hidden

package
v0.0.0-...-66acf6f Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 18, 2024 License: BSD-3-Clause Imports: 14 Imported by: 0

Documentation

Index

Constants

View Source
const (
	HiddenChainFlagCacheTime = 24 * time.Hour
)
View Source
const (
	MaxDelayInCommittingHiddenLinks = 7 * 24 * time.Hour
)
View Source
const RatchetVersion1 = RatchetVersion(1)

Variables

This section is empty.

Functions

func CheckFeatureGateForSupport

func CheckFeatureGateForSupport(mctx libkb.MetaContext, teamID keybase1.TeamID) (err error)

func CheckFeatureGateForSupportWithRotationType

func CheckFeatureGateForSupportWithRotationType(mctx libkb.MetaContext, teamID keybase1.TeamID, rt keybase1.RotationType) (ret keybase1.RotationType, err error)

func GenerateKeyRotation

func GenerateKeyRotation(mctx libkb.MetaContext, p GenerateKeyRotationParams) (ret *libkb.SigMultiItem, ratchets *keybase1.HiddenTeamChainRatchetSet, err error)

GenerateKeyRotation generates and signs a new sig3 KeyRotation. The result can be passed to sig/multi.json and stored along with other sig1, sig2 or sig3 signatures in an atomic transaction.

func ParseAndVerifyCommittedHiddenLinkID

func ParseAndVerifyCommittedHiddenLinkID(m libkb.MetaContext, teamID keybase1.TeamID, apiRes *libkb.APIRes, blindHash merkletree2.Hash) (hiddenResp *libkb.MerkleHiddenResponse, err error)

func ProcessHiddenResponseFunc

func ProcessHiddenResponseFunc(m libkb.MetaContext, teamID keybase1.TeamID, apiRes *libkb.APIRes, blindRootHashStr string) (hiddenResp *libkb.MerkleHiddenResponse, err error)

func ShouldClearSupportFlagOnError

func ShouldClearSupportFlagOnError(err error) bool

Types

type BlindingKey

type BlindingKey [32]byte

BlindingKey is a 32-byte random byte array that is used to blind ratchets, so that they can be selectively hidden via access control.

type ChainManager

type ChainManager struct {
	// contains filtered or unexported fields
}

ChainManager manages a hidden team chain, and wraps put/gets to mem/disk storage. Accesses are single-flighted by TeamID. Implements that libkb.HiddenTeamChainManager interface.

func NewChainManager

func NewChainManager(g *libkb.GlobalContext) *ChainManager

func NewChainManagerAndInstall

func NewChainManagerAndInstall(g *libkb.GlobalContext) *ChainManager

func (*ChainManager) Advance

func (m *ChainManager) Advance(mctx libkb.MetaContext, dat keybase1.HiddenTeamChain, expectedPrev *keybase1.LinkTriple) (err error)

Advance the stored hidden team storage by the given update. Before this function is called, we should have checked many things:

  • that the PTKs match the unverified seeds sent down by the server.
  • that the postImages of the seedChecks are continuous, given a consistent set of seeds
  • that all full (unstubbed links) have valid reverse signatures
  • that all prevs are self consistent, and consistent with any preloaded data
  • that if the update starts in the middle of the chain, that its head has a prev, and that prev is consistent.
  • that the updates are consistent with any known ratchets

See hidden.go for and the caller of this function for where that happens.

func (*ChainManager) ClearSupportFlagIfFalse

func (m *ChainManager) ClearSupportFlagIfFalse(mctx libkb.MetaContext, teamID keybase1.TeamID)

func (*ChainManager) Freeze

func (m *ChainManager) Freeze(mctx libkb.MetaContext, id keybase1.TeamID) (err error)

func (*ChainManager) HintLatestSeqno

func (m *ChainManager) HintLatestSeqno(mctx libkb.MetaContext, id keybase1.TeamID, q keybase1.Seqno) (err error)

Load hidden team chain data from storage, either mem or disk. Will not hit the network.

func (*ChainManager) Load

Load hidden team chain data from storage, either mem or disk. Will not hit the network.

func (*ChainManager) OnDbNuke

func (m *ChainManager) OnDbNuke(mctx libkb.MetaContext) error

OnDbNuke is called when the disk cache is cleared, which purges the LRU.

func (*ChainManager) OnLogout

func (m *ChainManager) OnLogout(mctx libkb.MetaContext) error

OnLogout is called when the user logs out, which purges the LRU.

