Merge pull request #4686 from matrix-org/dbkr/recovery_keys_over_passphrases

Use recovery keys over passphrases
This commit is contained in:
David Baker 2020-06-15 11:30:30 +01:00 committed by GitHub
commit 8ebae4c3b6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
12 changed files with 426 additions and 399 deletions

View file

@ -98,3 +98,7 @@ limitations under the License.
} }
} }
} }
.mx_CompleteSecurity_resetText {
padding-top: 20px;
}

View file

@ -73,33 +73,42 @@ limitations under the License.
margin-left: 20px; margin-left: 20px;
} }
.mx_CreateSecretStorageDialog_recoveryKeyHeader {
margin-bottom: 1em;
}
.mx_CreateSecretStorageDialog_recoveryKeyContainer { .mx_CreateSecretStorageDialog_recoveryKeyContainer {
display: flex; width: 380px;
margin-left: auto;
margin-right: auto;
} }
.mx_CreateSecretStorageDialog_recoveryKey { .mx_CreateSecretStorageDialog_recoveryKey {
width: 262px; font-weight: bold;
text-align: center;
padding: 20px; padding: 20px;
color: $info-plinth-fg-color; color: $info-plinth-fg-color;
background-color: $info-plinth-bg-color; background-color: $info-plinth-bg-color;
margin-right: 12px; border-radius: 6px;
word-spacing: 1em;
margin-bottom: 20px;
} }
.mx_CreateSecretStorageDialog_recoveryKeyButtons { .mx_CreateSecretStorageDialog_recoveryKeyButtons {
flex: 1;
display: flex; display: flex;
justify-content: space-between;
align-items: center; align-items: center;
} }
.mx_CreateSecretStorageDialog_recoveryKeyButtons .mx_AccessibleButton { .mx_CreateSecretStorageDialog_recoveryKeyButtons .mx_AccessibleButton {
margin-right: 10px; width: 160px;
} padding-left: 0px;
padding-right: 0px;
.mx_CreateSecretStorageDialog_recoveryKeyButtons button {
flex: 1;
white-space: nowrap; white-space: nowrap;
} }
.mx_CreateSecretStorageDialog_continueSpinner {
margin-top: 33px;
text-align: right;
}
.mx_CreateSecretStorageDialog_continueSpinner img {
width: 20px;
height: 20px;
}

View file

@ -30,6 +30,8 @@ import {encodeBase64} from "matrix-js-sdk/src/crypto/olmlib";
// operation ends. // operation ends.
let secretStorageKeys = {}; let secretStorageKeys = {};
let secretStorageBeingAccessed = false; let secretStorageBeingAccessed = false;
// Stores the 'passphraseOnly' option for the active storage access operation
let passphraseOnlyOption = null;
function isCachingAllowed() { function isCachingAllowed() {
return ( return (
@ -99,6 +101,7 @@ async function getSecretStorageKey({ keys: keyInfos }, ssssItemName) {
const key = await inputToKey(input); const key = await inputToKey(input);
return await MatrixClientPeg.get().checkSecretStorageKey(key, info); return await MatrixClientPeg.get().checkSecretStorageKey(key, info);
}, },
passphraseOnly: passphraseOnlyOption,
}, },
/* className= */ null, /* className= */ null,
/* isPriorityModal= */ false, /* isPriorityModal= */ false,
@ -213,19 +216,27 @@ export async function promptForBackupPassphrase() {
* *
* @param {Function} [func] An operation to perform once secret storage has been * @param {Function} [func] An operation to perform once secret storage has been
* bootstrapped. Optional. * bootstrapped. Optional.
* @param {bool} [forceReset] Reset secret storage even if it's already set up * @param {object} [opts] Named options
* @param {bool} [opts.forceReset] Reset secret storage even if it's already set up
* @param {object} [opts.withKeys] Map of key ID to key for SSSS keys that the client
* already has available. If a key is not supplied here, the user will be prompted.
* @param {bool} [opts.passphraseOnly] If true, do not prompt for recovery key or to reset keys
*/ */
export async function accessSecretStorage(func = async () => { }, forceReset = false) { export async function accessSecretStorage(
func = async () => { }, opts = {},
) {
const cli = MatrixClientPeg.get(); const cli = MatrixClientPeg.get();
secretStorageBeingAccessed = true; secretStorageBeingAccessed = true;
passphraseOnlyOption = opts.passphraseOnly;
secretStorageKeys = Object.assign({}, opts.withKeys || {});
try { try {
if (!await cli.hasSecretStorageKey() || forceReset) { if (!await cli.hasSecretStorageKey() || opts.forceReset) {
// This dialog calls bootstrap itself after guiding the user through // This dialog calls bootstrap itself after guiding the user through
// passphrase creation. // passphrase creation.
const { finished } = Modal.createTrackedDialogAsync('Create Secret Storage dialog', '', const { finished } = Modal.createTrackedDialogAsync('Create Secret Storage dialog', '',
import("./async-components/views/dialogs/secretstorage/CreateSecretStorageDialog"), import("./async-components/views/dialogs/secretstorage/CreateSecretStorageDialog"),
{ {
force: forceReset, force: opts.forceReset,
}, },
null, /* priority = */ false, /* static = */ true, null, /* priority = */ false, /* static = */ true,
); );
@ -263,5 +274,6 @@ export async function accessSecretStorage(func = async () => { }, forceReset = f
if (!isCachingAllowed()) { if (!isCachingAllowed()) {
secretStorageKeys = {}; secretStorageKeys = {};
} }
passphraseOnlyOption = null;
} }
} }

