diff --git a/.github/workflows/at_server.yaml b/.github/workflows/at_server.yaml index 72f28c302..1501ddc07 100644 --- a/.github/workflows/at_server.yaml +++ b/.github/workflows/at_server.yaml @@ -179,7 +179,7 @@ jobs: run: | echo "hashes=$(cat checksums.txt | base64 -w0)" >> "$GITHUB_OUTPUT" - if: ${{ matrix.dart-channel == 'stable' && startsWith(github.ref, 'refs/tags/') }} - uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0.0 + uses: actions/attest-build-provenance@c4fbc648846ca6f503a13a2281a5e7b98aa57202 # v2.0.1 with: subject-path: 'sboms/**' diff --git a/.github/workflows/promote_canary.yaml b/.github/workflows/promote_canary.yaml index de14d87c1..ebfea0c7a 100644 --- a/.github/workflows/promote_canary.yaml +++ b/.github/workflows/promote_canary.yaml @@ -164,7 +164,7 @@ jobs: working-directory: sboms run: | echo "hashes=$(cat checksums.txt | base64 -w0)" >> "$GITHUB_OUTPUT" - - uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0.0 + - uses: actions/attest-build-provenance@c4fbc648846ca6f503a13a2281a5e7b98aa57202 # v2.0.1 with: subject-path: 'sboms/**' diff --git a/packages/at_secondary_server/lib/src/verb/handler/enroll_verb_handler.dart b/packages/at_secondary_server/lib/src/verb/handler/enroll_verb_handler.dart index 0677432e0..d74b98f36 100644 --- a/packages/at_secondary_server/lib/src/verb/handler/enroll_verb_handler.dart +++ b/packages/at_secondary_server/lib/src/verb/handler/enroll_verb_handler.dart @@ -249,9 +249,6 @@ class EnrollVerbHandler extends AbstractVerbHandler { final inboundConnectionMetadata = atConnection.metaData as InboundConnectionMetadata; inboundConnectionMetadata.enrollmentId = newEnrollmentId; - // Store default encryption private key and self encryption key(both encrypted) - // for future retrieval - await _storeEncryptionKeys(newEnrollmentId, enrollParams, currentAtSign); // store this apkam as default pkam public key for old clients // The keys with AT_PKAM_PUBLIC_KEY does not sync to client. await keyStore.put(AtConstants.atPkamPublicKey, @@ -409,12 +406,18 @@ class EnrollVerbHandler extends AbstractVerbHandler { String newEnrollmentId, EnrollParams enrollParams, String atSign) async { var privateKeyJson = {}; privateKeyJson['value'] = enrollParams.encryptedDefaultEncryptionPrivateKey; + if (enrollParams.encPrivateKeyIV != null) { + privateKeyJson['iv'] = enrollParams.encPrivateKeyIV; + } await keyStore.put( '$newEnrollmentId.${AtConstants.defaultEncryptionPrivateKey}.$enrollManageNamespace$atSign', AtData()..data = jsonEncode(privateKeyJson), skipCommit: true); var selfKeyJson = {}; selfKeyJson['value'] = enrollParams.encryptedDefaultSelfEncryptionKey; + if (enrollParams.selfEncKeyIV != null) { + selfKeyJson['iv'] = enrollParams.selfEncKeyIV; + } await keyStore.put( '$newEnrollmentId.${AtConstants.defaultSelfEncryptionKey}.$enrollManageNamespace$atSign', AtData()..data = jsonEncode(selfKeyJson), diff --git a/packages/at_secondary_server/pubspec.yaml b/packages/at_secondary_server/pubspec.yaml index e30b53f07..fc4553d6b 100644 --- a/packages/at_secondary_server/pubspec.yaml +++ b/packages/at_secondary_server/pubspec.yaml @@ -19,7 +19,7 @@ dependencies: basic_utils: 5.7.0 ecdsa: 0.1.0 encrypt: 5.0.3 - at_commons: 5.1.0 + at_commons: 5.1.1 at_utils: 3.0.19 at_chops: 2.2.0 at_lookup: 3.0.49 diff --git a/tests/at_functional_test/test/enroll_verb_test.dart b/tests/at_functional_test/test/enroll_verb_test.dart index 004a31a10..aea2bf7fd 100644 --- a/tests/at_functional_test/test/enroll_verb_test.dart +++ b/tests/at_functional_test/test/enroll_verb_test.dart @@ -1,6 +1,7 @@ import 'dart:convert'; import 'dart:io'; +import 'package:at_chops/at_chops.dart'; import 'package:at_commons/at_commons.dart'; import 'package:at_demo_data/at_demo_data.dart' as at_demos; import 'package:at_demo_data/at_demo_data.dart'; @@ -274,35 +275,6 @@ void main() { expect(llookupResponseMap['errorCode'], 'AT0009'); expect(llookupResponseMap['errorDescription'], 'UnAuthorized client in request : Connection with enrollment ID $enrollmentId is not authorized to llookup key: $enrollmentKey'); - - // keys:get:self should return default self encryption key - var selfKey = '$enrollmentId.default_self_enc_key.