Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature/e2ee use hardware token secure storage #5877

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Feature/e2ee use hardware token secure storage #5877

wants to merge 3 commits into from
+2,551 −447

Conversation

mgallien
Copy link
Collaborator

Close #5685

github-actions[bot]
github-actions bot requested changes Jul 10, 2023
View reviewed changes
Copy link

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ clang-tidy found issue(s) with the introduced code (1/1)

@mgallien mgallien force-pushed the feature/e2eeUseHardwareTokenSecureStorage branch from 820e33a to 2273a3f Compare July 27, 2023 13:09
@sonarqubecloud
Copy link

SonarCloud Quality Gate failed.    Quality Gate failed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 6 Code Smells

61.9% 61.9% Coverage
0.0% 0.0% Duplication

idea Catch issues before they fail your Quality Gate with our IDE extension sonarlint SonarLint

@codecov
Copy link

codecov bot commented Jul 27, 2023
edited
Loading

Codecov Report

Attention: Patch coverage is 30.88235% with 188 lines in your changes missing coverage. Please review.

Project coverage is 59.59%. Comparing base (3dc583c) to head (d254c34).
Report is 1054 commits behind head on master.

Current head d254c34 differs from pull request most recent head 2000d62

Please upload reports for the commit 2000d62 to get more accurate results.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #5877      +/-   ##
==========================================
- Coverage   60.79%   59.59%   -1.21%     
==========================================
  Files         145      145              
  Lines       18836    19011     +175     
==========================================
- Hits        11451    11329     -122     
- Misses       7385     7682     +297
Files Coverage Δ
src/libsync/account.h 42.85% <ø> (ø)
src/libsync/clientsideencryption.h 47.05% <100.00%> (+11.34%) ⬆️
src/libsync/clientsideencryptionjobs.h 10.00% <ø> (ø)
src/libsync/discovery.cpp 86.39% <ø> (-0.14%) ⬇️
src/libsync/updatefiledropmetadata.cpp 58.77% <100.00%> (ø)
...libsync/abstractpropagateremotedeleteencrypted.cpp 0.00% <0.00%> (ø)
src/libsync/encryptfolderjob.cpp 0.00% <0.00%> (ø)
src/libsync/propagateuploadencrypted.cpp 0.00% <0.00%> (ø)
src/libsync/syncengine.cpp 80.05% <0.00%> (+0.13%) ⬆️
src/libsync/account.cpp 42.75% <0.00%> (-1.69%) ⬇️
... and 2 more

... and 32 files with indirect coverage changes

@mgallien mgallien force-pushed the feature/e2eeUseHardwareTokenSecureStorage branch 2 times, most recently from 7b12e07 to eb9dcfd Compare July 28, 2023 10:55
@mgallien mgallien force-pushed the feature/e2eeUseHardwareTokenSecureStorage branch 4 times, most recently from 13d5810 to bf78e6a Compare August 18, 2023 08:11
@mgallien mgallien force-pushed the feature/e2eeUseHardwareTokenSecureStorage branch from bf78e6a to 1ce0ffb Compare August 22, 2023 20:10
@mgallien
Copy link
Collaborator Author

updating the linux CI images to add support for this PR
nextcloud/docker-ci#582

@mgallien mgallien force-pushed the feature/e2eeUseHardwareTokenSecureStorage branch from 1ce0ffb to 6b3beec Compare August 29, 2023 11:26
@mgallien
Copy link
Collaborator Author

add support to build libp11 in KDE's Craft nextcloud/desktop-client-blueprints#8
temporarily put into our own blueprints repository
pending review upstream

@mgallien
Copy link
Collaborator Author

upstream review of the Craft blueprint
https://invent.kde.org/packaging/craft-blueprints-kde/-/merge_requests/654

@mgallien mgallien force-pushed the feature/e2eeUseHardwareTokenSecureStorage branch 3 times, most recently from d254c34 to 0567e97 Compare September 4, 2023 13:44
@sonarqubecloud
Copy link

sonarqubecloud bot commented Sep 4, 2023

SonarCloud Quality Gate failed.    Quality Gate failed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot E 1 Security Hotspot
Code Smell B 64 Code Smells

24.3% 24.3% Coverage
0.0% 0.0% Duplication

idea Catch issues before they fail your Quality Gate with our IDE extension sonarlint SonarLint

@nextcloud nextcloud deleted a comment from github-actions bot Sep 4, 2023
@mgallien mgallien force-pushed the feature/e2eeUseHardwareTokenSecureStorage branch from 0567e97 to 81d494a Compare September 8, 2023 08:34
claucambra
claucambra reviewed Sep 9, 2023
View reviewed changes
NEXTCLOUD.cmake Outdated Show resolved Hide resolved
NEXTCLOUD.cmake Outdated Show resolved Hide resolved
@claucambra
Copy link
Collaborator

