLs.find((skl) => savedSKL.signedKeyList.Data == skl.Data);
  51                 if (!correspondingSKL || !correspondingSKL.Revision || !correspondingSKL.ExpectedMinEpochID) {
  52                     ktSentryReport('Could not find new SKL revision and expectedMinEpochID', {
  53                         email: savedSKL.address.Email,
  54                     });
  55                     return;
  56                 }
  57                 const privateKeys = savedSKL.userKeys.map(({ privateKey }) => privateKey);
  58                 const ktBlob = {
  59                     creationTimestamp: savedSKL.creationTimestamp,
  60                     expectedMinEpochID: correspondingSKL.ExpectedMinEpochID,
  61                     revision: correspondingSKL.Revision,
  62                     email: savedSKL.address.Email,
  63                     data: savedSKL.signedKeyList.Data,
  64                 };
  65                 await commitSKLToLS(ktBlob, privateKeys, ktLSAPI, userID, savedSKL.address.ID);
  66             }
  67             createdSKLs = [];
  68         } catch (error: any) {
  69             ktSentryReportError(error, { context: 'preAuthKTCommit' });
  70         }
  71     };
  72
  73     return {
  74         preAuthKTVerify,
  75         preAuthKTCommit,
  76     };
  77 };
  78
  79 export default createPreAuthKTVerifier;