From 2952733a11cdc269421e87847d14d0e05a063255 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Wed, 28 Jul 2021 17:04:12 +0200
Subject: [PATCH 01/55] add PKCS12 support for on-demand creation and storage
 of an EC keypair

---
 pom.xml                                       |   8 ++
 src/main/java/module-info.java                |   2 +
 .../ui/keyloading/hub/P12AccessHelper.java    | 108 ++++++++++++++++++
 .../ui/keyloading/hub/X509Helper.java         |  81 +++++++++++++
 src/main/resources/license/THIRD-PARTY.txt    |   6 +-
 .../keyloading/hub/P12AccessHelperTest.java   |  52 +++++++++
 .../ui/keyloading/hub/X509HelperTest.java     |  25 ++++
 7 files changed, 281 insertions(+), 1 deletion(-)
 create mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/P12AccessHelper.java
 create mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/X509Helper.java
 create mode 100644 src/test/java/org/cryptomator/ui/keyloading/hub/P12AccessHelperTest.java
 create mode 100644 src/test/java/org/cryptomator/ui/keyloading/hub/X509HelperTest.java

diff --git a/pom.xml b/pom.xml
index 1369c5611..581a4c70c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -39,6 +39,7 @@
 		<!-- 3rd party dependencies -->
 		<javafx.version>16</javafx.version>
 		<commons-lang3.version>3.12.0</commons-lang3.version>
+		<bouncycastle.version>1.69</bouncycastle.version>
 		<jwt.version>3.18.1</jwt.version>
 		<easybind.version>2.2</easybind.version>
 		<guava.version>30.1.1-jre</guava.version>
@@ -128,6 +129,13 @@
 			<version>${commons-lang3.version}</version>
 		</dependency>
 
+		<!-- BouncyCastle -->
+		<dependency>
+			<groupId>org.bouncycastle</groupId>
+			<artifactId>bcpkix-jdk15on</artifactId>
+			<version>${bouncycastle.version}</version>
+		</dependency>
+
 		<!-- JWT -->
 		<dependency>
 			<groupId>com.auth0</groupId>
diff --git a/src/main/java/module-info.java b/src/main/java/module-info.java
index 6ba69a6ef..4caaf5592 100644
--- a/src/main/java/module-info.java
+++ b/src/main/java/module-info.java
@@ -23,6 +23,8 @@ module org.cryptomator.desktop {
 	requires org.apache.commons.lang3;
 	requires dagger;
 	requires com.auth0.jwt;
+	requires org.bouncycastle.provider;
+	requires org.bouncycastle.pkix;
 
 	/* TODO: filename-based modules: */
 	requires static javax.inject; /* ugly dagger/guava crap */
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/P12AccessHelper.java b/src/main/java/org/cryptomator/ui/keyloading/hub/P12AccessHelper.java
new file mode 100644
index 000000000..b25a7b188
--- /dev/null
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/P12AccessHelper.java
@@ -0,0 +1,108 @@
+package org.cryptomator.ui.keyloading.hub;
+
+import org.cryptomator.cryptolib.api.InvalidPassphraseException;
+import org.cryptomator.cryptolib.api.MasterkeyLoadingFailedException;
+
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.StandardCopyOption;
+import java.nio.file.StandardOpenOption;
+import java.security.GeneralSecurityException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.X509Certificate;
+import java.security.spec.ECGenParameterSpec;
+
+class P12AccessHelper {
+
+	private static final String EC_ALG = "EC";
+	private static final String EC_CURVE_NAME = "secp256r1";
+	private static final String SIGNATURE_ALG = "SHA256withECDSA";
+	private static final String KEYSTORE_ALIAS_KEY = "key";
+	private static final String KEYSTORE_ALIAS_CERT = "crt";
+
+	private P12AccessHelper() {}
+
+	/**
+	 * Creates a new key pair and stores it in PKCS#12 format at the given path.
+	 *
+	 * @param p12File The path of the .p12 file
+	 * @param pw The password to protect the key material
+	 * @throws IOException In case of I/O errors
+	 * @throws MasterkeyLoadingFailedException If any cryptographic operation fails
+	 */
+	public static KeyPair createNew(Path p12File, char[] pw) throws IOException, MasterkeyLoadingFailedException {
+		try {
+			var keyPair = getKeyPairGenerator().generateKeyPair();
+			var keyStore = getKeyStore();
+			keyStore.load(null, pw);
+			var cert = X509Helper.createSelfSignedCert(keyPair, SIGNATURE_ALG);
+			var chain = new X509Certificate[]{cert};
+			keyStore.setKeyEntry(KEYSTORE_ALIAS_KEY, keyPair.getPrivate(), pw, chain);
+			keyStore.setCertificateEntry(KEYSTORE_ALIAS_CERT, cert);
+			var tmpFile = p12File.resolveSibling(p12File.getFileName().toString() + ".tmp");
+			try (var out = Files.newOutputStream(tmpFile, StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE)) {
+				keyStore.store(out, pw);
+			}
+			Files.move(tmpFile, p12File, StandardCopyOption.REPLACE_EXISTING);
+			return keyPair;
+		} catch (GeneralSecurityException e) {
+			throw new MasterkeyLoadingFailedException("Failed to store PKCS12 file.", e);
+		}
+	}
+
+	/**
+	 * Loads a key pair from a PKCS#12 file located at the given path.
+	 *
+	 * @param p12File The path of the .p12 file
+	 * @param pw The password to protect the key material
+	 * @throws IOException In case of I/O errors
+	 * @throws InvalidPassphraseException If the supplied password is incorrect
+	 * @throws MasterkeyLoadingFailedException If any cryptographic operation fails
+	 */
+	public static KeyPair loadExisting(Path p12File, char[] pw) throws IOException, InvalidPassphraseException, MasterkeyLoadingFailedException {
+		try (var in = Files.newInputStream(p12File, StandardOpenOption.READ)) {
+			var keyStore = getKeyStore();
+			keyStore.load(in, pw);
+			var sk = (PrivateKey) keyStore.getKey(KEYSTORE_ALIAS_KEY, pw);
+			var pk = keyStore.getCertificate(KEYSTORE_ALIAS_CERT).getPublicKey();
+			return new KeyPair(pk, sk);
+		} catch (UnrecoverableKeyException e) {
+			throw new InvalidPassphraseException();
+		} catch (IOException e) {
+			if (e.getCause() instanceof UnrecoverableKeyException) {
+				throw new InvalidPassphraseException();
+			} else {
+				throw e;
+			}
+		} catch (GeneralSecurityException e) {
+			throw new MasterkeyLoadingFailedException("Failed to load PKCS12 file.", e);
+		}
+	}
+
+	private static KeyPairGenerator getKeyPairGenerator() {
+		try {
+			KeyPairGenerator keyGen = KeyPairGenerator.getInstance(EC_ALG);
+			keyGen.initialize(new ECGenParameterSpec(EC_CURVE_NAME));
+			return keyGen;
+		} catch (NoSuchAlgorithmException | InvalidAlgorithmParameterException e) {
+			throw new IllegalStateException("secp256r1 curve not supported");
+		}
+	}
+
+	private static KeyStore getKeyStore() {
+		try {
+			return KeyStore.getInstance("PKCS12");
+		} catch (KeyStoreException e) {
+			throw new IllegalStateException("Every implementation of the Java platform is required to support PKCS12.");
+		}
+	}
+
+}
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/X509Helper.java b/src/main/java/org/cryptomator/ui/keyloading/hub/X509Helper.java
new file mode 100644
index 000000000..d9b7b953a
--- /dev/null
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/X509Helper.java
@@ -0,0 +1,81 @@
+package org.cryptomator.ui.keyloading.hub;
+
+import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.cert.X509v3CertificateBuilder;
+import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
+import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.math.BigInteger;
+import java.security.KeyPair;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.sql.Date;
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
+import java.util.UUID;
+
+class X509Helper {
+
+	private static final X500Name ISSUER = new X500Name("CN=Cryptomator");
+	private static final X500Name SUBJECT = new X500Name("CN=Self Signed Cert");
+	private static final ASN1ObjectIdentifier ASN1_SUBJECT_KEY_ID = new ASN1ObjectIdentifier("2.5.29.14");
+
+	private X509Helper() {}
+
+	/**
+	 * Creates a self-signed X509Certificate containing the public key and signed with the private key of a given key pair.
+	 *
+	 * @param keyPair A key pair
+	 * @param signatureAlg A signature algorithm suited for the given key pair (see <a href="https://docs.oracle.com/en/java/javase/16/docs/specs/security/standard-names.html#signature-algorithms">available algorithms</a>)
+	 * @return A self-signed X509Certificate
+	 * @throws CertificateException If certificate generation failed, e.g. because of unsupported algorithms
+	 */
+	public static X509Certificate createSelfSignedCert(KeyPair keyPair, String signatureAlg) throws CertificateException {
+		try {
+			X509v3CertificateBuilder certificateBuilder = new JcaX509v3CertificateBuilder( //
+					ISSUER, //
+					randomSerialNo(), //
+					Date.from(Instant.now()), //
+					Date.from(Instant.now().plus(3650, ChronoUnit.DAYS)), //
+					SUBJECT, //
+					keyPair.getPublic());
+			certificateBuilder.addExtension(ASN1_SUBJECT_KEY_ID, false, getX509ExtensionUtils().createSubjectKeyIdentifier(keyPair.getPublic()));
+			var signer = new JcaContentSignerBuilder(signatureAlg).build(keyPair.getPrivate());
+			var cert = certificateBuilder.build(signer);
+			try (InputStream in = new ByteArrayInputStream(cert.getEncoded())) {
+				return (X509Certificate) getCertFactory().generateCertificate(in);
+			}
+		} catch (IOException | OperatorCreationException e) {
+			throw new CertificateException(e);
+		}
+	}
+
+	private static BigInteger randomSerialNo() {
+		return BigInteger.valueOf(UUID.randomUUID().getMostSignificantBits());
+	}
+
+	private static JcaX509ExtensionUtils getX509ExtensionUtils() {
+		try {
+			return new JcaX509ExtensionUtils();
+		} catch (NoSuchAlgorithmException e) {
+			throw new IllegalStateException("Every implementation of the Java platform is required to support SHA-1.");
+		}
+	}
+
+	private static CertificateFactory getCertFactory() {
+		try {
+			return CertificateFactory.getInstance("X.509");
+		} catch (CertificateException e) {
+			throw new IllegalStateException("Every implementation of the Java platform is required to support X.509.");
+		}
+	}
+
+}
diff --git a/src/main/resources/license/THIRD-PARTY.txt b/src/main/resources/license/THIRD-PARTY.txt
index 2b18cc3f1..e109eb172 100644
--- a/src/main/resources/license/THIRD-PARTY.txt
+++ b/src/main/resources/license/THIRD-PARTY.txt
@@ -11,7 +11,7 @@ GNU General Public License for more details.
 You should have received a copy of the GNU General Public License
 along with this program.  If not, see http://www.gnu.org/licenses/.
 