Realised this was still a draft half-way through

@mgallien mgallien force-pushed the feature/e2eeUseHardwareTokenSecureStorage branch 2 times, most recently from ff7edeb to 85e00fc Compare September 18, 2023 13:42
@mgallien mgallien force-pushed the feature/e2eeUseHardwareTokenSecureStorage branch 4 times, most recently from e5d881d to cd56880 Compare September 21, 2023 21:05
@mgallien mgallien force-pushed the feature/e2eeUseHardwareTokenSecureStorage branch from 45bb571 to 5cc95f1 Compare September 25, 2024 07:38
@mgallien mgallien force-pushed the feature/e2eeUseHardwareTokenSecureStorage branch from 5cc95f1 to 8b9f325 Compare October 2, 2024 07:55
@mgallien mgallien force-pushed the feature/e2eeUseHardwareTokenSecureStorage branch from 8b9f325 to 587765d Compare November 19, 2024 08:35
@mgallien mgallien modified the milestones: 3.15.0, 3.16.0 Nov 19, 2024
@mgallien mgallien force-pushed the feature/e2eeUseHardwareTokenSecureStorage branch 5 times, most recently from c21a03e to d0b3504 Compare December 6, 2024 13:46
@nextcloud-desktop-bot
Copy link

AppImage file: nextcloud-PR-5877-d0b350418ff6305334fc9b68f887c6bac7cabf7d-x86_64.AppImage

To test this change/fix you can simply download above AppImage file and test it.

Please make sure to quit your existing Nextcloud app and backup your data.

@Rello Rello assigned Rello and mgallien and unassigned Rello Jan 24, 2025
@mgallien mgallien force-pushed the feature/e2eeUseHardwareTokenSecureStorage branch 5 times, most recently from 764b03c to fb7a5d1 Compare January 29, 2025 13:14
@mgallien
Copy link
Collaborator Author

pushed an extra commit to fix automated tests regression
still one test for v2 end-to-end encryption that is broken
there is also SecureFileDropTest that is broken
that is mainly due to the different APIs to handle keys that do not work with the input test data
I will look into it later

@mgallien mgallien force-pushed the feature/e2eeUseHardwareTokenSecureStorage branch from ac822c5 to 2918188 Compare January 30, 2025 12:10
nilsding
nilsding requested changes Jan 30, 2025
View reviewed changes
Copy link
Member

@nilsding nilsding left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can not re-enable encryption again using the mnemonic on my local dev setup, the logs end up as:

2025-01-30 15:53:04:246 [ info nextcloud.sync.clientsideencryption /home/jyrki/src/nextcloud/desktop/src/libsync/clientsideencryption.cpp:411 ]:        decryptStringSymmetric cipherTXT:  "[some long base64-encoded data]"
2025-01-30 15:53:04:246 [ info nextcloud.sync.clientsideencryption /home/jyrki/src/nextcloud/desktop/src/libsync/clientsideencryption.cpp:412 ]:        decryptStringSymmetric IV:  "mz5pa1Z6Pdd52ODQ"
2025-01-30 15:53:04:246 [ debug nextcloud.sync.clientsideencryption.encryption /home/jyrki/src/nextcloud/desktop/src/libsync/clientsideencryption.cpp:605 ]     [ OCC::EncryptionHelper::encryptStringAsymmetric ]:     use certificate on software storage
2025-01-30 15:53:04:246 [ debug nextcloud.sync.clientsideencryption.decryption /home/jyrki/src/nextcloud/desktop/src/libsync/clientsideencryption.cpp:639 ]     [ OCC::EncryptionHelper::decryptStringAsymmetric ]:     use certificate on software storage
2025-01-30 15:53:04:247 [ info nextcloud.sync.clientsideencryption /home/jyrki/src/nextcloud/desktop/src/libsync/clientsideencryption.cpp:1340 ]:       invalid private key

compared with a build from master:

