Merge branch 'release/2.0.3'

.github/workflows/build.yml

@@ -8,6 +8,8 @@ jobs:
     if: "!contains(github.event.head_commit.message, '[ci skip]') && !contains(github.event.head_commit.message, '[skip ci]')"
     steps:
       - uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
       - uses: actions/setup-java@v1
         with:
           java-version: 11
@@ -17,12 +19,28 @@ jobs:
           key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
           restore-keys: |
             ${{ runner.os }}-maven-
+      - name: Cache SonarCloud packages
+        uses: actions/cache@v2
+        with:
+          path: ~/.sonar/cache
+          key: ${{ runner.os }}-sonar
+          restore-keys: ${{ runner.os }}-sonar
       - name: Ensure to use tagged version
         if: startsWith(github.ref, 'refs/tags/')
         run: mvn versions:set --file ./pom.xml -DnewVersion=${GITHUB_REF##*/}
       - name: Build and Test
         id: buildAndTest
-        run: mvn -B clean install jacoco:report -Pcoverage,dependency-check
+        run: >
+          mvn -B verify
+          jacoco:report
+          org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
+          -Pcoverage,dependency-check
+          -Dsonar.projectKey=cryptomator_cryptolib
+          -Dsonar.organization=cryptomator
+          -Dsonar.host.url=https://sonarcloud.io
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
       - name: Upload code coverage report
         id: codacyCoverageReporter
         run: bash <(curl -Ls https://coverage.codacy.com/get.sh)

README.md

@@ -1,7 +1,7 @@
 [![Build](https://github.com/cryptomator/cryptolib/workflows/Build/badge.svg)](https://github.com/cryptomator/cryptolib/actions?query=workflow%3ABuild)
-[![Codacy Badge](https://api.codacy.com/project/badge/Grade/9d736fe3e9e14dfb8a65949abbe8f712)](https://www.codacy.com/gh/cryptomator/cryptolib/dashboard)
-[![Codacy Badge](https://api.codacy.com/project/badge/Coverage/9d736fe3e9e14dfb8a65949abbe8f712)](https://www.codacy.com/gh/cryptomator/cryptolib/dashboard)
-[![Known Vulnerabilities](https://snyk.io/test/github/cryptomator/cryptolib/badge.svg)](https://snyk.io/test/github/cryptomator/cryptolib)
+[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=cryptomator_cryptolib&metric=alert_status)](https://sonarcloud.io/dashboard?id=cryptomator_cryptolib)
+[![Coverage](https://sonarcloud.io/api/project_badges/measure?project=cryptomator_cryptolib&metric=coverage)](https://sonarcloud.io/dashboard?id=cryptomator_cryptolib)
+[![Vulnerabilities](https://sonarcloud.io/api/project_badges/measure?project=cryptomator_cryptolib&metric=vulnerabilities)](https://sonarcloud.io/dashboard?id=cryptomator_cryptolib)
 [![Maven Central](https://img.shields.io/maven-central/v/org.cryptomator/cryptolib.svg?maxAge=86400)](https://repo1.maven.org/maven2/org/cryptomator/cryptolib/)
 [![Javadocs](http://www.javadoc.io/badge/org.cryptomator/cryptolib.svg)](http://www.javadoc.io/doc/org.cryptomator/cryptolib)
 

pom.xml

@@ -2,7 +2,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>org.cryptomator</groupId>
 	<artifactId>cryptolib</artifactId>
-	<version>2.0.2</version>
+	<version>2.0.3</version>
 	<name>Cryptomator Crypto Library</name>
 	<description>This library contains all cryptographic functions that are used by Cryptomator.</description>
 	<url>https://github.com/cryptomator/cryptolib</url>
@@ -18,9 +18,10 @@
 		<maven.compiler.release>8</maven.compiler.release>
 
 		<!-- dependencies -->
-		<gson.version>2.8.7</gson.version>
+		<gson.version>2.8.9</gson.version>
 		<guava.version>30.1.1-jre</guava.version>
 		<siv-mode.version>1.4.3</siv-mode.version>
+		<bouncycastle.version>1.69</bouncycastle.version>
 		<slf4j.version>1.7.31</slf4j.version>
 