func (*ChainManager) Ratchet

Ratchet should be called when we know about advances in this chain but don't necessarily have the links to back the ratchet up. We'll check them later when next we refresh. But we do check that the ratchet is consistent with the known data (and ratchets) that we have.

func (*ChainManager) Shutdown

func (m *ChainManager) Shutdown(mctx libkb.MetaContext)

func (*ChainManager) Tail

Tail returns the furthest known tail of the hidden team chain, as known to our local cache. Needed when posting new main chain links that point back to the most recently known tail.

func (*ChainManager) TeamSupportsHiddenChain

func (m *ChainManager) TeamSupportsHiddenChain(mctx libkb.MetaContext, id keybase1.TeamID) (state bool, err error)

func (*ChainManager) Tombstone

func (m *ChainManager) Tombstone(mctx libkb.MetaContext, id keybase1.TeamID) (err error)

type EncodedRatchetBlindingKeySet

type EncodedRatchetBlindingKeySet string

EncodedRatchetBlindingKeySet is a b64-encoded, msgpacked map of a RatchetBlindingKeySet, used to POST up to the server 1 new ratchet. Note that even in the case of multiple signatures (inside a TX), it only is really necessary to ratchet the hidden chain once. So this suffices.

func (EncodedRatchetBlindingKeySet) AddToJSONPayload

func (e EncodedRatchetBlindingKeySet) AddToJSONPayload(p libkb.JSONPayload)

AddToJSONPayload is used to add the ratching blinding information to an API POST

func (EncodedRatchetBlindingKeySet) IsNil

func (EncodedRatchetBlindingKeySet) String

type GenerateError

type GenerateError struct {
	// contains filtered or unexported fields
}

func NewGenerateError

func NewGenerateError(format string, args ...interface{}) GenerateError

func (GenerateError) Error

func (e GenerateError) Error() string

type GenerateKeyRotationParams

type GenerateKeyRotationParams struct {
	TeamID           keybase1.TeamID
	IsPublic         bool
	IsImplicit       bool
	MerkleRoot       *libkb.MerkleRoot
	Me               libkb.UserForSignatures
	SigningKey       libkb.GenericKey
	MainPrev         keybase1.LinkTriple
	HiddenPrev       *keybase1.LinkTriple
	Gen              keybase1.PerTeamKeyGeneration
	NewSigningKey    libkb.NaclSigningKeyPair
	NewEncryptionKey libkb.NaclDHKeyPair
	Check            keybase1.PerTeamSeedCheck
	Admin            *sig3.ChainLocation
}

GenerateKeyRotationParams are for generating a sig3 KeyRotation to store on the hidden team chain. Fill in all parameters of the struct (there were too many to pass as a list)

type HiddenChainNotSupportedError

type HiddenChainNotSupportedError struct {
	// contains filtered or unexported fields
}

func NewHiddenChainNotSupportedError

func NewHiddenChainNotSupportedError(teamID keybase1.TeamID) HiddenChainNotSupportedError

func (HiddenChainNotSupportedError) Error

type LoaderError

type LoaderError struct {
	// contains filtered or unexported fields
}

func NewLoaderError

func NewLoaderError(format string, args ...interface{}) LoaderError

func (LoaderError) Error

func (e LoaderError) Error() string

type LoaderPackage

type LoaderPackage struct {
	// contains filtered or unexported fields
}

LoaderPackage contains a snapshot of the hidden team chain, used during the process of loading a team. It additionally can have new chain links loaded from the server, since it might need to be queried in the process of loading the team as if the new links were already committed to the data store.

func NewLoaderPackage

func NewLoaderPackage(mctx libkb.MetaContext, id keybase1.TeamID,
	getter func() (keybase1.KID, keybase1.PerTeamKeyGeneration, keybase1.TeamRole, error)) (ret *LoaderPackage, err error)

NewLoaderPackage creates a loader package that can work in the FTL of slow team loading settings. As a preliminary, it loads any stored hidden team data for the team from local storage. The getter function is used to get a recent PTK for this team, which is needed to poll the Merkle Tree endpoint when asking "does a hidden team chain exist for this team?"

func NewLoaderPackageForPrecheck

func NewLoaderPackageForPrecheck(mctx libkb.MetaContext, id keybase1.TeamID, data *keybase1.HiddenTeamChain) *LoaderPackage

