SecureBitChat/securebit-chat
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

feat(security): switch master key to non-extractable CryptoKey handle and remove direct access
CodeQL Analysis / Analyze CodeQL (push) Has been cancelled
Details
Mirror to Codeberg / mirror (push) Has been cancelled
Details
Mirror to PrivacyGuides / mirror (push) Has been cancelled
Details

Browse Source
This commit is contained in:
lockbitchat
2025-10-30 15:16:36 -04:00
parent 77ed4b3e4f
commit 4583db39a2
8 changed files with 84 additions and 199 deletions
Download Patch File Download Diff File Expand all files Collapse all files
dist/app-boot.js
Vendored
+33 -79
View File
@@ -2507,12 +2507,6 @@ var EnhancedSecureCryptoUtils = class _EnhancedSecureCryptoUtils {
encoder.encode(payloadStr)
);
payload.mac = Array.from(new Uint8Array(mac));
_EnhancedSecureCryptoUtils.secureLog.log("info", "Message encrypted with metadata protection", {
messageId,
sequenceNumber,
hasMetadataProtection: true,
hasPadding: true
});
return payload;
} catch (error) {
_EnhancedSecureCryptoUtils.secureLog.log("error", "Message encryption failed", {
@@ -13781,11 +13775,10 @@ var SecureKeyStorage = class {
/**
* Get master key (with automatic unlock if needed)
*/
async _getMasterKey() {
async _ensureMasterKeyUnlocked() {
if (!this._masterKeyManager.isUnlocked()) {
await this._masterKeyManager.unlock();
}
return this._masterKeyManager.getMasterKey();
}
async storeKey(keyId, cryptoKey, metadata = {}) {
if (!(cryptoKey instanceof CryptoKey)) {
@@ -13854,27 +13847,18 @@ var SecureKeyStorage = class {
const dataToEncrypt = typeof keyData === "object" ? JSON.stringify(keyData) : keyData;
const encoder = new TextEncoder();
const data = encoder.encode(dataToEncrypt);
const iv = crypto.getRandomValues(new Uint8Array(12));
const masterKey = await this._getMasterKey();
const encryptedData = await crypto.subtle.encrypt(
{ name: "AES-GCM", iv },
masterKey,
data
);
await this._ensureMasterKeyUnlocked();
const { encryptedData, iv } = await this._masterKeyManager.encryptBytes(data);
const result = new Uint8Array(iv.length + encryptedData.byteLength);
result.set(iv, 0);
result.set(new Uint8Array(encryptedData), iv.length);
result.set(encryptedData, iv.length);
return result;
}
async _decryptKeyData(encryptedData) {
const iv = encryptedData.slice(0, 12);
const data = encryptedData.slice(12);
const masterKey = await this._getMasterKey();
const decryptedData = await crypto.subtle.decrypt(
{ name: "AES-GCM", iv },
masterKey,
data
);
await this._ensureMasterKeyUnlocked();
const decryptedData = await this._masterKeyManager.decryptBytes(data, iv);
const decoder = new TextDecoder();
const jsonString = decoder.decode(decryptedData);
try {
@@ -14418,8 +14402,7 @@ var SecurePersistentKeyStorage = class {
try {
await this._ensureDBInitialized();
const jwkData = await crypto.subtle.exportKey("jwk", cryptoKey);
const masterKey = this._masterKeyManager.getMasterKey();
const { encryptedData, iv } = await this._encryptKeyData(jwkData, masterKey);
const { encryptedData, iv } = await this._encryptKeyData(jwkData);
await this._indexedDB.storeEncryptedKey(
keyId,
encryptedData,
@@ -14449,8 +14432,7 @@ var SecurePersistentKeyStorage = class {
if (!keyRecord) {
return null;
}
const masterKey = this._masterKeyManager.getMasterKey();
const jwkData = await this._decryptKeyData(keyRecord.encryptedData, keyRecord.iv, masterKey);
const jwkData = await this._decryptKeyData(keyRecord.encryptedData, keyRecord.iv);