2025-01-30 15:48:21:362 [ info nextcloud.sync.clientsideencryption /home/jyrki/src/nextcloud/desktop/src/libsync/clientsideencryption.cpp:397 ]:        decryptStringSymmetric cipherTXT:  "[ literally the same base64-encoded data as before ]"
2025-01-30 15:48:21:362 [ info nextcloud.sync.clientsideencryption /home/jyrki/src/nextcloud/desktop/src/libsync/clientsideencryption.cpp:398 ]:        decryptStringSymmetric IV:  "mz5pa1Z6Pdd52ODQ"
2025-01-30 15:48:21:363 [ info nextcloud.sync.clientsideencryption /home/jyrki/src/nextcloud/desktop/src/libsync/clientsideencryption.cpp:780 ]:        Encryption Length: 256
2025-01-30 15:48:21:363 [ info nextcloud.sync.clientsideencryption /home/jyrki/src/nextcloud/desktop/src/libsync/clientsideencryption.cpp:789 ]:        "JSFgOuKEtqhyy/x7O83WCzRqFYqVHWlK5gacuiRTaAwCtzy+gQyhUKFIwdzkSrdbnp6oGVFJtWETCg958z9o+2NnpzTITztbG7gj63m+BmdJZ0MmsvNhQdyve1Xh7dRpOjDHGnPEdYM56OgxhX/4mUmsOF2fOxz5X4LCmLA0tdkrMpsK3ik/IamEg3lBuwNyKziaHXnwevHwLXykiz+xHmFzCDuG3t7i3EbuNmwjEuUnpK5XB3PrMA9WjiorBZFfyjjmswZukfjYwQxr8YH2+OCzQ9f/gjsf95EWSrFuQCGg54lRYo8ShH6A58nUQ9BwQHsxePoMJcT5RFZuKg3qFg=="
2025-01-30 15:48:21:363 [ info nextcloud.e2e /home/jyrki/src/nextcloud/desktop/src/libsync/clientsideencryption.cpp:685 ]:      Start to work the decryption.
2025-01-30 15:48:21:363 [ info nextcloud.e2e /home/jyrki/src/nextcloud/desktop/src/libsync/clientsideencryption.cpp:725 ]:      Size of output is:  256
2025-01-30 15:48:21:363 [ info nextcloud.e2e /home/jyrki/src/nextcloud/desktop/src/libsync/clientsideencryption.cpp:726 ]:      Size of data is:  256
2025-01-30 15:48:21:364 [ info nextcloud.e2e /home/jyrki/src/nextcloud/desktop/src/libsync/clientsideencryption.cpp:736 ]:      data decrypted successfully
2025-01-30 15:48:21:364 [ info nextcloud.sync.clientsideencryption /home/jyrki/src/nextcloud/desktop/src/libsync/clientsideencryption.cpp:742 ]:        "2O/mI1YxdS4UpeHoZLpJQln9XSXuX7ao+SX4Mm9DJlmACDT1ajyrUAqLWhehPxZMjwtva7B5bmk2P4OgvsPifQ=="

src/libsync/clientsideencryption.h Outdated Show resolved Hide resolved
src/libsync/clientsideencryption.h Outdated Show resolved Hide resolved
src/gui/accountmanager.cpp Outdated Show resolved Hide resolved
@mgallien
add support to use PKCS#11 harware token to store certifice for e2ee
7342546 
Close #5685

Signed-off-by: Matthieu Gallien <[email protected]>
@mgallien
partial fix for broken automated tests
c06a94c 
will use different validation method for hardware stored certificates
and pure software certificates emited by the nextcloud server

Signed-off-by: Matthieu Gallien <[email protected]>
@mgallien
disable some parts of the auto tests for end-to-end encryption
790dbe1 
those tests are now broken and we think they do not bring much value

for now parts of them will be disabled until we get better automated
tests

realized while doing this that the secure drop tests are not independent
of each other

Signed-off-by: Matthieu Gallien <[email protected]>
@mgallien mgallien force-pushed the feature/e2eeUseHardwareTokenSecureStorage branch from 2918188 to 790dbe1 Compare January 31, 2025 17:02
@github-actions GitHub Actions
Copy link

Artifact containing the AppImage: nextcloud-appimage-pr-5877.zip

SHA256 checksum: c85de3b8eeb212b26ffb0ecfe7d3c9092b5226a8166b739fd5e1bf51ada06044

To test this change/fix you can download the above artifact file, unzip it, and run it.

Please make sure to quit your existing Nextcloud app and backup your data.

@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Failed Quality Gate failed

Failed conditions
19 Security Hotspots
19.9% Coverage on New Code (required ≥ 80%)
E Reliability Rating on New Code (required ≥ A)
C Maintainability Rating on New Code (required ≥ A)
742 New Code Smells (required ≤ 0)
2 New Bugs (required ≤ 0)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@claucambra claucambra claucambra left review comments

@github-actions github-actions[bot] github-actions[bot] requested changes

@nilsding nilsding nilsding requested changes

Requested changes must be addressed to merge this pull request.

Assignees

@mgallien mgallien

Labels
Prio: high
Projects
💻 Desktop Clients team
Status: 🏗️ In progress
Milestone
3.16.0
Development

Successfully merging this pull request may close these issues.

Add option to store key on user device when end-to-end encryption is enabled
5 participants
@mgallien @claucambra @nextcloud-desktop-bot @nilsding @Rello