-Cryptomator uses 40 third-party dependencies under the following licenses:
+Cryptomator uses 43 third-party dependencies under the following licenses:
         Apache License v2.0:
 			- jffi (com.github.jnr:jffi:1.2.23 - http://github.com/jnr/jffi)
 			- jnr-a64asm (com.github.jnr:jnr-a64asm:1.0.0 - http://nexus.sonatype.org/oss-repository-hosting.html/jnr-a64asm)
@@ -41,6 +41,10 @@ Cryptomator uses 40 third-party dependencies under the following licenses:
 			- asm-commons (org.ow2.asm:asm-commons:7.1 - http://asm.ow2.org/)
 			- asm-tree (org.ow2.asm:asm-tree:7.1 - http://asm.ow2.org/)
 			- asm-util (org.ow2.asm:asm-util:7.1 - http://asm.ow2.org/)
+        Bouncy Castle Licence:
+			- Bouncy Castle PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP, and CRMF APIs (org.bouncycastle:bcpkix-jdk15on:1.69 - https://www.bouncycastle.org/java.html)
+			- Bouncy Castle Provider (org.bouncycastle:bcprov-jdk15on:1.69 - https://www.bouncycastle.org/java.html)
+			- Bouncy Castle ASN.1 Extension and Utility APIs (org.bouncycastle:bcutil-jdk15on:1.69 - https://www.bouncycastle.org/java.html)
         Eclipse Public License - Version 1.0:
 			- Jetty :: Servlet API and Schemas for JPMS and OSGi (org.eclipse.jetty.toolchain:jetty-servlet-api:4.0.6 - https://eclipse.org/jetty/jetty-servlet-api)
         Eclipse Public License - Version 2.0:
diff --git a/src/test/java/org/cryptomator/ui/keyloading/hub/P12AccessHelperTest.java b/src/test/java/org/cryptomator/ui/keyloading/hub/P12AccessHelperTest.java
new file mode 100644
index 000000000..a92eb40b3
--- /dev/null
+++ b/src/test/java/org/cryptomator/ui/keyloading/hub/P12AccessHelperTest.java
@@ -0,0 +1,52 @@
+package org.cryptomator.ui.keyloading.hub;
+
+import org.cryptomator.cryptolib.api.InvalidPassphraseException;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Nested;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.io.TempDir;
+
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+
+public class P12AccessHelperTest {
+
+	@Test
+	public void testCreate(@TempDir Path tmpDir) throws IOException {
+		var p12File = tmpDir.resolve("test.p12");
+
+		var keyPair = P12AccessHelper.createNew(p12File, "asd".toCharArray());
+
+		Assertions.assertNotNull(keyPair);
+		Assertions.assertTrue(Files.exists(p12File));
+	}
+
+	@Nested
+	public class ExistingFile {
+
+		private Path p12File;
+
+		@BeforeEach
+		public void setup(@TempDir Path tmpDir) throws IOException {
+			p12File = tmpDir.resolve("test.p12");
+			P12AccessHelper.createNew(p12File, "foo".toCharArray());
+		}
+
+		@Test
+		public void testLoadWithWrongPassword() {
+			Assertions.assertThrows(InvalidPassphraseException.class, () -> {
+				P12AccessHelper.loadExisting(p12File, "bar".toCharArray());
+			});
+		}
+
+		@Test
+		public void testLoad() throws IOException {
+			var keyPair = P12AccessHelper.loadExisting(p12File, "foo".toCharArray());
+
+			Assertions.assertNotNull(keyPair);
+		}
+	}
+
+}
\ No newline at end of file
diff --git a/src/test/java/org/cryptomator/ui/keyloading/hub/X509HelperTest.java b/src/test/java/org/cryptomator/ui/keyloading/hub/X509HelperTest.java
new file mode 100644
index 000000000..79abc82f4
--- /dev/null
+++ b/src/test/java/org/cryptomator/ui/keyloading/hub/X509HelperTest.java
@@ -0,0 +1,25 @@
+package org.cryptomator.ui.keyloading.hub;
+
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+
+import java.io.IOException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.KeyPairGenerator;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.security.spec.ECGenParameterSpec;
+
+public class X509HelperTest {
+
+	@Test
+	public void testCreateCert() throws NoSuchAlgorithmException, CertificateException, KeyStoreException, IOException, InvalidAlgorithmParameterException {
+		KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC");
+		keyGen.initialize(new ECGenParameterSpec("secp256r1"));
+		var keyPair = keyGen.generateKeyPair();
+		var cert = X509Helper.createSelfSignedCert(keyPair, "SHA256withECDSA");
+		Assertions.assertNotNull(cert);
+	}
+
+}
\ No newline at end of file

From b21ea6134241801dfa72c27f61a6f15c98932026 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Wed, 28 Jul 2021 17:29:44 +0200
Subject: [PATCH 02/55] add first draft for `hub+http` / `hub+https` keyloading
 scheme

---
 .idea/runConfigurations/Cryptomator_Linux.xml |   2 +-
 .../Cryptomator_Linux_Dev.xml                 |   2 +-
 .../runConfigurations/Cryptomator_Windows.xml |   2 +-
 .../Cryptomator_Windows_Dev.xml               |   2 +-
 .idea/runConfigurations/Cryptomator_macOS.xml |   2 +-
 .../Cryptomator_macOS_Dev.xml                 |   2 +-
 src/main/java/module-info.java                |   1 +
 .../org/cryptomator/common/Environment.java   |   5 +
 .../org/cryptomator/ui/common/FxmlFile.java   |   1 +
 .../ui/controls/NiceSecurePasswordField.java  |   4 +
 .../ui/controls/SecurePasswordField.java      |   9 ++
 .../ui/keyloading/KeyLoadingModule.java       |   3 +-
 .../keyloading/hub/HubKeyLoadingModule.java   |  87 +++++++++++++
 .../keyloading/hub/HubKeyLoadingStrategy.java |  88 +++++++++++++
 .../ui/keyloading/hub/P12Controller.java      |  65 ++++++++++
 .../keyloading/hub/P12CreateController.java   | 118 ++++++++++++++++++
 .../ui/keyloading/hub/P12LoadController.java  | 106 ++++++++++++++++
 src/main/resources/fxml/hub_p12.fxml          |  19 +++
 src/main/resources/fxml/hub_p12_create.fxml   |  39 ++++++
 src/main/resources/fxml/hub_p12_load.fxml     |  48 +++++++
 20 files changed, 598 insertions(+), 7 deletions(-)
 create mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
 create mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java
 create mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/P12Controller.java
 create mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/P12CreateController.java
 create mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/P12LoadController.java
 create mode 100644 src/main/resources/fxml/hub_p12.fxml
 create mode 100644 src/main/resources/fxml/hub_p12_create.fxml
 create mode 100644 src/main/resources/fxml/hub_p12_load.fxml

