update code to work together for setting new password and update encrypted privkey and password hash in db

2025-12-13 07:45:54 +00:00 · 2020-06-08 18:30:29 +02:00 · 2020-06-08 18:30:29 +02:00 · c44184f823
commit c44184f823
parent e7624382ae
12 changed files with 153 additions and 20 deletions
--- a/src/cpp/Crypto/AuthenticatedEncryption.cpp
+++ b/src/cpp/Crypto/AuthenticatedEncryption.cpp
@ -128,6 +128,34 @@ AuthenticatedEncryption::ResultType AuthenticatedEncryption::decrypt(const Memor
 	return AUTH_DECRYPT_OK;
 }
 AuthenticatedEncryption::ResultType AuthenticatedEncryption::decrypt(const std::vector<unsigned char>& encryptedMessage, MemoryBin** message) const
 {
 	assert(message);
 	std::shared_lock<std::shared_mutex> _lock(mWorkingMutex);
 	if (!mEncryptionKey) {
 		return AUTH_NO_KEY;
 	}
 	size_t decryptSize = encryptedMessage.size() - crypto_secretbox_MACBYTES;
 	//unsigned char* decryptBuffer = (unsigned char*)malloc(decryptSize);
 	auto mm = MemoryManager::getInstance();
 	//ObfusArray* decryptedData = new ObfusArray(decryptSize);
 	auto decryptedData = mm->getFreeMemory(decryptSize);
 	unsigned char nonce[crypto_secretbox_NONCEBYTES];
 	// we use a hardcoded value for nonce
 	// TODO: use a dynamic value, save it along with the other parameters
 	memset(nonce, 31, crypto_secretbox_NONCEBYTES);
 	if (crypto_secretbox_open_easy(*decryptedData, encryptedMessage.data(), encryptedMessage.size(), nonce, *mEncryptionKey)) {
 		mm->releaseMemory(decryptedData);
 		return AUTH_DECRYPT_MESSAGE_FAILED;
 	}
 	*message = decryptedData;
 	return AUTH_DECRYPT_OK;
 }
 const char* AuthenticatedEncryption::getErrorMessage(ResultType type)
 {
 	switch (type) {
--- a/src/cpp/Crypto/AuthenticatedEncryption.h
+++ b/src/cpp/Crypto/AuthenticatedEncryption.h
@ -5,6 +5,7 @@
 #include "../SingletonManager/MemoryManager.h"
 #include <shared_mutex>
 #include <vector>
 /*! 
 * 
@ -59,6 +60,11 @@ public:
 	ResultType encrypt(const MemoryBin* message, MemoryBin** encryptedMessage) const;
 	ResultType decrypt(const MemoryBin* encryptedMessage, MemoryBin** message) const;
 	//! \brief same as the other decrypt only in other format
 	//! \param encryptedMessage format from Poco Binary Data from DB, like returned from model/table/user for encrypted private key
 	//! 
 	//! double code, I don't know how to prevent without unnecessary copy of encryptedMessage
 	ResultType decrypt(const std::vector<unsigned char>& encryptedMessage, MemoryBin** message) const;
 	static const char* getErrorMessage(ResultType type);
--- a/src/cpp/Crypto/KeyPairEd25519.cpp
+++ b/src/cpp/Crypto/KeyPairEd25519.cpp
@ -8,10 +8,12 @@
 #include "Passphrase.h"
-KeyPairEd25519::KeyPairEd25519(MemoryBin* privateKey, const unsigned char* publicKey)
+KeyPairEd25519::KeyPairEd25519(MemoryBin* privateKey)
 	: mSodiumSecret(privateKey)
 {
-	memcpy(mSodiumPublic, publicKey, crypto_sign_PUBLICKEYBYTES);
+	//memcpy(mSodiumPublic, publicKey, crypto_sign_PUBLICKEYBYTES);
 	// read pubkey from private key, so we are sure it is the correct pubkey for the private key
 	crypto_sign_ed25519_sk_to_pk(*privateKey, mSodiumPublic);
 }
 KeyPairEd25519::KeyPairEd25519(const unsigned char* publicKey)
--- a/src/cpp/Crypto/KeyPairEd25519.h
+++ b/src/cpp/Crypto/KeyPairEd25519.h
@ -21,7 +21,7 @@ class KeyPairEd25519 : public IKeyPair
 public:
 	//! \param privateKey: take ownership, release after object destruction
 	//! \param publicKey: copy
-	KeyPairEd25519(MemoryBin* privateKey, const unsigned char* publicKey);