const restoredKey = await this._importAsNonExtractable(jwkData, keyRecord.algorithm, keyRecord.usages);
this._keyReferences.set(keyId, restoredKey);
await this._indexedDB.updateKeyMetadata(keyId, { lastAccessed: Date.now() });
@@ -14499,29 +14481,18 @@ var SecurePersistentKeyStorage = class {
/**
* Encrypt key data using master key
*/
async _encryptKeyData(jwkData, masterKey) {
async _encryptKeyData(jwkData) {
const jsonString = JSON.stringify(jwkData);
const data = new TextEncoder().encode(jsonString);
const iv = crypto.getRandomValues(new Uint8Array(12));
const encryptedData = await crypto.subtle.encrypt(
{ name: "AES-GCM", iv },
masterKey,
data
);
return {
encryptedData: new Uint8Array(encryptedData),
iv
};
await this._ensureMasterKeyUnlocked();
return await this._masterKeyManager.encryptBytes(data);
}
/**
* Decrypt key data using master key
*/
async _decryptKeyData(encryptedData, iv, masterKey) {
const decryptedData = await crypto.subtle.decrypt(
{ name: "AES-GCM", iv },
masterKey,
encryptedData
);
async _decryptKeyData(encryptedData, iv) {
await this._ensureMasterKeyUnlocked();
const decryptedData = await this._masterKeyManager.decryptBytes(encryptedData, iv);
const jsonString = new TextDecoder().decode(decryptedData);
return JSON.parse(jsonString);
}
@@ -14564,7 +14535,7 @@ var SecurePersistentKeyStorage = class {
};
var SecureMasterKeyManager = class {
constructor(indexedDBWrapper = null) {
this._masterKey = null;
this._keyHandle = null;
this._isUnlocked = false;
this._sessionTimeout = null;
this._lastActivity = null;
@@ -14773,7 +14744,7 @@ var SecureMasterKeyManager = class {
password = await this._requestPassword(false);
}
const salt = await this._getOrCreateSalt();
this._masterKey = await this._deriveKeyFromPassword(password, salt);
this._keyHandle = await this._deriveKeyFromPassword(password, salt);
this._isUnlocked = true;
this._lastActivity = Date.now();
this._startSessionTimer();
@@ -14796,12 +14767,23 @@ var SecureMasterKeyManager = class {
/**
* Get master key (only if unlocked)
*/
getMasterKey() {
if (!this._isUnlocked || !this._masterKey) {
// Prevent direct key access; provide operations only
async encryptBytes(plainBytes) {
if (!this._isUnlocked || !this._keyHandle) {
throw new Error("Master key is locked");
}
this._updateActivity();
return this._masterKey;
const iv = crypto.getRandomValues(new Uint8Array(12));
const encrypted = await crypto.subtle.encrypt({ name: "AES-GCM", iv }, this._keyHandle, plainBytes);
return { encryptedData: new Uint8Array(encrypted), iv };
}
async decryptBytes(encryptedBytes, iv) {
if (!this._isUnlocked || !this._keyHandle) {
throw new Error("Master key is locked");
}
this._updateActivity();
const decrypted = await crypto.subtle.decrypt({ name: "AES-GCM", iv }, this._keyHandle, encryptedBytes);
return new Uint8Array(decrypted);
}
/**
* Check if master key is unlocked
@@ -14824,8 +14806,8 @@ var SecureMasterKeyManager = class {
* Securely wipe master key from memory
*/
_secureWipeMasterKey() {
if (this._masterKey) {
this._masterKey = null;
if (this._keyHandle) {
this._keyHandle = null;
}
this._clearTimers();
}
@@ -14896,10 +14878,8 @@ var EnhancedMinimalHeader = ({
} else if (window.DEBUG_MODE) {
}
} else {
console.warn(" Security calculation returned invalid data");
}
} catch (error) {
console.error(" Error in real security calculation:", error);
} finally {
isUpdating = false;
}
@@ -14940,10 +14920,8 @@ var EnhancedMinimalHeader = ({
if (securityData && securityData.isRealData !== false) {
setRealSecurityLevel(securityData);
setLastSecurityUpdate(Date.now());