diff --git a/.idea/runConfigurations/Cryptomator_Linux.xml b/.idea/runConfigurations/Cryptomator_Linux.xml
index 735f60069..2d55618de 100644
--- a/.idea/runConfigurations/Cryptomator_Linux.xml
+++ b/.idea/runConfigurations/Cryptomator_Linux.xml
@@ -2,7 +2,7 @@
   <configuration default="false" name="Cryptomator Linux" type="Application" factoryName="Application">
     <option name="MAIN_CLASS_NAME" value="org.cryptomator.launcher.Cryptomator" />
     <module name="cryptomator" />
-    <option name="VM_PARAMETERS" value="-Djdk.gtk.version=2 -Duser.language=en -Dcryptomator.settingsPath=&quot;~/.config/Cryptomator/settings.json&quot; -Dcryptomator.ipcSocketPath=&quot;~/.config/Cryptomator/ipc.socket&quot; -Dcryptomator.logDir=&quot;~/.local/share/Cryptomator/logs&quot; -Dcryptomator.mountPointsDir=&quot;~/.local/share/Cryptomator/mnt&quot; -Dcryptomator.showTrayIcon=true -Xss20m -Xmx512m" />
+    <option name="VM_PARAMETERS" value="-Djdk.gtk.version=2 -Duser.language=en -Dcryptomator.settingsPath=&quot;~/.config/Cryptomator/settings.json&quot; -Dcryptomator.p12Path=&quot;~/.config/Cryptomator/key.p12&quot; -Dcryptomator.ipcSocketPath=&quot;~/.config/Cryptomator/ipc.socket&quot; -Dcryptomator.logDir=&quot;~/.local/share/Cryptomator/logs&quot; -Dcryptomator.mountPointsDir=&quot;~/.local/share/Cryptomator/mnt&quot; -Dcryptomator.showTrayIcon=true -Xss20m -Xmx512m" />
     <method v="2">
       <option name="Make" enabled="true" />
     </method>
diff --git a/.idea/runConfigurations/Cryptomator_Linux_Dev.xml b/.idea/runConfigurations/Cryptomator_Linux_Dev.xml
index e90dcf41c..3cda80876 100644
--- a/.idea/runConfigurations/Cryptomator_Linux_Dev.xml
+++ b/.idea/runConfigurations/Cryptomator_Linux_Dev.xml
@@ -2,7 +2,7 @@
   <configuration default="false" name="Cryptomator Linux Dev" type="Application" factoryName="Application">
     <option name="MAIN_CLASS_NAME" value="org.cryptomator.launcher.Cryptomator" />
     <module name="cryptomator" />
-    <option name="VM_PARAMETERS" value="-Djdk.gtk.version=2 -Duser.language=en -Dcryptomator.settingsPath=&quot;~/.config/Cryptomator-Dev/settings.json&quot; -Dcryptomator.ipcSocketPath=&quot;~/.config/Cryptomator-Dev/ipc.socket&quot; -Dcryptomator.logDir=&quot;~/.local/share/Cryptomator-Dev/logs&quot; -Dcryptomator.mountPointsDir=&quot;~/.local/share/Cryptomator-Dev/mnt&quot; -Dcryptomator.showTrayIcon=true -Dfuse.experimental=&quot;true&quot; -Xss20m -Xmx512m" />
+    <option name="VM_PARAMETERS" value="-Djdk.gtk.version=2 -Duser.language=en -Dcryptomator.settingsPath=&quot;~/.config/Cryptomator-Dev/settings.json&quot; -Dcryptomator.p12Path=&quot;~/.config/Cryptomator-Dev/key.p12&quot; -Dcryptomator.ipcSocketPath=&quot;~/.config/Cryptomator-Dev/ipc.socket&quot; -Dcryptomator.logDir=&quot;~/.local/share/Cryptomator-Dev/logs&quot; -Dcryptomator.mountPointsDir=&quot;~/.local/share/Cryptomator-Dev/mnt&quot; -Dcryptomator.showTrayIcon=true -Dfuse.experimental=&quot;true&quot; -Xss20m -Xmx512m" />
     <method v="2">
       <option name="Make" enabled="true" />
     </method>
diff --git a/.idea/runConfigurations/Cryptomator_Windows.xml b/.idea/runConfigurations/Cryptomator_Windows.xml
index 2f7f4997f..846013948 100644
--- a/.idea/runConfigurations/Cryptomator_Windows.xml
+++ b/.idea/runConfigurations/Cryptomator_Windows.xml
@@ -2,7 +2,7 @@
   <configuration default="false" name="Cryptomator Windows" type="Application" factoryName="Application">
     <option name="MAIN_CLASS_NAME" value="org.cryptomator.launcher.Cryptomator" />
     <module name="cryptomator" />
-    <option name="VM_PARAMETERS" value="-Duser.language=en -Dcryptomator.settingsPath=&quot;~/AppData/Roaming/Cryptomator/settings.json&quot; -Dcryptomator.ipcSocketPath=&quot;~/AppData/Roaming/Cryptomator/ipc.socket&quot; -Dcryptomator.logDir=&quot;~/AppData/Roaming/Cryptomator&quot; -Dcryptomator.keychainPath=&quot;~/AppData/Roaming/Cryptomator/keychain.json&quot; -Dcryptomator.mountPointsDir=&quot;~/Cryptomator&quot; -Dcryptomator.showTrayIcon=true -Xss2m -Xmx512m" />
+    <option name="VM_PARAMETERS" value="-Duser.language=en -Dcryptomator.settingsPath=&quot;~/AppData/Roaming/Cryptomator/settings.json&quot; -Dcryptomator.p12Path=&quot;~/AppData/Roaming/Cryptomator/key.p12&quot; -Dcryptomator.ipcSocketPath=&quot;~/AppData/Roaming/Cryptomator/ipc.socket&quot; -Dcryptomator.logDir=&quot;~/AppData/Roaming/Cryptomator&quot; -Dcryptomator.keychainPath=&quot;~/AppData/Roaming/Cryptomator/keychain.json&quot; -Dcryptomator.mountPointsDir=&quot;~/Cryptomator&quot; -Dcryptomator.showTrayIcon=true -Xss2m -Xmx512m" />
     <method v="2">
       <option name="Make" enabled="true" />
     </method>
diff --git a/.idea/runConfigurations/Cryptomator_Windows_Dev.xml b/.idea/runConfigurations/Cryptomator_Windows_Dev.xml
index 31207122a..2237ff5dd 100644
--- a/.idea/runConfigurations/Cryptomator_Windows_Dev.xml
+++ b/.idea/runConfigurations/Cryptomator_Windows_Dev.xml
@@ -2,7 +2,7 @@
   <configuration default="false" name="Cryptomator Windows Dev" type="Application" factoryName="Application">
     <option name="MAIN_CLASS_NAME" value="org.cryptomator.launcher.Cryptomator" />
     <module name="cryptomator" />
-    <option name="VM_PARAMETERS" value="-Duser.language=en -Dcryptomator.settingsPath=&quot;~/AppData/Roaming/Cryptomator-Dev/settings.json&quot; -Dcryptomator.ipcSocketPath=&quot;~/AppData/Roaming/Cryptomator-Dev/ipc.socket&quot; -Dcryptomator.logDir=&quot;~/AppData/Roaming/Cryptomator-Dev&quot; -Dcryptomator.keychainPath=&quot;~/AppData/Roaming/Cryptomator-Dev/keychain.json&quot; -Dcryptomator.mountPointsDir=&quot;~/Cryptomator-Dev&quot; -Dfuse.experimental=&quot;true&quot; -Dcryptomator.showTrayIcon=true -Xss2m -Xmx512m" />
+    <option name="VM_PARAMETERS" value="-Duser.language=en -Dcryptomator.settingsPath=&quot;~/AppData/Roaming/Cryptomator-Dev/settings.json&quot; -Dcryptomator.p12Path=&quot;~/AppData/Roaming/Cryptomator-Dev/key.p12&quot; -Dcryptomator.ipcSocketPath=&quot;~/AppData/Roaming/Cryptomator-Dev/ipc.socket&quot; -Dcryptomator.logDir=&quot;~/AppData/Roaming/Cryptomator-Dev&quot; -Dcryptomator.keychainPath=&quot;~/AppData/Roaming/Cryptomator-Dev/keychain.json&quot; -Dcryptomator.mountPointsDir=&quot;~/Cryptomator-Dev&quot; -Dfuse.experimental=&quot;true&quot; -Dcryptomator.showTrayIcon=true -Xss2m -Xmx512m" />
     <method v="2">
       <option name="Make" enabled="true" />
     </method>
diff --git a/.idea/runConfigurations/Cryptomator_macOS.xml b/.idea/runConfigurations/Cryptomator_macOS.xml
index fc3a989f5..02cb6af58 100644
--- a/.idea/runConfigurations/Cryptomator_macOS.xml
+++ b/.idea/runConfigurations/Cryptomator_macOS.xml
@@ -5,7 +5,7 @@
     </envs>
     <option name="MAIN_CLASS_NAME" value="org.cryptomator.launcher.Cryptomator" />
     <module name="cryptomator" />
-    <option name="VM_PARAMETERS" value="-Duser.language=en -Dcryptomator.settingsPath=&quot;~/Library/Application Support/Cryptomator/settings.json&quot; -Dcryptomator.ipcSocketPath=&quot;~/Library/Application Support/Cryptomator/ipc.socket&quot; -Dcryptomator.logDir=&quot;~/Library/Logs/Cryptomator&quot; -Dcryptomator.showTrayIcon=true -Xss2m -Xmx512m -ea" />
+    <option name="VM_PARAMETERS" value="-Duser.language=en -Dcryptomator.settingsPath=&quot;~/Library/Application Support/Cryptomator/settings.json&quot; -Dcryptomator.p12Path=&quot;~/Library/Application Support/Cryptomator/key.p12&quot; -Dcryptomator.ipcSocketPath=&quot;~/Library/Application Support/Cryptomator/ipc.socket&quot; -Dcryptomator.logDir=&quot;~/Library/Logs/Cryptomator&quot; -Dcryptomator.showTrayIcon=true -Xss2m -Xmx512m -ea" />
     <method v="2">
       <option name="Make" enabled="true" />
     </method>
diff --git a/.idea/runConfigurations/Cryptomator_macOS_Dev.xml b/.idea/runConfigurations/Cryptomator_macOS_Dev.xml
index a515ab6ce..b7e3159ef 100644
--- a/.idea/runConfigurations/Cryptomator_macOS_Dev.xml
+++ b/.idea/runConfigurations/Cryptomator_macOS_Dev.xml
@@ -5,7 +5,7 @@
     </envs>
     <option name="MAIN_CLASS_NAME" value="org.cryptomator.launcher.Cryptomator" />
     <module name="cryptomator" />
-    <option name="VM_PARAMETERS" value="-Duser.language=en -Dcryptomator.settingsPath=&quot;~/Library/Application Support/Cryptomator-Dev/settings.json&quot; -Dcryptomator.ipcSocketPath=&quot;~/Library/Application Support/Cryptomator-Dev/ipc.socket&quot; -Dcryptomator.logDir=&quot;~/Library/Logs/Cryptomator-Dev&quot; -Dcryptomator.showTrayIcon=true -Xss2m -Xmx512m -ea" />
+    <option name="VM_PARAMETERS" value="-Duser.language=en -Dcryptomator.settingsPath=&quot;~/Library/Application Support/Cryptomator-Dev/settings.json&quot; -Dcryptomator.p12Path=&quot;~/Library/Application Support/Cryptomator-Dev/key.p12&quot; -Dcryptomator.ipcSocketPath=&quot;~/Library/Application Support/Cryptomator-Dev/ipc.socket&quot; -Dcryptomator.logDir=&quot;~/Library/Logs/Cryptomator-Dev&quot; -Dcryptomator.showTrayIcon=true -Xss2m -Xmx512m -ea" />
     <method v="2">
       <option name="Make" enabled="true" />
     </method>
diff --git a/src/main/java/module-info.java b/src/main/java/module-info.java
index 4caaf5592..dfb03a6c4 100644
--- a/src/main/java/module-info.java
+++ b/src/main/java/module-info.java
@@ -47,6 +47,7 @@ module org.cryptomator.desktop {
 	opens org.cryptomator.ui.forgetPassword to javafx.fxml;
 	opens org.cryptomator.ui.fxapp to javafx.fxml;
 	opens org.cryptomator.ui.health to javafx.fxml;
+	opens org.cryptomator.ui.keyloading.hub to javafx.fxml;
 	opens org.cryptomator.ui.keyloading.masterkeyfile to javafx.fxml;
 	opens org.cryptomator.ui.mainwindow to javafx.fxml;
 	opens org.cryptomator.ui.migration to javafx.fxml;
diff --git a/src/main/java/org/cryptomator/common/Environment.java b/src/main/java/org/cryptomator/common/Environment.java
index 3cd691fae..a6bfddb00 100644
--- a/src/main/java/org/cryptomator/common/Environment.java
+++ b/src/main/java/org/cryptomator/common/Environment.java
@@ -33,6 +33,7 @@ public class Environment {
 		LOG.debug("user.region: {}", System.getProperty("user.region"));
 		LOG.debug("logback.configurationFile: {}", System.getProperty("logback.configurationFile"));
 		LOG.debug("cryptomator.settingsPath: {}", System.getProperty("cryptomator.settingsPath"));
+		LOG.debug("cryptomator.p12Path: {}", System.getProperty("cryptomator.p12Path"));
 		LOG.debug("cryptomator.ipcSocketPath: {}", System.getProperty("cryptomator.ipcSocketPath"));
 		LOG.debug("cryptomator.keychainPath: {}", System.getProperty("cryptomator.keychainPath"));
 		LOG.debug("cryptomator.logDir: {}", System.getProperty("cryptomator.logDir"));
@@ -51,6 +52,10 @@ public class Environment {
 		return getPaths("cryptomator.settingsPath");
 	}
 
+	public Stream<Path> getP12Path() {
+		return getPaths("cryptomator.p12Path");
+	}
+
 	public Stream<Path> ipcSocketPath() {
 		return getPaths("cryptomator.ipcSocketPath");
 	}
diff --git a/src/main/java/org/cryptomator/ui/common/FxmlFile.java b/src/main/java/org/cryptomator/ui/common/FxmlFile.java
index ea0c1ed38..a6c3a72e6 100644
--- a/src/main/java/org/cryptomator/ui/common/FxmlFile.java
+++ b/src/main/java/org/cryptomator/ui/common/FxmlFile.java
@@ -14,6 +14,7 @@ public enum FxmlFile {
 	HEALTH_START("/fxml/health_start.fxml"), //
 	HEALTH_START_FAIL("/fxml/health_start_fail.fxml"), //
 	HEALTH_CHECK_LIST("/fxml/health_check_list.fxml"), //
+	HUB_P12("/fxml/hub_p12.fxml"), //
 	LOCK_FORCED("/fxml/lock_forced.fxml"), //
 	LOCK_FAILED("/fxml/lock_failed.fxml"), //
 	MAIN_WINDOW("/fxml/main_window.fxml"), //
diff --git a/src/main/java/org/cryptomator/ui/controls/NiceSecurePasswordField.java b/src/main/java/org/cryptomator/ui/controls/NiceSecurePasswordField.java
index 4a4e43fff..553dda73b 100644
--- a/src/main/java/org/cryptomator/ui/controls/NiceSecurePasswordField.java
+++ b/src/main/java/org/cryptomator/ui/controls/NiceSecurePasswordField.java
@@ -82,6 +82,10 @@ public class NiceSecurePasswordField extends StackPane {
 		return passwordField.textProperty();
 	}
 
+	public char[] copyChars() {
+		return passwordField.copyChars();
+	}
+
 	public CharSequence getCharacters() {
 		return passwordField.getCharacters();
 	}
diff --git a/src/main/java/org/cryptomator/ui/controls/SecurePasswordField.java b/src/main/java/org/cryptomator/ui/controls/SecurePasswordField.java
index 3689b7e6e..4e5e1cfe0 100644
--- a/src/main/java/org/cryptomator/ui/controls/SecurePasswordField.java
+++ b/src/main/java/org/cryptomator/ui/controls/SecurePasswordField.java
@@ -194,6 +194,15 @@ public class SecurePasswordField extends TextField {
 		}
 	}
 
+	/**
+	 * Retrieves a copy of the password characters. This copy needs to be wiped by the caller when done.
+	 *
+	 * @return A copy of the password
+	 */
+	public char[] copyChars() {
+		return Arrays.copyOf(content, length);
+	}
+
 	/**
 	 * Creates a CharSequence by wrapping the password characters.
 	 *
diff --git a/src/main/java/org/cryptomator/ui/keyloading/KeyLoadingModule.java b/src/main/java/org/cryptomator/ui/keyloading/KeyLoadingModule.java
index f7eb8922f..3e0ed5572 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/KeyLoadingModule.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/KeyLoadingModule.java
@@ -7,6 +7,7 @@ import org.cryptomator.cryptofs.VaultConfig.UnverifiedVaultConfig;
 import org.cryptomator.ui.common.DefaultSceneFactory;
 import org.cryptomator.ui.common.FxController;
 import org.cryptomator.ui.common.FxmlLoaderFactory;
+import org.cryptomator.ui.keyloading.hub.HubKeyLoadingModule;
 import org.cryptomator.ui.keyloading.masterkeyfile.MasterkeyFileLoadingModule;
 
 import javax.inject.Provider;
@@ -16,7 +17,7 @@ import java.util.Map;
 import java.util.Optional;
 import java.util.ResourceBundle;
 
-@Module(includes = {MasterkeyFileLoadingModule.class})
+@Module(includes = {MasterkeyFileLoadingModule.class, HubKeyLoadingModule.class})
 abstract class KeyLoadingModule {
 
