indexeddb: expose new method IndexeddbCryptoStore::open_with_key (#3423)

Allow applications to skip the PBKDF2 operation if they already have a cryptographically secure key,
instead using a simple HKDF to derive a key.

In order to maintain compatibility for existing element-web sessions, if we discover that we have an
existing store that was encrypted with a key derived from PBKDF2, then we reconstruct what
element-web used to do: specifically, we base64-encode the key to obtain the "passphrase" that
was previously passed in. If that matches, we know we've got the right key, and can update the
meta store accordingly.

Part of a resolution to element-hq/element-web#26821.

Signed-off-by: Richard van der Hoff <[email protected]>
Co-authored-by: Damir Jelić <[email protected]>

Author: richvdh

Cargo.lock

@@ -1,4 +1,6 @@
-# unreleased
+# UNRELEASED
+
+- Add new method `IndexeddbCryptoStore::open_with_key`. ([#3423](https://github.com/matrix-org/matrix-rust-sdk/pull/3423))
 
 - `save_change` performance improvement, all encryption and serialization
-  is done now outside of the db transaction.
+  is done now outside of the db transaction.

crates/matrix-sdk-indexeddb/CHANGELOG.md

@@ -38,6 +38,9 @@ tokio = { workspace = true }
 tracing = { workspace = true }
 wasm-bindgen = "0.2.83"
 web-sys = { version = "0.3.57", features = ["IdbKeyRange"] }
+hkdf = "0.12.4"
+zeroize = { workspace = true }
+sha2 = { workspace = true }
 
 [target.'cfg(target_arch = "wasm32")'.dependencies]
 # for wasm32 we need to activate this
@@ -50,6 +53,7 @@ matrix-sdk-base = { workspace = true, features = ["testing"] }
 matrix-sdk-common = { workspace = true, features = ["js"] }
 matrix-sdk-crypto = { workspace = true, features = ["js", "testing"] }
 matrix-sdk-test = { workspace = true }
+rand = { workspace = true }
 tracing-subscriber = { version = "0.3.18", default-features = false, features = ["registry", "tracing-log"] }
 uuid = "1.3.0"
 wasm-bindgen-test = "0.3.33"

crates/matrix-sdk-indexeddb/Cargo.toml

@@ -19,6 +19,7 @@ use std::{
 
 use async_trait::async_trait;
 use gloo_utils::format::JsValueSerdeExt;
+use hkdf::Hkdf;
 use indexed_db_futures::prelude::*;
 use matrix_sdk_crypto::{
     olm::{
@@ -30,6 +31,7 @@ use matrix_sdk_crypto::{
         RoomKeyCounts, RoomSettings,
     },
     types::events::room_key_withheld::RoomKeyWithheldEvent,
+    vodozemac::base64_encode,
     Account, GossipRequest, GossippedSecret, ReadOnlyDevice, ReadOnlyUserIdentities, SecretInfo,
     TrackedUser,
 };
@@ -38,6 +40,7 @@ use ruma::{
     events::secret::request::SecretName, DeviceId, MilliSecondsSinceUnixEpoch, OwnedDeviceId,
     RoomId, TransactionId, UserId,
 };
+use sha2::Sha256;
 use tokio::sync::Mutex;
 use tracing::{debug, warn};
 use wasm_bindgen::JsValue;
@@ -272,34 +275,25 @@ impl IndexeddbCryptoStore {
         IndexeddbCryptoStore::open_with_store_cipher("crypto", None).await
     }
 
-    /// Open a new `IndexeddbCryptoStore` with given name and passphrase
+    /// Open an `IndexeddbCryptoStore` with given name and passphrase.
+    ///
+    /// If the store previously existed, the encryption cipher is initialised
+    /// using the given passphrase and the details from the meta store. If the
+    /// store did not previously exist, a new encryption cipher is derived
+    /// from the passphrase, and the details are stored to the metastore.
+    ///
+    /// The store is then opened, or a new one created, using the encryption
+    /// cipher.
+    ///
+    /// # Arguments
+    ///
+    /// * `prefix` - Common prefix for the names of the two IndexedDB stores.
+    /// * `passphrase` - Passphrase which is used to derive a key to encrypt the
+    ///   key which is used to encrypt the store. Must be the same each time the
+    ///   store is opened.
     pub async fn open_with_passphrase(prefix: &str, passphrase: &str) -> Result<Self> {
-        let name = format!("{prefix:0}::matrix-sdk-crypto-meta");
-
-        debug!("IndexedDbCryptoStore: Opening meta-store {name}");
-        let mut db_req: OpenDbRequest = IdbDatabase::open_u32(&name, 1)?;
-        db_req.set_on_upgrade_needed(Some(|evt: &IdbVersionChangeEvent| -> Result<(), JsValue> {
-            let old_version = evt.old_version() as u32;
-            if old_version < 1 {
-                // migrating to version 1
-                let db = evt.db();
-
-                db.create_object_store("matrix-sdk-crypto")?;
-            }
-            Ok(())
-        }));
-
-        let db: IdbDatabase = db_req.await?;
-
-        let tx: IdbTransaction<'_> =
-            db.transaction_on_one_with_mode("matrix-sdk-crypto", IdbTransactionMode::Readonly)?;
-        let ob = tx.object_store("matrix-sdk-crypto")?;
-
-        let store_cipher: Option<Vec<u8>> = ob
-            .get(&JsValue::from_str(keys::STORE_CIPHER))?
-            .await?
-            .map(|k| k.into_serde())
-            .transpose()?;
+        let db = open_meta_db(prefix).await?;
+        let store_cipher = load_store_cipher(&db).await?;
 
         let store_cipher = match store_cipher {
             Some(cipher) => {
@@ -315,17 +309,58 @@ impl IndexeddbCryptoStore {
                 #[cfg(test)]
                 let export = cipher._insecure_export_fast_for_testing(passphrase);
 
-                let tx: IdbTransaction<'_> = db.transaction_on_one_with_mode(
-                    "matrix-sdk-crypto",
-                    IdbTransactionMode::Readwrite,
-                )?;
-                let ob = tx.object_store("matrix-sdk-crypto")?;
-
-                ob.put_key_val(
-                    &JsValue::from_str(keys::STORE_CIPHER),
-                    &JsValue::from_serde(&export.map_err(CryptoStoreError::backend)?)?,
-                )?;
-                tx.await.into_result()?;
+                let export = export.map_err(CryptoStoreError::backend)?;
+
+                save_store_cipher(&db, &export).await?;
+                cipher
+            }
+        };
+
+        // Must release the database access manually as it's not done when
+        // dropping it.
+        db.close();
+
+        IndexeddbCryptoStore::open_with_store_cipher(prefix, Some(store_cipher.into())).await
+    }
+
+    /// Open an `IndexeddbCryptoStore` with given name and key.
+    ///
+    /// If the store previously existed, the encryption cipher is initialised
+    /// using the given key and the details from the meta store. If the store
+    /// did not previously exist, a new encryption cipher is derived from
+    /// the passphrase, and the details are stored to the metastore.
+    ///
+    /// The store is then opened, or a new one created, using the encryption
+    /// cipher.
+    ///
+    /// # Arguments
+    ///
+    /// * `prefix` - Common prefix for the names of the two IndexedDB stores.
+    /// * `key` - Key with which to encrypt the key which is used to encrypt the
+    ///   store. Must be the same each time the store is opened.
+    pub async fn open_with_key(prefix: &str, key: &[u8; 32]) -> Result<Self> {
+        // The application might also use the provided key for something else, so to
+        // avoid key reuse, we pass the provided key through an HKDF
+        let mut chacha_key = zeroize::Zeroizing::new([0u8; 32]);
+        const HKDF_INFO: &[u8] = b"CRYPTOSTORE_CIPHER";
+        let hkdf = Hkdf::<Sha256>::new(None, key);
+        hkdf.expand(HKDF_INFO, &mut *chacha_key)
+            .expect("We should be able to generate a 32-byte key");
+
+        let db = open_meta_db(prefix).await?;
+        let store_cipher = load_store_cipher(&db).await?;
+
+        let store_cipher = match store_cipher {
+            Some(cipher) => {
+                debug!("IndexedDbCryptoStore: decrypting store cipher");
+                import_store_cipher_with_key(&chacha_key, key, &cipher, &db).await?
+            }
+            None => {
+                debug!("IndexedDbCryptoStore: encrypting new store cipher");
+                let cipher = StoreCipher::new().map_err(CryptoStoreError::backend)?;
+                let export =
+                    cipher.export_with_key(&chacha_key).map_err(CryptoStoreError::backend)?;
+                save_store_cipher(&db, &export).await?;
                 cipher
             }
         };
@@ -1289,6 +1324,114 @@ impl Drop for IndexeddbCryptoStore {
     }
 }
 
+/// Open the meta store.
+///
+/// The meta store contains details about the encryption of the main store.
+async fn open_meta_db(prefix: &str) -> Result<IdbDatabase, IndexeddbCryptoStoreError> {
+    let name = format!("{prefix:0}::matrix-sdk-crypto-meta");
+
+    debug!("IndexedDbCryptoStore: Opening meta-store {name}");
+    let mut db_req: OpenDbRequest = IdbDatabase::open_u32(&name, 1)?;
+    db_req.set_on_upgrade_needed(Some(|evt: &IdbVersionChangeEvent| -> Result<(), JsValue> {
+        let old_version = evt.old_version() as u32;
+        if old_version < 1 {
+            // migrating to version 1
+            let db = evt.db();
+
+            db.create_object_store("matrix-sdk-crypto")?;
+        }
+        Ok(())
+    }));
+
+    Ok(db_req.await?)
+}
+
+/// Load the serialised store cipher from the meta store.
+///
+/// # Arguments:
+///
+/// * `meta_db`: Connection to the meta store, as returned by [`open_meta_db`].
+///
+/// # Returns:
+///
+/// The serialised `StoreCipher` object.
+async fn load_store_cipher(
+    meta_db: &IdbDatabase,
+) -> Result<Option<Vec<u8>>, IndexeddbCryptoStoreError> {
+    let tx: IdbTransaction<'_> =
+        meta_db.transaction_on_one_with_mode("matrix-sdk-crypto", IdbTransactionMode::Readonly)?;
+    let ob = tx.object_store("matrix-sdk-crypto")?;
+
+    let store_cipher: Option<Vec<u8>> = ob
+        .get(&JsValue::from_str(keys::STORE_CIPHER))?
+        .await?
+        .map(|k| k.into_serde())
+        .transpose()?;
+    Ok(store_cipher)
+}
+
+/// Save the serialised store cipher to the meta store.
+///
+/// # Arguments:
+///
+/// * `meta_db`: Connection to the meta store, as returned by [`open_meta_db`].
+/// * `store_cipher`: The serialised `StoreCipher` object.
+async fn save_store_cipher(
+    db: &IdbDatabase,
+    export: &Vec<u8>,
+) -> Result<(), IndexeddbCryptoStoreError> {
+    let tx: IdbTransaction<'_> =
+        db.transaction_on_one_with_mode("matrix-sdk-crypto", IdbTransactionMode::Readwrite)?;
+    let ob = tx.object_store("matrix-sdk-crypto")?;
+
+    ob.put_key_val(&JsValue::from_str(keys::STORE_CIPHER), &JsValue::from_serde(&export)?)?;
+    tx.await.into_result()?;
+    Ok(())
+}
+
+/// Given a serialised store cipher, try importing with the given key.
+///
+/// This is a helper for [`IndexeddbCryptoStore::open_with_key`].
+///
+/// # Arguments
+///
+/// * `chacha_key`: The key to use with [`StoreCipher::import_with_key`].
+///   Derived from `original_key` via an HKDF.
+/// * `original_key`: The key provided by the application. Used to provide a
+///   migration path from an older key derivation system.
+/// * `serialised_cipher`: The serialized `EncryptedStoreCipher`, retrieved from
+///   the database.
+/// * `db`: Connection to the database.
+async fn import_store_cipher_with_key(
+    chacha_key: &[u8; 32],
+    original_key: &[u8],
+    serialised_cipher: &[u8],
+    db: &IdbDatabase,
+) -> Result<StoreCipher, IndexeddbCryptoStoreError> {
+    let cipher = match StoreCipher::import_with_key(chacha_key, serialised_cipher) {
+        Ok(cipher) => cipher,
+        Err(matrix_sdk_store_encryption::Error::KdfMismatch) => {
+            // Old versions of the matrix-js-sdk used to base64-encode their encryption
+            // key, and pass it into [`IndexeddbCryptoStore::open_with_passphrase`]. For
+            // backwards compatibility, we fall back to that if we discover we have a cipher
+            // encrypted with a KDF when we expected it to be encrypted directly with a key.
+            let cipher = StoreCipher::import(&base64_encode(original_key), serialised_cipher)
+                .map_err(|_| CryptoStoreError::UnpicklingError)?;
+
+            // Loading the cipher with the passphrase was successful. Let's update the
+            // stored version of the cipher so that it is encrypted with a key,
+            // to save doing this again.
+            debug!("IndexedDbCryptoStore: Migrating passphrase-encrypted store cipher to key-encryption");
+
+            let export = cipher.export_with_key(chacha_key).map_err(CryptoStoreError::backend)?;
+            save_store_cipher(db, &export).await?;
+            cipher
+        }
+        Err(_) => Err(CryptoStoreError::UnpicklingError)?,
+    };
+    Ok(cipher)
+}
+
 /// Fetch items from an object store in batches, transform each item using
 /// the supplied function, and stuff the transformed items into a single
 /// vector to return.
@@ -1546,7 +1689,14 @@ mod tests {
 
 #[cfg(all(test, target_arch = "wasm32"))]
 mod encrypted_tests {
-    use matrix_sdk_crypto::cryptostore_integration_tests;
+    use matrix_sdk_crypto::{
+        cryptostore_integration_tests,
+        olm::Account,
+        store::{CryptoStore, PendingChanges},
+        vodozemac::base64_encode,
+    };
+    use matrix_sdk_test::async_test;
+    use ruma::{device_id, user_id};
 
     use super::IndexeddbCryptoStore;
 
@@ -1561,4 +1711,36 @@ mod encrypted_tests {
             .expect("Can't create a passphrase protected store")
     }
     cryptostore_integration_tests!();
+
+    /// Test that we can migrate a store created with a passphrase, to being
+    /// encrypted with a key instead.
+    #[async_test]
+    async fn migrate_passphrase_to_key() {
+        let store_name = "test_migrate_passphrase_to_key";
+        let passdata: [u8; 32] = rand::random();
+        let b64_passdata = base64_encode(passdata);
+
+        // Initialise the store with some account data
+        let store = IndexeddbCryptoStore::open_with_passphrase(&store_name, &b64_passdata)
+            .await
+            .expect("Can't create a passphrase-protected store");
+
+        store
+            .save_pending_changes(PendingChanges {
+                account: Some(Account::with_device_id(
+                    user_id!("@alice:example.org"),
+                    device_id!("ALICEDEVICE"),
+                )),
+            })
+            .await
+            .expect("Can't save account");
+
+        // Now reopen the store, passing the key directly rather than as a b64 string.
+        let store = IndexeddbCryptoStore::open_with_key(&store_name, &passdata)
+            .await
+            .expect("Can't create a key-protected store");
+        let loaded_account =
+            store.load_account().await.expect("Can't load account").expect("Account was not saved");
+        assert_eq!(loaded_account.user_id, user_id!("@alice:example.org"));
+    }
 }