View file

@ -20,25 +20,23 @@ import PropTypes from 'prop-types';
import * as sdk from '../../../../index'; import * as sdk from '../../../../index';
import {MatrixClientPeg} from '../../../../MatrixClientPeg'; import {MatrixClientPeg} from '../../../../MatrixClientPeg';
import FileSaver from 'file-saver'; import FileSaver from 'file-saver';
import {_t, _td} from '../../../../languageHandler'; import {_t} from '../../../../languageHandler';
import Modal from '../../../../Modal'; import Modal from '../../../../Modal';
import { promptForBackupPassphrase } from '../../../../CrossSigningManager'; import { promptForBackupPassphrase } from '../../../../CrossSigningManager';
import {copyNode} from "../../../../utils/strings"; import {copyNode} from "../../../../utils/strings";
import {SSOAuthEntry} from "../../../../components/views/auth/InteractiveAuthEntryComponents"; import {SSOAuthEntry} from "../../../../components/views/auth/InteractiveAuthEntryComponents";
import PassphraseField from "../../../../components/views/auth/PassphraseField"; import AccessibleButton from "../../../../components/views/elements/AccessibleButton";
import DialogButtons from "../../../../components/views/elements/DialogButtons";
import InlineSpinner from "../../../../components/views/elements/InlineSpinner";
const PHASE_LOADING = 0; const PHASE_LOADING = 0;
const PHASE_LOADERROR = 1; const PHASE_LOADERROR = 1;
const PHASE_MIGRATE = 2; const PHASE_MIGRATE = 2;
const PHASE_PASSPHRASE = 3; const PHASE_INTRO = 3;
const PHASE_PASSPHRASE_CONFIRM = 4; const PHASE_SHOWKEY = 4;
const PHASE_SHOWKEY = 5; const PHASE_STORING = 5;
const PHASE_KEEPITSAFE = 6; const PHASE_CONFIRM_SKIP = 6;
const PHASE_STORING = 7;
const PHASE_DONE = 8;
const PHASE_CONFIRM_SKIP = 9;
const PASSWORD_MIN_SCORE = 4; // So secure, many characters, much complex, wow, etc, etc.
/* /*
* Walks the user through the process of creating a passphrase to guard Secure * Walks the user through the process of creating a passphrase to guard Secure
@ -65,34 +63,32 @@ export default class CreateSecretStorageDialog extends React.PureComponent {
this.state = { this.state = {
phase: PHASE_LOADING, phase: PHASE_LOADING,
passPhrase: '',
passPhraseValid: false,
passPhraseConfirm: '',
copied: false,
downloaded: false, downloaded: false,
copied: false,
backupInfo: null, backupInfo: null,
backupInfoFetched: false,
backupInfoFetchError: null,
backupSigStatus: null, backupSigStatus: null,
// does the server offer a UI auth flow with just m.login.password // does the server offer a UI auth flow with just m.login.password
// for /keys/device_signing/upload? // for /keys/device_signing/upload? (If we have an account password, we
// assume that it can)
canUploadKeysWithPasswordOnly: null, canUploadKeysWithPasswordOnly: null,
canUploadKeyCheckInProgress: false,
accountPassword: props.accountPassword || "", accountPassword: props.accountPassword || "",
accountPasswordCorrect: null, accountPasswordCorrect: null,
// status of the key backup toggle switch // No toggle for this: if we really don't want one, remove it & just hard code true
useKeyBackup: true, useKeyBackup: true,
}; };
if (props.accountPassword) {
// If we have an account password, we assume we can upload keys with
// just a password (otherwise leave it as null so we poll to check)
this.state.canUploadKeysWithPasswordOnly = true;
}
this._passphraseField = createRef(); this._passphraseField = createRef();
this._fetchBackupInfo(); this.loadData();
if (this.state.accountPassword) {
// If we have an account password in memory, let's simplify and
// assume it means password auth is also supported for device
// signing key upload as well. This avoids hitting the server to
// test auth flows, which may be slow under high load.
this.state.canUploadKeysWithPasswordOnly = true;
} else {
this._queryKeyUploadAuth();
}
MatrixClientPeg.get().on('crypto.keyBackupStatus', this._onKeyBackupStatusChange); MatrixClientPeg.get().on('crypto.keyBackupStatus', this._onKeyBackupStatusChange);
} }
@ -109,13 +105,11 @@ export default class CreateSecretStorageDialog extends React.PureComponent {
MatrixClientPeg.get().isCryptoEnabled() && await MatrixClientPeg.get().isKeyBackupTrusted(backupInfo) MatrixClientPeg.get().isCryptoEnabled() && await MatrixClientPeg.get().isKeyBackupTrusted(backupInfo)
); );
const { force } = this.props;
const phase = (backupInfo && !force) ? PHASE_MIGRATE : PHASE_PASSPHRASE;
this.setState({ this.setState({
phase, backupInfoFetched: true,
backupInfo, backupInfo,
backupSigStatus, backupSigStatus,
backupInfoFetchError: null,
}); });
return { return {
@ -123,20 +117,25 @@ export default class CreateSecretStorageDialog extends React.PureComponent {
backupSigStatus, backupSigStatus,
}; };
} catch (e) { } catch (e) {
this.setState({phase: PHASE_LOADERROR}); this.setState({backupInfoFetchError: e});
} }
} }
async _queryKeyUploadAuth() { async _queryKeyUploadAuth() {
try { try {
this.setState({canUploadKeyCheckInProgress: true});
await MatrixClientPeg.get().uploadDeviceSigningKeys(null, {}); await MatrixClientPeg.get().uploadDeviceSigningKeys(null, {});
// We should never get here: the server should always require // We should never get here: the server should always require
// UI auth to upload device signing keys. If we do, we upload // UI auth to upload device signing keys. If we do, we upload
// no keys which would be a no-op. // no keys which would be a no-op.
console.log("uploadDeviceSigningKeys unexpectedly succeeded without UI auth!"); console.log("uploadDeviceSigningKeys unexpectedly succeeded without UI auth!");
this.setState({canUploadKeyCheckInProgress: false});
} catch (error) { } catch (error) {
if (!error.data || !error.data.flows) { if (!error.data || !error.data.flows) {
console.log("uploadDeviceSigningKeys advertised no flows!"); console.log("uploadDeviceSigningKeys advertised no flows!");
this.setState({
canUploadKeyCheckInProgress: false,
});
return; return;
} }
const canUploadKeysWithPasswordOnly = error.data.flows.some(f => { const canUploadKeysWithPasswordOnly = error.data.flows.some(f => {
@ -144,10 +143,18 @@ export default class CreateSecretStorageDialog extends React.PureComponent {
}); });
this.setState({ this.setState({
canUploadKeysWithPasswordOnly, canUploadKeysWithPasswordOnly,
canUploadKeyCheckInProgress: false,
}); });
} }
} }
async _createRecoveryKey() {
this._recoveryKey = await MatrixClientPeg.get().createRecoveryKeyFromPassphrase();
this.setState({
phase: PHASE_SHOWKEY,
});
}
_onKeyBackupStatusChange = () => { _onKeyBackupStatusChange = () => {
if (this.state.phase === PHASE_MIGRATE) this._fetchBackupInfo(); if (this.state.phase === PHASE_MIGRATE) this._fetchBackupInfo();
} }
@ -156,12 +163,6 @@ export default class CreateSecretStorageDialog extends React.PureComponent {
this._recoveryKeyNode = n; this._recoveryKeyNode = n;
} }
_onUseKeyBackupChange = (enabled) => {
this.setState({
useKeyBackup: enabled,
});
}
_onMigrateFormSubmit = (e) => { _onMigrateFormSubmit = (e) => {
e.preventDefault(); e.preventDefault();
if (this.state.backupSigStatus.usable) { if (this.state.backupSigStatus.usable) {
@ -171,12 +172,15 @@ export default class CreateSecretStorageDialog extends React.PureComponent {
} }
} }
_onIntroContinueClick = () => {
this._createRecoveryKey();
}
_onCopyClick = () => { _onCopyClick = () => {
const successful = copyNode(this._recoveryKeyNode); const successful = copyNode(this._recoveryKeyNode);
if (successful) { if (successful) {
this.setState({ this.setState({
copied: true, copied: true,
phase: PHASE_KEEPITSAFE,
}); });
} }
} }
@ -186,10 +190,8 @@ export default class CreateSecretStorageDialog extends React.PureComponent {
type: 'text/plain;charset=us-ascii', type: 'text/plain;charset=us-ascii',
}); });
FileSaver.saveAs(blob, 'recovery-key.txt'); FileSaver.saveAs(blob, 'recovery-key.txt');
this.setState({ this.setState({
downloaded: true, downloaded: true,
phase: PHASE_KEEPITSAFE,
}); });
} }
@ -245,7 +247,9 @@ export default class CreateSecretStorageDialog extends React.PureComponent {
_bootstrapSecretStorage = async () => { _bootstrapSecretStorage = async () => {
this.setState({ this.setState({
phase: PHASE_STORING, // we use LOADING here rather than STORING as STORING still shows the 'show key'
// screen which is not relevant: LOADING is just a generic spinner.
phase: PHASE_LOADING,
error: null, error: null,
}); });
@ -286,9 +290,7 @@ export default class CreateSecretStorageDialog extends React.PureComponent {
}, },
}); });
} }
this.setState({ this.props.onFinished(true);
phase: PHASE_DONE,
});
} catch (e) { } catch (e) {
if (this.state.canUploadKeysWithPasswordOnly && e.httpStatus === 401 && e.data.flows) { if (this.state.canUploadKeysWithPasswordOnly && e.httpStatus === 401 && e.data.flows) {
this.setState({ this.setState({
@ -307,10 +309,6 @@ export default class CreateSecretStorageDialog extends React.PureComponent {
this.props.onFinished(false); this.props.onFinished(false);
} }
_onDone = () => {
this.props.onFinished(true);
}
_restoreBackup = async () => { _restoreBackup = async () => {
