[WIP] Signatures and encryption: Preliminary work

.flowconfig

@@ -11,7 +11,7 @@
 .*/frontend/assets/.*
 .*/frontend/controller/service-worker.js
 .*/frontend/utils/blockies.js
-.*/frontend/utils/crypto.js
+#.*/frontend/utils/crypto.js
 .*/frontend/utils/flowTyper.js
 .*/frontend/utils/vuexQueue.js
 .*/historical/.*

backend/database.js

@@ -37,7 +37,7 @@ export default (sbp('sbp/selectors/register', {
           const json = `"${strToB64(entry.serialize())}"`
           if (currentHEAD !== hash) {
             this.push(prefix + json)
-            currentHEAD = entry.message().previousHEAD
+            currentHEAD = entry.head().previousHEAD
             prefix = ','
           } else {
             this.push(prefix + json + ']')

frontend/controller/actions/chatroom.js

@@ -11,6 +11,7 @@ export default (sbp('sbp/selectors/register', {
     try {
       return await sbp('chelonia/out/registerContract', {
         ...omit(params, ['options']), // any 'options' are for this action, not for Chelonia
+        keys: [],
         contractName: 'gi.contracts/chatroom'
       })
     } catch (e) {

frontend/controller/actions/group.js

@@ -93,6 +93,7 @@ export default (sbp('sbp/selectors/register', {
       const message = await sbp('chelonia/out/registerContract', {
         contractName: 'gi.contracts/group',
         publishOptions,
+        keys: [],
         data: {
           invites: {
             [initialInvite.inviteSecret]: initialInvite

frontend/controller/actions/identity.js

@@ -1,14 +1,23 @@
 'use strict'
 
 import sbp from '@sbp/sbp'
+import { keyId, keygen, deriveKeyFromPassword, serializeKey, encrypt } from '@utils/crypto.js'
 import { GIErrorUIRuntimeError } from '@model/errors.js'
 import L, { LError } from '@view-utils/translations.js'
 import { imageUpload } from '@utils/image.js'
 import './mailbox.js'
 
 import { encryptedAction } from './utils.js'
+import { GIMessage } from '~/shared/domains/chelonia/GIMessage.js'
+
+// eslint-disable-next-line camelcase
+const salt_TODO_CHANGEME_NEEDS_TO_BE_DYNAMIC = 'SALT CHANGEME'
 
 export default (sbp('sbp/selectors/register', {
+  'gi.actions/identity/retrieveSalt': async (username: string, password: string) => {
+    // TODO RETRIEVE FROM SERVER
+    return await Promise.resolve(salt_TODO_CHANGEME_NEEDS_TO_BE_DYNAMIC)
+  },
   'gi.actions/identity/create': async function ({
     data: { username, email, password, picture },
     options: { sync = true } = {},
@@ -39,22 +48,106 @@ export default (sbp('sbp/selectors/register', {
     // and do this outside of a try block so that if it throws the error just gets passed up
     const mailbox = await sbp('gi.actions/mailbox/create', { options: { sync: true } })
     const mailboxID = mailbox.contractID()
+
+    // Create the necessary keys to initialise the contract
+    // TODO: The salt needs to be dynamically generated
+    // eslint-disable-next-line camelcase
+    const salt = salt_TODO_CHANGEME_NEEDS_TO_BE_DYNAMIC
+    const IPK = await deriveKeyFromPassword('edwards25519sha512batch', password, salt)
+    const IEK = await deriveKeyFromPassword('curve25519xsalsa20poly1305', password, salt)
+    const CSK = keygen('edwards25519sha512batch')
+    const CEK = keygen('curve25519xsalsa20poly1305')
+
+    // Key IDs
+    const IPKid = keyId(IPK)
+    const IEKid = keyId(IEK)
+    const CSKid = keyId(CSK)
+    const CEKid = keyId(CEK)
+
+    // Public keys to be stored in the contract
+    const IPKp = serializeKey(IPK, false)
+    const IEKp = serializeKey(IEK, false)
+    const CSKp = serializeKey(CSK, false)
+    const CEKp = serializeKey(CEK, false)
+
+    // Secret keys to be stored encrypted in the contract
+    const CSKs = encrypt(IEK, serializeKey(CSK, true))
+    const CEKs = encrypt(IEK, serializeKey(CEK, true))
+
     let userID
     // next create the identity contract itself and associate it with the mailbox
     try {
-      const user = await sbp('chelonia/out/registerContract', {
+      const user = await sbp('chelonia/with-env', '', {
+        additionalKeys: {
+          [IPKid]: IPK,
+          [CSKid]: CSK,
+          [CEKid]: CEK
+        }
+      }, ['chelonia/out/registerContract', {
         contractName: 'gi.contracts/identity',
         publishOptions,
+        signingKeyId: IPKid,
+        actionSigningKeyId: CSKid,
+        actionEncryptionKeyId: CEKid,
         data: {
           attributes: { username, email, picture: finalPicture }
-        }
-      })
+        },
+        keys: [
+          {
+            id: IPKid,
+            type: IPK.type,
+            data: IPKp,
+            perm: [GIMessage.OP_CONTRACT, GIMessage.OP_KEY_ADD, GIMessage.OP_KEY_DEL],
+            meta: {
+              type: 'ipk'
+            }
+          },
+          {
+            id: IEKid,
+            type: IEK.type,
+            data: IEKp,
+            perm: ['gi.contracts/identity/keymeta'],
+            meta: {
+              type: 'iek'
+            }
+          },
+          {
+            id: CSKid,
+            type: CSK.type,
+            data: CSKp,
+            perm: [GIMessage.OP_ACTION_UNENCRYPTED, GIMessage.OP_ACTION_ENCRYPTED, GIMessage.OP_ATOMIC, GIMessage.OP_CONTRACT_AUTH, GIMessage.OP_CONTRACT_DEAUTH],
+            meta: {
+              type: 'csk',
+              private: {
+                keyId: IEKid,
+                content: CSKs
+              }
+            }
+          },
+          {
+            id: CEKid,
+            type: CEK.type,
+            data: CEKp,
+            perm: [GIMessage.OP_ACTION_ENCRYPTED],
+            meta: {
+              type: 'cek',
+              private: {
+                keyId: IEKid,
+                content: CEKs
+              }
+            }
+          }
+        ]
+      }])
       userID = user.contractID()
       if (sync) {
-        await sbp('chelonia/contract/sync', userID)
+        await sbp('chelonia/with-env', userID, { additionalKeys: { [IEKid]: IEK } }, ['chelonia/contract/sync', userID])
       }
       await sbp('gi.actions/identity/setAttributes', {
-        contractID: userID, data: { mailbox: mailboxID }
+        contractID: userID,
+        data: { mailbox: mailboxID },
+        signingKeyId: CSKid,
+        encryptionKeyId: CEKid
       })
     } catch (e) {
       console.error('gi.actions/identity/create failed!', e)
@@ -98,17 +191,22 @@ export default (sbp('sbp/selectors/register', {
   }) {
     // TODO: Insert cryptography here
     const userId = await sbp('namespace/lookup', username)
+
     if (!userId) {
       throw new GIErrorUIRuntimeError(L('Invalid username or password'))
     }
 
+    const salt = await sbp('gi.actions/identity/retrieveSalt', username, password)
+    const IEK = await deriveKeyFromPassword('curve25519xsalsa20poly1305', password, salt)
+    const IEKid = keyId(IEK)
+
     try {
       console.debug(`Retrieved identity ${userId}`)
       // TODO: move the login vuex action code into this function (see #804)
-      await sbp('state/vuex/dispatch', 'login', { username, identityContractID: userId })
+      await sbp('chelonia/with-env', userId, { additionalKeys: { [IEKid]: IEK } }, ['state/vuex/dispatch', 'login', { username, identityContractID: userId }])
 
       if (sync) {
-        await sbp('chelonia/contract/sync', userId)
+        await sbp('chelonia/with-env', userId, { additionalKeys: { [IEKid]: IEK } }, ['chelonia/contract/sync', userId])
       }
 
       return userId

frontend/controller/actions/mailbox.js

@@ -14,8 +14,9 @@ export default (sbp('sbp/selectors/register', {
   }): Promise<GIMessage> {
     try {
       const mailbox = await sbp('chelonia/out/registerContract', {
-        contractName: 'gi.contracts/mailbox', publishOptions, data
+        contractName: 'gi.contracts/mailbox', publishOptions, keys: [], data
       })
+      console.log('gi.actions/mailbox/create', { mailbox })
       if (sync) {
         await sbp('chelonia/contract/sync', mailbox.contractID())
       }

frontend/controller/actions/types.js

@@ -11,9 +11,15 @@ export type GIRegParams = {
 
 // keep in sync with ChelActionParams
 export type GIActionParams = {
+  action: string;
   contractID: string;
   data: Object;
-  options?: Object; // these are options for the action wrapper
-  hooks?: Object;
-  publishOptions?: Object
+  signingKeyId: string;
+  encryptionKeyId: ?string;
+  hooks?: {
+    prepublishContract?: (Object) => void;
+    prepublish?: (Object) => void;
+    postpublish?: (Object) => void;
+  };
+  publishOptions?: { maxAttempts: number };
 }

frontend/controller/actions/utils.js

@@ -9,8 +9,12 @@ export function encryptedAction (action: string, humanError: string | Function):
   return {
     [action]: async function (params: GIActionParams) {
       try {
+        const state = await sbp('chelonia/latestContractState', params.contractID)
         return await sbp('chelonia/out/actionEncrypted', {
-          ...params, action: action.replace('gi.actions', 'gi.contracts')
+          signingKeyId: (state?._vm?.authorizedKeys?.find((k) => k.meta?.type === 'csk')?.id: ?string),
+          encryptionKeyId: (state?._vm?.authorizedKeys?.find((k) => k.meta?.type === 'cek')?.id: ?string),
+          ...params,
+          action: action.replace('gi.actions', 'gi.contracts')
         })
       } catch (e) {
         console.error(`${action} failed!`, e)