NewLoaderPackageForPrecheck makes a loader package just for the purposes of prechecking a link we're about to send up to the server. It doesn't bother to load the team from storage.

func (*LoaderPackage) AddRatchet

func (l *LoaderPackage) AddRatchet(mctx libkb.MetaContext, r SCTeamRatchet, ctime int, typ keybase1.RatchetType) (err error)

AddRatchet is called whenever we pull a ratchet out of a visible team link. The first thing we'll need to do is to make sure that we can look the unblinded ratchet up using the blinding keys we got down from the server. Then we'll check the ratchets again the old (loaded) and new (downloaded) data. Finally, we'll ensure that this ratchet doesn't clash another ratchet that came down in this update. If all checks work, then add this ratchet to the set of all new ratchets, and also the max ratchet set that we're keeping locally.

func (*LoaderPackage) AddRatchets

func (l *LoaderPackage) AddRatchets(mctx libkb.MetaContext, v []SCTeamRatchet, ctime int, typ keybase1.RatchetType) (err error)

AddRatchets calls AddRatchet on each SCTeamRatchet in v.

func (*LoaderPackage) AddUnblindedRatchet

func (l *LoaderPackage) AddUnblindedRatchet(mctx libkb.MetaContext, tail *sig3.Tail, ctime int, typ keybase1.RatchetType) (err error)

func (*LoaderPackage) ChainData

func (l *LoaderPackage) ChainData() *keybase1.HiddenTeamChain

ChainData returns the merge of the preloaded hidden chain data and the recently downloaded chain update.

func (*LoaderPackage) CheckHiddenMerklePathResponseAndAddRatchets

func (l *LoaderPackage) CheckHiddenMerklePathResponseAndAddRatchets(mctx libkb.MetaContext, hiddenResp *libkb.MerkleHiddenResponse) (hiddenIsFresh bool, err error)

func (*LoaderPackage) CheckNoPTK

func (l *LoaderPackage) CheckNoPTK(mctx libkb.MetaContext, g keybase1.PerTeamKeyGeneration) (err error)

func (*LoaderPackage) CheckPTKsForDuplicates

func (l *LoaderPackage) CheckPTKsForDuplicates(mctx libkb.MetaContext, getter func(g keybase1.PerTeamKeyGeneration) bool) error

CheckPTKsForDuplicates checks that the new per-team-keys don't duplicate keys we've gotten along the visible chain, via the given getter.

func (*LoaderPackage) CheckParentPointersOnFastLoad

func (l *LoaderPackage) CheckParentPointersOnFastLoad(mctx libkb.MetaContext, team *keybase1.FastTeamData) (err error)

CheckParentPointersOnFastLoad looks at all of the new hidden links we got down and makes sure that they the point to loaded links in the visible chain. Because it's a fast load, the pointers can dangle.

func (*LoaderPackage) CheckParentPointersOnFullLoad

func (l *LoaderPackage) CheckParentPointersOnFullLoad(mctx libkb.MetaContext, team *keybase1.TeamData) (err error)

CheckParentPointersOnFullLoad looks at all of the new hidden links we got down and makes sure that they the point to loaded links in the visible chain. Because it's a full load, the pointers must land. They can dangle on FTL loads, for instance.

func (*LoaderPackage) CheckUpdatesAgainstSeeds

func (l *LoaderPackage) CheckUpdatesAgainstSeeds(mctx libkb.MetaContext, f func(keybase1.PerTeamKeyGeneration) *keybase1.PerTeamSeedCheck) (err error)

CheckUpdatesAgainstSeeds checks the update inside this loader package against unverified team seeds. It enforces equality and will error out if not. Through this check, a client can convince itself that the recent keyers knew the old keys.

func (*LoaderPackage) CheckUpdatesAgainstSeedsWithMap

func (l *LoaderPackage) CheckUpdatesAgainstSeedsWithMap(mctx libkb.MetaContext, seeds map[keybase1.PerTeamKeyGeneration]keybase1.PerTeamKeySeedItem) (err error)

func (*LoaderPackage) Commit

func (l *LoaderPackage) Commit(mctx libkb.MetaContext) error

Commit the update from the server to main HiddenTeamChain storage.

func (*LoaderPackage) DisableHiddenChainData

func (l *LoaderPackage) DisableHiddenChainData()