// It's possible we'll need the backup key later on for bootstrapping, // It's possible we'll need the backup key later on for bootstrapping,
// so let's stash it here, rather than prompting for it twice. // so let's stash it here, rather than prompting for it twice.
@ -337,88 +335,41 @@ export default class CreateSecretStorageDialog extends React.PureComponent {
} }
} }
_onShowKeyContinueClick = () => {
this._bootstrapSecretStorage();
}
_onLoadRetryClick = () => { _onLoadRetryClick = () => {
this.loadData();
}
async loadData() {
this.setState({phase: PHASE_LOADING}); this.setState({phase: PHASE_LOADING});
this._fetchBackupInfo(); const proms = [];
if (!this.state.backupInfoFetched) proms.push(this._fetchBackupInfo());
if (this.state.canUploadKeysWithPasswordOnly === null) proms.push(this._queryKeyUploadAuth());
await Promise.all(proms);
if (this.state.canUploadKeysWithPasswordOnly === null || this.state.backupInfoFetchError) {
this.setState({phase: PHASE_LOADERROR});
} else if (this.state.backupInfo && !this.props.force) {
this.setState({phase: PHASE_MIGRATE});
} else {
this.setState({phase: PHASE_INTRO});
}
} }
_onSkipSetupClick = () => { _onSkipSetupClick = () => {
this.setState({phase: PHASE_CONFIRM_SKIP}); this.setState({phase: PHASE_CONFIRM_SKIP});
} }
_onSetUpClick = () => { _onGoBackClick = () => {
this.setState({phase: PHASE_PASSPHRASE}); if (this.state.backupInfo && !this.props.force) {
} this.setState({phase: PHASE_MIGRATE});
} else {
_onSkipPassPhraseClick = async () => { this.setState({phase: PHASE_INTRO});
this._recoveryKey =
await MatrixClientPeg.get().createRecoveryKeyFromPassphrase();
this.setState({
copied: false,
downloaded: false,
phase: PHASE_SHOWKEY,
});
}
_onPassPhraseNextClick = async (e) => {
e.preventDefault();
if (!this._passphraseField.current) return; // unmounting
await this._passphraseField.current.validate({ allowEmpty: false });
if (!this._passphraseField.current.state.valid) {
this._passphraseField.current.focus();
this._passphraseField.current.validate({ allowEmpty: false, focused: true });
return;
} }
this.setState({phase: PHASE_PASSPHRASE_CONFIRM});
};
_onPassPhraseConfirmNextClick = async (e) => {
e.preventDefault();
if (this.state.passPhrase !== this.state.passPhraseConfirm) return;
this._recoveryKey =
await MatrixClientPeg.get().createRecoveryKeyFromPassphrase(this.state.passPhrase);
this.setState({
copied: false,
downloaded: false,
phase: PHASE_SHOWKEY,
});
}
_onSetAgainClick = () => {
this.setState({
passPhrase: '',
passPhraseValid: false,
passPhraseConfirm: '',
phase: PHASE_PASSPHRASE,
});
}
_onKeepItSafeBackClick = () => {
this.setState({
phase: PHASE_SHOWKEY,
});
}
_onPassPhraseValidate = (result) => {
this.setState({
passPhraseValid: result.valid,
});
};
_onPassPhraseChange = (e) => {
this.setState({
passPhrase: e.target.value,
});
}
_onPassPhraseConfirmChange = (e) => {
this.setState({
passPhraseConfirm: e.target.value,
});
} }
_onAccountPasswordChange = (e) => { _onAccountPasswordChange = (e) => {
@ -433,12 +384,14 @@ export default class CreateSecretStorageDialog extends React.PureComponent {
// Once we're confident enough in this (and it's supported enough) we can do // Once we're confident enough in this (and it's supported enough) we can do
// it automatically. // it automatically.
// https://github.com/vector-im/riot-web/issues/11696 // https://github.com/vector-im/riot-web/issues/11696
const DialogButtons = sdk.getComponent('views.elements.DialogButtons');
const Field = sdk.getComponent('views.elements.Field'); const Field = sdk.getComponent('views.elements.Field');
let authPrompt; let authPrompt;
let nextCaption = _t("Next"); let nextCaption = _t("Next");
if (this.state.canUploadKeysWithPasswordOnly) { if (!this.state.backupSigStatus.usable) {
authPrompt = null;
nextCaption = _t("Upload");
} else if (this.state.canUploadKeysWithPasswordOnly && !this.props.accountPassword) {
authPrompt = <div> authPrompt = <div>
<div>{_t("Enter your account password to confirm the upgrade:")}</div> <div>{_t("Enter your account password to confirm the upgrade:")}</div>
<div><Field <div><Field
@ -450,11 +403,6 @@ export default class CreateSecretStorageDialog extends React.PureComponent {
autoFocus={true} autoFocus={true}
/></div> /></div>
</div>; </div>;
} else if (!this.state.backupSigStatus.usable) {
authPrompt = <div>
<div>{_t("Restore your key backup to upgrade your encryption")}</div>
</div>;
nextCaption = _t("Restore");
} else { } else {
authPrompt = <p> authPrompt = <p>
{_t("You'll need to authenticate with the server to confirm the upgrade.")} {_t("You'll need to authenticate with the server to confirm the upgrade.")}
@ -463,9 +411,9 @@ export default class CreateSecretStorageDialog extends React.PureComponent {
return <form onSubmit={this._onMigrateFormSubmit}> return <form onSubmit={this._onMigrateFormSubmit}>
<p>{_t( <p>{_t(
"Upgrade this session to allow it to verify other sessions, " + "Upgrade your Recovery Key to store encryption keys & secrets " +
"granting them access to encrypted messages and marking them " + "with your account data. If you lose access to this login you'll " +
"as trusted for other users.", "need it to unlock your data.",
)}</p> )}</p>
<div>{authPrompt}</div> <div>{authPrompt}</div>
<DialogButtons <DialogButtons
@ -481,185 +429,49 @@ export default class CreateSecretStorageDialog extends React.PureComponent {
</form>; </form>;
} }
_renderPhasePassPhrase() { _renderPhaseShowKey() {
const DialogButtons = sdk.getComponent('views.elements.DialogButtons'); let continueButton;
const AccessibleButton = sdk.getComponent('elements.AccessibleButton'); if (this.state.phase === PHASE_SHOWKEY) {
const LabelledToggleSwitch = sdk.getComponent('views.elements.LabelledToggleSwitch'); continueButton = <DialogButtons primaryButton={_t("Continue")}
disabled={!this.state.downloaded && !this.state.copied}
return <form onSubmit={this._onPassPhraseNextClick}> onPrimaryButtonClick={this._onShowKeyContinueClick}
<p>{_t(
"Set a recovery passphrase to secure encrypted information and recover it if you log out. " +
"This should be different to your account password:",
)}</p>
<div className="mx_CreateSecretStorageDialog_passPhraseContainer">
<PassphraseField
className="mx_CreateSecretStorageDialog_passPhraseField"
onChange={this._onPassPhraseChange}
minScore={PASSWORD_MIN_SCORE}
value={this.state.passPhrase}
onValidate={this._onPassPhraseValidate}
fieldRef={this._passphraseField}
autoFocus={true}
label={_td("Enter a recovery passphrase")}
labelEnterPassword={_td("Enter a recovery passphrase")}
labelStrongPassword={_td("Great! This recovery passphrase looks strong enough.")}
labelAllowedButUnsafe={_td("Great! This recovery passphrase looks strong enough.")}
/>
</div>
<LabelledToggleSwitch
label={ _t("Back up encrypted message keys")}
onChange={this._onUseKeyBackupChange} value={this.state.useKeyBackup}
/>
<DialogButtons
primaryButton={_t('Continue')}
onPrimaryButtonClick={this._onPassPhraseNextClick}
hasCancel={false} hasCancel={false}
disabled={!this.state.passPhraseValid} />;
> } else {
<button type="button" continueButton = <div className="mx_CreateSecretStorageDialog_continueSpinner">
onClick={this._onSkipSetupClick} <InlineSpinner />
className="danger"
>{_t("Skip")}</button>
</DialogButtons>
<details>
<summary>{_t("Advanced")}</summary>
<AccessibleButton kind='primary' onClick={this._onSkipPassPhraseClick} >
{_t("Set up with a recovery key")}
</AccessibleButton>
</details>
</form>;
}
_renderPhasePassPhraseConfirm() {
const AccessibleButton = sdk.getComponent('elements.AccessibleButton');
const Field = sdk.getComponent('views.elements.Field');
let matchText;
let changeText;
if (this.state.passPhraseConfirm === this.state.passPhrase) {
matchText = _t("That matches!");
changeText = _t("Use a different passphrase?");
} else if (!this.state.passPhrase.startsWith(this.state.passPhraseConfirm)) {
// only tell them they're wrong if they've actually gone wrong.
// Security concious readers will note that if you left riot-web unattended
// on this screen, this would make it easy for a malicious person to guess
// your passphrase one letter at a time, but they could get this faster by
// just opening the browser's developer tools and reading it.
// Note that not having typed anything at all will not hit this clause and
// fall through so empty box === no hint.
matchText = _t("That doesn't match.");
changeText = _t("Go back to set it again.");
}
let passPhraseMatch = null;
if (matchText) {
passPhraseMatch = <div>
<div>{matchText}</div>
<div>
<AccessibleButton element="span" className="mx_linkButton" onClick={this._onSetAgainClick}>
{changeText}
</AccessibleButton>
</div>
</div>; </div>;
} }
const DialogButtons = sdk.getComponent('views.elements.DialogButtons');
return <form onSubmit={this._onPassPhraseConfirmNextClick}>
<p>{_t(
"Enter your recovery passphrase a second time to confirm it.",
)}</p>
<div className="mx_CreateSecretStorageDialog_passPhraseContainer">
<Field
type="password"
onChange={this._onPassPhraseConfirmChange}