__manage$firstAtSign'; - String selfKeyResponse = - await socketConnection2.sendRequestToServer('keys:get:self'); - expect(selfKeyResponse.contains(selfKey), true); - - // keys:get:private should return private encryption key - var privateKey = - '$enrollmentId.default_enc_private_key.__manage$firstAtSign'; - String privateKeyResponse = - await socketConnection2.sendRequestToServer('keys:get:private'); - expect(privateKeyResponse.contains(privateKey), true); - - // keys:get:keyName should return the enrollment key with __manage namespace - String selfKeyGetResponse = await socketConnection2 - .sendRequestToServer('keys:get:keyName:$selfKey'); - expect( - selfKeyGetResponse - .contains('${apkamEncryptedKeysMap['encryptedSelfEncKey']}'), - true); - - // keys:get:keyName should return the enrollment key with __manage namespace - String privateKeyGetResponse = await socketConnection2 - .sendRequestToServer('keys:get:keyName:$privateKey'); - expect( - privateKeyGetResponse.contains( - '${apkamEncryptedKeysMap['encryptedDefaultEncPrivateKey']}'), - true); }); test( @@ -387,8 +359,12 @@ void main() { var secondEnrollId = enrollJson['enrollmentId']; // connect to the first client to approve the enroll request + final encryptionPrivateKeyIV = + base64Encode(AtChopsUtil.generateRandomIV(16).ivBytes); + final selfEncryptionKeyIV = + base64Encode(AtChopsUtil.generateRandomIV(16).ivBytes); String approveResponse = (await firstAtSignConnection.sendRequestToServer( - 'enroll:approve:{"enrollmentId":"$secondEnrollId","encryptedDefaultEncryptionPrivateKey":"${apkamEncryptedKeysMap['encryptedDefaultEncPrivateKey']}","encryptedDefaultSelfEncryptionKey": "${apkamEncryptedKeysMap['encryptedSelfEncKey']}"}')) + 'enroll:approve:{"enrollmentId":"$secondEnrollId","encryptedDefaultEncryptionPrivateKey":"${apkamEncryptedKeysMap['encryptedDefaultEncPrivateKey']}","encPrivateKeyIV":"$encryptionPrivateKeyIV","encryptedDefaultSelfEncryptionKey": "${apkamEncryptedKeysMap['encryptedSelfEncKey']}","selfEncKeyIV":"$selfEncryptionKeyIV"}')) .replaceFirst('data:', ''); var approveJson = jsonDecode(approveResponse); expect(approveJson['status'], 'approved'); @@ -406,12 +382,27 @@ void main() { await socketConnection2.sendRequestToServer('keys:get:self'); expect(selfKeyResponse.contains(selfKey), true); + String selfKeyGetResponse = await socketConnection2 + .sendRequestToServer('keys:get:keyName:$selfKey'); + selfKeyGetResponse = selfKeyGetResponse.replaceFirst('data:', ''); + var selfKeyResponseJson = jsonDecode(selfKeyGetResponse); + expect(selfKeyResponseJson['value'], + apkamEncryptedKeysMap['encryptedSelfEncKey']); + expect(selfKeyResponseJson['iv'], selfEncryptionKeyIV); + // keys:get:private should return private encryption key var privateKey = '$secondEnrollId.default_enc_private_key.__manage$firstAtSign'; String privateKeyResponse = await socketConnection2.sendRequestToServer('keys:get:private'); expect(privateKeyResponse.contains(privateKey), true); + String privateKeyGetResponse = await socketConnection2 + .sendRequestToServer('keys:get:keyName:$privateKey'); + privateKeyGetResponse = privateKeyGetResponse.replaceFirst('data:', ''); + var privateKeyResponseJson = jsonDecode(privateKeyGetResponse); + expect(privateKeyResponseJson['value'], + apkamEncryptedKeysMap['encryptedDefaultEncPrivateKey']); + expect(privateKeyResponseJson['iv'], encryptionPrivateKeyIV); }); test(