feat: remove IVs from secrets model

purefunctor · May 2, 2024 · 907e8fa · 907e8fa
1 parent b8dbdd2
commit 907e8fa
Show file tree

Hide file tree

Showing 7 changed files with 13 additions and 85 deletions.
diff --git a/lib/backend/Routes/Api/Secrets.ml b/lib/backend/Routes/Api/Secrets.ml
@@ -20,38 +20,29 @@ let get_secrets request (user_id : int32) =
       {
         user_id = _;
         encrypted_master_key;
-        master_key_iv;
         encrypted_protection_key;
-        protection_key_iv;
         exported_protection_key;
         encrypted_verification_key;
-        verification_key_iv;
         exported_verification_key;
       } ->
       Lwt.return_ok
       @@ Some
            {
              encrypted_master_key;
-             master_key_iv;
              encrypted_protection_key;
-             protection_key_iv;
              exported_protection_key;
              encrypted_verification_key;
-             verification_key_iv;
              exported_verification_key;
            }
   | None -> Lwt.return_ok None
 
 let insert_secrets request (user_id : int32)
     ({
        encrypted_master_key;
-       master_key_iv;
        encrypted_protection_key;
        exported_protection_key;
-       protection_key_iv;
        encrypted_verification_key;
        exported_verification_key;
-       verification_key_iv;
      } :
       register_keys_payload) =
   let open Lwt_result.Syntax in
@@ -63,10 +54,9 @@ let insert_secrets request (user_id : int32)
   if has_keys then Lwt.return_ok false
   else
     let* () =
-      Models.Secrets.insert ~user_id ~encrypted_master_key ~master_key_iv
-        ~encrypted_protection_key ~protection_key_iv ~exported_verification_key
-        ~encrypted_verification_key ~verification_key_iv
-        ~exported_protection_key connection
+      Models.Secrets.insert ~user_id ~encrypted_master_key
+        ~encrypted_protection_key ~exported_verification_key
+        ~encrypted_verification_key ~exported_protection_key connection
     in
     Lwt.return_ok true
 

diff --git a/lib/frontend/js/pages/GetStartedPageGenerateHooks.re b/lib/frontend/js/pages/GetStartedPageGenerateHooks.re
@@ -78,20 +78,14 @@ let useGenerateKeys = () => {
       push({kind: Loading, message: "Submitting"});
       let registerKeysPayload: Types_universal.Definitions_t.register_keys_payload = {
         encrypted_master_key: wrappedMasterKey |> Base64_js.ArrayBuffer.encode,
-        master_key_iv:
-          clientSecrets.masterKeyIv |> Base64_js.Uint8Array.encode,
         encrypted_protection_key:
           wrappedProtectionKey |> Base64_js.ArrayBuffer.encode,
         exported_protection_key:
           exportedProtectionKey |> Base64_js.ArrayBuffer.encode,
-        protection_key_iv:
-          clientSecrets.protectionKeyIv |> Base64_js.Uint8Array.encode,
         encrypted_verification_key:
           wrappedVerificationKey |> Base64_js.ArrayBuffer.encode,
         exported_verification_key:
           exportedVerificationKey |> Base64_js.ArrayBuffer.encode,
-        verification_key_iv:
-          clientSecrets.verificationKeyIv |> Base64_js.Uint8Array.encode,
       };
       let* _ = ApiSecrets.post(registerKeysPayload);
       let* _ = sleep(500);

diff --git a/lib/models/Secrets.ml b/lib/models/Secrets.ml
@@ -3,12 +3,9 @@ open Utils
 type t = {
   user_id : int32;
   encrypted_master_key : string;
-  master_key_iv : string;
   encrypted_protection_key : string;
-  protection_key_iv : string;
   exported_protection_key : string;
   encrypted_verification_key : string;
-  verification_key_iv : string;
   exported_verification_key : string;
 }
 
@@ -20,14 +17,11 @@ CREATE TABLE IF NOT EXISTS secrets (
   user_id INT PRIMARY KEY REFERENCES users(id),
 
   encrypted_master_key BYTEA NOT NULL,
-  master_key_iv BYTEA NOT NULL,
 
   encrypted_protection_key BYTEA NOT NULL,
-  protection_key_iv BYTEA NOT NULL,
   exported_protection_key BYTEA NOT NULL,
 
   encrypted_verification_key BYTEA NOT NULL,
-  verification_key_iv BYTEA NOT NULL,
   exported_verification_key BYTEA NOT NULL
 );   
 |sql}]
@@ -41,14 +35,11 @@ SELECT
   @int32{user_id},
 
   @Base64Octets{encrypted_master_key},
-  @Base64Octets{master_key_iv},
 
   @Base64Octets{encrypted_protection_key},
-  @Base64Octets{protection_key_iv},
   @Base64Octets{exported_protection_key},
 
   @Base64Octets{encrypted_verification_key},
-  @Base64Octets{verification_key_iv},
   @Base64Octets{exported_verification_key}
 FROM
   secrets
@@ -65,14 +56,11 @@ SELECT
   @int32{user_id},
 
   @Base64Octets{encrypted_master_key},
-  @Base64Octets{master_key_iv},
 
   @Base64Octets{encrypted_protection_key},
-  @Base64Octets{protection_key_iv},
   @Base64Octets{exported_protection_key},
 
   @Base64Octets{encrypted_verification_key},
-  @Base64Octets{verification_key_iv},
   @Base64Octets{exported_verification_key}
 FROM
   secrets
@@ -93,28 +81,22 @@ INSERT INTO secrets (
   user_id,
 
   encrypted_master_key,
-  master_key_iv,
 
   encrypted_protection_key,
-  protection_key_iv,
   exported_protection_key,
 
   encrypted_verification_key,
-  verification_key_iv,
   exported_verification_key
 )
 VALUES(
   %int32{user_id},
 
   %Base64Octets{encrypted_master_key},
-  %Base64Octets{master_key_iv},
 
   %Base64Octets{encrypted_protection_key},
-  %Base64Octets{protection_key_iv},
   %Base64Octets{exported_protection_key},
 
   %Base64Octets{encrypted_verification_key},
-  %Base64Octets{verification_key_iv},
   %Base64Octets{exported_verification_key}
 );
 |sql}]
diff --git a/lib/models/Secrets.mli b/lib/models/Secrets.mli
@@ -5,21 +5,15 @@ type t = {
   encrypted_master_key : string;
       (** The symmetric key used to encrypt the {!encrypted_protection_key}
           and {!encrypted_verification_key}. *)
-  master_key_iv : string;
-      (** The [iv] used to encrypt the {!encrypted_master_key}. *)
   encrypted_protection_key : string;
       (** The private key used to decrypt the "[EphemeralKey]" that's passed
           alongside a message. *)
-  protection_key_iv : string;
-      (** The [iv] used to encrypt the {!encrypted_protection_key}.  *)
   exported_protection_key : string;
       (** The public key used to encrypt the "[EphemeralKey]" that's passed
           alongside a message. *)
   encrypted_verification_key : string;
       (** The private key used to produce the signature that's passed alongside
           a message. *)
-  verification_key_iv : string;
-      (** The [iv] used to encrypt the {!encrypted_verification_key}. *)
   exported_verification_key : string;
       (** The public key used to verify the signature that's passed alongside
           a message. *)
@@ -46,12 +40,9 @@ val get_by_username :
 val insert :
   user_id:int32 ->
   encrypted_master_key:string ->
-  master_key_iv:string ->
   encrypted_protection_key:string ->
-  protection_key_iv:string ->
   exported_protection_key:string ->
   encrypted_verification_key:string ->
-  verification_key_iv:string ->
   exported_verification_key:string ->
   (module Rapper_helper.CONNECTION) ->
   (unit, [> Caqti_error.call_or_retrieve ]) result Lwt.t

diff --git a/lib/types/definitions.atd b/lib/types/definitions.atd
@@ -19,13 +19,10 @@ type register_user_payload = {
 
 type register_keys_payload = {
   encrypted_master_key: string;
-  master_key_iv: string;
   encrypted_protection_key: string;
   exported_protection_key: string;
-  protection_key_iv: string;
   encrypted_verification_key: string;
   exported_verification_key: string;
-  verification_key_iv: string;
 }
 
 type register_response = {

diff --git a/test/backend/Secrets_Api_test.ml b/test/backend/Secrets_Api_test.ml
@@ -35,21 +35,15 @@ let register_fake_user () =
 
 let make_payload generate =
   let encrypted_master_key = generate () in
-  let master_key_iv = generate () in
   let encrypted_protection_key = generate () in
-  let protection_key_iv = generate () in
   let encrypted_verification_key = generate () in
-  let verification_key_iv = generate () in
   let exported_protection_key = generate () in
   let exported_verification_key = generate () in
   string_of_register_keys_payload
     {
       encrypted_master_key;
-      master_key_iv;
       encrypted_protection_key;
-      protection_key_iv;
       encrypted_verification_key;
-      verification_key_iv;
       exported_protection_key;
       exported_verification_key;
     }

diff --git a/test/models/Secrets_test.ml b/test/models/Secrets_test.ml
@@ -11,18 +11,15 @@ module Secrets = struct
       [
         field "user_id" (fun k -> k.user_id) int32;
         field "encrypted_master_key" (fun k -> k.encrypted_master_key) string;
-        field "master_key_iv" (fun k -> k.master_key_iv) string;
         field "encrypted_protection_key"
           (fun k -> k.encrypted_protection_key)
           string;
-        field "protection_key_iv" (fun k -> k.protection_key_iv) string;
         field "exported_protection_key"
           (fun k -> k.exported_protection_key)
           string;
         field "encrypted_verification_key"
           (fun k -> k.encrypted_verification_key)
           string;
-        field "verification_key_iv" (fun k -> k.verification_key_iv) string;
         field "exported_verification_key"
           (fun k -> k.exported_verification_key)
           string;
@@ -33,12 +30,9 @@ module Secrets = struct
       [
         Int32.equal x.user_id y.user_id;
         String.equal x.encrypted_master_key y.encrypted_master_key;
-        String.equal x.master_key_iv y.master_key_iv;
         String.equal x.encrypted_protection_key y.encrypted_protection_key;
-        String.equal x.protection_key_iv y.protection_key_iv;
         String.equal x.exported_protection_key y.exported_protection_key;
         String.equal x.encrypted_verification_key y.encrypted_verification_key;
-        String.equal x.verification_key_iv y.verification_key_iv;
         String.equal x.exported_verification_key y.exported_verification_key;
       ]
 end
@@ -47,12 +41,9 @@ let username = "purefunctor"
 let auth_token = String.make 128 ' '
 let client_random = String.make 16 ' ' |> Base64.encode_exn
 let encrypted_master_key = String.make 512 ' ' |> Base64.encode_exn
-let master_key_iv = String.make 12 ' ' |> Base64.encode_exn
 let encrypted_protection_key = String.make 512 ' ' |> Base64.encode_exn
-let protection_key_iv = String.make 12 ' ' |> Base64.encode_exn
 let exported_protection_key = String.make 512 ' ' |> Base64.encode_exn
 let encrypted_verification_key = String.make 512 ' ' |> Base64.encode_exn
-let verification_key_iv = String.make 12 ' ' |> Base64.encode_exn
 let exported_verification_key = String.make 512 ' ' |> Base64.encode_exn
 
 let initialize =
@@ -69,9 +60,8 @@ let insert =
     let* _ = Initialize.initialize db in
     let* user_id, _ = User.insert ~username ~auth_token ~client_random db in
     let* _ =
-      Secrets.insert ~user_id ~encrypted_master_key ~master_key_iv
-        ~encrypted_protection_key ~protection_key_iv ~exported_protection_key
-        ~encrypted_verification_key ~verification_key_iv
+      Secrets.insert ~user_id ~encrypted_master_key ~encrypted_protection_key
+        ~exported_protection_key ~encrypted_verification_key
         ~exported_verification_key db
     in
     Lwt.return_ok ()
@@ -84,15 +74,13 @@ let insert_existing =
     let* _ = Initialize.initialize db in
     let* user_id, _ = User.insert ~username ~auth_token ~client_random db in
     let* _ =
-      Secrets.insert ~user_id ~encrypted_master_key ~master_key_iv
-        ~encrypted_protection_key ~protection_key_iv ~exported_protection_key
-        ~encrypted_verification_key ~verification_key_iv
+      Secrets.insert ~user_id ~encrypted_master_key ~encrypted_protection_key
+        ~exported_protection_key ~encrypted_verification_key
         ~exported_verification_key db
     in
     let errorful =
-      Secrets.insert ~user_id ~encrypted_master_key ~master_key_iv
-        ~encrypted_protection_key ~protection_key_iv ~exported_protection_key
-        ~encrypted_verification_key ~verification_key_iv
+      Secrets.insert ~user_id ~encrypted_master_key ~encrypted_protection_key
+        ~exported_protection_key ~encrypted_verification_key
         ~exported_verification_key db
     in
     Lwt.bind errorful (function
@@ -107,22 +95,18 @@ let get_by_user_id =
     let* _ = Initialize.initialize db in
     let* user_id, _ = User.insert ~username ~auth_token ~client_random db in
     let* _ =
-      Secrets.insert ~user_id ~encrypted_master_key ~master_key_iv
-        ~encrypted_protection_key ~protection_key_iv ~exported_protection_key
-        ~encrypted_verification_key ~verification_key_iv
+      Secrets.insert ~user_id ~encrypted_master_key ~encrypted_protection_key
+        ~exported_protection_key ~encrypted_verification_key
         ~exported_verification_key db
     in
     let expected =
       Secrets.
         {
           user_id;
           encrypted_master_key;
-          master_key_iv;
           encrypted_protection_key;
-          protection_key_iv;
           exported_protection_key;
           encrypted_verification_key;
-          verification_key_iv;
           exported_verification_key;
         }
     in
@@ -141,22 +125,18 @@ let get_by_username =
     let* _ = Initialize.initialize db in
     let* user_id, _ = User.insert ~username ~auth_token ~client_random db in
     let* _ =
-      Secrets.insert ~user_id ~encrypted_master_key ~master_key_iv
-        ~encrypted_protection_key ~protection_key_iv ~exported_protection_key
-        ~encrypted_verification_key ~verification_key_iv
+      Secrets.insert ~user_id ~encrypted_master_key ~encrypted_protection_key
+        ~exported_protection_key ~encrypted_verification_key
         ~exported_verification_key db
     in
     let expected =
       Secrets.
         {
           user_id;
           encrypted_master_key;
-          master_key_iv;
           encrypted_protection_key;
-          protection_key_iv;
           exported_protection_key;
           encrypted_verification_key;
-          verification_key_iv;
           exported_verification_key;
         }
     in