Merge branch 'feature/refactored-access-grant' into feature/deprecate-vault-admin-password

overheadhunter · overheadhunter · commit 6e3da2cb7c61 · 2023-08-03T20:51:34.000+02:00
diff --git a/backend/src/main/resources/application.properties b/backend/src/main/resources/application.properties
@@ -32,7 +32,7 @@ hub.keycloak.oidc.cryptomator-client-id=cryptomator
 %dev.quarkus.keycloak.devservices.realm-name=cryptomator
 %dev.quarkus.keycloak.devservices.port=8180
 %dev.quarkus.keycloak.devservices.service-name=quarkus-cryptomator-hub
-%dev.quarkus.keycloak.devservices.image-name=ghcr.io/cryptomator/keycloak:21.1.2
+%dev.quarkus.keycloak.devservices.image-name=ghcr.io/cryptomator/keycloak:22.0.1
 %dev.quarkus.oidc.devui.grant.type=code
 # OIDC will be mocked during unit tests. Use fake auth url to prevent dev services to start:
 %test.quarkus.oidc.auth-server-url=http://localhost:43210/dev/null
diff --git a/frontend/package-lock.json b/frontend/package-lock.json
diff --git a/frontend/package.json b/frontend/package.json
@@ -55,7 +55,7 @@
     "file-saver": "^2.0.5",
     "jdenticon": "^3.2.0",
     "jszip": "^3.10.1",
-    "keycloak-js": "^21.1.2",
+    "keycloak-js": "^22.0.1",
     "miscreant": "^0.3.2",
     "rfc4648": "^1.5.2",
     "semver": "^7.5.3",
diff --git a/frontend/src/common/jwe.ts b/frontend/src/common/jwe.ts
@@ -37,8 +37,8 @@ export class ConcatKDF {
 export type JWEHeader = {
   readonly alg: 'ECDH-ES' | 'PBES2-HS512+A256KW',
   readonly enc: 'A256GCM' | 'A128GCM',
-  readonly apu: string,
-  readonly apv: string,
+  readonly apu?: string,
+  readonly apv?: string,
   readonly epk?: JsonWebKey,
   readonly p2c?: number,
   readonly p2s?: string
@@ -213,8 +213,8 @@ export class ECDH_ES {
     let derivedKey = new Uint8Array();
     try {
       const algorithmId = ECDH_ES.lengthPrefixed(new TextEncoder().encode(header.enc));
-      const partyUInfo = ECDH_ES.lengthPrefixed(base64url.parse(header.apu, { loose: true }));
-      const partyVInfo = ECDH_ES.lengthPrefixed(base64url.parse(header.apv, { loose: true }));
+      const partyUInfo = ECDH_ES.lengthPrefixed(base64url.parse(header.apu || '', { loose: true }));
+      const partyVInfo = ECDH_ES.lengthPrefixed(base64url.parse(header.apv || '', { loose: true }));
       const suppPubInfo = new ArrayBuffer(4);
       new DataView(suppPubInfo).setUint32(0, desiredKeyBytes * 8, false);
       agreedKey = new Uint8Array(await crypto.subtle.deriveBits(
diff --git a/frontend/test/common/jwe.spec.ts b/frontend/test/common/jwe.spec.ts
@@ -91,48 +91,36 @@ describe('JWE', () => {
   });
 