console.log("\u2705 Header security level force-updated");
}
}).catch((error) => {
console.error("\u274C Force update failed:", error);
});
} else {
setLastSecurityUpdate(0);
@@ -14971,9 +14949,6 @@ var EnhancedMinimalHeader = ({
setSessionType("premium");
};
const handleConnectionCleaned = () => {
if (window.DEBUG_MODE) {
console.log("\u{1F9F9} Connection cleaned - clearing security data in header");
}
setRealSecurityLevel(null);
setLastSecurityUpdate(0);
setHasActiveSession(false);
@@ -14981,9 +14956,6 @@ var EnhancedMinimalHeader = ({
setSessionType("unknown");
};
const handlePeerDisconnect = () => {
if (window.DEBUG_MODE) {
console.log("\u{1F44B} Peer disconnect detected - clearing security data in header");
}
setRealSecurityLevel(null);
setLastSecurityUpdate(0);
};
@@ -15018,15 +14990,9 @@ var EnhancedMinimalHeader = ({
if (webrtcManager && window.EnhancedSecureCryptoUtils) {
try {
realTestResults = await window.EnhancedSecureCryptoUtils.calculateSecurityLevel(webrtcManager);
console.log("\u2705 Real security tests completed:", realTestResults);
} catch (error) {
console.error("\u274C Real security tests failed:", error);
}
} else {
console.log("\u26A0\uFE0F Cannot run security tests:", {
webrtcManager: !!webrtcManager,
cryptoUtils: !!window.EnhancedSecureCryptoUtils
});
}
if (!realTestResults && !realSecurityLevel) {
alert("Security verification in progress...\nPlease wait for real-time cryptographic verification to complete.");
@@ -15045,7 +15011,6 @@ var EnhancedMinimalHeader = ({
passedChecks: 0,
totalChecks: 0
};
console.log("Using fallback security data:", securityData);
}
let message = `REAL-TIME SECURITY VERIFICATION
@@ -15261,18 +15226,7 @@ Right-click or Ctrl+click to disconnect`,
};
const securityDetails = getSecurityIndicatorDetails();
React.useEffect(() => {
window.debugHeaderSecurity = () => {
console.log("\u{1F50D} Header Security Debug:", {
realSecurityLevel,
lastSecurityUpdate,
isConnected,
webrtcManagerProp: !!webrtcManager,
windowWebrtcManager: !!window.webrtcManager,
cryptoUtils: !!window.EnhancedSecureCryptoUtils,
displaySecurityLevel,
securityDetails
});
};
window.debugHeaderSecurity = void 0;
return () => {
delete window.debugHeaderSecurity;
};
dist/app-boot.js.map
Vendored
+2 -2
View File
File diff suppressed because one or more lines are too long
dist/app.js
Vendored
-11
View File
@@ -2266,7 +2266,6 @@ var EnhancedSecureP2PChat = () => {
return Promise.resolve(false);
}
}
console.log("Processing single QR code:", scannedData.substring(0, 50) + "...");
let parsedData;
if (typeof window.decodeAnyPayload === "function") {
const any = window.decodeAnyPayload(scannedData);
@@ -2568,24 +2567,14 @@ var EnhancedSecureP2PChat = () => {
}]);
let offer;
try {
console.log("DEBUG: Processing offer input:", offerInput.trim().substring(0, 100) + "...");
console.log("DEBUG: decodeAnyPayload available:", typeof window.decodeAnyPayload === "function");
console.log("DEBUG: decompressIfNeeded available:", typeof window.decompressIfNeeded === "function");
if (typeof window.decodeAnyPayload === "function") {
console.log("DEBUG: Using decodeAnyPayload...");
const any = window.decodeAnyPayload(offerInput.trim());
console.log("DEBUG: decodeAnyPayload result type:", typeof any);
console.log("DEBUG: decodeAnyPayload result:", any);
offer = typeof any === "string" ? JSON.parse(any) : any;
} else {
console.log("DEBUG: Using decompressIfNeeded...");
const rawText = typeof window.decompressIfNeeded === "function" ? window.decompressIfNeeded(offerInput.trim()) : offerInput.trim();