DisableHiddenChainData tells the LoaderPackage to disable reading and consuming of hidden chain data. On if we are a subteam reader, or if we are feature-flagged off

func (*LoaderPackage) HasReaderPerTeamKeyAtGeneration

func (l *LoaderPackage) HasReaderPerTeamKeyAtGeneration(gen keybase1.PerTeamKeyGeneration) bool

HasReaderPerTeamKeyAtGeneration returns true if the LoaderPackage has a sigchain entry for the PTK at the given generation. Whether in the preloaded data or the update.

func (*LoaderPackage) HiddenChainDataEnabled

func (l *LoaderPackage) HiddenChainDataEnabled() bool

HiddenChainDataEnabled is true if we are doing a full hidden chain load (and off if we're skipping due to the above).

func (*LoaderPackage) IsStale

func (l *LoaderPackage) IsStale() bool

IsStale returns true if we got a gregor hint from the server that there is a new link and we haven't pulled it down yet from the server.

func (*LoaderPackage) LastCommittedSeqno

func (l *LoaderPackage) LastCommittedSeqno() (ret keybase1.Seqno)

LastCommittedSeqno returns the greatest sequence number which we have seen committed by the server, to prevent rollbacks to the blind tree sigchain. It does not include the seqno in the update which was recently received from the server. It returns 0 if we have never seen a non empty link committed to the blind tree before.

func (*LoaderPackage) LastFullSeqno

func (l *LoaderPackage) LastFullSeqno() keybase1.Seqno

LastFullSeqno returns the last seqno before the end of the chain, or before an unstubbed hole is found (as a result of FTL).

func (*LoaderPackage) LastReaderKeyRotator

func (l *LoaderPackage) LastReaderKeyRotator(mctx libkb.MetaContext) *keybase1.Signer

LastReaderKeyRotator returns a signer object that signifies the last KID/UID pair to sign a reader PTK into this chain.

func (*LoaderPackage) LastSeqno

func (l *LoaderPackage) LastSeqno() keybase1.Seqno

LastSeqno returns the last seqno when the preloaded sequence and the update are taken together.

func (*LoaderPackage) Load

func (l *LoaderPackage) Load(mctx libkb.MetaContext) (err error)

Load in data from storage for this chain. We're going to make a deep copy so that we don't worry about mutating the object in the storage layer's memory LRU.

func (*LoaderPackage) MaxRatchet

func (l *LoaderPackage) MaxRatchet() (ret keybase1.Seqno)

MaxRatchet returns the greatest sequence number across all ratchets in the loaded data and also in the data from the recent update from the server.

func (*LoaderPackage) MaxReaderPerTeamKeyGeneration

func (l *LoaderPackage) MaxReaderPerTeamKeyGeneration() keybase1.PerTeamKeyGeneration

MaxReaderTeamKeyGeneration returns the highest Reader PTK generation from the preloaded and hidden data.

func (*LoaderPackage) RatchetBlindingKeySet

func (l *LoaderPackage) RatchetBlindingKeySet() *RatchetBlindingKeySet

func (*LoaderPackage) SetLastCommittedSeqno

func (l *LoaderPackage) SetLastCommittedSeqno(mctx libkb.MetaContext, lcs keybase1.Seqno) error

func (*LoaderPackage) SetRatchetBlindingKeySet

func (l *LoaderPackage) SetRatchetBlindingKeySet(r *RatchetBlindingKeySet)

func (*LoaderPackage) Update

func (l *LoaderPackage) Update(mctx libkb.MetaContext, update []sig3.ExportJSON, maxUncommittedSeqnoPromised keybase1.Seqno) (err error)

Update combines the preloaded data with any downloaded updates from the server, and stores the result local to this object.

func (*LoaderPackage) UpdateTeamMetadata

func (l *LoaderPackage) UpdateTeamMetadata(encKID keybase1.KID, encKIDGen keybase1.PerTeamKeyGeneration, role keybase1.TeamRole)

func (*LoaderPackage) VerifyOldChainLinksAreCommitted

func (l *LoaderPackage) VerifyOldChainLinksAreCommitted(mctx libkb.MetaContext, newCommittedSeqno keybase1.Seqno) error