   describe('ECDH_ES', () => {
-    /**
-     * Test vectors from https://www.rfc-editor.org/rfc/rfc7518#appendix-C
-     */
-    it('should derive expected key using ECDH-ES', async () => {
-      const alicePub: JsonWebKey = {
-        kty: 'EC',
-        crv: 'P-256',
-        x: 'gI0GAILBdu7T53akrFmMyGcsF3n5dO7MmwNBHKW5SV0',
-        y: 'SLW_xSffzlPWrHEVI30DHM_4egVwt3NQqeUD7nMFpps'
-      };
-      const alicePriv: JsonWebKey = {
-        ...alicePub,
-        d: '0_NxaRPUMQoAJt50Gz8YiTr8gRTwyEaCumd-MToTmIo'
-      };
-      const alice = await crypto.subtle.importKey(
-        'jwk',
-        alicePriv,
-        {
-          name: 'ECDH',
-          namedCurve: 'P-256'
-        },
-        false,
-        ['deriveBits']
-      );
+    // Test vectors from https://www.rfc-editor.org/rfc/rfc7518#appendix-C
+    const alicePub: JsonWebKey = {
+      kty: 'EC',
+      crv: 'P-256',
+      x: 'gI0GAILBdu7T53akrFmMyGcsF3n5dO7MmwNBHKW5SV0',
+      y: 'SLW_xSffzlPWrHEVI30DHM_4egVwt3NQqeUD7nMFpps'
+    };
+    const alicePriv: JsonWebKey = {
+      ...alicePub,
+      d: '0_NxaRPUMQoAJt50Gz8YiTr8gRTwyEaCumd-MToTmIo'
+    };
+    let alice: CryptoKey;
+    const bobPub: JsonWebKey = {
+      kty: 'EC',
+      crv: 'P-256',
+      x: 'weNJy2HscCSM6AEDTDg04biOvhFhyyWvOHQfeF_PxMQ',
+      y: 'e8lnCO-AlStT-NJVX-crhB7QRYhiix03illJOVAOyck'
+    };
+    let bob: CryptoKey;
+
+    beforeEach(async () => {
+      const importParams: EcKeyImportParams = { name: 'ECDH', namedCurve: 'P-256' };
+      alice = await crypto.subtle.importKey('jwk', alicePriv, importParams, false, ['deriveBits']);
+      bob = await crypto.subtle.importKey('jwk', bobPub, importParams, false, []);
       expect(alice.type, 'alice\'s key type').to.eql('private');
-      const bob = await crypto.subtle.importKey(
-        'jwk',
-        {
-          kty: 'EC',
-          crv: 'P-256',
-          x: 'weNJy2HscCSM6AEDTDg04biOvhFhyyWvOHQfeF_PxMQ',
-          y: 'e8lnCO-AlStT-NJVX-crhB7QRYhiix03illJOVAOyck'
-        },
-        {
-          name: 'ECDH',
-          namedCurve: 'P-256'
-        },
-        false,
-        []
-      );
       expect(bob.type, 'bob\'s key type').to.eql('public');
+    });
 
+    it('should derive expected key using ECDH-ES', async () => {
+      // Test vectors from https://www.rfc-editor.org/rfc/rfc7518#appendix-C
       const apu = new Uint8Array([65, 108, 105, 99, 101]);
       const apv = new Uint8Array([66, 111, 98]);
       const header: JWEHeader = {
@@ -146,5 +134,18 @@ describe('JWE', () => {
       const derivedBytes = await crypto.subtle.exportKey('raw', derived);
       expect(new Uint8Array(derivedBytes), 'derived key').to.eql(new Uint8Array([86, 170, 141, 234, 248, 35, 109, 32, 92, 34, 40, 205, 113, 167, 16, 26]));
     });
+
+    it('should derive content key despite missing apu/apv', async () => {
+      const header: JWEHeader = {
+        alg: 'ECDH-ES', // not relevant for this test
+        enc: 'A128GCM',
+        epk: alicePub,
+        apu: undefined,
+        apv: undefined
+      };
+      const derived = await ECDH_ES.deriveContentKey(bob, alice, 256, 16, header, true);
+      const derivedBytes = await crypto.subtle.exportKey('raw', derived);
+      expect(new Uint8Array(derivedBytes), 'derived key').to.eql(new Uint8Array([187, 151, 171, 93, 14, 133, 109, 143, 143, 192, 62, 38, 91, 36, 42, 125]));
+    });
   });
 });
diff --git a/keycloak/Dockerfile b/keycloak/Dockerfile
@@ -1,4 +1,4 @@
-FROM quay.io/keycloak/keycloak:21.1.2 as builder
+FROM quay.io/keycloak/keycloak:22.0.1 as builder
 ENV KC_HEALTH_ENABLED=true
 ENV KC_METRICS_ENABLED=true
 ENV KC_HTTP_RELATIVE_PATH=/kc
@@ -11,7 +11,7 @@ FROM registry.access.redhat.com/ubi9 AS ubi-micro-build
 RUN mkdir -p /mnt/rootfs
 RUN dnf install --installroot /mnt/rootfs curl --releasever 9 --setopt install_weak_deps=false --nodocs -y; dnf --installroot /mnt/rootfs clean all
 
-FROM quay.io/keycloak/keycloak:21.1.2
+FROM quay.io/keycloak/keycloak:22.0.1
 LABEL maintainer="info@skymatic.de"
 COPY --from=builder /opt/keycloak/ /opt/keycloak/
 COPY --from=ubi-micro-build /mnt/rootfs /