value={this.state.passPhraseConfirm}
className="mx_CreateSecretStorageDialog_passPhraseField"
label={_t("Confirm your recovery passphrase")}
autoFocus={true}
autoComplete="new-password"
/>
<div className="mx_CreateSecretStorageDialog_passPhraseMatch">
{passPhraseMatch}
</div>
</div>
<DialogButtons
primaryButton={_t('Continue')}
onPrimaryButtonClick={this._onPassPhraseConfirmNextClick}
hasCancel={false}
disabled={this.state.passPhrase !== this.state.passPhraseConfirm}
>
<button type="button"
onClick={this._onSkipSetupClick}
className="danger"
>{_t("Skip")}</button>
</DialogButtons>
</form>;
}
_renderPhaseShowKey() {
const AccessibleButton = sdk.getComponent('elements.AccessibleButton');
return <div> return <div>
<p>{_t( <p>{_t(
"Your recovery key is a safety net - you can use it to restore " + "Store your Recovery Key somewhere safe, it can be used to unlock your encrypted messages & data.",
"access to your encrypted messages if you forget your recovery passphrase.",
)}</p>
<p>{_t(
"Keep a copy of it somewhere secure, like a password manager or even a safe.",
)}</p> )}</p>
<div className="mx_CreateSecretStorageDialog_primaryContainer"> <div className="mx_CreateSecretStorageDialog_primaryContainer">
<div className="mx_CreateSecretStorageDialog_recoveryKeyHeader">
{_t("Your recovery key")}
</div>
<div className="mx_CreateSecretStorageDialog_recoveryKeyContainer"> <div className="mx_CreateSecretStorageDialog_recoveryKeyContainer">
<div className="mx_CreateSecretStorageDialog_recoveryKey"> <div className="mx_CreateSecretStorageDialog_recoveryKey">
<code ref={this._collectRecoveryKeyNode}>{this._recoveryKey.encodedPrivateKey}</code> <code ref={this._collectRecoveryKeyNode}>{this._recoveryKey.encodedPrivateKey}</code>
</div> </div>
<div className="mx_CreateSecretStorageDialog_recoveryKeyButtons"> <div className="mx_CreateSecretStorageDialog_recoveryKeyButtons">
<AccessibleButton kind='primary' className="mx_Dialog_primary"
onClick={this._onDownloadClick}
disabled={this.state.phase === PHASE_STORING}
>
{_t("Download")}
</AccessibleButton>
<span>{_t("or")}</span>
<AccessibleButton <AccessibleButton
kind='primary' kind='primary'
className="mx_Dialog_primary mx_CreateSecretStorageDialog_recoveryKeyButtons_copyBtn" className="mx_Dialog_primary mx_CreateSecretStorageDialog_recoveryKeyButtons_copyBtn"
onClick={this._onCopyClick} onClick={this._onCopyClick}
disabled={this.state.phase === PHASE_STORING}
> >
{_t("Copy")} {this.state.copied ? _t("Copied!") : _t("Copy")}
</AccessibleButton>
<AccessibleButton kind='primary' className="mx_Dialog_primary" onClick={this._onDownloadClick}>
{_t("Download")}
</AccessibleButton> </AccessibleButton>
</div> </div>
</div> </div>
</div> </div>
</div>; {continueButton}
}
_renderPhaseKeepItSafe() {
let introText;
if (this.state.copied) {
introText = _t(
"Your recovery key has been <b>copied to your clipboard</b>, paste it to:",
{}, {b: s => <b>{s}</b>},
);
} else if (this.state.downloaded) {
introText = _t(
"Your recovery key is in your <b>Downloads</b> folder.",
{}, {b: s => <b>{s}</b>},
);
}
const DialogButtons = sdk.getComponent('views.elements.DialogButtons');
return <div>
{introText}
<ul>
<li>{_t("<b>Print it</b> and store it somewhere safe", {}, {b: s => <b>{s}</b>})}</li>
<li>{_t("<b>Save it</b> on a USB key or backup drive", {}, {b: s => <b>{s}</b>})}</li>
<li>{_t("<b>Copy it</b> to your personal cloud storage", {}, {b: s => <b>{s}</b>})}</li>
</ul>
<DialogButtons primaryButton={_t("Continue")}
onPrimaryButtonClick={this._bootstrapSecretStorage}
hasCancel={false}>
<button onClick={this._onKeepItSafeBackClick}>{_t("Back")}</button>
</DialogButtons>
</div>; </div>;
} }
@ -671,7 +483,6 @@ export default class CreateSecretStorageDialog extends React.PureComponent {
} }
_renderPhaseLoadError() { _renderPhaseLoadError() {
const DialogButtons = sdk.getComponent('views.elements.DialogButtons');
return <div> return <div>
<p>{_t("Unable to query secret storage status")}</p> <p>{_t("Unable to query secret storage status")}</p>
<div className="mx_Dialog_buttons"> <div className="mx_Dialog_buttons">
@ -684,29 +495,44 @@ export default class CreateSecretStorageDialog extends React.PureComponent {
</div>; </div>;
} }
_renderPhaseDone() { _renderPhaseIntro() {
const DialogButtons = sdk.getComponent('views.elements.DialogButtons'); let cancelButton;
if (this.props.force) {
// if this is a forced key reset then aborting will just leave the old keys
// in place, and is thereforece just 'cancel'
cancelButton = <button type="button" onClick={this._onCancel}>{_t('Cancel')}</button>;
} else {
// if it's setting up from scratch then aborting leaves the user without
// crypto set up, so they skipping the setup.
cancelButton = <button type="button"
className="danger" onClick={this._onSkipSetupClick}
>{_t('Skip')}</button>;
}
return <div> return <div>
<p>{_t( <p>{_t(
"You can now verify your other devices, " + "Create a Recovery Key to store encryption keys & secrets with your account data. " +
"and other users to keep your chats safe.", "If you lose access to this login youll need it to unlock your data.",
)}</p> )}</p>
<DialogButtons primaryButton={_t('OK')} <div className="mx_Dialog_buttons">
onPrimaryButtonClick={this._onDone} <DialogButtons primaryButton={_t('Continue')}
hasCancel={false} onPrimaryButtonClick={this._onIntroContinueClick}
/> hasCancel={false}
>
{cancelButton}
</DialogButtons>
</div>
</div>; </div>;
} }
_renderPhaseSkipConfirm() { _renderPhaseSkipConfirm() {
const DialogButtons = sdk.getComponent('views.elements.DialogButtons');
return <div> return <div>
{_t( {_t(
"Without completing security on this session, it wont have " + "Without completing security on this session, it wont have " +
"access to encrypted messages.", "access to encrypted messages.",
)} )}
<DialogButtons primaryButton={_t('Go back')} <DialogButtons primaryButton={_t('Go back')}
onPrimaryButtonClick={this._onSetUpClick} onPrimaryButtonClick={this._onGoBackClick}
hasCancel={false} hasCancel={false}
> >
<button type="button" className="danger" onClick={this._onCancel}>{_t('Skip')}</button> <button type="button" className="danger" onClick={this._onCancel}>{_t('Skip')}</button>
@ -716,21 +542,15 @@ export default class CreateSecretStorageDialog extends React.PureComponent {
_titleForPhase(phase) { _titleForPhase(phase) {
switch (phase) { switch (phase) {
case PHASE_INTRO:
return _t('Create a Recovery Key');
case PHASE_MIGRATE: case PHASE_MIGRATE:
return _t('Upgrade your encryption'); return _t('Upgrade your Recovery Key');
case PHASE_PASSPHRASE:
return _t('Set up encryption');
case PHASE_PASSPHRASE_CONFIRM:
return _t('Confirm recovery passphrase');
case PHASE_CONFIRM_SKIP: case PHASE_CONFIRM_SKIP:
return _t('Are you sure?'); return _t('Are you sure?');
case PHASE_SHOWKEY: case PHASE_SHOWKEY:
case PHASE_KEEPITSAFE:
return _t('Make a copy of your recovery key');
case PHASE_STORING: case PHASE_STORING:
return _t('Setting up keys'); return _t('Store your Recovery Key');
case PHASE_DONE:
return _t("You're done!");
default: default:
return ''; return '';
} }
@ -741,7 +561,6 @@ export default class CreateSecretStorageDialog extends React.PureComponent {
let content; let content;
if (this.state.error) { if (this.state.error) {
const DialogButtons = sdk.getComponent('views.elements.DialogButtons');
content = <div> content = <div>
<p>{_t("Unable to set up secret storage")}</p> <p>{_t("Unable to set up secret storage")}</p>
<div className="mx_Dialog_buttons"> <div className="mx_Dialog_buttons">
@ -760,26 +579,15 @@ export default class CreateSecretStorageDialog extends React.PureComponent {
case PHASE_LOADERROR: case PHASE_LOADERROR:
content = this._renderPhaseLoadError(); content = this._renderPhaseLoadError();
break; break;
case PHASE_INTRO:
content = this._renderPhaseIntro();
break;
case PHASE_MIGRATE: case PHASE_MIGRATE:
content = this._renderPhaseMigrate(); content = this._renderPhaseMigrate();
break; break;
case PHASE_PASSPHRASE:
content = this._renderPhasePassPhrase();
break;
case PHASE_PASSPHRASE_CONFIRM:
content = this._renderPhasePassPhraseConfirm();
break;
case PHASE_SHOWKEY: case PHASE_SHOWKEY:
content = this._renderPhaseShowKey();
break;
case PHASE_KEEPITSAFE:
content = this._renderPhaseKeepItSafe();
break;
case PHASE_STORING: case PHASE_STORING:
content = this._renderBusyPhase(); content = this._renderPhaseShowKey();
break;
case PHASE_DONE:
content = this._renderPhaseDone();
break; break;
case PHASE_CONFIRM_SKIP: case PHASE_CONFIRM_SKIP:
content = this._renderPhaseSkipConfirm(); content = this._renderPhaseSkipConfirm();
@ -797,7 +605,7 @@ export default class CreateSecretStorageDialog extends React.PureComponent {
onFinished={this.props.onFinished} onFinished={this.props.onFinished}
title={this._titleForPhase(this.state.phase)} title={this._titleForPhase(this.state.phase)}
headerImage={headerImage} headerImage={headerImage}
hasCancel={this.props.hasCancel && [PHASE_PASSPHRASE].includes(this.state.phase)} hasCancel={this.props.hasCancel}
fixedWidth={false} fixedWidth={false}
> >
<div> <div>