 		<!-- test dependencies -->
@@ -60,6 +61,14 @@
 			<version>${siv-mode.version}</version>
 		</dependency>
 
+		<dependency>
+			<groupId>org.bouncycastle</groupId>
+			<artifactId>bcpkix-jdk15on</artifactId>
+			<version>${bouncycastle.version}</version>
+			<!-- see maven-shade-plugin; we don't want this as a transitive dependency in other projects -->
+			<optional>true</optional>
+		</dependency>
+
 		<dependency>
 			<groupId>com.google.code.gson</groupId>
 			<artifactId>gson</artifactId>
@@ -147,19 +156,81 @@
 					<encoding>UTF-8</encoding>
 					<showWarnings>true</showWarnings>
 				</configuration>
+			</plugin>
+			<plugin>
+				<artifactId>maven-shade-plugin</artifactId>
+				<version>3.2.4</version>
 				<executions>
 					<execution>
-						<id>java9</id>
-						<phase>compile</phase>
+						<phase>package</phase>
 						<goals>
-							<goal>compile</goal>
+							<goal>shade</goal>
 						</goals>
 						<configuration>
-							<release>9</release>
-							<compileSourceRoots>
-								<compileSourceRoot>${project.basedir}/src/main/java9</compileSourceRoot>
-							</compileSourceRoots>
-							<multiReleaseOutput>true</multiReleaseOutput>
+							<minimizeJar>true</minimizeJar>
+							<keepDependenciesWithProvidedScope>false</keepDependenciesWithProvidedScope>
+							<createDependencyReducedPom>false</createDependencyReducedPom>
+							<createSourcesJar>false</createSourcesJar>
+							<artifactSet>
+								<includes>
+									<include>org.bouncycastle:*</include>
+								</includes>
+							</artifactSet>
+							<relocations>
+								<relocation>
+									<pattern>org.bouncycastle</pattern>
+									<shadedPattern>org.cryptomator.cryptolib.org.bouncycastle</shadedPattern>
+								</relocation>
+							</relocations>
+							<filters>
+								<filter>
+									<artifact>org.bouncycastle:*</artifact>
+									<excludes>
+										<exclude>META-INF/**</exclude>
+									</excludes>
+								</filter>
+							</filters>
+						</configuration>
+					</execution>
+				</executions>
+			</plugin>
+			<plugin>
+				<groupId>org.moditect</groupId>
+				<artifactId>moditect-maven-plugin</artifactId>
+				<version>1.0.0.RC1</version>
+				<executions>
+					<execution>
+						<id>add-module-infos</id>
+						<phase>package</phase>
+						<goals>
+							<goal>add-module-info</goal>
+						</goals>
+						<configuration>
+							<jvmVersion>9</jvmVersion>
+							<overwriteExistingFiles>true</overwriteExistingFiles>
+							<module>
+								<moduleInfoSource>
+									module org.cryptomator.cryptolib {
+										requires org.cryptomator.siv;
+										requires com.google.gson;
+										requires com.google.common;
+										requires org.slf4j;
+
+										exports org.cryptomator.cryptolib.api;
+										exports org.cryptomator.cryptolib.common;
+
+										opens org.cryptomator.cryptolib.common to com.google.gson;
+
+										uses org.cryptomator.cryptolib.api.CryptorProvider;
+
+										provides org.cryptomator.cryptolib.api.CryptorProvider
+											with org.cryptomator.cryptolib.v1.CryptorProviderImpl, org.cryptomator.cryptolib.v2.CryptorProviderImpl;
+									}
+								</moduleInfoSource>
+							</module>
+							<jdepsExtraArgs>
+								<arg>--multi-release=9</arg>
+							</jdepsExtraArgs>
 						</configuration>
 					</execution>
 				</executions>
@@ -336,7 +407,7 @@
 						<extensions>true</extensions>
 						<configuration>
 							<serverId>ossrh</serverId>
-							<nexusUrl>https://oss.sonatype.org/</nexusUrl>
+							<nexusUrl>https://s01.oss.sonatype.org</nexusUrl>
 							<autoReleaseAfterClose>true</autoReleaseAfterClose>
 						</configuration>
 					</plugin>

src/main/java/org/cryptomator/cryptolib/common/DecryptingReadableByteChannel.java

@@ -11,7 +11,6 @@
 import org.cryptomator.cryptolib.api.AuthenticationFailedException;
 import org.cryptomator.cryptolib.api.Cryptor;
 import org.cryptomator.cryptolib.api.FileHeader;
-import org.cryptomator.cryptolib.common.ByteBuffers;
 
 import java.io.EOFException;
 import java.io.IOException;

src/main/java/org/cryptomator/cryptolib/common/DestroyableSecretKey.java

@@ -29,7 +29,7 @@
  */
 public class DestroyableSecretKey implements SecretKey, AutoCloseable {
 
-	private transient final byte[] key;
+	private final transient byte[] key;
 	private final String algorithm;
 	private boolean destroyed;
 

src/main/java/org/cryptomator/cryptolib/common/ECKeyPair.java

@@ -0,0 +1,65 @@
+package org.cryptomator.cryptolib.common;
+
+import com.google.common.base.Preconditions;
+
+import javax.security.auth.Destroyable;
+import java.security.KeyPair;
+import java.security.MessageDigest;
+import java.security.interfaces.ECPrivateKey;
+import java.security.interfaces.ECPublicKey;
+import java.util.Arrays;
+import java.util.Objects;
+
+public class ECKeyPair implements Destroyable {
+
+	private final KeyPair keyPair;
+	private boolean destroyed;
+
+	ECKeyPair(KeyPair keyPair) {
+		Preconditions.checkArgument(keyPair.getPrivate() instanceof ECPrivateKey);
+		Preconditions.checkArgument(keyPair.getPublic() instanceof ECPublicKey);
+		this.keyPair = keyPair;
+	}
+
+	public KeyPair keyPair() {
+		return keyPair;
+	}
+
+	public ECPrivateKey getPrivate() {
+		Preconditions.checkState(!destroyed);
+		assert keyPair.getPrivate() instanceof ECPrivateKey;
+		return (ECPrivateKey) keyPair.getPrivate();
+	}
+
+	public ECPublicKey getPublic() {
+		Preconditions.checkState(!destroyed);
+		assert keyPair.getPublic() instanceof ECPublicKey;
+		return (ECPublicKey) keyPair.getPublic();
+	}
+
+	@Override
+	public boolean isDestroyed() {
+		return destroyed;
+	}
+
+	@Override
+	public void destroy() {
+		Destroyables.destroySilently(keyPair.getPrivate());
+		destroyed = true;
+	}
+
+	@Override
+	public boolean equals(Object o) {
+		if (this == o) return true;
+		if (o == null || getClass() != o.getClass()) return false;
+		ECKeyPair that = (ECKeyPair) o;
+		return MessageDigest.isEqual(this.getPublic().getEncoded(), that.getPublic().getEncoded());
+	}
+
+	@Override
+	public int hashCode() {
+		int result = Objects.hash(keyPair.getPublic().getAlgorithm());
+		result = 31 * result + Arrays.hashCode(keyPair.getPublic().getEncoded());
+		return result;
+	}
+}

src/main/java/org/cryptomator/cryptolib/common/EncryptingReadableByteChannel.java

@@ -2,7 +2,6 @@
 
 import org.cryptomator.cryptolib.api.Cryptor;
 import org.cryptomator.cryptolib.api.FileHeader;
-import org.cryptomator.cryptolib.common.ByteBuffers;
 
 import java.io.IOException;
 import java.nio.ByteBuffer;

src/main/java/org/cryptomator/cryptolib/common/EncryptingWritableByteChannel.java

@@ -8,14 +8,13 @@
  *******************************************************************************/
 package org.cryptomator.cryptolib.common;
 
