split hardware token encryption init process to enable it when needed

if the account is configured to use encryption based on hardware token, the account will have a non empty path to the specific driver switching triggering the initialization process Signed-off-by: Matthieu Gallien <[email protected]>
nextcloud · Aug 17, 2023 · e8e4198 · e8e4198
1 parent 2e5e305
commit e8e4198
Show file tree

Hide file tree

Showing 4 changed files with 91 additions and 66 deletions.
diff --git a/src/libsync/account.cpp b/src/libsync/account.cpp
@@ -990,6 +990,16 @@ bool Account::askUserForMnemonic() const
     return _e2eAskUserForMnemonic;
 }
 
+bool Account::useHardwareTokenEncryption() const
+{
+    return !encryptionHardwareTokenDriverPath().isEmpty();
+}
+
+QString Account::encryptionHardwareTokenDriverPath() const
+{
+    return {};
+}
+
 void Account::setAskUserForMnemonic(const bool ask)
 {
     _e2eAskUserForMnemonic = ask;

diff --git a/src/libsync/account.h b/src/libsync/account.h
@@ -87,6 +87,8 @@ class OWNCLOUDSYNC_EXPORT Account : public QObject
     Q_PROPERTY(QUrl url MEMBER _url)
     Q_PROPERTY(bool e2eEncryptionKeysGenerationAllowed MEMBER _e2eEncryptionKeysGenerationAllowed)
     Q_PROPERTY(bool askUserForMnemonic READ askUserForMnemonic WRITE setAskUserForMnemonic NOTIFY askUserForMnemonicChanged)
+    Q_PROPERTY(bool useHardwareTokenEncryption READ useHardwareTokenEncryption NOTIFY useHardwareTokenEncryptionChanged)
+    Q_PROPERTY(QString encryptionHardwareTokenDriverPath READ encryptionHardwareTokenDriverPath NOTIFY encryptionHardwareTokenDriverPathChanged)
 
 public:
     static AccountPtr create();
@@ -323,6 +325,10 @@ class OWNCLOUDSYNC_EXPORT Account : public QObject
 
     [[nodiscard]] bool askUserForMnemonic() const;
 
+    [[nodiscard]] bool useHardwareTokenEncryption() const;
+
+    [[nodiscard]] QString encryptionHardwareTokenDriverPath() const;
+
 public slots:
     /// Used when forgetting credentials
     void clearQNAMCache();
@@ -351,6 +357,8 @@ public slots:
     void accountChangedDisplayName();
     void prettyNameChanged();
     void askUserForMnemonicChanged();
+    void useHardwareTokenEncryptionChanged();
+    void encryptionHardwareTokenDriverPathChanged();
 
     /// Used in RemoteWipe
     void appPasswordRetrieved(QString);

diff --git a/src/libsync/clientsideencryption.cpp b/src/libsync/clientsideencryption.cpp
@@ -961,11 +961,81 @@ std::optional<QByteArray> decryptStringAsymmetricWithToken(ENGINE *sslEngine, PK
 }
 
