GSoC17 : Client Side File Crypto : Week 7

Submitted by tameeshb on Wed, 07/19/2017 - 19:42

This blog post summarises the seventh week of writing code for Drupal for the Google Summer of Code.

Securely generating new symmetric keys

I was initially using Javascript’s inbuilt Math.random() function to generate the random symmetric keys for the group-access-keys but in last week’s meeting when I asked if it was okay to do that, Talha suggested that the inbuilt random numbers method was cryptographically not secure, he recommended to look for libraries that generate random keys and to check if the libraries in use provide such functions. I looked around and found that the cryptojs library that I was using for the AES encryption already had such a method for generating random strings that were cryptographically secure.

CryptoJS.enc.Hex.stringify(CryptoJS.lib.WordArray.random(16));

The above line of code will generate a 32 character random string that can be used as the symmetric key for the AES encryption for the files.

The ciphertext upload method

After I had moved the crypto operations from the sandbox to the new node page, I had overridden the default actions that are performed after a file is selected, my code would take the contents of the file and encrypt the contents and store the ciphertext in a variable in the script. The next part was to take this ciphertext and send it to the server to upload. This is the part that I was stuck on for most of the week, I was initially thinking of overriding and leveraging the inbuilt file upload JS scripts that come built-in with Drupal core. After a lot of searching, I found core/modules/file/file.js and core/misc/ajax.js but after after reading all the code and thinking on leveraging them, I went with a JS AJAX script for the POST XHR that I found on StackOverflow.

Code snippet

The JS that I’m using is my custom JS but the file upload handler that is in PHP is Drupal’s built-in file upload method.

Merging the JS key manager

While working on this week’s objectives, I also opened a merge request from the previous feature branch “js_key_manager” into the default 8.x-1.x branch and made the corrections after the code reviews by Colan. After pushing the commits to the “js_key_manager” branch and Colan approving the merge request, the JavaScript part of all the key generation and management parts of module were merged to the main branch of the module.

Use-case based tests

In this week’s meeting with Colan and Talha, another thing about writing use-case based test cases was brought up by Colan after Talha mentioned about writing different use cases for the module. In the meeting we decided on writing the use-case based tests and not write use cases as a documentation as the tests would cover that purpose.

Now that I’m done with the the key management and the encryption of the files, the only major part left is the decryption of files when they will be displayed to the users of the same role for whom the files are intended to be, that is one thing that I'll be working on this week. I also will be starting to write tests now that some parts of the module are completed.

Recent content