View file

@ -21,6 +21,7 @@ import * as sdk from '../../../index';
import { import {
SetupEncryptionStore, SetupEncryptionStore,
PHASE_INTRO, PHASE_INTRO,
PHASE_RECOVERY_KEY,
PHASE_BUSY, PHASE_BUSY,
PHASE_DONE, PHASE_DONE,
PHASE_CONFIRM_SKIP, PHASE_CONFIRM_SKIP,
@ -61,6 +62,9 @@ export default class CompleteSecurity extends React.Component {
if (phase === PHASE_INTRO) { if (phase === PHASE_INTRO) {
icon = <span className="mx_CompleteSecurity_headerIcon mx_E2EIcon_warning" />; icon = <span className="mx_CompleteSecurity_headerIcon mx_E2EIcon_warning" />;
title = _t("Verify this login"); title = _t("Verify this login");
} else if (phase === PHASE_RECOVERY_KEY) {
icon = <span className="mx_CompleteSecurity_headerIcon mx_E2EIcon_verified" />;
title = _t("Recovery Key");
} else if (phase === PHASE_DONE) { } else if (phase === PHASE_DONE) {
icon = <span className="mx_CompleteSecurity_headerIcon mx_E2EIcon_verified" />; icon = <span className="mx_CompleteSecurity_headerIcon mx_E2EIcon_verified" />;
title = _t("Session verified"); title = _t("Session verified");

View file

@ -19,15 +19,26 @@ import PropTypes from 'prop-types';
import { _t } from '../../../languageHandler'; import { _t } from '../../../languageHandler';
import { MatrixClientPeg } from '../../../MatrixClientPeg'; import { MatrixClientPeg } from '../../../MatrixClientPeg';
import * as sdk from '../../../index'; import * as sdk from '../../../index';
import withValidation from '../../views/elements/Validation';
import { decodeRecoveryKey } from 'matrix-js-sdk/src/crypto/recoverykey';
import { import {
SetupEncryptionStore, SetupEncryptionStore,
PHASE_INTRO, PHASE_INTRO,
PHASE_RECOVERY_KEY,
PHASE_BUSY, PHASE_BUSY,
PHASE_DONE, PHASE_DONE,
PHASE_CONFIRM_SKIP, PHASE_CONFIRM_SKIP,
PHASE_FINISHED, PHASE_FINISHED,
} from '../../../stores/SetupEncryptionStore'; } from '../../../stores/SetupEncryptionStore';
function keyHasPassphrase(keyInfo) {
return (
keyInfo.passphrase &&
keyInfo.passphrase.salt &&
keyInfo.passphrase.iterations
);
}
export default class SetupEncryptionBody extends React.Component { export default class SetupEncryptionBody extends React.Component {
static propTypes = { static propTypes = {
onFinished: PropTypes.func.isRequired, onFinished: PropTypes.func.isRequired,
@ -45,6 +56,11 @@ export default class SetupEncryptionBody extends React.Component {
// Because of the latter, it lives in the state. // Because of the latter, it lives in the state.
verificationRequest: store.verificationRequest, verificationRequest: store.verificationRequest,
backupInfo: store.backupInfo, backupInfo: store.backupInfo,
recoveryKey: '',
// whether the recovery key is a valid recovery key
recoveryKeyValid: null,
// whether the recovery key is the correct key or not
recoveryKeyCorrect: null,
}; };
} }
@ -67,9 +83,19 @@ export default class SetupEncryptionBody extends React.Component {
store.stop(); store.stop();
} }
_onUsePassphraseClick = async () => { _onResetClick = () => {
const store = SetupEncryptionStore.sharedInstance(); const store = SetupEncryptionStore.sharedInstance();
store.usePassPhrase(); store.startKeyReset();
}
_onUseRecoveryKeyClick = async () => {
const store = SetupEncryptionStore.sharedInstance();
store.useRecoveryKey();
}
_onRecoveryKeyCancelClick() {
const store = SetupEncryptionStore.sharedInstance();
store.cancelUseRecoveryKey();
} }
onSkipClick = () => { onSkipClick = () => {
@ -92,6 +118,66 @@ export default class SetupEncryptionBody extends React.Component {
store.done(); store.done();
} }
_onUsePassphraseClick = () => {
const store = SetupEncryptionStore.sharedInstance();
store.usePassPhrase();
}
_onRecoveryKeyChange = (e) => {
this.setState({recoveryKey: e.target.value});
}
_onRecoveryKeyValidate = async (fieldState) => {
const result = await this._validateRecoveryKey(fieldState);
this.setState({recoveryKeyValid: result.valid});
return result;
}
_validateRecoveryKey = withValidation({
rules: [
{
key: "required",
test: async (state) => {
try {
const decodedKey = decodeRecoveryKey(state.value);
const correct = await MatrixClientPeg.get().checkSecretStorageKey(
decodedKey, SetupEncryptionStore.sharedInstance().keyInfo,
);
this.setState({
recoveryKeyValid: true,
recoveryKeyCorrect: correct,
});
return correct;
} catch (e) {
this.setState({
recoveryKeyValid: false,
recoveryKeyCorrect: false,
});
return false;
}
},
invalid: function() {
if (this.state.recoveryKeyValid) {
return _t("This isn't the recovery key for your account");
} else {
return _t("This isn't a valid recovery key");
}
},
valid: function() {
return _t("Looks good!");
},
},
],
})
_onRecoveryKeyFormSubmit = (e) => {
e.preventDefault();
if (!this.state.recoveryKeyCorrect) return;
const store = SetupEncryptionStore.sharedInstance();
store.setupWithRecoveryKey(decodeRecoveryKey(this.state.recoveryKey));
}
render() { render() {
const AccessibleButton = sdk.getComponent("elements.AccessibleButton"); const AccessibleButton = sdk.getComponent("elements.AccessibleButton");
@ -108,6 +194,13 @@ export default class SetupEncryptionBody extends React.Component {
member={MatrixClientPeg.get().getUser(this.state.verificationRequest.otherUserId)} member={MatrixClientPeg.get().getUser(this.state.verificationRequest.otherUserId)}
/>; />;
} else if (phase === PHASE_INTRO) { } else if (phase === PHASE_INTRO) {
const store = SetupEncryptionStore.sharedInstance();
let recoveryKeyPrompt;
if (keyHasPassphrase(store.keyInfo)) {
recoveryKeyPrompt = _t("Use Recovery Key or Passphrase");
} else {
recoveryKeyPrompt = _t("Use Recovery Key");
}
return ( return (
<div> <div>
<p>{_t( <p>{_t(
@ -131,15 +224,67 @@ export default class SetupEncryptionBody extends React.Component {
</div> </div>
<div className="mx_CompleteSecurity_actionRow"> <div className="mx_CompleteSecurity_actionRow">
<AccessibleButton kind="link" onClick={this._onUsePassphraseClick}> <AccessibleButton kind="link" onClick={this._onUseRecoveryKeyClick}>
{_t("Use Recovery Passphrase or Key")} {recoveryKeyPrompt}
</AccessibleButton> </AccessibleButton>
<AccessibleButton kind="danger" onClick={this.onSkipClick}> <AccessibleButton kind="danger" onClick={this.onSkipClick}>
{_t("Skip")} {_t("Skip")}
</AccessibleButton> </AccessibleButton>
</div> </div>
<div className="mx_CompleteSecurity_resetText">{_t(
"If you've forgotten your recovery key you can " +
"<button>set up new recovery options</button>", {}, {
button: sub => <AccessibleButton
element="span" className="mx_linkButton" onClick={this._onResetClick}
>
{sub}
</AccessibleButton>,
},
)}</div>
</div> </div>
); );
} else if (phase === PHASE_RECOVERY_KEY) {
const store = SetupEncryptionStore.sharedInstance();
let keyPrompt;
if (keyHasPassphrase(store.keyInfo)) {
keyPrompt = _t(
"Enter your Recovery Key or enter a <a>Recovery Passphrase</a> to continue.", {},
{
a: sub => <AccessibleButton
element="span"
className="mx_linkButton"
onClick={this._onUsePassphraseClick}
>{sub}</AccessibleButton>,
},
);
} else {
keyPrompt = _t("Enter your Recovery Key to continue.");
}
const Field = sdk.getComponent('elements.Field');
return <form onSubmit={this._onRecoveryKeyFormSubmit}>
<p>{keyPrompt}</p>
<div className="mx_CompleteSecurity_recoveryKeyEntry">
<Field
type="text"
label={_t('Recovery Key')}
value={this.state.recoveryKey}
onChange={this._onRecoveryKeyChange}
onValidate={this._onRecoveryKeyValidate}
/>
</div>
<div className="mx_CompleteSecurity_actionRow">
<AccessibleButton kind="secondary" onClick={this._onRecoveryKeyCancelClick}>
{_t("Cancel")}
</AccessibleButton>
<AccessibleButton kind="primary"
disabled={!this.state.recoveryKeyCorrect}
onClick={this._onRecoveryKeyFormSubmit}
>
{_t("Continue")}
</AccessibleButton>
</div>
</form>;
} else if (phase === PHASE_DONE) { } else if (phase === PHASE_DONE) {
let message; let message;
if (this.state.backupInfo) { if (this.state.backupInfo) {

View file

@ -88,7 +88,7 @@ export default class RestoreKeyBackupDialog extends React.PureComponent {
_onResetRecoveryClick = () => { _onResetRecoveryClick = () => {
this.props.onFinished(false); this.props.onFinished(false);
accessSecretStorage(() => {}, /* forceReset = */ true); accessSecretStorage(() => {}, {forceReset: true});
} }
_onRecoveryKeyChange = (e) => { _onRecoveryKeyChange = (e) => {

View file

@ -32,6 +32,9 @@ export default class AccessSecretStorageDialog extends React.PureComponent {
keyInfo: PropTypes.object.isRequired, keyInfo: PropTypes.object.isRequired,
// Function from one of { passphrase, recoveryKey } -> boolean // Function from one of { passphrase, recoveryKey } -> boolean
checkPrivateKey: PropTypes.func.isRequired, checkPrivateKey: PropTypes.func.isRequired,
// If true, only prompt for a passphrase and do not offer to restore with
// a recovery key or reset keys.
passphraseOnly: PropTypes.bool,
} }
constructor(props) { constructor(props) {
@ -58,7 +61,7 @@ export default class AccessSecretStorageDialog extends React.PureComponent {
_onResetRecoveryClick = () => { _onResetRecoveryClick = () => {
// Re-enter the access flow, but resetting storage this time around. // Re-enter the access flow, but resetting storage this time around.
this.props.onFinished(false); this.props.onFinished(false);
accessSecretStorage(() => {}, /* forceReset = */ true); accessSecretStorage(() => {}, {forceReset: true});
} }
_onRecoveryKeyChange = (e) => { _onRecoveryKeyChange = (e) => {
@ -164,7 +167,7 @@ export default class AccessSecretStorageDialog extends React.PureComponent {
primaryDisabled={this.state.passPhrase.length === 0} primaryDisabled={this.state.passPhrase.length === 0}
/> />
</form> </form>
{_t( {this.props.passphraseOnly ? null : _t(
"If you've forgotten your recovery passphrase you can "+ "If you've forgotten your recovery passphrase you can "+
"<button1>use your recovery key</button1> or " + "<button1>use your recovery key</button1> or " +
"<button2>set up new recovery options</button2>." "<button2>set up new recovery options</button2>."
@ -234,7 +237,7 @@ export default class AccessSecretStorageDialog extends React.PureComponent {
primaryDisabled={!this.state.recoveryKeyValid} primaryDisabled={!this.state.recoveryKeyValid}
/> />
</form> </form>
{_t( {this.props.passphraseOnly ? null : _t(
"If you've forgotten your recovery key you can "+ "If you've forgotten your recovery key you can "+
"<button>set up new recovery options</button>." "<button>set up new recovery options</button>."
, {}, { , {}, {

View file

@ -113,7 +113,7 @@ export default class CrossSigningPanel extends React.PureComponent {
_bootstrapSecureSecretStorage = async (forceReset=false) => { _bootstrapSecureSecretStorage = async (forceReset=false) => {
this.setState({ error: null }); this.setState({ error: null });
try { try {
await accessSecretStorage(() => undefined, forceReset); await accessSecretStorage(() => undefined, {forceReset});
} catch (e) { } catch (e) {
this.setState({ error: e }); this.setState({ error: e });
console.error("Error bootstrapping secret storage", e); console.error("Error bootstrapping secret storage", e);

View file

@ -2066,6 +2066,7 @@
"Account settings": "Account settings", "Account settings": "Account settings",
"Could not load user profile": "Could not load user profile", "Could not load user profile": "Could not load user profile",
"Verify this login": "Verify this login", "Verify this login": "Verify this login",
"Recovery Key": "Recovery Key",
"Session verified": "Session verified", "Session verified": "Session verified",
"Failed to send email": "Failed to send email", "Failed to send email": "Failed to send email",
"The email address linked to your account must be entered.": "The email address linked to your account must be entered.", "The email address linked to your account must be entered.": "The email address linked to your account must be entered.",
@ -2119,10 +2120,16 @@
"You can now close this window or <a>log in</a> to your new account.": "You can now close this window or <a>log in</a> to your new account.", "You can now close this window or <a>log in</a> to your new account.": "You can now close this window or <a>log in</a> to your new account.",
"Registration Successful": "Registration Successful", "Registration Successful": "Registration Successful",
"Create your account": "Create your account", "Create your account": "Create your account",
"This isn't the recovery key for your account": "This isn't the recovery key for your account",
"This isn't a valid recovery key": "This isn't a valid recovery key",
"Looks good!": "Looks good!",
"Use Recovery Key or Passphrase": "Use Recovery Key or Passphrase",
"Use Recovery Key": "Use Recovery Key",
"Confirm your identity by verifying this login from one of your other sessions, granting it access to encrypted messages.": "Confirm your identity by verifying this login from one of your other sessions, granting it access to encrypted messages.", "Confirm your identity by verifying this login from one of your other sessions, granting it access to encrypted messages.": "Confirm your identity by verifying this login from one of your other sessions, granting it access to encrypted messages.",
"This requires the latest Riot on your other devices:": "This requires the latest Riot on your other devices:", "This requires the latest Riot on your other devices:": "This requires the latest Riot on your other devices:",
"or another cross-signing capable Matrix client": "or another cross-signing capable Matrix client", "or another cross-signing capable Matrix client": "or another cross-signing capable Matrix client",
"Use Recovery Passphrase or Key": "Use Recovery Passphrase or Key", "Enter your Recovery Key or enter a <a>Recovery Passphrase</a> to continue.": "Enter your Recovery Key or enter a <a>Recovery Passphrase</a> to continue.",
"Enter your Recovery Key to continue.": "Enter your Recovery Key to continue.",
"Your new session is now verified. It has access to your encrypted messages, and other users will see it as trusted.": "Your new session is now verified. It has access to your encrypted messages, and other users will see it as trusted.", "Your new session is now verified. It has access to your encrypted messages, and other users will see it as trusted.": "Your new session is now verified. It has access to your encrypted messages, and other users will see it as trusted.",
"Your new session is now verified. Other users will see it as trusted.": "Your new session is now verified. Other users will see it as trusted.", "Your new session is now verified. Other users will see it as trusted.": "Your new session is now verified. Other users will see it as trusted.",
"Without completing security on this session, it wont have access to encrypted messages.": "Without completing security on this session, it wont have access to encrypted messages.", "Without completing security on this session, it wont have access to encrypted messages.": "Without completing security on this session, it wont have access to encrypted messages.",
@ -2166,47 +2173,43 @@
"Confirm encryption setup": "Confirm encryption setup", "Confirm encryption setup": "Confirm encryption setup",
"Click the button below to confirm setting up encryption.": "Click the button below to confirm setting up encryption.", "Click the button below to confirm setting up encryption.": "Click the button below to confirm setting up encryption.",
"Enter your account password to confirm the upgrade:": "Enter your account password to confirm the upgrade:", "Enter your account password to confirm the upgrade:": "Enter your account password to confirm the upgrade:",
"Restore your key backup to upgrade your encryption": "Restore your key backup to upgrade your encryption",
"Restore": "Restore",
"You'll need to authenticate with the server to confirm the upgrade.": "You'll need to authenticate with the server to confirm the upgrade.", "You'll need to authenticate with the server to confirm the upgrade.": "You'll need to authenticate with the server to confirm the upgrade.",
"Upgrade this session to allow it to verify other sessions, granting them access to encrypted messages and marking them as trusted for other users.": "Upgrade this session to allow it to verify other sessions, granting them access to encrypted messages and marking them as trusted for other users.", "Upgrade your Recovery Key to store encryption keys & secrets with your account data. If you lose access to this login you'll need it to unlock your data.": "Upgrade your Recovery Key to store encryption keys & secrets with your account data. If you lose access to this login you'll need it to unlock your data.",
"Set a recovery passphrase to secure encrypted information and recover it if you log out. This should be different to your account password:": "Set a recovery passphrase to secure encrypted information and recover it if you log out. This should be different to your account password:", "Store your Recovery Key somewhere safe, it can be used to unlock your encrypted messages & data.": "Store your Recovery Key somewhere safe, it can be used to unlock your encrypted messages & data.",
"Download": "Download",
"Copy": "Copy",
"Unable to query secret storage status": "Unable to query secret storage status",
"Retry": "Retry",
"Create a Recovery Key to store encryption keys & secrets with your account data. If you lose access to this login youll need it to unlock your data.": "Create a Recovery Key to store encryption keys & secrets with your account data. If you lose access to this login youll need it to unlock your data.",
"Create a Recovery Key": "Create a Recovery Key",
"Upgrade your Recovery Key": "Upgrade your Recovery Key",
"Store your Recovery Key": "Store your Recovery Key",
"Unable to set up secret storage": "Unable to set up secret storage",
"We'll store an encrypted copy of your keys on our server. Secure your backup with a recovery passphrase.": "We'll store an encrypted copy of your keys on our server. Secure your backup with a recovery passphrase.",
"For maximum security, this should be different from your account password.": "For maximum security, this should be different from your account password.",
"Enter a recovery passphrase": "Enter a recovery passphrase", "Enter a recovery passphrase": "Enter a recovery passphrase",
"Great! This recovery passphrase looks strong enough.": "Great! This recovery passphrase looks strong enough.", "Great! This recovery passphrase looks strong enough.": "Great! This recovery passphrase looks strong enough.",
"Back up encrypted message keys": "Back up encrypted message keys",
"Set up with a recovery key": "Set up with a recovery key", "Set up with a recovery key": "Set up with a recovery key",
"That matches!": "That matches!", "That matches!": "That matches!",
"Use a different passphrase?": "Use a different passphrase?", "Use a different passphrase?": "Use a different passphrase?",
"That doesn't match.": "That doesn't match.", "That doesn't match.": "That doesn't match.",
"Go back to set it again.": "Go back to set it again.", "Go back to set it again.": "Go back to set it again.",
"Enter your recovery passphrase a second time to confirm it.": "Enter your recovery passphrase a second time to confirm it.", "Please enter your recovery passphrase a second time to confirm.": "Please enter your recovery passphrase a second time to confirm.",
"Confirm your recovery passphrase": "Confirm your recovery passphrase", "Repeat your recovery passphrase...": "Repeat your recovery passphrase...",
"Your recovery key is a safety net - you can use it to restore access to your encrypted messages if you forget your recovery passphrase.": "Your recovery key is a safety net - you can use it to restore access to your encrypted messages if you forget your recovery passphrase.", "Your recovery key is a safety net - you can use it to restore access to your encrypted messages if you forget your recovery passphrase.": "Your recovery key is a safety net - you can use it to restore access to your encrypted messages if you forget your recovery passphrase.",
"Keep a copy of it somewhere secure, like a password manager or even a safe.": "Keep a copy of it somewhere secure, like a password manager or even a safe.", "Keep a copy of it somewhere secure, like a password manager or even a safe.": "Keep a copy of it somewhere secure, like a password manager or even a safe.",
"Your recovery key": "Your recovery key", "Your recovery key": "Your recovery key",
"Copy": "Copy",
"Download": "Download",
"Your recovery key has been <b>copied to your clipboard</b>, paste it to:": "Your recovery key has been <b>copied to your clipboard</b>, paste it to:", "Your recovery key has been <b>copied to your clipboard</b>, paste it to:": "Your recovery key has been <b>copied to your clipboard</b>, paste it to:",
"Your recovery key is in your <b>Downloads</b> folder.": "Your recovery key is in your <b>Downloads</b> folder.", "Your recovery key is in your <b>Downloads</b> folder.": "Your recovery key is in your <b>Downloads</b> folder.",
"<b>Print it</b> and store it somewhere safe": "<b>Print it</b> and store it somewhere safe", "<b>Print it</b> and store it somewhere safe": "<b>Print it</b> and store it somewhere safe",
"<b>Save it</b> on a USB key or backup drive": "<b>Save it</b> on a USB key or backup drive", "<b>Save it</b> on a USB key or backup drive": "<b>Save it</b> on a USB key or backup drive",
"<b>Copy it</b> to your personal cloud storage": "<b>Copy it</b> to your personal cloud storage", "<b>Copy it</b> to your personal cloud storage": "<b>Copy it</b> to your personal cloud storage",
"Unable to query secret storage status": "Unable to query secret storage status",
"Retry": "Retry",
"You can now verify your other devices, and other users to keep your chats safe.": "You can now verify your other devices, and other users to keep your chats safe.",
"Upgrade your encryption": "Upgrade your encryption",
"Confirm recovery passphrase": "Confirm recovery passphrase",
"Make a copy of your recovery key": "Make a copy of your recovery key",
"You're done!": "You're done!",
"Unable to set up secret storage": "Unable to set up secret storage",
"We'll store an encrypted copy of your keys on our server. Secure your backup with a recovery passphrase.": "We'll store an encrypted copy of your keys on our server. Secure your backup with a recovery passphrase.",
"For maximum security, this should be different from your account password.": "For maximum security, this should be different from your account password.",
"Please enter your recovery passphrase a second time to confirm.": "Please enter your recovery passphrase a second time to confirm.",
"Repeat your recovery passphrase...": "Repeat your recovery passphrase...",
"Your keys are being backed up (the first backup could take a few minutes).": "Your keys are being backed up (the first backup could take a few minutes).", "Your keys are being backed up (the first backup could take a few minutes).": "Your keys are being backed up (the first backup could take a few minutes).",
"Without setting up Secure Message Recovery, you won't be able to restore your encrypted message history if you log out or use another session.": "Without setting up Secure Message Recovery, you won't be able to restore your encrypted message history if you log out or use another session.", "Without setting up Secure Message Recovery, you won't be able to restore your encrypted message history if you log out or use another session.": "Without setting up Secure Message Recovery, you won't be able to restore your encrypted message history if you log out or use another session.",
"Set up Secure Message Recovery": "Set up Secure Message Recovery", "Set up Secure Message Recovery": "Set up Secure Message Recovery",
"Secure your backup with a recovery passphrase": "Secure your backup with a recovery passphrase", "Secure your backup with a recovery passphrase": "Secure your backup with a recovery passphrase",
"Confirm your recovery passphrase": "Confirm your recovery passphrase",
"Make a copy of your recovery key": "Make a copy of your recovery key",
"Starting backup...": "Starting backup...", "Starting backup...": "Starting backup...",
"Success!": "Success!", "Success!": "Success!",
"Create key backup": "Create key backup", "Create key backup": "Create key backup",

View file

@ -20,10 +20,11 @@ import { accessSecretStorage, AccessCancelledError } from '../CrossSigningManage
import { PHASE_DONE as VERIF_PHASE_DONE } from "matrix-js-sdk/src/crypto/verification/request/VerificationRequest"; import { PHASE_DONE as VERIF_PHASE_DONE } from "matrix-js-sdk/src/crypto/verification/request/VerificationRequest";
export const PHASE_INTRO = 0; export const PHASE_INTRO = 0;
export const PHASE_BUSY = 1; export const PHASE_RECOVERY_KEY = 1;
export const PHASE_DONE = 2; //final done stage, but still showing UX export const PHASE_BUSY = 2;
export const PHASE_CONFIRM_SKIP = 3; export const PHASE_DONE = 3; //final done stage, but still showing UX
export const PHASE_FINISHED = 4; //UX can be closed export const PHASE_CONFIRM_SKIP = 4;
export const PHASE_FINISHED = 5; //UX can be closed
export class SetupEncryptionStore extends EventEmitter { export class SetupEncryptionStore extends EventEmitter {
static sharedInstance() { static sharedInstance() {
@ -36,11 +37,19 @@ export class SetupEncryptionStore extends EventEmitter {
return; return;
} }
this._started = true; this._started = true;
this.phase = PHASE_INTRO; this.phase = PHASE_BUSY;
this.verificationRequest = null; this.verificationRequest = null;
this.backupInfo = null; this.backupInfo = null;
// ID of the key that the secrets we want are encrypted with
this.keyId = null;
// Descriptor of the key that the secrets we want are encrypted with
this.keyInfo = null;
MatrixClientPeg.get().on("crypto.verification.request", this.onVerificationRequest); MatrixClientPeg.get().on("crypto.verification.request", this.onVerificationRequest);
MatrixClientPeg.get().on('userTrustStatusChanged', this._onUserTrustStatusChanged); MatrixClientPeg.get().on('userTrustStatusChanged', this._onUserTrustStatusChanged);
this.fetchKeyInfo();
} }
stop() { stop() {
@ -57,7 +66,49 @@ export class SetupEncryptionStore extends EventEmitter {
} }
} }
async fetchKeyInfo() {
const keys = await MatrixClientPeg.get().isSecretStored('m.cross_signing.master', false);
if (Object.keys(keys).length === 0) {
this.keyId = null;
this.keyInfo = null;
} else {
// If the secret is stored under more than one key, we just pick an arbitrary one
this.keyId = Object.keys(keys)[0];
this.keyInfo = keys[this.keyId];
}
this.phase = PHASE_INTRO;
this.emit("update");
}
async startKeyReset() {
try {
await accessSecretStorage(() => {}, {forceReset: true});
// If the keys are reset, the trust status event will fire and we'll change state
} catch (e) {
// dialog was cancelled - stay on the current screen
}
}
async useRecoveryKey() {
this.phase = PHASE_RECOVERY_KEY;
this.emit("update");
}
cancelUseRecoveryKey() {
this.phase = PHASE_INTRO;
this.emit("update");
}
async setupWithRecoveryKey(recoveryKey) {
this.startTrustCheck({[this.keyId]: recoveryKey});
}
async usePassPhrase() { async usePassPhrase() {
this.startTrustCheck();
}
async startTrustCheck(withKeys) {
this.phase = PHASE_BUSY; this.phase = PHASE_BUSY;
this.emit("update"); this.emit("update");
const cli = MatrixClientPeg.get(); const cli = MatrixClientPeg.get();
@ -84,6 +135,9 @@ export class SetupEncryptionStore extends EventEmitter {
// to advance before this. // to advance before this.
await cli.restoreKeyBackupWithSecretStorage(backupInfo); await cli.restoreKeyBackupWithSecretStorage(backupInfo);
} }
}, {
withKeys,
passphraseOnly: true,
}).catch(reject); }).catch(reject);
} catch (e) { } catch (e) {
console.error(e); console.error(e);

View file

@ -79,20 +79,7 @@ module.exports = async function signup(session, username, password, homeserver)
const acceptButton = await session.query('.mx_InteractiveAuthEntryComponents_termsSubmit'); const acceptButton = await session.query('.mx_InteractiveAuthEntryComponents_termsSubmit');
await acceptButton.click(); await acceptButton.click();
//plow through cross-signing setup by entering arbitrary details const xsignContButton = await session.query('.mx_CreateSecretStorageDialog .mx_Dialog_buttons .mx_Dialog_primary');
//TODO: It's probably important for the tests to know the passphrase
const xsigningPassphrase = 'a7eaXcjpa9!Yl7#V^h$B^%dovHUVX'; // https://xkcd.com/221/
let passphraseField = await session.query('.mx_CreateSecretStorageDialog_passPhraseField input');
await session.replaceInputText(passphraseField, xsigningPassphrase);
await session.delay(1000); // give it a second to analyze our passphrase for security
let xsignContButton = await session.query('.mx_CreateSecretStorageDialog .mx_Dialog_buttons .mx_Dialog_primary');
await xsignContButton.click();
//repeat passphrase entry
passphraseField = await session.query('.mx_CreateSecretStorageDialog_passPhraseField input');
await session.replaceInputText(passphraseField, xsigningPassphrase);
await session.delay(1000); // give it a second to analyze our passphrase for security
xsignContButton = await session.query('.mx_CreateSecretStorageDialog .mx_Dialog_buttons .mx_Dialog_primary');
await xsignContButton.click(); await xsignContButton.click();
//ignore the recovery key //ignore the recovery key
@ -101,13 +88,11 @@ module.exports = async function signup(session, username, password, homeserver)
await copyButton.click(); await copyButton.click();
//acknowledge that we copied the recovery key to a safe place //acknowledge that we copied the recovery key to a safe place
const copyContinueButton = await session.query('.mx_CreateSecretStorageDialog .mx_Dialog_primary'); const copyContinueButton = await session.query(
'.mx_CreateSecretStorageDialog .mx_Dialog_buttons .mx_Dialog_primary',
);
await copyContinueButton.click(); await copyContinueButton.click();
//acknowledge that we're done cross-signing setup and our keys are safe
const doneOkButton = await session.query('.mx_CreateSecretStorageDialog .mx_Dialog_primary');
await doneOkButton.click();
//wait for registration to finish so the hash gets set //wait for registration to finish so the hash gets set
//onhashchange better? //onhashchange better?