VerifyOldChainLinksAreCommitted checks that uncommitted links which we previously got from the server have indeed been included in the blind tree (the server has a short grace period to do this to account for potential downtime)

type ManagerError

type ManagerError struct {
	// contains filtered or unexported fields
}

func NewManagerError

func NewManagerError(format string, args ...interface{}) ManagerError

func (ManagerError) Error

func (e ManagerError) Error() string

type ParentPointerError

type ParentPointerError struct {
	// contains filtered or unexported fields
}

func (ParentPointerError) Error

func (e ParentPointerError) Error() string

type Ratchet

type Ratchet struct {
	// contains filtered or unexported fields
}

Ratchet is an object that's used in the teams/teams* and teams/transaction* world to make a visible team chain link incorporate one hidden team ratchet. This means we have to post data both into the signature field (the blinded ratchet) and also data into the sig POST, the blinding keys, etc. This little object conveniniently encapsulates all of that.

func MakeRatchet

func MakeRatchet(mctx libkb.MetaContext, state *keybase1.HiddenTeamChain) (ret *Ratchet, err error)

MakeRatchet constructs a new Ratchet object for the given team's hidden tail, blinds it with a randomly-generated blinding key, and then packages all relevant info up into and encoding that can be easily posted to the API server.

func (*Ratchet) AddToJSONPayload

func (r *Ratchet) AddToJSONPayload(p libkb.JSONPayload)

AddToJSONPayload is used to add the ratching blinding information to an API POST

func (*Ratchet) ToSigPayload

func (r *Ratchet) ToSigPayload() (ret EncodedRatchetBlindingKeySet)

func (*Ratchet) ToTeamSection

func (r *Ratchet) ToTeamSection() []SCTeamRatchet

type RatchetBlind

type RatchetBlind struct {
	Hash SCTeamRatchet `codec:"r"`
	Key  BlindingKey   `codec:"k"`
}

type RatchetBlindingKeySet

type RatchetBlindingKeySet struct {
	// contains filtered or unexported fields
}

RatchetBlindingKeySet is sent down from the server when we are reading a set of blinding ratchets from the team/get response.

func (*RatchetBlindingKeySet) Add

func (r *RatchetBlindingKeySet) Add(ratchet Ratchet)

func (RatchetBlindingKeySet) AddToJSONPayload

func (r RatchetBlindingKeySet) AddToJSONPayload(p libkb.JSONPayload) error

func (*RatchetBlindingKeySet) Get

func (r *RatchetBlindingKeySet) Get(ratchet SCTeamRatchet) *sig3.Tail

Get the chain tail that corresponds to the given ratchet. Return nil if we fail to find it, and an object if we find it.

func (*RatchetBlindingKeySet) UnmarshalJSON

func (r *RatchetBlindingKeySet) UnmarshalJSON(b []byte) error

UnmarshalJSON is implicitly used in rawTeam-based API calls to move RatchetBlindingKeySets into and out of JSON from the hidden team chain.

type RatchetError

type RatchetError struct {
	// contains filtered or unexported fields
}

func (RatchetError) Error

func (e RatchetError) Error() string

type RatchetObj

type RatchetObj struct {
	Body         sig3.Tail      `codec:"b"`
	RatchetBlind RatchetBlind   `codec:"r"`
	Version      RatchetVersion `codec:"v"`
}

type RatchetVersion

type RatchetVersion int

RatchetVersion is always 1, for now.

type RepeatPTKGenerationError

type RepeatPTKGenerationError struct {
	// contains filtered or unexported fields
}

func (RepeatPTKGenerationError) Error

func (e RepeatPTKGenerationError) Error() string

type SCTeamRatchet

type SCTeamRatchet [32]byte

SCTeamRatchet is the result of HMAC-SHA512(k,v)[0:32], where k is a random Blinding Key, and v is the msgpack of a sig3.Tail.

func (*SCTeamRatchet) MarshalJSON

func (r *SCTeamRatchet) MarshalJSON() ([]byte, error)

func (SCTeamRatchet) String

func (r SCTeamRatchet) String() string

func (*SCTeamRatchet) UnmarshalJSON

func (r *SCTeamRatchet) UnmarshalJSON(b []byte) error

UnmarshalJSON is implicitly used in chain_parse.go move SCTeamRatchets into and out of JSON from the hidden team chain.

type TombstonedError

type TombstonedError struct {
	// contains filtered or unexported fields
}

func NewTombstonedError

func NewTombstonedError(format string, args ...interface{}) TombstonedError

func (TombstonedError) Error

func (e TombstonedError) Error() string

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL