Add JWKCallback to decrypt keys.

Author: ylangisc

core/src/main/java/ch/cyberduck/core/features/Vault.java

@@ -47,7 +47,7 @@ public interface Vault {
      * @throws BackgroundException    Failure reading master key from server
      * @throws NotfoundException      No master key file in home
      */
-    Vault load(Session<?> session, PasswordCallback prompt) throws BackgroundException;
+    Vault load(Session<?> session, PasswordCallback prompt, VaultMetadataProvider provider) throws BackgroundException;
 
     /**
      * Close vault

core/src/main/java/ch/cyberduck/core/vault/DisabledVault.java

@@ -42,7 +42,7 @@ public Vault create(final Session<?> session, final String region, final VaultMe
     }
 
     @Override
-    public Vault load(final Session<?> session, final PasswordCallback prompt) {
+    public Vault load(final Session<?> session, final PasswordCallback prompt, final VaultMetadataProvider provider) {
         return this;
     }
 

core/src/main/java/ch/cyberduck/core/vault/LoadingVaultLookupListener.java

@@ -43,7 +43,9 @@ public Vault load(final Session session, final VaultMetadata metadata) throws Va
             log.info("Loading vault for session {}", session);
             final Vault vault = VaultProviderFactory.get(session).provide(session, metadata);
             try {
-                registry.add(vault.load(session, prompt));
+                // TODO provide correct metadata provider
+                registry.add(vault.load(session, prompt, new VaultMetadataProvider() {
+                }));
                 return vault;
             }
             catch(BackgroundException e) {

cryptomator/pom.xml

@@ -26,6 +26,7 @@
 
     <properties>
         <cryptolib.version>2.3.0.uvfdraft-SNAPSHOT</cryptolib.version>
+        <nimbus-jose.version>10.5</nimbus-jose.version>
     </properties>
 
     <dependencies>
@@ -46,6 +47,11 @@
             <artifactId>cryptolib</artifactId>
             <version>${cryptolib.version}</version>
         </dependency>
+        <dependency>
+            <groupId>com.nimbusds</groupId>
+            <artifactId>nimbus-jose-jwt</artifactId>
+            <version>${nimbus-jose.version}</version>
+        </dependency>
         <dependency>
             <groupId>com.auth0</groupId>
             <artifactId>java-jwt</artifactId>

cryptomator/src/main/java/ch/cyberduck/core/cryptomator/impl/uvf/CryptoVault.java

@@ -15,7 +15,6 @@
  * GNU General Public License for more details.
  */
 
-import ch.cyberduck.core.LocaleFactory;
 import ch.cyberduck.core.LoginOptions;
 import ch.cyberduck.core.PasswordCallback;
 import ch.cyberduck.core.Path;
@@ -38,9 +37,11 @@
 import ch.cyberduck.core.features.Write;
 import ch.cyberduck.core.preferences.PreferencesFactory;
 import ch.cyberduck.core.transfer.TransferStatus;
+import ch.cyberduck.core.vault.VaultException;
 import ch.cyberduck.core.vault.VaultMetadata;
 import ch.cyberduck.core.vault.VaultMetadataProvider;
 
+import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.cryptomator.cryptolib.api.Cryptor;
@@ -51,12 +52,16 @@
 import org.cryptomator.cryptolib.api.RevolvingMasterkey;
 import org.cryptomator.cryptolib.api.UVFMasterkey;
 
-import java.text.MessageFormat;
+import java.nio.charset.StandardCharsets;
+import java.text.ParseException;
 import java.util.EnumSet;
 import java.util.Objects;
 import java.util.regex.Pattern;
 
 import com.google.auto.service.AutoService;
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWEObjectJSON;
+import com.nimbusds.jose.crypto.MultiDecrypter;
 
 @AutoService(Vault.class)
 public class CryptoVault extends AbstractVault {
@@ -123,16 +128,18 @@ public AbstractVault create(final Session<?> session, final String region, final
 
     // load -> unlock -> open
     @Override
-    public CryptoVault load(final Session<?> session, final PasswordCallback prompt) throws BackgroundException {
-        masterKey = UVFMasterkey.fromDecryptedPayload(prompt.prompt(session.getHost(),
-                LocaleFactory.localizedString("Unlock Vault", "Cryptomator"),
-                MessageFormat.format(LocaleFactory.localizedString("Provide your passphrase to unlock the Cryptomator Vault {0}", "Cryptomator"), home.getName()),
-                new LoginOptions()
-                        .save(false)
-                        .user(false)
-                        .anonymous(false)
-                        .icon("cryptomator.tiff")
-                        .passwordPlaceholder(LocaleFactory.localizedString("Passphrase", "Cryptomator"))).getPassword());
+    public CryptoVault load(final Session<?> session, final PasswordCallback callback, final VaultMetadataProvider metadata) throws BackgroundException {
+        final JWKCallback jwk = JWKCallback.cast(callback);
+        final VaultMetadataUVFProvider metadataProvider = VaultMetadataUVFProvider.cast(metadata);
+        final JWEObjectJSON jweObject;
+        try {
+            jweObject = JWEObjectJSON.parse(new String(metadataProvider.getMetadata(), StandardCharsets.US_ASCII));
+            jweObject.decrypt(new MultiDecrypter(jwk.prompt(session.getHost(), StringUtils.EMPTY, StringUtils.EMPTY, new LoginOptions()).getKeyset()));
+        }
+        catch(ParseException | JOSEException e) {
+            throw new VaultException("Failure retrieving key material", e);
+        }
+        masterKey = UVFMasterkey.fromDecryptedPayload(jweObject.getPayload().toString());
         final CryptorProvider provider = CryptorProvider.forScheme(CryptorProvider.Scheme.UVF_DRAFT);
         log.debug("Initialized crypto provider {}", provider);
         this.cryptor = provider.provide(masterKey, FastSecureRandomProvider.get().provide());

cryptomator/src/main/java/ch/cyberduck/core/cryptomator/impl/uvf/JWKCallback.java

@@ -0,0 +1,43 @@
+package ch.cyberduck.core.cryptomator.impl.uvf;
+
+/*
+ * Copyright (c) 2002-2025 iterate GmbH. All rights reserved.
+ * https://cyberduck.io/
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ */
+
+import ch.cyberduck.core.Host;
+import ch.cyberduck.core.LoginOptions;
+import ch.cyberduck.core.PasswordCallback;
+import ch.cyberduck.core.exception.LoginCanceledException;
+
+public class JWKCallback implements PasswordCallback {
+
+    @Override
+    public void close(final String input) {
+
+    }
+
+    @Override
+    public JWKCredentials prompt(final Host bookmark, final String title, final String reason, final LoginOptions options) throws LoginCanceledException {
+        return null;
+    }
+
+    static JWKCallback cast(PasswordCallback callback) {
+        if(callback instanceof JWKCallback) {
+            return (JWKCallback) callback;
+        }
+        else {
+            throw new IllegalArgumentException("Unsupported metadata type " + callback.getClass());
+        }
+    }
+}

cryptomator/src/main/java/ch/cyberduck/core/cryptomator/impl/uvf/JWKCredentials.java

@@ -0,0 +1,34 @@
+package ch.cyberduck.core.cryptomator.impl.uvf;
+
+/*
+ * Copyright (c) 2002-2025 iterate GmbH. All rights reserved.
+ * https://cyberduck.io/
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ */
+
+import ch.cyberduck.core.vault.VaultCredentials;
+
+import com.nimbusds.jose.jwk.JWK;
+
+public class JWKCredentials extends VaultCredentials {
+
+    private final JWK keyset;
+
+    public JWKCredentials(final JWK keyset) {
+        super(null);
+        this.keyset = keyset;
+    }
+
+    public JWK getKeyset() {
+        return keyset;
+    }
+}

cryptomator/src/main/java/ch/cyberduck/core/cryptomator/impl/v8/CryptoVault.java

@@ -279,7 +279,7 @@ private static VaultConfig parseVaultConfigFromMasterKey(final MasterkeyFile mas
     }
 
     @Override
-    public Vault load(final Session<?> session, final PasswordCallback prompt) throws BackgroundException {
+    public Vault load(final Session<?> session, final PasswordCallback prompt, final VaultMetadataProvider provider) throws BackgroundException {
         final Host bookmark = session.getHost();
         String passphrase = keychain.getPassword(String.format("Cryptomator Passphrase (%s)", bookmark.getCredentials().getUsername()),
                 new DefaultUrlProvider(bookmark).toUrl(masterkeyPath, EnumSet.of(DescriptiveUrl.Type.provider)).find(DescriptiveUrl.Type.provider).getUrl());

cryptomator/src/test/java/ch/cyberduck/core/cryptomator/features/CryptoReadFeatureTest.java

@@ -29,6 +29,7 @@
 import ch.cyberduck.core.features.Read;
 import ch.cyberduck.core.transfer.TransferStatus;
 import ch.cyberduck.core.vault.VaultCredentials;
+import ch.cyberduck.core.vault.VaultMetadataProvider;
 
 import org.apache.commons.io.IOUtils;
 import org.cryptomator.cryptolib.api.CryptorProvider;
@@ -87,6 +88,7 @@ public Credentials prompt(final Host bookmark, final String title, final String
                                               final LoginOptions options) {
                         return new VaultCredentials("vault");
                     }
+                }, new VaultMetadataProvider() {
                 }).
 
                 getHome());
@@ -162,6 +164,7 @@ public boolean offset(final Path file) {
             public Credentials prompt(final Host bookmark, final String title, final String reason, final LoginOptions options) {
                 return new VaultCredentials("vault");
             }
+        }, new VaultMetadataProvider() {
         }).getHome());
         CryptoReadFeature read = new CryptoReadFeature(null, null, vault);
         {

cryptomator/src/test/java/ch/cyberduck/core/cryptomator/impl/CryptoDirectoryV8ProviderTest.java

@@ -31,6 +31,7 @@
 import ch.cyberduck.core.features.Read;
 import ch.cyberduck.core.transfer.TransferStatus;
 import ch.cyberduck.core.vault.VaultCredentials;
+import ch.cyberduck.core.vault.VaultMetadataProvider;
 
 import org.apache.commons.io.IOUtils;
 import org.cryptomator.cryptolib.api.CryptorProvider;
@@ -111,6 +112,7 @@ public boolean offset(final Path file) {
             public Credentials prompt(final Host bookmark, final String title, final String reason, final LoginOptions options) {
                 return new VaultCredentials("vault123");
             }
+        }, new VaultMetadataProvider() {
         });
         final CryptoDirectory provider = new CryptoDirectoryV8Provider(vault, new CryptoFilenameV7Provider());
         assertNotNull(provider.toEncrypted(session, home));