/**
* Encrypt keyfile to multiple users
* @param Session $session
* @param array $users list of users which should be able to access the file
* @param string $filePath path of the file to be shared
* @return bool
*/
public function setSharedFileKeyfiles(Session $session, array $users, $filePath)
{
// Make sure users are capable of sharing
$filteredUids = $this->filterShareReadyUsers($users);
// If we're attempting to share to unready users
if (!empty($filteredUids['unready'])) {
\OCP\Util::writeLog('Encryption library', 'Sharing to these user(s) failed as they are unready for encryption:"' . print_r($filteredUids['unready'], 1), \OCP\Util::WARN);
return false;
}
// Get public keys for each user, ready for generating sharekeys
$userPubKeys = Keymanager::getPublicKeys($this->view, $filteredUids['ready']);
// Note proxy status then disable it
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
// Get the current users's private key for decrypting existing keyfile
$privateKey = $session->getPrivateKey();
try {
// Decrypt keyfile
$plainKeyfile = $this->decryptKeyfile($filePath, $privateKey);
// Re-enc keyfile to (additional) sharekeys
$multiEncKey = Crypt::multiKeyEncrypt($plainKeyfile, $userPubKeys);
} catch (Exceptions\EncryptionException $e) {
$msg = 'set shareFileKeyFailed (code: ' . $e->getCode() . '): ' . $e->getMessage();
\OCP\Util::writeLog('files_encryption', $msg, \OCP\Util::FATAL);
return false;
} catch (\Exception $e) {
$msg = 'set shareFileKeyFailed (unknown error): ' . $e->getMessage();
\OCP\Util::writeLog('files_encryption', $msg, \OCP\Util::FATAL);
return false;
}
// Save the recrypted key to it's owner's keyfiles directory
// Save new sharekeys to all necessary user directory
if (!Keymanager::setFileKey($this->view, $this, $filePath, $multiEncKey['data']) || !Keymanager::setShareKeys($this->view, $this, $filePath, $multiEncKey['keys'])) {
\OCP\Util::writeLog('Encryption library', 'Keyfiles could not be saved for users sharing ' . $filePath, \OCP\Util::ERROR);
return false;
}
// Return proxy to original status
\OC_FileProxy::$enabled = $proxyStatus;
return true;
}
/**
* @return bool
*/
public function stream_close()
{
$this->flush();
// if there is no valid private key return false
if ($this->privateKey === false) {
// cleanup
if ($this->meta['mode'] !== 'r' && $this->meta['mode'] !== 'rb' && !$this->isLocalTmpFile) {
// Disable encryption proxy to prevent recursive calls
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
if ($this->rootView->file_exists($this->rawPath) && $this->size === 0) {
$this->rootView->unlink($this->rawPath);
}
// Re-enable proxy - our work is done
\OC_FileProxy::$enabled = $proxyStatus;
}
// if private key is not valid redirect user to a error page
\OCA\Encryption\Helper::redirectToErrorPage($this->session);
}
if ($this->meta['mode'] !== 'r' && $this->meta['mode'] !== 'rb' && $this->isLocalTmpFile === false && $this->size > 0 && $this->unencryptedSize > 0) {
// only write keyfiles if it was a new file
if ($this->newFile === true) {
// Disable encryption proxy to prevent recursive calls
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
// Fetch user's public key
$this->publicKey = Keymanager::getPublicKey($this->rootView, $this->keyId);
// Check if OC sharing api is enabled
$sharingEnabled = \OCP\Share::isEnabled();
$util = new Util($this->rootView, $this->userId);
// Get all users sharing the file includes current user
$uniqueUserIds = $util->getSharingUsersArray($sharingEnabled, $this->relPath);
$checkedUserIds = $util->filterShareReadyUsers($uniqueUserIds);
// Fetch public keys for all sharing users
$publicKeys = Keymanager::getPublicKeys($this->rootView, $checkedUserIds['ready']);
// Encrypt enc key for all sharing users
$this->encKeyfiles = Crypt::multiKeyEncrypt($this->plainKey, $publicKeys);
// Save the new encrypted file key
Keymanager::setFileKey($this->rootView, $util, $this->relPath, $this->encKeyfiles['data']);
// Save the sharekeys
Keymanager::setShareKeys($this->rootView, $util, $this->relPath, $this->encKeyfiles['keys']);
// Re-enable proxy - our work is done
\OC_FileProxy::$enabled = $proxyStatus;
}
// we need to update the file info for the real file, not for the
// part file.
