keeweb/desktop/scripts/ipc-handlers/hardware-crypto.js

const { ipcMain } = require('electron');
const { readXoredValue, makeXoredValue } = require('../util/byte-utils');
const { reqNative } = require('../util/req-native');
const { isDev } = require('../util/app-info');

ipcMain.handle('hardwareCryptoDeleteKey', hardwareCryptoDeleteKey);
ipcMain.handle('hardwareEncrypt', hardwareEncrypt);
ipcMain.handle('hardwareDecrypt', hardwareDecrypt);

const keyTag = 'net.antelle.keeweb.encryption-key';

let testCipherParams;
let keyChecked = false;

async function hardwareCryptoDeleteKey() {
    const secureEnclave = reqNative('secure-enclave');
    await secureEnclave.deleteKeyPair({ keyTag });
    keyChecked = false;
}

async function hardwareEncrypt(e, value) {
    return await hardwareCrypto(value, true);
}

async function hardwareDecrypt(e, value, touchIdPrompt) {
    return await hardwareCrypto(value, false, touchIdPrompt);
}

async function hardwareCrypto(value, encrypt, touchIdPrompt) {
    if (process.platform !== 'darwin') {
        throw new Error('Not supported');
    }

    // This is a native module, but why is it here and not in native-module-host?
    // It's because native-module-host is started as a fork,
    //  and macOS thinks it doesn't have necessary entitlements,
    //  so any attempt to use Secure Enclave API fails with an error.

    const secureEnclave = reqNative('secure-enclave');

    const data = readXoredValue(value);

    let res;
    if (isDev && process.env.KEEWEB_EMULATE_HARDWARE_ENCRYPTION) {
        const crypto = require('crypto');
        if (!testCipherParams) {
            let key, iv;
            if (process.env.KEEWEB_EMULATE_HARDWARE_ENCRYPTION === 'persistent') {
                key = Buffer.alloc(32, 0);
                iv = Buffer.alloc(16, 0);
            } else {
                key = crypto.randomBytes(32);
                iv = crypto.randomBytes(16);
            }
            testCipherParams = { key, iv };
        }
        const { key, iv } = testCipherParams;
        const algo = 'aes-256-cbc';
        let cipher;
        if (encrypt) {
            cipher = crypto.createCipheriv(algo, key, iv);
        } else {
            cipher = crypto.createDecipheriv(algo, key, iv);
        }
        res = Buffer.concat([cipher.update(data), cipher.final()]);
    } else {
        if (encrypt) {
            await checkKey();
            res = await secureEnclave.encrypt({ keyTag, data });
        } else {
            res = await secureEnclave.decrypt({ keyTag, data, touchIdPrompt });
        }
    }

    data.fill(0);

    return makeXoredValue(res);

    async function checkKey() {
        if (keyChecked) {
            return;
        }
        try {
            await secureEnclave.createKeyPair({ keyTag });
            keyChecked = true;
        } catch (e) {
            if (!e.keyExists) {
                throw e;
            }
        }
    }
}
moved ipc handlers setup to corresponding files 2021-04-18 11:50:11 +02:00			`const { ipcMain } = require('electron');`
secure enclave support for #679 2021-01-10 14:31:33 +01:00			`const { readXoredValue, makeXoredValue } = require('../util/byte-utils');`
			`const { reqNative } = require('../util/req-native');`
moved isDev to utils 2021-04-21 19:31:37 +02:00			`const { isDev } = require('../util/app-info');`
secure enclave support for #679 2021-01-10 14:31:33 +01:00
moved ipc handlers setup to corresponding files 2021-04-18 11:50:11 +02:00			`ipcMain.handle('hardwareCryptoDeleteKey', hardwareCryptoDeleteKey);`
			`ipcMain.handle('hardwareEncrypt', hardwareEncrypt);`
			`ipcMain.handle('hardwareDecrypt', hardwareDecrypt);`

fix #1775: special error message for cases when Touch ID is changed after setup also added Touch ID key deletion when it's disabled 2021-04-02 18:47:04 +02:00			`const keyTag = 'net.antelle.keeweb.encryption-key';`

