/**
* Encrypt keyfile to multiple users
* @param Session $session
* @param array $users list of users which should be able to access the file
* @param string $filePath path of the file to be shared
* @return bool
*/
public function setSharedFileKeyfiles(Session $session, array $users, $filePath)
{
// Make sure users are capable of sharing
$filteredUids = $this->filterShareReadyUsers($users);
// If we're attempting to share to unready users
if (!empty($filteredUids['unready'])) {
\OCP\Util::writeLog('Encryption library', 'Sharing to these user(s) failed as they are unready for encryption:"' . print_r($filteredUids['unready'], 1), \OCP\Util::WARN);
return false;
}
// Get public keys for each user, ready for generating sharekeys
$userPubKeys = Keymanager::getPublicKeys($this->view, $filteredUids['ready']);
// Note proxy status then disable it
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
// Get the current users's private key for decrypting existing keyfile
$privateKey = $session->getPrivateKey();
try {
// Decrypt keyfile
$plainKeyfile = $this->decryptKeyfile($filePath, $privateKey);
// Re-enc keyfile to (additional) sharekeys
$multiEncKey = Crypt::multiKeyEncrypt($plainKeyfile, $userPubKeys);
} catch (Exceptions\EncryptionException $e) {
$msg = 'set shareFileKeyFailed (code: ' . $e->getCode() . '): ' . $e->getMessage();
\OCP\Util::writeLog('files_encryption', $msg, \OCP\Util::FATAL);
return false;
} catch (\Exception $e) {
$msg = 'set shareFileKeyFailed (unknown error): ' . $e->getMessage();
\OCP\Util::writeLog('files_encryption', $msg, \OCP\Util::FATAL);
return false;
}
// Save the recrypted key to it's owner's keyfiles directory
// Save new sharekeys to all necessary user directory
if (!Keymanager::setFileKey($this->view, $this, $filePath, $multiEncKey['data']) || !Keymanager::setShareKeys($this->view, $this, $filePath, $multiEncKey['keys'])) {
\OCP\Util::writeLog('Encryption library', 'Keyfiles could not be saved for users sharing ' . $filePath, \OCP\Util::ERROR);
return false;
}
// Return proxy to original status
\OC_FileProxy::$enabled = $proxyStatus;
return true;
}
/**
* Change a user's encryption passphrase
* @param array $params keys: uid, password
*/
public static function setPassphrase($params)
{
if (\OCP\App::isEnabled('files_encryption') === false) {
return true;
}
// Only attempt to change passphrase if server-side encryption
// is in use (client-side encryption does not have access to
// the necessary keys)
if (Crypt::mode() === 'server') {
$view = new \OC\Files\View('/');
$session = new Session($view);
// Get existing decrypted private key
$privateKey = $session->getPrivateKey();
if ($params['uid'] === \OCP\User::getUser() && $privateKey) {
// Encrypt private key with new user pwd as passphrase
$encryptedPrivateKey = Crypt::symmetricEncryptFileContent($privateKey, $params['password'], Helper::getCipher());
// Save private key
if ($encryptedPrivateKey) {
Keymanager::setPrivateKey($encryptedPrivateKey, \OCP\User::getUser());
} else {
\OCP\Util::writeLog('files_encryption', 'Could not update users encryption password', \OCP\Util::ERROR);
}
// NOTE: Session does not need to be updated as the
// private key has not changed, only the passphrase
// used to decrypt it has changed
} else {
// admin changed the password for a different user, create new keys and reencrypt file keys
$user = $params['uid'];
$util = new Util($view, $user);
$recoveryPassword = isset($params['recoveryPassword']) ? $params['recoveryPassword'] : null;
// we generate new keys if...
// ...we have a recovery password and the user enabled the recovery key
// ...encryption was activated for the first time (no keys exists)
// ...the user doesn't have any files
if ($util->recoveryEnabledForUser() && $recoveryPassword || !$util->userKeysExists() || !$view->file_exists($user . '/files')) {
// backup old keys
$util->backupAllKeys('recovery');
$newUserPassword = $params['password'];
// make sure that the users home is mounted
\OC\Files\Filesystem::initMountPoints($user);
$keypair = Crypt::createKeypair();
// Disable encryption proxy to prevent recursive calls
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
// Save public key
Keymanager::setPublicKey($keypair['publicKey'], $user);
// Encrypt private key with new password
$encryptedKey = Crypt::symmetricEncryptFileContent($keypair['privateKey'], $newUserPassword, Helper::getCipher());
if ($encryptedKey) {
Keymanager::setPrivateKey($encryptedKey, $user);
if ($recoveryPassword) {
// if recovery key is set we can re-encrypt the key files
$util = new Util($view, $user);
$util->recoverUsersFiles($recoveryPassword);
}
} else {
\OCP\Util::writeLog('files_encryption', 'Could not update users encryption password', \OCP\Util::ERROR);
}
\OC_FileProxy::$enabled = $proxyStatus;
}
}
}
}