console.log("DEBUG: decompressIfNeeded result:", rawText.substring(0, 100) + "...");
offer = JSON.parse(rawText);
}
console.log("DEBUG: Final offer:", offer);
} catch (parseError) {
console.error("DEBUG: Parse error:", parseError);
throw new Error(`Invalid invitation format: ${parseError.message}`);
}
if (!offer || typeof offer !== "object") {
dist/app.js.map
Vendored
+2 -2
View File
File diff suppressed because one or more lines are too long
src/app.jsx
+1 -12
View File
@@ -2589,7 +2589,7 @@
}
// Single QR code - try to decode directly
console.log('Processing single QR code:', scannedData.substring(0, 50) + '...');
// Removed verbose debug log
let parsedData;
if (typeof window.decodeAnyPayload === 'function') {
const any = window.decodeAnyPayload(scannedData);
@@ -2939,26 +2939,15 @@
let offer;
try {
console.log('DEBUG: Processing offer input:', offerInput.trim().substring(0, 100) + '...');
console.log('DEBUG: decodeAnyPayload available:', typeof window.decodeAnyPayload === 'function');
console.log('DEBUG: decompressIfNeeded available:', typeof window.decompressIfNeeded === 'function');
// Prefer binary decode first, then gzip JSON
if (typeof window.decodeAnyPayload === 'function') {
console.log('DEBUG: Using decodeAnyPayload...');
const any = window.decodeAnyPayload(offerInput.trim());
console.log('DEBUG: decodeAnyPayload result type:', typeof any);
console.log('DEBUG: decodeAnyPayload result:', any);
offer = (typeof any === 'string') ? JSON.parse(any) : any;
} else {
console.log('DEBUG: Using decompressIfNeeded...');
const rawText = (typeof window.decompressIfNeeded === 'function') ? window.decompressIfNeeded(offerInput.trim()) : offerInput.trim();
console.log('DEBUG: decompressIfNeeded result:', rawText.substring(0, 100) + '...');
offer = JSON.parse(rawText);
}
console.log('DEBUG: Final offer:', offer);
} catch (parseError) {
console.error('DEBUG: Parse error:', parseError);
throw new Error(`Invalid invitation format: ${parseError.message}`);
}
src/components/ui/Header.jsx
+11 -29
View File
@@ -63,11 +63,11 @@ const EnhancedMinimalHeader = ({
} else if (window.DEBUG_MODE) {
}
} else {
console.warn(' Security calculation returned invalid data');
}
} catch (error) {
console.error(' Error in real security calculation:', error);
} finally {
isUpdating = false;
}
@@ -125,11 +125,11 @@ const EnhancedMinimalHeader = ({
if (securityData && securityData.isRealData !== false) {
setRealSecurityLevel(securityData);
setLastSecurityUpdate(Date.now());
console.log('✅ Header security level force-updated');
}
})
.catch(error => {
console.error('❌ Force update failed:', error);
});
} else {
setLastSecurityUpdate(0);
@@ -170,9 +170,7 @@ const EnhancedMinimalHeader = ({
// Connection cleanup handler (use existing event from module)
const handleConnectionCleaned = () => {
if (window.DEBUG_MODE) {
console.log('🧹 Connection cleaned - clearing security data in header');
}
setRealSecurityLevel(null);
setLastSecurityUpdate(0);
@@ -183,9 +181,7 @@ const EnhancedMinimalHeader = ({
};
const handlePeerDisconnect = () => {
if (window.DEBUG_MODE) {
console.log('👋 Peer disconnect detected - clearing security data in header');
}
setRealSecurityLevel(null);
setLastSecurityUpdate(0);
@@ -236,15 +232,12 @@ const EnhancedMinimalHeader = ({
if (webrtcManager && window.EnhancedSecureCryptoUtils) {
try {
realTestResults = await window.EnhancedSecureCryptoUtils.calculateSecurityLevel(webrtcManager);
console.log('✅ Real security tests completed:', realTestResults);
} catch (error) {