fix #679, fix #1383: Touch ID on macOS 2021-02-03 20:30:59 +01:00			`let testCipherParams;`
fix #1775: special error message for cases when Touch ID is changed after setup also added Touch ID key deletion when it's disabled 2021-04-02 18:47:04 +02:00			`let keyChecked = false;`
fix #679, fix #1383: Touch ID on macOS 2021-02-03 20:30:59 +01:00
fix #1775: special error message for cases when Touch ID is changed after setup also added Touch ID key deletion when it's disabled 2021-04-02 18:47:04 +02:00			`async function hardwareCryptoDeleteKey() {`
			`const secureEnclave = reqNative('secure-enclave');`
			`await secureEnclave.deleteKeyPair({ keyTag });`
			`keyChecked = false;`
			`}`

separated encrypt and decrypt 2021-01-10 16:56:53 +01:00			`async function hardwareEncrypt(e, value) {`
			`return await hardwareCrypto(value, true);`
			`}`

			`async function hardwareDecrypt(e, value, touchIdPrompt) {`
			`return await hardwareCrypto(value, false, touchIdPrompt);`
			`}`

			`async function hardwareCrypto(value, encrypt, touchIdPrompt) {`
secure enclave support for #679 2021-01-10 14:31:33 +01:00			`if (process.platform !== 'darwin') {`
			`throw new Error('Not supported');`
			`}`

			`// This is a native module, but why is it here and not in native-module-host?`
message formatting 2021-01-10 17:11:47 +01:00			`// It's because native-module-host is started as a fork,`
			`// and macOS thinks it doesn't have necessary entitlements,`
			`// so any attempt to use Secure Enclave API fails with an error.`
secure enclave support for #679 2021-01-10 14:31:33 +01:00
			`const secureEnclave = reqNative('secure-enclave');`

			`const data = readXoredValue(value);`

			`let res;`
fix #679, fix #1383: Touch ID on macOS 2021-02-03 20:30:59 +01:00			`if (isDev && process.env.KEEWEB_EMULATE_HARDWARE_ENCRYPTION) {`
			`const crypto = require('crypto');`
			`if (!testCipherParams) {`
			`let key, iv;`
			`if (process.env.KEEWEB_EMULATE_HARDWARE_ENCRYPTION === 'persistent') {`
			`key = Buffer.alloc(32, 0);`
			`iv = Buffer.alloc(16, 0);`
			`} else {`
			`key = crypto.randomBytes(32);`
			`iv = crypto.randomBytes(16);`
			`}`
			`testCipherParams = { key, iv };`
			`}`
			`const { key, iv } = testCipherParams;`
			`const algo = 'aes-256-cbc';`
			`let cipher;`
			`if (encrypt) {`
			`cipher = crypto.createCipheriv(algo, key, iv);`
			`} else {`
			`cipher = crypto.createDecipheriv(algo, key, iv);`
			`}`
			`res = Buffer.concat([cipher.update(data), cipher.final()]);`
secure enclave support for #679 2021-01-10 14:31:33 +01:00			`} else {`
fix #679, fix #1383: Touch ID on macOS 2021-02-03 20:30:59 +01:00			`if (encrypt) {`
			`await checkKey();`
			`res = await secureEnclave.encrypt({ keyTag, data });`
			`} else {`
			`res = await secureEnclave.decrypt({ keyTag, data, touchIdPrompt });`
			`}`
secure enclave support for #679 2021-01-10 14:31:33 +01:00			`}`

			`data.fill(0);`

			`return makeXoredValue(res);`

			`async function checkKey() {`
fix #1775: special error message for cases when Touch ID is changed after setup also added Touch ID key deletion when it's disabled 2021-04-02 18:47:04 +02:00			`if (keyChecked) {`
secure enclave support for #679 2021-01-10 14:31:33 +01:00			`return;`
			`}`
			`try {`
			`await secureEnclave.createKeyPair({ keyTag });`
fix #1775: special error message for cases when Touch ID is changed after setup also added Touch ID key deletion when it's disabled 2021-04-02 18:47:04 +02:00			`keyChecked = true;`
secure enclave support for #679 2021-01-10 14:31:33 +01:00			`} catch (e) {`
			`if (!e.keyExists) {`
			`throw e;`
			`}`
			`}`
			`}`
separated encrypt and decrypt 2021-01-10 16:56:53 +01:00			`}`