 
-ClientSideEncryption::ClientSideEncryption()
+ClientSideEncryption::ClientSideEncryption() = default;
+
+const QSslKey &ClientSideEncryption::getPublicKey() const
+{
+    return _publicKey;
+}
+
+void ClientSideEncryption::setPublicKey(const QSslKey &publicKey)
+{
+    _publicKey = publicKey;
+}
+
+const QByteArray &ClientSideEncryption::getPrivateKey() const
+{
+    return _privateKey;
+}
+
+void ClientSideEncryption::setPrivateKey(const QByteArray &privateKey)
+{
+    _privateKey = privateKey;
+}
+
+PKCS11_KEY* ClientSideEncryption::getTokenPublicKey() const
+{
+    return _tokenPublicKey;
+}
+
+PKCS11_KEY* ClientSideEncryption::getTokenPrivateKey() const
+{
+    return _tokenPrivateKey;
+}
+
+bool ClientSideEncryption::useTokenBasedEncryption() const
+{
+    return _tokenPublicKey && _tokenPrivateKey;
+}
+
+const QString &ClientSideEncryption::getMnemonic() const
+{
+    return _mnemonic;
+}
+
+void ClientSideEncryption::setCertificate(const QSslCertificate &certificate)
+{
+    _certificate = certificate;
+}
+
+ENGINE* ClientSideEncryption::sslEngine() const
+{
+    return ENGINE_get_default_RSA();
+}
+
+void ClientSideEncryption::initialize(const AccountPtr &account)
+{
+    Q_ASSERT(account);
+
+    if (account->useHardwareTokenEncryption()) {
+        initializeHardwareTokenEncryption(account);
+    }
+
+    qCInfo(lcCse()) << "Initializing";
+    if (!account->capabilities().clientSideEncryptionAvailable()) {
+        qCInfo(lcCse()) << "No Client side encryption available on server.";
+        emit initializationFinished();
+        return;
+    }
+
+    fetchCertificateFromKeyChain(account);
+}
+
+void ClientSideEncryption::initializeHardwareTokenEncryption(const AccountPtr &account)
 {
     auto ctx = PKCS11_CTX_new();
 
-    auto rc = PKCS11_CTX_load(ctx, "");
+    auto rc = PKCS11_CTX_load(ctx, account->encryptionHardwareTokenDriverPath().toLatin1().constData());
     if (rc) {
         qCWarning(lcCse()) << "loading pkcs11 engine failed:" << ERR_reason_error_string(ERR_get_error());
         rc = 1;
@@ -1071,70 +1141,6 @@ ClientSideEncryption::ClientSideEncryption()
                     << "need login:" << (_tokenPublicKey->needLogin ? "true" : "false");
 }
 
-const QSslKey &ClientSideEncryption::getPublicKey() const
-{
-    return _publicKey;
-}
-
-void ClientSideEncryption::setPublicKey(const QSslKey &publicKey)
-{
-    _publicKey = publicKey;
-}
-
-const QByteArray &ClientSideEncryption::getPrivateKey() const
-{
-    return _privateKey;
-}
-
-void ClientSideEncryption::setPrivateKey(const QByteArray &privateKey)
-{
-    _privateKey = privateKey;
-}
-
-PKCS11_KEY* ClientSideEncryption::getTokenPublicKey() const
-{
-    return _tokenPublicKey;
-}
-
-PKCS11_KEY* ClientSideEncryption::getTokenPrivateKey() const
-{
-    return _tokenPrivateKey;
-}
-
-bool ClientSideEncryption::useTokenBasedEncryption() const
-{
-    return _tokenPublicKey && _tokenPrivateKey;
-}
-
-const QString &ClientSideEncryption::getMnemonic() const
-{
-    return _mnemonic;
-}
-
-void ClientSideEncryption::setCertificate(const QSslCertificate &certificate)
-{
-    _certificate = certificate;
-}
-
-ENGINE* ClientSideEncryption::sslEngine() const
-{
-    return ENGINE_get_default_RSA();
-}
-
-void ClientSideEncryption::initialize(const AccountPtr &account)
-{
-    Q_ASSERT(account);
-
-    qCInfo(lcCse()) << "Initializing";
-    if (!account->capabilities().clientSideEncryptionAvailable()) {
-        qCInfo(lcCse()) << "No Client side encryption available on server.";
-        emit initializationFinished();
-        return;
-    }
-
-    fetchCertificateFromKeyChain(account);
-}
-
 void ClientSideEncryption::fetchCertificateFromKeyChain(const AccountPtr &account)
 {
     const QString kck = AbstractCredentials::keychainKey(

diff --git a/src/libsync/clientsideencryption.h b/src/libsync/clientsideencryption.h
@@ -167,6 +167,7 @@ class OWNCLOUDSYNC_EXPORT ClientSideEncryption : public QObject {
 
 public slots:
     void initialize(const OCC::AccountPtr &account);
+    void initializeHardwareTokenEncryption(const AccountPtr &account);
     void forgetSensitiveData(const OCC::AccountPtr &account);
 
 private slots: