feat(security): switch master key to non-extractable CryptoKey handle and remove direct access
This commit is contained in:
lockbitchat
13
src/app.jsx
13
src/app.jsx
@@ -2589,7 +2589,7 @@
|
||||
}
|
||||
|
||||
// Single QR code - try to decode directly
|
||||
console.log('Processing single QR code:', scannedData.substring(0, 50) + '...');
|
||||
// Removed verbose debug log
|
||||
let parsedData;
|
||||
if (typeof window.decodeAnyPayload === 'function') {
|
||||
const any = window.decodeAnyPayload(scannedData);
|
||||
@@ -2939,26 +2939,15 @@
|
||||
|
||||
let offer;
|
||||
try {
|
||||
console.log('DEBUG: Processing offer input:', offerInput.trim().substring(0, 100) + '...');
|
||||
console.log('DEBUG: decodeAnyPayload available:', typeof window.decodeAnyPayload === 'function');
|
||||
console.log('DEBUG: decompressIfNeeded available:', typeof window.decompressIfNeeded === 'function');
|
||||
|
||||
// Prefer binary decode first, then gzip JSON
|
||||
if (typeof window.decodeAnyPayload === 'function') {
|
||||
console.log('DEBUG: Using decodeAnyPayload...');
|
||||
const any = window.decodeAnyPayload(offerInput.trim());
|
||||
console.log('DEBUG: decodeAnyPayload result type:', typeof any);
|
||||
console.log('DEBUG: decodeAnyPayload result:', any);
|
||||
offer = (typeof any === 'string') ? JSON.parse(any) : any;
|
||||
} else {
|
||||
console.log('DEBUG: Using decompressIfNeeded...');
|
||||
const rawText = (typeof window.decompressIfNeeded === 'function') ? window.decompressIfNeeded(offerInput.trim()) : offerInput.trim();
|
||||
console.log('DEBUG: decompressIfNeeded result:', rawText.substring(0, 100) + '...');
|
||||
offer = JSON.parse(rawText);
|
||||
}
|
||||
console.log('DEBUG: Final offer:', offer);
|
||||
} catch (parseError) {
|
||||
console.error('DEBUG: Parse error:', parseError);
|
||||
throw new Error(`Invalid invitation format: ${parseError.message}`);
|
||||
}
|
||||
|
||||
|
||||
@@ -63,11 +63,11 @@ const EnhancedMinimalHeader = ({
|
||||
} else if (window.DEBUG_MODE) {
|
||||
}
|
||||
} else {
|
||||
console.warn(' Security calculation returned invalid data');
|
||||
|
||||
}
|
||||
|
||||
} catch (error) {
|
||||
console.error(' Error in real security calculation:', error);
|
||||
|
||||
} finally {
|
||||
isUpdating = false;
|
||||
}
|
||||
@@ -125,11 +125,11 @@ const EnhancedMinimalHeader = ({
|
||||
if (securityData && securityData.isRealData !== false) {
|
||||
setRealSecurityLevel(securityData);
|
||||
setLastSecurityUpdate(Date.now());
|
||||
console.log('✅ Header security level force-updated');
|
||||
|
||||
}
|
||||
})
|
||||
.catch(error => {
|
||||
console.error('❌ Force update failed:', error);
|
||||
|
||||
});
|
||||
} else {
|
||||
setLastSecurityUpdate(0);
|
||||
@@ -170,9 +170,7 @@ const EnhancedMinimalHeader = ({
|
||||
|
||||
// Connection cleanup handler (use existing event from module)
|
||||
const handleConnectionCleaned = () => {
|
||||
if (window.DEBUG_MODE) {
|
||||
console.log('🧹 Connection cleaned - clearing security data in header');
|
||||
}
|
||||
|
||||
|
||||
setRealSecurityLevel(null);
|
||||
setLastSecurityUpdate(0);
|
||||
@@ -183,9 +181,7 @@ const EnhancedMinimalHeader = ({
|
||||
};
|
||||
|
||||
const handlePeerDisconnect = () => {
|
||||
if (window.DEBUG_MODE) {
|
||||
console.log('👋 Peer disconnect detected - clearing security data in header');
|
||||
}
|
||||
|
||||
|
||||
setRealSecurityLevel(null);
|
||||
setLastSecurityUpdate(0);
|
||||
@@ -236,15 +232,12 @@ const EnhancedMinimalHeader = ({
|
||||
if (webrtcManager && window.EnhancedSecureCryptoUtils) {
|
||||
try {
|
||||
realTestResults = await window.EnhancedSecureCryptoUtils.calculateSecurityLevel(webrtcManager);
|
||||
console.log('✅ Real security tests completed:', realTestResults);
|
||||
|
||||
} catch (error) {
|
||||
console.error('❌ Real security tests failed:', error);
|
||||
|
||||
}
|
||||
} else {
|
||||
console.log('⚠️ Cannot run security tests:', {
|
||||
webrtcManager: !!webrtcManager,
|
||||
cryptoUtils: !!window.EnhancedSecureCryptoUtils
|
||||
});
|
||||
|
||||
}
|
||||
|
||||
// If no real test results and no existing security level, show progress message
|
||||
@@ -269,7 +262,7 @@ const EnhancedMinimalHeader = ({
|
||||
passedChecks: 0,
|
||||
totalChecks: 0
|
||||
};
|
||||
console.log('Using fallback security data:', securityData);
|
||||
|
||||
}
|
||||
|
||||
// Detailed information about the REAL security check
|
||||
@@ -501,18 +494,7 @@ const EnhancedMinimalHeader = ({
|
||||
// ============================================
|
||||
|
||||
React.useEffect(() => {
|
||||
window.debugHeaderSecurity = () => {
|
||||
console.log('🔍 Header Security Debug:', {
|
||||
realSecurityLevel,
|
||||
lastSecurityUpdate,
|
||||
isConnected,
|
||||
webrtcManagerProp: !!webrtcManager,
|
||||
windowWebrtcManager: !!window.webrtcManager,
|
||||
cryptoUtils: !!window.EnhancedSecureCryptoUtils,
|
||||
displaySecurityLevel: displaySecurityLevel,
|
||||
securityDetails: securityDetails
|
||||
});
|
||||
};
|
||||
window.debugHeaderSecurity = undefined;
|
||||
|
||||
return () => {
|
||||
delete window.debugHeaderSecurity;
|
||||
|
||||
@@ -2308,12 +2308,7 @@ class EnhancedSecureCryptoUtils {
|
||||
|
||||
payload.mac = Array.from(new Uint8Array(mac));
|
||||
|
||||
EnhancedSecureCryptoUtils.secureLog.log('info', 'Message encrypted with metadata protection', {
|
||||
messageId,
|
||||
sequenceNumber,
|
||||
hasMetadataProtection: true,
|
||||
hasPadding: true
|
||||
});
|
||||
// Logging removed to avoid noisy console output
|
||||
|
||||
return payload;
|
||||
} catch (error) {
|
||||
|
||||
@@ -12094,11 +12094,10 @@ class SecureKeyStorage {
|
||||
/**
|
||||
* Get master key (with automatic unlock if needed)
|
||||
*/
|
||||
async _getMasterKey() {
|
||||
async _ensureMasterKeyUnlocked() {
|
||||
if (!this._masterKeyManager.isUnlocked()) {
|
||||
await this._masterKeyManager.unlock();
|
||||
}
|
||||
return this._masterKeyManager.getMasterKey();
|
||||
}
|
||||
|
||||
async storeKey(keyId, cryptoKey, metadata = {}) {
|
||||
@@ -12191,20 +12190,12 @@ class SecureKeyStorage {
|
||||
const encoder = new TextEncoder();
|
||||
const data = encoder.encode(dataToEncrypt);
|
||||
|
||||
const iv = crypto.getRandomValues(new Uint8Array(12));
|
||||
|
||||
const masterKey = await this._getMasterKey();
|
||||
const encryptedData = await crypto.subtle.encrypt(
|
||||
{ name: 'AES-GCM', iv },
|
||||
masterKey,
|
||||
data
|
||||
);
|
||||
|
||||
await this._ensureMasterKeyUnlocked();
|
||||
const { encryptedData, iv } = await this._masterKeyManager.encryptBytes(data);
|
||||
// Return IV + encrypted data
|
||||
const result = new Uint8Array(iv.length + encryptedData.byteLength);
|
||||
result.set(iv, 0);
|
||||
result.set(new Uint8Array(encryptedData), iv.length);
|
||||
|
||||
result.set(encryptedData, iv.length);
|
||||
return result;
|
||||
}
|
||||
|
||||
@@ -12212,12 +12203,8 @@ class SecureKeyStorage {
|
||||
const iv = encryptedData.slice(0, 12);
|
||||
const data = encryptedData.slice(12);
|
||||
|
||||
const masterKey = await this._getMasterKey();
|
||||
const decryptedData = await crypto.subtle.decrypt(
|
||||
{ name: 'AES-GCM', iv },
|
||||
masterKey,
|
||||
data
|
||||
);
|
||||
await this._ensureMasterKeyUnlocked();
|
||||
const decryptedData = await this._masterKeyManager.decryptBytes(data, iv);
|
||||
|
||||
const decoder = new TextDecoder();
|
||||
const jsonString = decoder.decode(decryptedData);
|
||||
@@ -12906,11 +12893,8 @@ class SecurePersistentKeyStorage {
|
||||
// Export key to JWK
|
||||
const jwkData = await crypto.subtle.exportKey('jwk', cryptoKey);
|
||||
|
||||
// Get master key for encryption
|
||||
const masterKey = this._masterKeyManager.getMasterKey();
|
||||
|
||||
// Encrypt JWK data
|
||||
const { encryptedData, iv } = await this._encryptKeyData(jwkData, masterKey);
|
||||
const { encryptedData, iv } = await this._encryptKeyData(jwkData);
|
||||
|
||||
// Store encrypted data in IndexedDB
|
||||
await this._indexedDB.storeEncryptedKey(
|
||||
@@ -12952,11 +12936,8 @@ class SecurePersistentKeyStorage {
|
||||
return null;
|
||||
}
|
||||
|
||||
// Get master key for decryption
|
||||
const masterKey = this._masterKeyManager.getMasterKey();
|
||||
|
||||
// Decrypt JWK data
|
||||
const jwkData = await this._decryptKeyData(keyRecord.encryptedData, keyRecord.iv, masterKey);
|
||||
const jwkData = await this._decryptKeyData(keyRecord.encryptedData, keyRecord.iv);
|
||||
|
||||
// Import as non-extractable key
|
||||
const restoredKey = await this._importAsNonExtractable(jwkData, keyRecord.algorithm, keyRecord.usages);
|
||||
@@ -13029,37 +13010,21 @@ class SecurePersistentKeyStorage {
|
||||
/**
|
||||
* Encrypt key data using master key
|
||||
*/
|
||||
async _encryptKeyData(jwkData, masterKey) {
|
||||
async _encryptKeyData(jwkData) {
|
||||
// Convert JWK to JSON string and then to bytes
|
||||
const jsonString = JSON.stringify(jwkData);
|
||||
const data = new TextEncoder().encode(jsonString);
|
||||
|
||||
// Generate random IV
|
||||
const iv = crypto.getRandomValues(new Uint8Array(12));
|
||||
|
||||
// Encrypt with AES-GCM
|
||||
const encryptedData = await crypto.subtle.encrypt(
|
||||
{ name: 'AES-GCM', iv },
|
||||
masterKey,
|
||||
data
|
||||
);
|
||||
|
||||
return {
|
||||
encryptedData: new Uint8Array(encryptedData),
|
||||
iv: iv
|
||||
};
|
||||
await this._ensureMasterKeyUnlocked();
|
||||
return await this._masterKeyManager.encryptBytes(data);
|
||||
}
|
||||
|
||||
/**
|
||||
* Decrypt key data using master key
|
||||
*/
|
||||
async _decryptKeyData(encryptedData, iv, masterKey) {
|
||||
// Decrypt with AES-GCM
|
||||
const decryptedData = await crypto.subtle.decrypt(
|
||||
{ name: 'AES-GCM', iv },
|
||||
masterKey,
|
||||
encryptedData
|
||||
);
|
||||
async _decryptKeyData(encryptedData, iv) {
|
||||
await this._ensureMasterKeyUnlocked();
|
||||
const decryptedData = await this._masterKeyManager.decryptBytes(encryptedData, iv);
|
||||
|
||||
// Convert back to JWK
|
||||
const jsonString = new TextDecoder().decode(decryptedData);
|
||||
@@ -13114,7 +13079,7 @@ class SecurePersistentKeyStorage {
|
||||
class SecureMasterKeyManager {
|
||||
constructor(indexedDBWrapper = null) {
|
||||
// Session state
|
||||
this._masterKey = null;
|
||||
this._keyHandle = null; // non-extractable CryptoKey
|
||||
this._isUnlocked = false;
|
||||
this._sessionTimeout = null;
|
||||
this._lastActivity = null;
|
||||
@@ -13372,8 +13337,8 @@ class SecureMasterKeyManager {
|
||||
// Get or create persistent salt
|
||||
const salt = await this._getOrCreateSalt();
|
||||
|
||||
// Derive master key
|
||||
this._masterKey = await this._deriveKeyFromPassword(password, salt);
|
||||
// Derive non-extractable key handle
|
||||
this._keyHandle = await this._deriveKeyFromPassword(password, salt);
|
||||
|
||||
// Mark as unlocked
|
||||
this._isUnlocked = true;
|
||||
@@ -13408,13 +13373,24 @@ class SecureMasterKeyManager {
|
||||
/**
|
||||
* Get master key (only if unlocked)
|
||||
*/
|
||||
getMasterKey() {
|
||||
if (!this._isUnlocked || !this._masterKey) {
|
||||
// Prevent direct key access; provide operations only
|
||||
async encryptBytes(plainBytes) {
|
||||
if (!this._isUnlocked || !this._keyHandle) {
|
||||
throw new Error('Master key is locked');
|
||||
}
|
||||
|
||||
this._updateActivity();
|
||||
return this._masterKey;
|
||||
const iv = crypto.getRandomValues(new Uint8Array(12));
|
||||
const encrypted = await crypto.subtle.encrypt({ name: 'AES-GCM', iv }, this._keyHandle, plainBytes);
|
||||
return { encryptedData: new Uint8Array(encrypted), iv };
|
||||
}
|
||||
|
||||
async decryptBytes(encryptedBytes, iv) {
|
||||
if (!this._isUnlocked || !this._keyHandle) {
|
||||
throw new Error('Master key is locked');
|
||||
}
|
||||
this._updateActivity();
|
||||
const decrypted = await crypto.subtle.decrypt({ name: 'AES-GCM', iv }, this._keyHandle, encryptedBytes);
|
||||
return new Uint8Array(decrypted);
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -13440,10 +13416,10 @@ class SecureMasterKeyManager {
|
||||
* Securely wipe master key from memory
|
||||
*/
|
||||
_secureWipeMasterKey() {
|
||||
if (this._masterKey) {
|
||||
if (this._keyHandle) {
|
||||
// CryptoKey objects are automatically garbage collected
|
||||
// but we clear the reference immediately
|
||||
this._masterKey = null;
|
||||
this._keyHandle = null;
|
||||
}
|
||||
this._clearTimers();
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user