+import org.cryptomator.cryptolib.api.Cryptor;
+import org.cryptomator.cryptolib.api.FileHeader;
+
 import java.io.IOException;
 import java.nio.ByteBuffer;
 import java.nio.channels.WritableByteChannel;
 
-import org.cryptomator.cryptolib.api.Cryptor;
-import org.cryptomator.cryptolib.api.FileHeader;
-import org.cryptomator.cryptolib.common.ByteBuffers;
-
 public class EncryptingWritableByteChannel implements WritableByteChannel {
 
 	private final WritableByteChannel delegate;

src/main/java/org/cryptomator/cryptolib/common/MasterkeyHubAccess.java

@@ -0,0 +1,65 @@
+package org.cryptomator.cryptolib.common;
+
+import com.google.common.io.BaseEncoding;
+import org.cryptomator.cryptolib.api.Masterkey;
+import org.cryptomator.cryptolib.api.MasterkeyLoadingFailedException;
+import org.cryptomator.cryptolib.ecies.EncryptedMessage;
+import org.cryptomator.cryptolib.ecies.ECIntegratedEncryptionScheme;
+
+import javax.crypto.AEADBadTagException;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.PublicKey;
+import java.security.interfaces.ECPrivateKey;
+import java.security.interfaces.ECPublicKey;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.X509EncodedKeySpec;
+import java.util.Arrays;
+
+public class MasterkeyHubAccess {
+
+	private static final BaseEncoding BASE64_URL = BaseEncoding.base64Url().omitPadding();
+
+	private MasterkeyHubAccess() {
+	}
+
+	/**
+	 * Decrypts a masterkey retrieved from Cryptomator Hub
+	 *
+	 * @param devicePrivateKey  Private key of the device this ciphertext is intended for
+	 * @param encodedCiphertext The encrypted masterkey
+	 * @param encodedEphPubKey  The ephemeral public key to be used to derive a secret shared between message sender and this device
+	 * @return The decrypted masterkey
+	 * @throws MasterkeyLoadingFailedException If the parameters don't match and decryption fails
+	 */
+	public static Masterkey decryptMasterkey(ECPrivateKey devicePrivateKey, String encodedCiphertext, String encodedEphPubKey) throws MasterkeyLoadingFailedException {
+		byte[] cleartext = new byte[0];
+		try {
+			EncryptedMessage message = decode(encodedCiphertext, encodedEphPubKey);
+			cleartext = ECIntegratedEncryptionScheme.HUB.decrypt(devicePrivateKey, message);
+			return new Masterkey(cleartext);
+		} catch (IllegalArgumentException | AEADBadTagException e) {
+			throw new MasterkeyLoadingFailedException("Key and ciphertext don't match", e);
+		} finally {
+			Arrays.fill(cleartext, (byte) 0x00);
+		}
+	}
+
+	private static EncryptedMessage decode(String encodedCiphertext, String encodedEphPubKey) throws IllegalArgumentException {
+		byte[] ciphertext = BASE64_URL.decode(encodedCiphertext);
+		byte[] keyBytes = BASE64_URL.decode(encodedEphPubKey);
+		try {
+			PublicKey key = KeyFactory.getInstance("EC").generatePublic(new X509EncodedKeySpec(keyBytes));
+			if (key instanceof ECPublicKey) {
+				return new EncryptedMessage((ECPublicKey) key, ciphertext);
+			} else {
+				throw new IllegalArgumentException("Key not an EC public key.");
+			}
+		} catch (InvalidKeySpecException e) {
+			throw new IllegalArgumentException("Invalid license public key", e);
+		} catch (NoSuchAlgorithmException e) {
+			throw new IllegalStateException(e);
+		}
+	}
+
+}

src/main/java/org/cryptomator/cryptolib/common/MessageDigestSupplier.java

@@ -14,6 +14,7 @@
 public final class MessageDigestSupplier {
 
 	public static final MessageDigestSupplier SHA1 = new MessageDigestSupplier("SHA-1");
+	public static final MessageDigestSupplier SHA256 = new MessageDigestSupplier("SHA-256");
 
 	private final String digestAlgorithm;
 	private final ThreadLocal<MessageDigest> threadLocal;