+	KeyPairEd25519(MemoryBin* privateKey);
 	KeyPairEd25519(const unsigned char* publicKey);
 	~KeyPairEd25519();
@ -38,10 +38,16 @@ public:
 	inline bool isTheSame(const KeyPairEd25519& b) const {
 		return 0 == sodium_memcmp(mSodiumPublic, b.mSodiumPublic, crypto_sign_PUBLICKEYBYTES);
 	}
 	inline bool isTheSame(const unsigned char* pubkey) const {
 		return 0 == sodium_memcmp(mSodiumPublic, pubkey, crypto_sign_PUBLICKEYBYTES);
 	}
 	inline bool operator == (const KeyPairEd25519& b) const { return isTheSame(b);  }
 	inline bool operator != (const KeyPairEd25519& b) const { return !isTheSame(b); }
 	inline bool operator == (const unsigned char* b) const { return isTheSame(b); }
 	inline bool operator != (const unsigned char* b) const { return !isTheSame(b); }
 	inline bool hasPrivateKey() const { return mSodiumSecret != nullptr; }
 	//! \brief only way to get a private key.. encrypted
--- a/src/cpp/HTTPInterface/AdminUserPasswordReset.cpp
+++ b/src/cpp/HTTPInterface/AdminUserPasswordReset.cpp
@ -207,7 +207,7 @@ void AdminUserPasswordReset::handleRequest(Poco::Net::HTTPServerRequest& request
 	responseStream << "</li>\n";
 	responseStream << "\t\t\t<li>Private Key verschlüsselt: ";
 #line 92 "F:\\Gradido\\gradido_login_server\\src\\cpsp\\adminUserPasswordReset.cpsp"
-	responseStream << ( std::to_string(userModel->existPrivateKeyCrypted()) );
+	responseStream << ( std::to_string(userModel->hasPrivateKeyEncrypted()) );
 	responseStream << "</li>\n";
 	responseStream << "\t\t\t<li>Passwort gesetzt: ";
 #line 93 "F:\\Gradido\\gradido_login_server\\src\\cpsp\\adminUserPasswordReset.cpsp"
--- a/src/cpp/controller/User.cpp
+++ b/src/cpp/controller/User.cpp
@ -3,10 +3,12 @@
 #include "sodium.h"
 #include "../SingletonManager/SessionManager.h"
 #include "../lib/DataTypeConverter.h"
 namespace controller {
 	User::User(model::table::User* dbModel)
-		: mPassword(nullptr)
+		: mPassword(nullptr), mGradidoKeyPair(nullptr)
 	{
 		mDBModel = dbModel;
 	}
@ -15,6 +17,11 @@ namespace controller {
 	{
 		if (mPassword) {
 			delete mPassword;
 			mPassword = nullptr;
 		}
 		if (mGradidoKeyPair) {
 			delete mGradidoKeyPair;
 			mGradidoKeyPair = nullptr;
 		}
 	}
@ -115,4 +122,45 @@ namespace controller {
 		return json;
 	}
 	int User::setPassword(AuthenticatedEncryption* passwd) 
 	{
 		std::unique_lock<std::shared_mutex> _lock(mSharedMutex);
 		auto model = getModel();
 		const static char* function_name = "controller::User::setPassword";
 		if (mPassword) 
 		{
 			if (mPassword == passwd) return 0;
 			// if password exist but gradido key pair not, try to load key pair
 			if ((!mGradidoKeyPair || !mGradidoKeyPair->hasPrivateKey()) && model->hasPrivateKeyEncrypted()) {
 				//if (!mGradidoKeyPair) mGradidoKeyPair = new KeyPairEd25519;
 				MemoryBin* clear_private_key = nullptr;
 				if (AuthenticatedEncryption::AUTH_DECRYPT_OK == mPassword->decrypt(model->getPrivateKeyEncrypted(), &clear_private_key)) {
 					if (mGradidoKeyPair) delete mGradidoKeyPair;
 					mGradidoKeyPair = new KeyPairEd25519(clear_private_key);
 					// check if saved pubkey and from private key extracted pubkey match
 					if (*mGradidoKeyPair != model->getPublicKey()) {
 						delete mGradidoKeyPair;
 						mGradidoKeyPair = nullptr;
 						return -1;
 					}
 				}
 			}
 			delete passwd;
 		}
 		// replace old password with new
 		mPassword = passwd;
 		// set new encrypted password and hash
 		model->setPasswordHashed(mPassword->getKeyHashed());
 		auto encryptedPrivateKey = mGradidoKeyPair->getCryptedPrivKey(mPassword);
 		model->setPrivateKey(encryptedPrivateKey);
 		MemoryManager::getInstance()->releaseMemory(encryptedPrivateKey);
 		// save changes to db
 		return model->updatePrivkeyAndPasswordHash();
 	}
 }
--- a/src/cpp/controller/User.h
+++ b/src/cpp/controller/User.h
@ -2,7 +2,8 @@
 #define GRADIDO_LOGIN_SERVER_CONTROLLER_USER_INCLUDE
 #include "../model/table/User.h"
-#include "../Crypto/AuthenticatedEncryption.h"
+//#include "../Crypto/AuthenticatedEncryption.h"
 #include "../Crypto/KeyPairEd25519.h"
 #include <shared_mutex>
@ -42,13 +43,12 @@ namespace controller {
 		// ***********************************************************************************
 		// password related
-		//! \brief 
+		//! \brief set authenticated encryption and save hash in db, should also re encrypt private key if exist
 		//! \param passwd take owner ship 
-		inline void setPassword(AuthenticatedEncryption* passwd) { 
+		//! \return 0 = new and current passwords are the same
-			std::unique_lock<std::shared_mutex> _lock(mSharedMutex);
+		//! \return 1 = password changed, private key re-encrypted and saved into db
-			if (mPassword) delete passwd;
+		//! \return -1 = stored pubkey and private key didn't match
-			mPassword = passwd; 
+		int setPassword(AuthenticatedEncryption* passwd); 
 		}
 		inline const AuthenticatedEncryption* getPassword() {
 			std::shared_lock<std::shared_mutex> _lock(mSharedMutex);
@ -60,6 +60,7 @@ namespace controller {
 		std::string mPublicHex;
 		AuthenticatedEncryption* mPassword;
 		KeyPairEd25519*          mGradidoKeyPair;
 		mutable std::shared_mutex mSharedMutex;
 	};
--- a/src/cpp/model/User.cpp
+++ b/src/cpp/model/User.cpp
@ -426,8 +426,8 @@ User::User(Poco::AutoPtr<controller::User> ctrl_user)
 		mPublicHex = std::string((char*)(*hexStringTemp));
 		mm->releaseMemory(hexStringTemp);
 	}
-	if (model->existPrivateKeyCrypted()) {
+	if (model->hasPrivateKeyEncrypted()) {
-		auto privKeyVetor = model->getPrivateKeyCrypted();
+		auto privKeyVetor = model->getPrivateKeyEncrypted();
 		mPrivateKey = mm->getFreeMemory(privKeyVetor.size());
 		memcpy(*mPrivateKey, privKeyVetor.data(), privKeyVetor.size());
 	}
--- a/src/cpp/model/table/User.cpp
+++ b/src/cpp/model/table/User.cpp
@ -143,7 +143,10 @@ namespace model {
 		size_t User::updatePrivkey() 
 		{ 
 			lock(); 
-			if (mPrivateKey.isNull()) return 0;
+			if (mPrivateKey.isNull()) {
 				unlock();
 				return 0;
 			}
 			auto result = updateIntoDB("privkey", mPrivateKey.value()); 
 			unlock(); 
 			return result; 
@ -151,12 +154,45 @@ namespace model {
 		size_t User::updatePublickey()
 		{
 			lock();
-			if (mPublicKey.isNull()) return 0;
+			if (mPublicKey.isNull()) {
 				unlock();
 				return 0;
 			}
 			auto result = updateIntoDB("pubkey", mPublicKey.value());
 			unlock();
 			return result;
 		}
 		size_t User::updatePrivkeyAndPasswordHash()
 		{
 			lock();
 			if (mPrivateKey.isNull() || !mPasswordHashed || !mID) {
 				unlock();
 				return 0;
 			}
 			auto cm = ConnectionManager::getInstance();
 			auto session = cm->getConnection(CONNECTION_MYSQL_LOGIN_SERVER);
 			Poco::Data::Statement update(session);
 			update << "UPDATE users SET password = ?, privkey = ? where id = ?;",
 				bind(mPasswordHashed), use(mPrivateKey), use(mID);
 			size_t resultCount = 0;
 			try {
 				return update.execute();
 			}