console.error('❌ Real security tests failed:', error);
}
} else {
console.log('⚠️ Cannot run security tests:', {
webrtcManager: !!webrtcManager,
cryptoUtils: !!window.EnhancedSecureCryptoUtils
});
}
// If no real test results and no existing security level, show progress message
@@ -269,7 +262,7 @@ const EnhancedMinimalHeader = ({
passedChecks: 0,
totalChecks: 0
};
console.log('Using fallback security data:', securityData);
}
// Detailed information about the REAL security check
@@ -501,18 +494,7 @@ const EnhancedMinimalHeader = ({
// ============================================
React.useEffect(() => {
window.debugHeaderSecurity = () => {
console.log('🔍 Header Security Debug:', {
realSecurityLevel,
lastSecurityUpdate,
isConnected,
webrtcManagerProp: !!webrtcManager,
windowWebrtcManager: !!window.webrtcManager,
cryptoUtils: !!window.EnhancedSecureCryptoUtils,
displaySecurityLevel: displaySecurityLevel,
securityDetails: securityDetails
});
};
window.debugHeaderSecurity = undefined;
return () => {
delete window.debugHeaderSecurity;
src/crypto/EnhancedSecureCryptoUtils.js
+1 -6
View File
@@ -2308,12 +2308,7 @@ class EnhancedSecureCryptoUtils {
payload.mac = Array.from(new Uint8Array(mac));
EnhancedSecureCryptoUtils.secureLog.log('info', 'Message encrypted with metadata protection', {
messageId,
sequenceNumber,
hasMetadataProtection: true,
hasPadding: true
});
// Logging removed to avoid noisy console output
return payload;
} catch (error) {
src/network/EnhancedSecureWebRTCManager.js
+34 -58
View File
@@ -12094,11 +12094,10 @@ class SecureKeyStorage {
/**
* Get master key (with automatic unlock if needed)
*/
async _getMasterKey() {
async _ensureMasterKeyUnlocked() {
if (!this._masterKeyManager.isUnlocked()) {
await this._masterKeyManager.unlock();
}
return this._masterKeyManager.getMasterKey();
}
async storeKey(keyId, cryptoKey, metadata = {}) {
@@ -12191,20 +12190,12 @@ class SecureKeyStorage {
const encoder = new TextEncoder();
const data = encoder.encode(dataToEncrypt);
const iv = crypto.getRandomValues(new Uint8Array(12));
const masterKey = await this._getMasterKey();
const encryptedData = await crypto.subtle.encrypt(
{ name: 'AES-GCM', iv },
masterKey,
data
);
await this._ensureMasterKeyUnlocked();
const { encryptedData, iv } = await this._masterKeyManager.encryptBytes(data);
// Return IV + encrypted data
const result = new Uint8Array(iv.length + encryptedData.byteLength);
result.set(iv, 0);
result.set(new Uint8Array(encryptedData), iv.length);
result.set(encryptedData, iv.length);
return result;
}
@@ -12212,12 +12203,8 @@ class SecureKeyStorage {
const iv = encryptedData.slice(0, 12);
const data = encryptedData.slice(12);
const masterKey = await this._getMasterKey();
const decryptedData = await crypto.subtle.decrypt(
{ name: 'AES-GCM', iv },
masterKey,
data
);
await this._ensureMasterKeyUnlocked();
const decryptedData = await this._masterKeyManager.decryptBytes(data, iv);
const decoder = new TextDecoder();
const jsonString = decoder.decode(decryptedData);
@@ -12906,11 +12893,8 @@ class SecurePersistentKeyStorage {
// Export key to JWK
const jwkData = await crypto.subtle.exportKey('jwk', cryptoKey);
// Get master key for encryption
const masterKey = this._masterKeyManager.getMasterKey();
// Encrypt JWK data
const { encryptedData, iv } = await this._encryptKeyData(jwkData, masterKey);
const { encryptedData, iv } = await this._encryptKeyData(jwkData);
// Store encrypted data in IndexedDB
await this._indexedDB.storeEncryptedKey(
@@ -12952,11 +12936,8 @@ class SecurePersistentKeyStorage {