$path = Helper::stripPartialFileExtension($this->rawPath);
$fileInfo = array('encrypted' => true, 'size' => $this->size, 'unencrypted_size' => $this->unencryptedSize);
// set fileinfo
$this->rootView->putFileInfo($path, $fileInfo);
}
$result = fclose($this->handle);
if ($result === false) {
\OCP\Util::writeLog('Encryption library', 'Could not close stream, file could be corrupted', \OCP\Util::FATAL);
}
return $result;
}
/**
* decrypt given file with recovery key and encrypt it again to the owner and his new key
* @param string $file
* @param string $privateKey recovery key to decrypt the file
*/
private function recoverFile($file, $privateKey)
{
$sharingEnabled = \OCP\Share::isEnabled();
// Find out who, if anyone, is sharing the file
if ($sharingEnabled) {
$result = \OCP\Share::getUsersSharingFile($file, $this->userId, true);
$userIds = $result['users'];
$userIds[] = $this->recoveryKeyId;
if ($result['public']) {
$userIds[] = $this->publicShareKeyId;
}
} else {
$userIds = array($this->userId, $this->recoveryKeyId);
}
$filteredUids = $this->filterShareReadyUsers($userIds);
//decrypt file key
$encKeyfile = Keymanager::getFileKey($this->view, $this, $file);
$shareKey = Keymanager::getShareKey($this->view, $this->recoveryKeyId, $this, $file);
$plainKeyfile = Crypt::multiKeyDecrypt($encKeyfile, $shareKey, $privateKey);
// encrypt file key again to all users, this time with the new public key for the recovered use
$userPubKeys = Keymanager::getPublicKeys($this->view, $filteredUids['ready']);
$multiEncKey = Crypt::multiKeyEncrypt($plainKeyfile, $userPubKeys);
Keymanager::setFileKey($this->view, $this, $file, $multiEncKey['data']);
Keymanager::setShareKeys($this->view, $this, $file, $multiEncKey['keys']);
}
/**
* @return bool
*/
public function stream_close()
{
$this->flush();
// if there is no valid private key return false
if ($this->privateKey === false) {
// cleanup
if ($this->meta['mode'] !== 'r' && $this->meta['mode'] !== 'rb') {
// Disable encryption proxy to prevent recursive calls
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
if ($this->rootView->file_exists($this->rawPath) && $this->size === 0) {
$this->rootView->unlink($this->rawPath);
}
// Re-enable proxy - our work is done
\OC_FileProxy::$enabled = $proxyStatus;
}
// if private key is not valid redirect user to a error page
\OCA\Encryption\Helper::redirectToErrorPage();
}
if ($this->meta['mode'] !== 'r' and $this->meta['mode'] !== 'rb' and $this->size > 0) {
// Disable encryption proxy to prevent recursive calls
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
// Fetch user's public key
$this->publicKey = Keymanager::getPublicKey($this->rootView, $this->userId);
// Check if OC sharing api is enabled
$sharingEnabled = \OCP\Share::isEnabled();
$util = new Util($this->rootView, $this->userId);
// Get all users sharing the file includes current user
$uniqueUserIds = $util->getSharingUsersArray($sharingEnabled, $this->relPath, $this->userId);
// Fetch public keys for all sharing users
$publicKeys = Keymanager::getPublicKeys($this->rootView, $uniqueUserIds);
// Encrypt enc key for all sharing users
$this->encKeyfiles = Crypt::multiKeyEncrypt($this->plainKey, $publicKeys);
// Save the new encrypted file key
Keymanager::setFileKey($this->rootView, $this->relPath, $this->userId, $this->encKeyfiles['data']);
// Save the sharekeys
Keymanager::setShareKeys($this->rootView, $this->relPath, $this->encKeyfiles['keys']);
// get file info
$fileInfo = $this->rootView->getFileInfo($this->rawPath);
if (!is_array($fileInfo)) {
$fileInfo = array();
}
// Re-enable proxy - our work is done
\OC_FileProxy::$enabled = $proxyStatus;
// set encryption data
$fileInfo['encrypted'] = true;
$fileInfo['size'] = $this->size;
$fileInfo['unencrypted_size'] = $this->unencryptedSize;
// set fileinfo
$this->rootView->putFileInfo($this->rawPath, $fileInfo);
}
return fclose($this->handle);
}