 			catch (Poco::Exception& ex) {
 				lock("User::updatePrivkeyAndPasswordHash");
 				addError(new ParamError(getTableName(), "mysql error by insert", ex.displayText().data()));
 				addError(new ParamError(getTableName(), "data set: ", toString().data()));
 				unlock();
 			}
 			//printf("data valid: %s\n", toString().data());
 			return 0;
 		}
 		/*
 		std::string mEmail;
--- a/src/cpp/model/table/User.h
+++ b/src/cpp/model/table/User.h
@ -45,7 +45,7 @@ namespace model {
 			// specific db operation
 			size_t updatePrivkey();
 			size_t updatePublickey();
-			
+			size_t updatePrivkeyAndPasswordHash();
 			// default getter unlocked
 			inline const std::string& getEmail() const { return mEmail; }
@ -56,8 +56,8 @@ namespace model {
 			inline const unsigned char* getPublicKey() const { if (mPublicKey.isNull()) return nullptr; return mPublicKey.value().content().data(); }
 			std::string getPublicKeyHex() const;
-			inline bool existPrivateKeyCrypted() const { return !mPrivateKey.isNull(); }
+			inline bool hasPrivateKeyEncrypted() const { return !mPrivateKey.isNull(); }
-			inline const std::vector<unsigned char>& getPrivateKeyCrypted() const { return mPrivateKey.value().content(); }
+			inline const std::vector<unsigned char>& getPrivateKeyEncrypted() const { return mPrivateKey.value().content(); }
 			inline bool isEmailChecked() const { return mEmailChecked; }
 			inline const std::string& getLanguageKey() const { return mLanguageKey; }
--- a/src/cpp/tasks/AuthenticatedEncryptionCreateKeyTask.cpp
+++ b/src/cpp/tasks/AuthenticatedEncryptionCreateKeyTask.cpp
@ -4,6 +4,8 @@
 #include "../SingletonManager/SingletonTaskObserver.h"
 #include "../SingletonManager/ErrorManager.h"
 #include "../lib/Profiler.h"
 AuthenticatedEncryptionCreateKeyTask::AuthenticatedEncryptionCreateKeyTask(Poco::AutoPtr<controller::User> user, const std::string& passwd)
 	: UniLib::controller::CPUTask(ServerConfig::g_CryptoCPUScheduler), mUser(user), mPassword(passwd)
 {
@ -20,6 +22,7 @@ int AuthenticatedEncryptionCreateKeyTask::run()
 	auto em = ErrorManager::getInstance();
 	const static char* function_name = "AuthenticatedEncryptionCreateKeyTask::run";
 	auto authenticated_encryption = new AuthenticatedEncryption;
 	Profiler timeUsed;
 	if (AuthenticatedEncryption::AUTH_ENCRYPT_OK != authenticated_encryption->createKey(mUser->getModel()->getEmail(), mPassword)) {
 		em->addError(new Error(function_name, "error creating key"));
 		em->addError(new ParamError(function_name, "for email", mUser->getModel()->getEmail()));
@ -27,7 +30,10 @@ int AuthenticatedEncryptionCreateKeyTask::run()
 		em->sendErrorsAsEmail();
 		return -1;
 	}
 	printf("create password time: %s\n", timeUsed.string().data());
 	timeUsed.reset();
 	mUser->setPassword(authenticated_encryption);
 	printf("set password time: %s\n", timeUsed.string().data());
 	return 0;
 }
--- a/src/cpsp/adminUserPasswordReset.cpsp
+++ b/src/cpsp/adminUserPasswordReset.cpsp
@ -89,7 +89,7 @@ enum PageState
 			<li><%= userModel->getEmail() %></li>
 			<li>Public Key: <%= userModel->getPublicKeyHex() %></li>
 			<li>E-Mail überprüft: <%= std::to_string(userModel->isEmailChecked()) %></li>
-			<li>Private Key verschlüsselt: <%= std::to_string(userModel->existPrivateKeyCrypted()) %></li>
+			<li>Private Key verschlüsselt: <%= std::to_string(userModel->hasPrivateKeyEncrypted()) %></li>
 			<li>Passwort gesetzt: <%= std::to_string(userModel->getPasswordHashed() != 0) %></li>
 		</ul>
 	<% } %>