return null;
}
// Get master key for decryption
const masterKey = this._masterKeyManager.getMasterKey();
// Decrypt JWK data
const jwkData = await this._decryptKeyData(keyRecord.encryptedData, keyRecord.iv, masterKey);
const jwkData = await this._decryptKeyData(keyRecord.encryptedData, keyRecord.iv);
// Import as non-extractable key
const restoredKey = await this._importAsNonExtractable(jwkData, keyRecord.algorithm, keyRecord.usages);
@@ -13029,37 +13010,21 @@ class SecurePersistentKeyStorage {
/**
* Encrypt key data using master key
*/
async _encryptKeyData(jwkData, masterKey) {
async _encryptKeyData(jwkData) {
// Convert JWK to JSON string and then to bytes
const jsonString = JSON.stringify(jwkData);
const data = new TextEncoder().encode(jsonString);
// Generate random IV
const iv = crypto.getRandomValues(new Uint8Array(12));
// Encrypt with AES-GCM
const encryptedData = await crypto.subtle.encrypt(
{ name: 'AES-GCM', iv },
masterKey,
data
);
return {
encryptedData: new Uint8Array(encryptedData),
iv: iv
};
await this._ensureMasterKeyUnlocked();
return await this._masterKeyManager.encryptBytes(data);
}
/**
* Decrypt key data using master key
*/
async _decryptKeyData(encryptedData, iv, masterKey) {
// Decrypt with AES-GCM
const decryptedData = await crypto.subtle.decrypt(
{ name: 'AES-GCM', iv },
masterKey,
encryptedData
);
async _decryptKeyData(encryptedData, iv) {
await this._ensureMasterKeyUnlocked();
const decryptedData = await this._masterKeyManager.decryptBytes(encryptedData, iv);
// Convert back to JWK
const jsonString = new TextDecoder().decode(decryptedData);
@@ -13114,7 +13079,7 @@ class SecurePersistentKeyStorage {
class SecureMasterKeyManager {
constructor(indexedDBWrapper = null) {
// Session state
this._masterKey = null;
this._keyHandle = null; // non-extractable CryptoKey
this._isUnlocked = false;
this._sessionTimeout = null;
this._lastActivity = null;
@@ -13372,8 +13337,8 @@ class SecureMasterKeyManager {
// Get or create persistent salt
const salt = await this._getOrCreateSalt();
// Derive master key
this._masterKey = await this._deriveKeyFromPassword(password, salt);
// Derive non-extractable key handle
this._keyHandle = await this._deriveKeyFromPassword(password, salt);
// Mark as unlocked
this._isUnlocked = true;
@@ -13408,13 +13373,24 @@ class SecureMasterKeyManager {
/**
* Get master key (only if unlocked)
*/
getMasterKey() {
if (!this._isUnlocked || !this._masterKey) {
// Prevent direct key access; provide operations only
async encryptBytes(plainBytes) {
if (!this._isUnlocked || !this._keyHandle) {
throw new Error('Master key is locked');
}
this._updateActivity();
return this._masterKey;
const iv = crypto.getRandomValues(new Uint8Array(12));
const encrypted = await crypto.subtle.encrypt({ name: 'AES-GCM', iv }, this._keyHandle, plainBytes);
return { encryptedData: new Uint8Array(encrypted), iv };
}
async decryptBytes(encryptedBytes, iv) {
if (!this._isUnlocked || !this._keyHandle) {
throw new Error('Master key is locked');
}
this._updateActivity();
const decrypted = await crypto.subtle.decrypt({ name: 'AES-GCM', iv }, this._keyHandle, encryptedBytes);
return new Uint8Array(decrypted);
}
/**
@@ -13440,10 +13416,10 @@ class SecureMasterKeyManager {
* Securely wipe master key from memory
*/
_secureWipeMasterKey() {
if (this._masterKey) {
if (this._keyHandle) {
// CryptoKey objects are automatically garbage collected
// but we clear the reference immediately
this._masterKey = null;
this._keyHandle = null;
}
this._clearTimers();
}