 	@Provides
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
new file mode 100644
index 000000000..132ef36d0
--- /dev/null
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
@@ -0,0 +1,87 @@
+package org.cryptomator.ui.keyloading.hub;
+
+import dagger.Binds;
+import dagger.Module;
+import dagger.Provides;
+import dagger.multibindings.IntoMap;
+import dagger.multibindings.StringKey;
+import org.cryptomator.ui.common.FxController;
+import org.cryptomator.ui.common.FxControllerKey;
+import org.cryptomator.ui.common.FxmlFile;
+import org.cryptomator.ui.common.FxmlLoaderFactory;
+import org.cryptomator.ui.common.FxmlScene;
+import org.cryptomator.ui.common.NewPasswordController;
+import org.cryptomator.ui.common.PasswordStrengthUtil;
+import org.cryptomator.ui.common.UserInteractionLock;
+import org.cryptomator.ui.keyloading.KeyLoading;
+import org.cryptomator.ui.keyloading.KeyLoadingScoped;
+import org.cryptomator.ui.keyloading.KeyLoadingStrategy;
+
+import javafx.scene.Scene;
+import java.security.KeyPair;
+import java.util.ResourceBundle;
+import java.util.concurrent.atomic.AtomicReference;
+
+@Module
+public abstract class HubKeyLoadingModule {
+
+	public enum P12KeyLoading {
+		LOADED,
+		CREATED,
+		CANCELED
+	}
+
+	@Provides
+	@KeyLoadingScoped
+	static AtomicReference<KeyPair> provideKeyPair() {
+		return new AtomicReference<>();
+	}
+
+	@Provides
+	@KeyLoadingScoped
+	static UserInteractionLock<P12KeyLoading> provideP12KeyLoadingLock() {
+		return new UserInteractionLock<>(null);
+	}
+
+	@Binds
+	@IntoMap
+	@KeyLoadingScoped
+	@StringKey(HubKeyLoadingStrategy.SCHEME_HUB_HTTP)
+	abstract KeyLoadingStrategy bindHubKeyLoadingStrategyToHubHttp(HubKeyLoadingStrategy strategy);
+
+	@Binds
+	@IntoMap
+	@KeyLoadingScoped
+	@StringKey(HubKeyLoadingStrategy.SCHEME_HUB_HTTPS)
+	abstract KeyLoadingStrategy bindHubKeyLoadingStrategyToHubHttps(HubKeyLoadingStrategy strategy);
+
+	@Provides
+	@FxmlScene(FxmlFile.HUB_P12)
+	@KeyLoadingScoped
+	static Scene provideHubP12LoadingScene(@KeyLoading FxmlLoaderFactory fxmlLoaders) {
+		return fxmlLoaders.createScene(FxmlFile.HUB_P12);
+	}
+
+	@Binds
+	@IntoMap
+	@FxControllerKey(P12Controller.class)
+	abstract FxController bindP12Controller(P12Controller controller);
+
+	@Binds
+	@IntoMap
+	@FxControllerKey(P12LoadController.class)
+	abstract FxController bindP12LoadController(P12LoadController controller);
+
+	@Binds
+	@IntoMap
+	@FxControllerKey(P12CreateController.class)
+	abstract FxController bindP12CreateController(P12CreateController controller);
+
+	@Provides
+	@IntoMap
+	@FxControllerKey(NewPasswordController.class)
+	static FxController provideNewPasswordController(ResourceBundle resourceBundle, PasswordStrengthUtil strengthRater) {
+		return new NewPasswordController(resourceBundle, strengthRater);
+	}
+
+}
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java
new file mode 100644
index 000000000..367db4d6e
--- /dev/null
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java
@@ -0,0 +1,88 @@
+package org.cryptomator.ui.keyloading.hub;
+
+import dagger.Lazy;
+import org.cryptomator.common.vaults.Vault;
+import org.cryptomator.cryptolib.api.Masterkey;
+import org.cryptomator.cryptolib.api.MasterkeyLoadingFailedException;
+import org.cryptomator.ui.common.FxmlFile;
+import org.cryptomator.ui.common.FxmlScene;
+import org.cryptomator.ui.common.UserInteractionLock;
+import org.cryptomator.ui.keyloading.KeyLoading;
+import org.cryptomator.ui.keyloading.KeyLoadingStrategy;
+import org.cryptomator.ui.unlock.UnlockCancelledException;
+
+import javax.inject.Inject;
+import javafx.application.Platform;
+import javafx.scene.Scene;
+import javafx.stage.Stage;
+import javafx.stage.Window;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.security.KeyPair;
+import java.util.concurrent.atomic.AtomicReference;
+
+@KeyLoading
+public class HubKeyLoadingStrategy implements KeyLoadingStrategy {
+
+	static final String SCHEME_HUB_HTTP = "hub+http";
+	static final String SCHEME_HUB_HTTPS = "hub+https";
+	private static final String SCHEME_HTTP = "http";
+	private static final String SCHEME_HTTPS = "https";
+
+	private final Vault vault;
+	private final Stage window;
+	private final Lazy<Scene> p12LoadingScene;
+	private final UserInteractionLock<HubKeyLoadingModule.P12KeyLoading> p12LoadingLock;
+	private final AtomicReference<KeyPair> keyPairRef;
+
+	@Inject
+	public HubKeyLoadingStrategy(@KeyLoading Vault vault, @KeyLoading Stage window, @FxmlScene(FxmlFile.HUB_P12) Lazy<Scene> p12LoadingScene, UserInteractionLock<HubKeyLoadingModule.P12KeyLoading> p12LoadingLock, AtomicReference<KeyPair> keyPairRef) {
+		this.vault = vault;
+		this.window = window;
+		this.p12LoadingScene = p12LoadingScene;
+		this.p12LoadingLock = p12LoadingLock;
+		this.keyPairRef = keyPairRef;
+	}
+
+	@Override
+	public Masterkey loadKey(URI keyId) throws MasterkeyLoadingFailedException {
+		return switch (keyId.getScheme().toLowerCase()) {
+			case SCHEME_HUB_HTTP -> loadKey(keyId, SCHEME_HTTP);
+			case SCHEME_HUB_HTTPS -> loadKey(keyId, SCHEME_HTTPS);
+			default -> throw new IllegalArgumentException("Only supports keys with schemes " + SCHEME_HUB_HTTP + " or " + SCHEME_HUB_HTTPS);
+		};
+	}
+
+	private Masterkey loadKey(URI keyId, String adjustedScheme) {
+		try {
+			var foo = new URI(adjustedScheme, keyId.getSchemeSpecificPart(), keyId.getFragment());
+		} catch (URISyntaxException e) {
+			throw new IllegalStateException("URI known to be valid, if old URI was valid", e);
+		}
+
+		try {
+			loadP12();
+			LOG.info("keypair loaded {}", keyPairRef.get().getPublic());
+			throw new UnlockCancelledException("not yet implemented"); // TODO
+		} catch (InterruptedException e) {
+			Thread.currentThread().interrupt();
+			throw new UnlockCancelledException("Loading interrupted", e);
+		}
+	}
+
+	private HubKeyLoadingModule.P12KeyLoading loadP12() throws InterruptedException {
+		Platform.runLater(() -> {
+			window.setScene(p12LoadingScene.get());
+			window.show();
+			Window owner = window.getOwner();
+			if (owner != null) {
+				window.setX(owner.getX() + (owner.getWidth() - window.getWidth()) / 2);
+				window.setY(owner.getY() + (owner.getHeight() - window.getHeight()) / 2);
+			} else {
+				window.centerOnScreen();
+			}
+		});
+		return p12LoadingLock.awaitInteraction();
+	}
+
+}
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/P12Controller.java b/src/main/java/org/cryptomator/ui/keyloading/hub/P12Controller.java
new file mode 100644
index 000000000..0505bde28
--- /dev/null
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/P12Controller.java
@@ -0,0 +1,65 @@
+package org.cryptomator.ui.keyloading.hub;
+
+import com.google.common.base.Preconditions;
+import org.cryptomator.common.Environment;
+import org.cryptomator.cryptolib.api.InvalidPassphraseException;
+import org.cryptomator.cryptolib.common.Destroyables;
+import org.cryptomator.ui.common.FxController;
+import org.cryptomator.ui.common.NewPasswordController;
+import org.cryptomator.ui.common.UserInteractionLock;
+import org.cryptomator.ui.controls.NiceSecurePasswordField;
+import org.cryptomator.ui.keyloading.KeyLoading;
+import org.cryptomator.ui.keyloading.KeyLoadingScoped;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.inject.Inject;
+import javafx.beans.binding.Bindings;
+import javafx.beans.binding.BooleanExpression;
+import javafx.beans.binding.ObjectExpression;
+import javafx.beans.property.BooleanProperty;
+import javafx.beans.property.SimpleBooleanProperty;
+import javafx.fxml.FXML;
+import javafx.scene.control.ContentDisplay;
+import javafx.scene.layout.VBox;
+import javafx.stage.Stage;
+import javafx.stage.WindowEvent;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.security.KeyPair;
+import java.util.Arrays;
+import java.util.concurrent.atomic.AtomicReference;
+
+@KeyLoadingScoped
+public class P12Controller implements FxController {
+
+	private static final Logger LOG = LoggerFactory.getLogger(P12Controller.class);
+
+	private final Stage window;
+	private final Environment env;
+	private final UserInteractionLock<HubKeyLoadingModule.P12KeyLoading> p12LoadingLock;
+
+	@Inject
+	public P12Controller(@KeyLoading Stage window, Environment env, AtomicReference<KeyPair> keyPairRef, UserInteractionLock<HubKeyLoadingModule.P12KeyLoading> p12LoadingLock) {
+		this.window = window;
+		this.env = env;
+		this.p12LoadingLock = p12LoadingLock;
+		this.window.setOnHiding(this::windowClosed);
+	}
+
+	private void windowClosed(WindowEvent windowEvent) {
+		// if not already interacted, mark this workflow as cancelled:
+		if (p12LoadingLock.awaitingInteraction().get()) {
+			LOG.debug("P12 loading canceled by user.");
+			p12LoadingLock.interacted(HubKeyLoadingModule.P12KeyLoading.CANCELED);
+		}
+	}
+
+	/* Getter/Setter */
+
+	public boolean isP12Present() {
+		return env.getP12Path().anyMatch(Files::isRegularFile);
+	}
+
+}
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/P12CreateController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/P12CreateController.java
new file mode 100644
index 000000000..d892d086f
--- /dev/null
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/P12CreateController.java
@@ -0,0 +1,118 @@
+package org.cryptomator.ui.keyloading.hub;
+
+import com.google.common.base.Preconditions;
+import org.cryptomator.common.Environment;
+import org.cryptomator.cryptolib.common.Destroyables;
+import org.cryptomator.ui.common.FxController;
+import org.cryptomator.ui.common.NewPasswordController;
+import org.cryptomator.ui.common.UserInteractionLock;
+import org.cryptomator.ui.keyloading.KeyLoading;
+import org.cryptomator.ui.keyloading.KeyLoadingScoped;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.inject.Inject;
+import javafx.beans.binding.Bindings;
+import javafx.beans.binding.BooleanExpression;
+import javafx.beans.binding.ObjectBinding;
+import javafx.beans.binding.ObjectExpression;
+import javafx.beans.property.BooleanProperty;
+import javafx.beans.property.SimpleBooleanProperty;
+import javafx.fxml.FXML;
+import javafx.scene.control.ContentDisplay;
+import javafx.stage.Stage;
+import java.io.IOException;
+import java.nio.file.Path;
+import java.security.KeyPair;
+import java.util.Arrays;
+import java.util.concurrent.atomic.AtomicReference;
+
+@KeyLoadingScoped
+public class P12CreateController implements FxController  {
+
+	private static final Logger LOG = LoggerFactory.getLogger(P12LoadController.class);
+
+	private final Stage window;
+	private final Environment env;
+	private final AtomicReference<KeyPair> keyPairRef;
+	private final UserInteractionLock<HubKeyLoadingModule.P12KeyLoading> p12LoadingLock;
+	private final BooleanProperty userInteractionDisabled = new SimpleBooleanProperty();
+	private final ObjectBinding<ContentDisplay> unlockButtonContentDisplay = Bindings.createObjectBinding(this::getUnlockButtonContentDisplay, userInteractionDisabled);
+	private final BooleanProperty readyToCreate = new SimpleBooleanProperty();
+
+	public NewPasswordController newPasswordController;
+
+
+	@Inject
+	public P12CreateController(@KeyLoading Stage window, Environment env, AtomicReference<KeyPair> keyPairRef, UserInteractionLock<HubKeyLoadingModule.P12KeyLoading> p12LoadingLock) {
+		this.window = window;
+		this.env = env;
+		this.keyPairRef = keyPairRef;
+		this.p12LoadingLock = p12LoadingLock;
+	}
+
+	@FXML
+	public void initialize() {
+		readyToCreate.bind(newPasswordController.goodPasswordProperty());
+	}
+
+	@FXML
+	public void cancel() {
+		window.close();
+	}
+
+	@FXML
+	public void create() {
+		Preconditions.checkState(newPasswordController.goodPasswordProperty().get());
+		char[] pw = newPasswordController.passwordField.copyChars();
+		try {
+			Path p12File = env.getP12Path().findFirst().orElseThrow(IllegalStateException::new);
+			var keyPair = P12AccessHelper.createNew(p12File, pw);
+			setKeyPair(keyPair);
+			LOG.debug("Created .p12 file {}", p12File);
+			p12LoadingLock.interacted(HubKeyLoadingModule.P12KeyLoading.CREATED);
+			window.close();
+		} catch (IOException e) {
+			LOG.error("Failed to load .p12 file.", e);
+			// TODO
+		} finally {
+			Arrays.fill(pw, '\0');
+			newPasswordController.passwordField.wipe();
+			newPasswordController.reenterField.wipe();
+		}
+	}
+
+	private void setKeyPair(KeyPair keyPair) {
+		var oldKeyPair = keyPairRef.getAndSet(keyPair);
+		if (oldKeyPair != null) {
+			Destroyables.destroySilently(oldKeyPair.getPrivate());
+		}
+	}
+	/* Getter/Setter */
+
+
+	public BooleanExpression userInteractionDisabledProperty() {
+		return userInteractionDisabled;
+	}
+
+	public boolean isUserInteractionDisabled() {
+		return userInteractionDisabled.get();
+	}
+
+	public ObjectExpression<ContentDisplay> unlockButtonContentDisplayProperty() {
+		return unlockButtonContentDisplay;
+	}
+
+	public ContentDisplay getUnlockButtonContentDisplay() {
+		return userInteractionDisabled.get() ? ContentDisplay.LEFT : ContentDisplay.TEXT_ONLY;
+	}
+
+	public BooleanProperty readyToCreateProperty() {
+		return readyToCreate;
+	}
+
+	public boolean isReadyToCreate() {
+		return readyToCreate.get();
+	}
+
+}
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/P12LoadController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/P12LoadController.java
new file mode 100644
index 000000000..bab2992bb
--- /dev/null
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/P12LoadController.java
@@ -0,0 +1,106 @@
+package org.cryptomator.ui.keyloading.hub;
+
+import org.cryptomator.common.Environment;
+import org.cryptomator.cryptolib.api.InvalidPassphraseException;
+import org.cryptomator.cryptolib.common.Destroyables;
+import org.cryptomator.ui.common.Animations;
+import org.cryptomator.ui.common.FxController;
+import org.cryptomator.ui.common.UserInteractionLock;
+import org.cryptomator.ui.controls.NiceSecurePasswordField;
+import org.cryptomator.ui.keyloading.KeyLoading;
+import org.cryptomator.ui.keyloading.KeyLoadingScoped;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.inject.Inject;
+import javafx.beans.binding.Bindings;
+import javafx.beans.binding.BooleanExpression;
+import javafx.beans.binding.ObjectBinding;
+import javafx.beans.binding.ObjectExpression;
+import javafx.beans.property.BooleanProperty;
+import javafx.beans.property.SimpleBooleanProperty;
+import javafx.fxml.FXML;
+import javafx.scene.control.ContentDisplay;
+import javafx.stage.Stage;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.security.KeyPair;
+import java.util.Arrays;
+import java.util.concurrent.atomic.AtomicReference;
+
+@KeyLoadingScoped
+public class P12LoadController implements FxController {
+
+	private static final Logger LOG = LoggerFactory.getLogger(P12LoadController.class);
+
+	private final Stage window;
+	private final Environment env;
+	private final AtomicReference<KeyPair> keyPairRef;
+	private final UserInteractionLock<HubKeyLoadingModule.P12KeyLoading> p12LoadingLock;
+	private final BooleanProperty userInteractionDisabled = new SimpleBooleanProperty();
+	private final ObjectBinding<ContentDisplay> unlockButtonContentDisplay = Bindings.createObjectBinding(this::getUnlockButtonContentDisplay, userInteractionDisabled);
+
+	public NiceSecurePasswordField passwordField;
+
+	@Inject
+	public P12LoadController(@KeyLoading Stage window, Environment env, AtomicReference<KeyPair> keyPairRef, UserInteractionLock<HubKeyLoadingModule.P12KeyLoading> p12LoadingLock) {
+		this.window = window;
+		this.env = env;
+		this.keyPairRef = keyPairRef;
+		this.p12LoadingLock = p12LoadingLock;
+	}
+
+	@FXML
+	public void cancel() {
+		window.close();
+	}
+
+	@FXML
+	public void load() {
+		char[] pw = passwordField.copyChars();
+		try {
+			Path p12File = env.getP12Path().filter(Files::isRegularFile).findFirst().orElseThrow(IllegalStateException::new);
+			var keyPair = P12AccessHelper.loadExisting(p12File, pw);
+			setKeyPair(keyPair);
+			LOG.debug("Loaded .p12 file {}", p12File);
+			p12LoadingLock.interacted(HubKeyLoadingModule.P12KeyLoading.LOADED);
+			window.close();
+		} catch (InvalidPassphraseException e) {
+			LOG.warn("Invalid passphrase entered for .p12 file");
+			Animations.createShakeWindowAnimation(window).playFromStart();
+			// TODO
+		} catch (IOException e) {
+			LOG.error("Failed to load .p12 file.", e);
+			// TODO
+		} finally {
+			Arrays.fill(pw, '\0');
+			passwordField.wipe();
+		}
+	}
+
+	private void setKeyPair(KeyPair keyPair) {
+		var oldKeyPair = keyPairRef.getAndSet(keyPair);
+		if (oldKeyPair != null) {
+			Destroyables.destroySilently(oldKeyPair.getPrivate());
+		}
+	}
+
+	/* Getter/Setter */
+
+	public BooleanExpression userInteractionDisabledProperty() {
+		return userInteractionDisabled;
+	}
+
+	public boolean isUserInteractionDisabled() {
+		return userInteractionDisabled.get();
+	}
+
+	public ObjectExpression<ContentDisplay> unlockButtonContentDisplayProperty() {
+		return unlockButtonContentDisplay;
+	}
+
+	public ContentDisplay getUnlockButtonContentDisplay() {
+		return userInteractionDisabled.get() ? ContentDisplay.LEFT : ContentDisplay.TEXT_ONLY;
+	}
+}
diff --git a/src/main/resources/fxml/hub_p12.fxml b/src/main/resources/fxml/hub_p12.fxml
new file mode 100644
index 000000000..505e2b8a6
--- /dev/null
+++ b/src/main/resources/fxml/hub_p12.fxml
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<?import javafx.geometry.Insets?>
+<?import javafx.scene.layout.VBox?>
+<VBox xmlns:fx="http://javafx.com/fxml"
+	  xmlns="http://javafx.com/javafx"
+	  fx:controller="org.cryptomator.ui.keyloading.hub.P12Controller"
+	  minWidth="400"
+	  maxWidth="400"
+	  minHeight="145"
+	  spacing="12">
+	<padding>
+		<Insets topRightBottomLeft="12"/>
+	</padding>
+	<children>
+		<fx:include source="hub_p12_load.fxml" visible="${controller.p12Present}" managed="${controller.p12Present}"/>
+		<fx:include source="hub_p12_create.fxml" visible="${!controller.p12Present}" managed="${!controller.p12Present}"/>
+	</children>
+</VBox>
diff --git a/src/main/resources/fxml/hub_p12_create.fxml b/src/main/resources/fxml/hub_p12_create.fxml
new file mode 100644
index 000000000..4a2014149
--- /dev/null
+++ b/src/main/resources/fxml/hub_p12_create.fxml
@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<?import org.cryptomator.ui.controls.FontAwesome5Spinner?>
+<?import javafx.geometry.Insets?>
+<?import javafx.scene.control.Button?>
+<?import javafx.scene.control.ButtonBar?>
+<?import javafx.scene.image.Image?>
+<?import javafx.scene.image.ImageView?>
+<?import javafx.scene.layout.HBox?>
+<?import javafx.scene.layout.VBox?>
+<VBox xmlns:fx="http://javafx.com/fxml"
+	  xmlns="http://javafx.com/javafx"
+	  fx:controller="org.cryptomator.ui.keyloading.hub.P12CreateController"
+	  spacing="12">
+	<padding>
+		<Insets topRightBottomLeft="12"/>
+	</padding>
+	<children>
+		<HBox spacing="12" VBox.vgrow="ALWAYS">
+			<ImageView VBox.vgrow="ALWAYS" fitWidth="64" preserveRatio="true" smooth="true" cache="true" visible="false">
+				<Image url="@../img/bot/bot.png"/>
+			</ImageView>
+			<fx:include fx:id="newPassword" source="new_password.fxml" disable="${controller.userInteractionDisabled}"/>
+		</HBox>
+
+		<VBox alignment="BOTTOM_CENTER" VBox.vgrow="ALWAYS">
+			<ButtonBar buttonMinWidth="120" buttonOrder="+CO">
+				<buttons>
+					<Button text="%generic.button.cancel" ButtonBar.buttonData="CANCEL_CLOSE" cancelButton="true" onAction="#cancel" disable="${controller.userInteractionDisabled}"/>
+					<Button text="%generic.button.next" ButtonBar.buttonData="OK_DONE" defaultButton="true" onAction="#create" contentDisplay="${controller.unlockButtonContentDisplay}" disable="${!controller.readyToCreate || controller.userInteractionDisabled}">
+						<graphic>
+							<FontAwesome5Spinner glyphSize="12"/>
+						</graphic>
+					</Button>
+				</buttons>
+			</ButtonBar>
+		</VBox>
+	</children>
+</VBox>
diff --git a/src/main/resources/fxml/hub_p12_load.fxml b/src/main/resources/fxml/hub_p12_load.fxml
new file mode 100644
index 000000000..d76d1b16a
--- /dev/null
+++ b/src/main/resources/fxml/hub_p12_load.fxml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<?import org.cryptomator.ui.controls.FontAwesome5Spinner?>
+<?import org.cryptomator.ui.controls.NiceSecurePasswordField?>
+<?import javafx.geometry.Insets?>
+<?import javafx.scene.control.Button?>
+<?import javafx.scene.control.ButtonBar?>
+<?import javafx.scene.control.CheckBox?>
+<?import javafx.scene.control.Hyperlink?>
+<?import javafx.scene.control.Label?>
+<?import javafx.scene.image.Image?>
+<?import javafx.scene.image.ImageView?>
+<?import javafx.scene.layout.HBox?>
+<?import javafx.scene.layout.VBox?>
+<VBox xmlns:fx="http://javafx.com/fxml"
+	  xmlns="http://javafx.com/javafx"
+	  fx:controller="org.cryptomator.ui.keyloading.hub.P12LoadController"
+	  spacing="12">
+	<padding>
+		<Insets topRightBottomLeft="12"/>
+	</padding>
+	<children>
+		<HBox spacing="12" VBox.vgrow="ALWAYS">
+			<ImageView VBox.vgrow="ALWAYS" fitWidth="64" preserveRatio="true" smooth="true" cache="true" visible="false">
+				<Image url="@../img/bot/bot.png"/>
+			</ImageView>
+			<VBox spacing="6" HBox.hgrow="ALWAYS">
+				<Label text="TODO: Please enter your device secret to start communicating with Cryptomator Hub"/>
+				<NiceSecurePasswordField fx:id="passwordField" disable="${controller.userInteractionDisabled}"/>
+				<CheckBox fx:id="savePasswordCheckbox" text="TODO save password" disable="${controller.userInteractionDisabled}"/>
+				<Hyperlink text="TODO: Click to reset your device secret (you need to re-apply for vault access)"/>
+			</VBox>
+		</HBox>
+
+		<VBox alignment="BOTTOM_CENTER" VBox.vgrow="ALWAYS">
+			<ButtonBar buttonMinWidth="120" buttonOrder="+CO">
+				<buttons>
+					<Button text="%generic.button.cancel" ButtonBar.buttonData="CANCEL_CLOSE" cancelButton="true" onAction="#cancel" disable="${controller.userInteractionDisabled}"/>
+					<Button text="%generic.button.next" ButtonBar.buttonData="OK_DONE" defaultButton="true" onAction="#load" contentDisplay="${controller.unlockButtonContentDisplay}" disable="${controller.userInteractionDisabled}">
+						<graphic>
+							<FontAwesome5Spinner glyphSize="12"/>
+						</graphic>
+					</Button>
+				</buttons>
+			</ButtonBar>
+		</VBox>
+	</children>
+</VBox>

From 7fabc6f52d04412d55504b3e1492ec0c784cd57c Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Thu, 29 Jul 2021 16:57:28 +0200
Subject: [PATCH 03/55] spawn server listening on localhost, used for oauth
 redirect_uri

---
 pom.xml                                       |   7 ++
 src/main/java/module-info.java                |   1 +
 .../ui/keyloading/hub/AuthReceiver.java       | 118 ++++++++++++++++++
 .../keyloading/hub/HubKeyLoadingStrategy.java |  50 +++++---
 .../hub/ReceiveEncryptedMasterkeyTask.java    |  31 +++++
 .../ui/keyloading/hub/AuthReceiverTest.java   |  23 ++++
 src/test/resources/logback-test.xml           |  11 ++
 7 files changed, 222 insertions(+), 19 deletions(-)
 create mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/AuthReceiver.java
 create mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveEncryptedMasterkeyTask.java
 create mode 100644 src/test/java/org/cryptomator/ui/keyloading/hub/AuthReceiverTest.java
 create mode 100644 src/test/resources/logback-test.xml

diff --git a/pom.xml b/pom.xml
index 581a4c70c..8fd91628f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -48,6 +48,7 @@
 		<zxcvbn.version>1.5.2</zxcvbn.version>
 		<slf4j.version>1.7.31</slf4j.version>
 		<logback.version>1.2.3</logback.version>
+		<jetty.version>10.0.6</jetty.version>
 
 		<!-- test dependencies -->
 		<junit.jupiter.version>5.7.2</junit.jupiter.version>
@@ -136,6 +137,12 @@
 			<version>${bouncycastle.version}</version>
 		</dependency>
 
+		<dependency>
+			<groupId>org.eclipse.jetty</groupId>
+			<artifactId>jetty-server</artifactId>
+			<version>${jetty.version}</version>
+		</dependency>
+
 		<!-- JWT -->
 		<dependency>
 			<groupId>com.auth0</groupId>
diff --git a/src/main/java/module-info.java b/src/main/java/module-info.java
index dfb03a6c4..33d384785 100644
--- a/src/main/java/module-info.java
+++ b/src/main/java/module-info.java
@@ -21,6 +21,7 @@ module org.cryptomator.desktop {
 	requires com.nulabinc.zxcvbn;
 	requires org.slf4j;
 	requires org.apache.commons.lang3;
+	requires org.eclipse.jetty.server;
 	requires dagger;
 	requires com.auth0.jwt;
 	requires org.bouncycastle.provider;
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthReceiver.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthReceiver.java
new file mode 100644
index 000000000..dfb37a2ab
--- /dev/null
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthReceiver.java
@@ -0,0 +1,118 @@
+package org.cryptomator.ui.keyloading.hub;
+
+import com.google.common.io.BaseEncoding;
+import org.eclipse.jetty.server.Connector;
+import org.eclipse.jetty.server.Request;
+import org.eclipse.jetty.server.Server;
+import org.eclipse.jetty.server.ServerConnector;
+import org.eclipse.jetty.server.handler.AbstractHandler;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.nio.charset.StandardCharsets;
+import java.util.Queue;
+import java.util.concurrent.BlockingQueue;
+import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+import java.util.concurrent.Future;
+import java.util.concurrent.LinkedBlockingQueue;
+import java.util.concurrent.LinkedTransferQueue;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.TimeoutException;
+import java.util.concurrent.TransferQueue;
+import java.util.function.Consumer;
+
+/**
+ * A basic implementation for RFC 8252, Section 7.3:
+ * <p>
+ * We're spawning a local http server on a system-assigned high port and
+ * use <code>http://127.0.0.1:{PORT}/success</code> as a redirect URI.
+ * <p>
+ * Furthermore, we can deliver a html response to inform the user that the
+ * auth workflow finished and she can close the browser tab.
+ */
+class AuthReceiver implements AutoCloseable {
+
+	private static final String REDIRECT_SCHEME = "http";
+	private static final String LOOPBACK_ADDR = "127.0.0.1";
+	private static final String JSON_200 = """
+					{"status": "success"}
+					""";
+	private static final String JSON_400 = """
+					{"status": "missing param key"}
+					""";
+
+	private final Server server;
+	private final ServerConnector connector;
+	private final Handler handler;
+
+	private AuthReceiver(Server server, ServerConnector connector, Handler handler) {
+		assert server.isRunning();
+		this.server = server;
+		this.connector = connector;
+		this.handler = handler;
+	}
+
+	public URI getRedirectURL() {
+		try {
+			return new URI(REDIRECT_SCHEME, null, LOOPBACK_ADDR, connector.getLocalPort(), null, null, null);
+		} catch (URISyntaxException e) {
+			throw new IllegalStateException("URI constructed from well-formed components.", e);
+		}
+	}
+
+	public static AuthReceiver start() throws Exception {
+		Server server = new Server();
+		var handler = new Handler();
+		var connector = new ServerConnector(server);
+		connector.setPort(0);
+		connector.setHost(LOOPBACK_ADDR);
+		server.setConnectors(new Connector[]{connector});
+		server.setHandler(handler);
+		server.start();
+		return new AuthReceiver(server, connector, handler);
+	}
+
+	public String receive() throws InterruptedException {
+		return handler.receivedKeys.take();
+	}
+
+	@Override
+	public void close() throws Exception {
+		server.stop();
+	}
+
+	private static class Handler extends AbstractHandler {
+
+		private final BlockingQueue<String> receivedKeys = new LinkedBlockingQueue<>();
+
+		@Override
+		public void handle(String target, Request baseRequest, HttpServletRequest req, HttpServletResponse res) throws IOException {
+			baseRequest.setHandled(true);
+			var key = req.getParameter("key");
+			byte[] response;
+			if (key != null) {
+				res.setStatus(HttpServletResponse.SC_OK);
+				response = JSON_200.getBytes(StandardCharsets.UTF_8);
+			} else {
+				res.setStatus(HttpServletResponse.SC_BAD_REQUEST);
+				response = JSON_400.getBytes(StandardCharsets.UTF_8);
+			}
+			res.setContentType("application/json;charset=utf-8");
+			res.setContentLength(response.length);
+			res.getOutputStream().write(response);
+			res.getOutputStream().flush();
+
+			// the following line might trigger a server shutdown,
+			// so let's make sure the response is flushed first
+			if (key != null) {
+				receivedKeys.add(key);
+			}
+		}
+	}
+}
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java
index 367db4d6e..38a6643b0 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java
@@ -1,5 +1,7 @@
 package org.cryptomator.ui.keyloading.hub;
 
+import com.google.common.base.Preconditions;
+import com.google.common.base.Splitter;
 import dagger.Lazy;
 import org.cryptomator.common.vaults.Vault;
 import org.cryptomator.cryptolib.api.Masterkey;
@@ -12,23 +14,28 @@ import org.cryptomator.ui.keyloading.KeyLoadingStrategy;
 import org.cryptomator.ui.unlock.UnlockCancelledException;
 
 import javax.inject.Inject;
+import javafx.application.Application;
 import javafx.application.Platform;
 import javafx.scene.Scene;
 import javafx.stage.Stage;
 import javafx.stage.Window;
 import java.net.URI;
 import java.net.URISyntaxException;
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;
 import java.security.KeyPair;
+import java.util.concurrent.ExecutorService;
 import java.util.concurrent.atomic.AtomicReference;
 
 @KeyLoading
 public class HubKeyLoadingStrategy implements KeyLoadingStrategy {
 
-	static final String SCHEME_HUB_HTTP = "hub+http";
-	static final String SCHEME_HUB_HTTPS = "hub+https";
-	private static final String SCHEME_HTTP = "http";
-	private static final String SCHEME_HTTPS = "https";
+	private static final String SCHEME_PREFIX = "hub+";
+	static final String SCHEME_HUB_HTTP = SCHEME_PREFIX + "http";
+	static final String SCHEME_HUB_HTTPS = SCHEME_PREFIX + "https";
 
+	private final Application application;
+	private final ExecutorService executor;
 	private final Vault vault;
 	private final Stage window;
 	private final Lazy<Scene> p12LoadingScene;
@@ -36,7 +43,9 @@ public class HubKeyLoadingStrategy implements KeyLoadingStrategy {
 	private final AtomicReference<KeyPair> keyPairRef;
 
 	@Inject
-	public HubKeyLoadingStrategy(@KeyLoading Vault vault, @KeyLoading Stage window, @FxmlScene(FxmlFile.HUB_P12) Lazy<Scene> p12LoadingScene, UserInteractionLock<HubKeyLoadingModule.P12KeyLoading> p12LoadingLock, AtomicReference<KeyPair> keyPairRef) {
+	public HubKeyLoadingStrategy(Application application, ExecutorService executor, @KeyLoading Vault vault, @KeyLoading Stage window, @FxmlScene(FxmlFile.HUB_P12) Lazy<Scene> p12LoadingScene, UserInteractionLock<HubKeyLoadingModule.P12KeyLoading> p12LoadingLock, AtomicReference<KeyPair> keyPairRef) {
+		this.application = application;
+		this.executor = executor;
 		this.vault = vault;
 		this.window = window;
 		this.p12LoadingScene = p12LoadingScene;
@@ -46,23 +55,14 @@ public class HubKeyLoadingStrategy implements KeyLoadingStrategy {
 
 	@Override
 	public Masterkey loadKey(URI keyId) throws MasterkeyLoadingFailedException {
-		return switch (keyId.getScheme().toLowerCase()) {
-			case SCHEME_HUB_HTTP -> loadKey(keyId, SCHEME_HTTP);
-			case SCHEME_HUB_HTTPS -> loadKey(keyId, SCHEME_HTTPS);
-			default -> throw new IllegalArgumentException("Only supports keys with schemes " + SCHEME_HUB_HTTP + " or " + SCHEME_HUB_HTTPS);
-		};
-	}
-
-	private Masterkey loadKey(URI keyId, String adjustedScheme) {
-		try {
-			var foo = new URI(adjustedScheme, keyId.getSchemeSpecificPart(), keyId.getFragment());
-		} catch (URISyntaxException e) {
-			throw new IllegalStateException("URI known to be valid, if old URI was valid", e);
-		}
-
+		Preconditions.checkArgument(keyId.getScheme().startsWith(SCHEME_PREFIX));
 		try {
 			loadP12();
 			LOG.info("keypair loaded {}", keyPairRef.get().getPublic());
+			var task = new ReceiveEncryptedMasterkeyTask(redirectUri -> {
+				openBrowser(keyId, redirectUri);
+			});
+			executor.submit(task);
 			throw new UnlockCancelledException("not yet implemented"); // TODO
 		} catch (InterruptedException e) {
 			Thread.currentThread().interrupt();
@@ -70,6 +70,18 @@ public class HubKeyLoadingStrategy implements KeyLoadingStrategy {
 		}
 	}
 
+	private void openBrowser(URI keyId, URI redirectUri) {
+		Preconditions.checkArgument(keyId.getScheme().startsWith(SCHEME_PREFIX));
+		var httpScheme = keyId.getScheme().substring(SCHEME_PREFIX.length());
+		var redirectParam = "redirect_uri="+ URLEncoder.encode(redirectUri.toString(), StandardCharsets.US_ASCII);
+		try {
+			var uri = new URI(httpScheme, keyId.getAuthority(), keyId.getPath(), redirectParam, null);
+			application.getHostServices().showDocument(uri.toString());
+		} catch (URISyntaxException e) {
+			throw new IllegalStateException("URI constructed from params known to be valid", e);
+		}
+	}
+
 	private HubKeyLoadingModule.P12KeyLoading loadP12() throws InterruptedException {
 		Platform.runLater(() -> {
 			window.setScene(p12LoadingScene.get());
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveEncryptedMasterkeyTask.java b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveEncryptedMasterkeyTask.java
new file mode 100644
index 000000000..70a08cca6
--- /dev/null
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveEncryptedMasterkeyTask.java
@@ -0,0 +1,31 @@
+package org.cryptomator.ui.keyloading.hub;
+
+import com.google.common.io.BaseEncoding;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javafx.concurrent.Task;
+import java.net.URI;
+import java.util.function.Consumer;
+
+class ReceiveEncryptedMasterkeyTask extends Task<byte[]> {
+
+	private static final Logger LOG = LoggerFactory.getLogger(ReceiveEncryptedMasterkeyTask.class);
+
+	private final Consumer<URI> redirectUriConsumer;
+
+	public ReceiveEncryptedMasterkeyTask(Consumer<URI> redirectUriConsumer) {
+		this.redirectUriConsumer = redirectUriConsumer;
+	}
+
+	@Override
+	protected byte[] call() throws Exception {
+		try (var receiver = AuthReceiver.start()) {
+			var redirectUri = receiver.getRedirectURL();
+			LOG.debug("Waiting for key on {}", redirectUri);
+			redirectUriConsumer.accept(redirectUri);
+			var token = receiver.receive();
+			return BaseEncoding.base64Url().decode(token);
+		}
+	}
+}
diff --git a/src/test/java/org/cryptomator/ui/keyloading/hub/AuthReceiverTest.java b/src/test/java/org/cryptomator/ui/keyloading/hub/AuthReceiverTest.java
new file mode 100644
index 000000000..531f63415
--- /dev/null
+++ b/src/test/java/org/cryptomator/ui/keyloading/hub/AuthReceiverTest.java
@@ -0,0 +1,23 @@
+package org.cryptomator.ui.keyloading.hub;
+
+public class AuthReceiverTest {
+
+	static {
+		System.setProperty("LOGLEVEL", "INFO");
+	}
+
+	public static void main(String[] args) {
+		try (var receiver = AuthReceiver.start()) {
+			System.out.println("Waiting on " + receiver.getRedirectURL());
+			var token = receiver.receive();
+			System.out.println("SUCCESS: " + token);
+		} catch (InterruptedException e) {
+			Thread.currentThread().interrupt();
+			System.out.println("CANCELLED");
+		} catch (Exception e) {
+			System.out.println("ERROR");
+			e.printStackTrace();
+		}
+	}
+
+}
\ No newline at end of file
diff --git a/src/test/resources/logback-test.xml b/src/test/resources/logback-test.xml
new file mode 100644
index 000000000..51bfcac67
--- /dev/null
+++ b/src/test/resources/logback-test.xml
@@ -0,0 +1,11 @@
+<configuration>
+	<appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
+		<encoder>
+			<pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</pattern>
+		</encoder>
+	</appender>
+
+	<root level="${LOGLEVEL:-debug}">
+		<appender-ref ref="STDOUT" />
+	</root>
+</configuration>
\ No newline at end of file

From d938b1c3f72ac1b73bc7095972908572a109634c Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Fri, 30 Jul 2021 16:55:05 +0200
Subject: [PATCH 04/55] keep window open while waiting for http callback

---
 src/main/java/module-info.java                |  13 +-
 .../org/cryptomator/ui/common/FxmlFile.java   |   1 +
 .../ui/keyloading/hub/AuthController.java     | 151 ++++++++++++++++++
 .../ui/keyloading/hub/AuthParams.java         |  12 ++
 .../ui/keyloading/hub/AuthReceiveTask.java    |  35 ++++
 .../ui/keyloading/hub/AuthReceiver.java       |  33 ++--
 .../keyloading/hub/HubKeyLoadingModule.java   |  29 +++-
 .../keyloading/hub/HubKeyLoadingStrategy.java |  46 ++----
 .../ui/keyloading/hub/P12AccessHelper.java    |   2 +-
 .../ui/keyloading/hub/P12Controller.java      |  32 +---
 .../keyloading/hub/P12CreateController.java   |  25 ++-
 .../ui/keyloading/hub/P12LoadController.java  |  25 ++-
 .../hub/ReceiveEncryptedMasterkeyTask.java    |  31 ----
 .../MasterkeyFileLoadingModule.java           |   4 +-
 .../MasterkeyFileLoadingStrategy.java         |   4 +-
 .../PassphraseEntryController.java            |   4 +-
 .../SelectMasterkeyFileController.java        |   4 +-
 src/main/resources/fxml/hub_auth.fxml         |  44 +++++
 src/main/resources/fxml/hub_p12_create.fxml   |   2 +-
 src/main/resources/fxml/hub_p12_load.fxml     |   2 +-
 20 files changed, 357 insertions(+), 142 deletions(-)
 create mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/AuthController.java
 create mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/AuthParams.java
 create mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/AuthReceiveTask.java
 delete mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveEncryptedMasterkeyTask.java
 create mode 100644 src/main/resources/fxml/hub_auth.fxml

diff --git a/src/main/java/module-info.java b/src/main/java/module-info.java
index 33d384785..a2da43316 100644
--- a/src/main/java/module-info.java
+++ b/src/main/java/module-info.java
@@ -9,23 +9,26 @@ module org.cryptomator.desktop {
 	requires org.cryptomator.frontend.fuse;
 	requires org.cryptomator.frontend.webdav;
 	requires org.cryptomator.integrations.api;
+	// jdk:
 	requires java.desktop;
 	requires java.net.http;
 	requires javafx.base;
 	requires javafx.graphics;
 	requires javafx.controls;
 	requires javafx.fxml;
-	requires com.tobiasdiez.easybind;
+	requires jdk.crypto.ec;
+	// 3rd party:
+	requires com.auth0.jwt;
 	requires com.google.common;
 	requires com.google.gson;
 	requires com.nulabinc.zxcvbn;
-	requires org.slf4j;
-	requires org.apache.commons.lang3;
-	requires org.eclipse.jetty.server;
+	requires com.tobiasdiez.easybind;
 	requires dagger;
-	requires com.auth0.jwt;
+	requires org.slf4j;
 	requires org.bouncycastle.provider;
 	requires org.bouncycastle.pkix;
+	requires org.apache.commons.lang3;
+	requires org.eclipse.jetty.server;
 
 	/* TODO: filename-based modules: */
 	requires static javax.inject; /* ugly dagger/guava crap */
diff --git a/src/main/java/org/cryptomator/ui/common/FxmlFile.java b/src/main/java/org/cryptomator/ui/common/FxmlFile.java
index a6c3a72e6..6fc36d48c 100644
--- a/src/main/java/org/cryptomator/ui/common/FxmlFile.java
+++ b/src/main/java/org/cryptomator/ui/common/FxmlFile.java
@@ -15,6 +15,7 @@ public enum FxmlFile {
 	HEALTH_START_FAIL("/fxml/health_start_fail.fxml"), //
 	HEALTH_CHECK_LIST("/fxml/health_check_list.fxml"), //
 	HUB_P12("/fxml/hub_p12.fxml"), //
+	HUB_AUTH("/fxml/hub_auth.fxml"), //
 	LOCK_FORCED("/fxml/lock_forced.fxml"), //
 	LOCK_FAILED("/fxml/lock_failed.fxml"), //
 	MAIN_WINDOW("/fxml/main_window.fxml"), //
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthController.java
new file mode 100644
index 000000000..cd4f8331c
--- /dev/null
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthController.java
@@ -0,0 +1,151 @@
+package org.cryptomator.ui.keyloading.hub;
+
+import com.google.common.base.Preconditions;
+import org.cryptomator.ui.common.ErrorComponent;
+import org.cryptomator.ui.common.FxController;
+import org.cryptomator.ui.common.UserInteractionLock;
+import org.cryptomator.ui.keyloading.KeyLoading;
+import org.cryptomator.ui.keyloading.KeyLoadingScoped;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.inject.Inject;
+import javafx.application.Application;
+import javafx.beans.binding.Bindings;
+import javafx.beans.binding.BooleanBinding;
+import javafx.beans.binding.ObjectBinding;
+import javafx.beans.binding.StringBinding;
+import javafx.beans.property.ObjectProperty;
+import javafx.beans.property.SimpleObjectProperty;
+import javafx.concurrent.WorkerStateEvent;
+import javafx.fxml.FXML;
+import javafx.stage.Stage;
+import javafx.stage.WindowEvent;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;
+import java.security.KeyPair;
+import java.util.Objects;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.atomic.AtomicReference;
+
+@KeyLoadingScoped
+public class AuthController implements FxController {
+
+	private static final Logger LOG = LoggerFactory.getLogger(AuthController.class);
+
+	private final Application application;
+	private final ExecutorService executor;
+	private final Stage window;
+	private final KeyPair keyPair;
+	private final UserInteractionLock<HubKeyLoadingModule.AuthFlow> authFlowLock;
+	private final AtomicReference<URI> hubUriRef;
+	private final ErrorComponent.Builder errorComponent;
+	private final ObjectProperty<URI> redirectUriRef;
+	private final ObjectBinding<URI> authUri;
+	private final StringBinding authUriHost;
+	private final BooleanBinding ready;
+	private final AuthReceiveTask receiveTask;
+
+	@Inject
+	public AuthController(Application application, ExecutorService executor, @KeyLoading Stage window, AtomicReference<KeyPair> keyPairRef, UserInteractionLock<HubKeyLoadingModule.AuthFlow> authFlowLock, AtomicReference<URI> hubUriRef, ErrorComponent.Builder errorComponent) {
+		this.application = application;
+		this.executor = executor;
+		this.window = window;
+		this.keyPair = Objects.requireNonNull(keyPairRef.get());
+		this.authFlowLock = authFlowLock;
+		this.hubUriRef = hubUriRef;
+		this.errorComponent = errorComponent;
+		this.redirectUriRef = new SimpleObjectProperty<>();
+		this.authUri = Bindings.createObjectBinding(this::getAuthUri, redirectUriRef);
+		this.authUriHost = Bindings.createStringBinding(this::getAuthUriHost, authUri);
+		this.ready = authUri.isNotNull();
+		this.receiveTask = new AuthReceiveTask(redirectUriRef::set);
+		this.window.addEventHandler(WindowEvent.WINDOW_HIDING, this::windowClosed);
+	}
+
+	@FXML
+	public void initialize() {
+		Preconditions.checkState(hubUriRef.get() != null);
+		receiveTask.setOnSucceeded(this::receivedKey);
+		receiveTask.setOnFailed(this::keyRetrievalFailed);
+		executor.submit(receiveTask);
+	}
+
+	private void keyRetrievalFailed(WorkerStateEvent workerStateEvent) {
+		LOG.error("Cryptomator Hub login failed with error", receiveTask.getException());
+		authFlowLock.interacted(HubKeyLoadingModule.AuthFlow.FAILED);
+		errorComponent.cause(receiveTask.getException()).window(window).build().showErrorScene();
+	}
+
+	private void receivedKey(WorkerStateEvent workerStateEvent) {
+		var authParams = receiveTask.getValue();
+		LOG.info("Cryptomator Hub login succeeded: {} encrypted with {}", authParams, keyPair.getPublic());
+		// TODO decrypt and return masterkey
+		authFlowLock.interacted(HubKeyLoadingModule.AuthFlow.SUCCESS);
+		window.close();
+	}
+
+	@FXML
+	public void cancel() {
+		window.close();
+	}
+
+	private void windowClosed(WindowEvent windowEvent) {
+		// stop server, if it is still running
+		receiveTask.cancel();
+		// if not already interacted, mark this workflow as cancelled:
+		if (authFlowLock.awaitingInteraction().get()) {
+			LOG.debug("Authorization cancelled by user.");
+			authFlowLock.interacted(HubKeyLoadingModule.AuthFlow.CANCELLED);
+		}
+	}
+
+	@FXML
+	public void openBrowser() {
+		assert getAuthUri() != null;
+		application.getHostServices().showDocument(getAuthUri().toString());
+	}
+
+	/* Getter/Setter */
+
+	public ObjectBinding<URI> authUriProperty() {
+		return authUri;
+	}
+
+	public URI getAuthUri() {
+		var hubUri = hubUriRef.get();
+		var redirectUri = redirectUriRef.get();
+		if (hubUri == null || redirectUri == null) {
+			return null;
+		}
+		var redirectParam = "redirect_uri=" + URLEncoder.encode(redirectUri.toString(), StandardCharsets.US_ASCII);
+		try {
+			return new URI(hubUri.getScheme(), hubUri.getAuthority(), hubUri.getPath(), redirectParam, null);
+		} catch (URISyntaxException e) {
+			throw new IllegalStateException("URI constructed from params known to be valid", e);
+		}
+	}
+
+	public StringBinding authUriHostProperty() {
+		return authUriHost;
+	}
+
+	public String getAuthUriHost() {
+		var authUri = getAuthUri();
+		if (authUri == null) {
+			return null;
+		} else {
+			return authUri.getHost();
+		}
+	}
+
+	public BooleanBinding readyProperty() {
+		return ready;
+	}
+
+	public boolean isReady() {
+		return ready.get();
+	}
+}
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthParams.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthParams.java
new file mode 100644
index 000000000..d08aa28a1
--- /dev/null
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthParams.java
@@ -0,0 +1,12 @@
+package org.cryptomator.ui.keyloading.hub;
+
+/**
+ * Parameters required to decrypt the masterkey:
+ * <ul>
+ *     <li><code>m</code> Encrypted Masterkey (Base64-encoded)</li>
+ *     <li><code>epk</code> Ephemeral Public Key (TODO: PEM-encoded?)</li>
+ * </ul>
+ */
+record AuthParams(String m, String epk) {
+
+}
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthReceiveTask.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthReceiveTask.java
new file mode 100644
index 000000000..8ae71f81f
--- /dev/null
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthReceiveTask.java
@@ -0,0 +1,35 @@
+package org.cryptomator.ui.keyloading.hub;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javafx.application.Platform;
+import javafx.concurrent.Task;
+import java.net.URI;
+import java.util.function.Consumer;
+
+class AuthReceiveTask extends Task<AuthParams> {
+
+	private static final Logger LOG = LoggerFactory.getLogger(AuthReceiveTask.class);
+
+	private final Consumer<URI> redirectUriConsumer;
+
+	/**
+	 * Spawns a server and waits for the redirectUri to be called.
+	 *
+	 * @param redirectUriConsumer A callback invoked with the redirectUri, as soon as the server has started
+	 */
+	public AuthReceiveTask(Consumer<URI> redirectUriConsumer) {
+		this.redirectUriConsumer = redirectUriConsumer;
+	}
+
+	@Override
+	protected AuthParams call() throws Exception {
+		try (var receiver = AuthReceiver.start()) {
+			var redirectUri = receiver.getRedirectURL();
+			Platform.runLater(() -> redirectUriConsumer.accept(redirectUri));
+			LOG.debug("Waiting for key on {}", redirectUri);
+			return receiver.receive();
+		}
+	}
+}
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthReceiver.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthReceiver.java
index dfb37a2ab..6e5ca5b56 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthReceiver.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthReceiver.java
@@ -1,6 +1,5 @@
 package org.cryptomator.ui.keyloading.hub;
 
-import com.google.common.io.BaseEncoding;
 import org.eclipse.jetty.server.Connector;
 import org.eclipse.jetty.server.Request;
 import org.eclipse.jetty.server.Server;
@@ -13,19 +12,8 @@ import java.io.IOException;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.nio.charset.StandardCharsets;
-import java.util.Queue;
 import java.util.concurrent.BlockingQueue;
-import java.util.concurrent.CompletableFuture;
-import java.util.concurrent.ExecutionException;
-import java.util.concurrent.ExecutorService;
-import java.util.concurrent.Executors;
-import java.util.concurrent.Future;
 import java.util.concurrent.LinkedBlockingQueue;
-import java.util.concurrent.LinkedTransferQueue;
-import java.util.concurrent.TimeUnit;
-import java.util.concurrent.TimeoutException;
-import java.util.concurrent.TransferQueue;
-import java.util.function.Consumer;
 
 /**
  * A basic implementation for RFC 8252, Section 7.3:
@@ -41,11 +29,11 @@ class AuthReceiver implements AutoCloseable {
 	private static final String REDIRECT_SCHEME = "http";
 	private static final String LOOPBACK_ADDR = "127.0.0.1";
 	private static final String JSON_200 = """
-					{"status": "success"}
-					""";
+			{"status": "success"}
+			""";
 	private static final String JSON_400 = """
-					{"status": "missing param key"}
-					""";
+			{"status": "missing param"}
+			""";
 
 	private final Server server;
 	private final ServerConnector connector;
@@ -78,7 +66,7 @@ class AuthReceiver implements AutoCloseable {
 		return new AuthReceiver(server, connector, handler);
 	}
 
-	public String receive() throws InterruptedException {
+	public AuthParams receive() throws InterruptedException {
 		return handler.receivedKeys.take();
 	}
 
@@ -89,14 +77,15 @@ class AuthReceiver implements AutoCloseable {
 
 	private static class Handler extends AbstractHandler {
 
-		private final BlockingQueue<String> receivedKeys = new LinkedBlockingQueue<>();
+		private final BlockingQueue<AuthParams> receivedKeys = new LinkedBlockingQueue<>();
 
 		@Override
 		public void handle(String target, Request baseRequest, HttpServletRequest req, HttpServletResponse res) throws IOException {
 			baseRequest.setHandled(true);
-			var key = req.getParameter("key");
+			var m = req.getParameter("m"); // encrypted masterkey
+			var epk = req.getParameter("epk"); // ephemeral public key
 			byte[] response;
-			if (key != null) {
+			if (m != null && epk != null) {
 				res.setStatus(HttpServletResponse.SC_OK);
 				response = JSON_200.getBytes(StandardCharsets.UTF_8);
 			} else {
@@ -110,8 +99,8 @@ class AuthReceiver implements AutoCloseable {
 
 			// the following line might trigger a server shutdown,
 			// so let's make sure the response is flushed first
-			if (key != null) {
-				receivedKeys.add(key);
+			if (m != null && epk != null) {
+				receivedKeys.add(new AuthParams(m, epk));
 			}
 		}
 	}
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
index 132ef36d0..67f4e2fc4 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
@@ -18,6 +18,7 @@ import org.cryptomator.ui.keyloading.KeyLoadingScoped;
 import org.cryptomator.ui.keyloading.KeyLoadingStrategy;
 
 import javafx.scene.Scene;
+import java.net.URI;
 import java.security.KeyPair;
 import java.util.ResourceBundle;
 import java.util.concurrent.atomic.AtomicReference;
@@ -25,10 +26,10 @@ import java.util.concurrent.atomic.AtomicReference;
 @Module
 public abstract class HubKeyLoadingModule {
 
-	public enum P12KeyLoading {
-		LOADED,
-		CREATED,
-		CANCELED
+	public enum AuthFlow {
+		SUCCESS,
+		FAILED,
+		CANCELLED
 	}
 
 	@Provides
@@ -39,10 +40,16 @@ public abstract class HubKeyLoadingModule {
 
 	@Provides
 	@KeyLoadingScoped
-	static UserInteractionLock<P12KeyLoading> provideP12KeyLoadingLock() {
+	static UserInteractionLock<AuthFlow> provideAuthFlowLock() {
 		return new UserInteractionLock<>(null);
 	}
 
+	@Provides
+	@KeyLoadingScoped
+	static AtomicReference<URI> provideHubUri() {
+		return new AtomicReference<>();
+	}
+
 	@Binds
 	@IntoMap
 	@KeyLoadingScoped
@@ -62,6 +69,13 @@ public abstract class HubKeyLoadingModule {
 		return fxmlLoaders.createScene(FxmlFile.HUB_P12);
 	}
 
+	@Provides
+	@FxmlScene(FxmlFile.HUB_AUTH)
+	@KeyLoadingScoped
+	static Scene provideHubAuthScene(@KeyLoading FxmlLoaderFactory fxmlLoaders) {
+		return fxmlLoaders.createScene(FxmlFile.HUB_AUTH);
+	}
+
 	@Binds
 	@IntoMap
 	@FxControllerKey(P12Controller.class)
@@ -84,4 +98,9 @@ public abstract class HubKeyLoadingModule {
 		return new NewPasswordController(resourceBundle, strengthRater);
 	}
 
+	@Binds
+	@IntoMap
+	@FxControllerKey(AuthController.class)
+	abstract FxController bindAuthController(AuthController controller);
+
 }
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java
index 38a6643b0..b3830d22d 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java
@@ -1,7 +1,6 @@
 package org.cryptomator.ui.keyloading.hub;
 
 import com.google.common.base.Preconditions;
-import com.google.common.base.Splitter;
 import dagger.Lazy;
 import org.cryptomator.common.vaults.Vault;
 import org.cryptomator.cryptolib.api.Masterkey;
@@ -14,17 +13,13 @@ import org.cryptomator.ui.keyloading.KeyLoadingStrategy;
 import org.cryptomator.ui.unlock.UnlockCancelledException;
 
 import javax.inject.Inject;
-import javafx.application.Application;
 import javafx.application.Platform;
 import javafx.scene.Scene;
 import javafx.stage.Stage;
 import javafx.stage.Window;
 import java.net.URI;
 import java.net.URISyntaxException;
-import java.net.URLEncoder;
-import java.nio.charset.StandardCharsets;
 import java.security.KeyPair;
-import java.util.concurrent.ExecutorService;
 import java.util.concurrent.atomic.AtomicReference;
 
 @KeyLoading
@@ -34,55 +29,48 @@ public class HubKeyLoadingStrategy implements KeyLoadingStrategy {
 	static final String SCHEME_HUB_HTTP = SCHEME_PREFIX + "http";
 	static final String SCHEME_HUB_HTTPS = SCHEME_PREFIX + "https";
 
-	private final Application application;
-	private final ExecutorService executor;
 	private final Vault vault;
 	private final Stage window;
 	private final Lazy<Scene> p12LoadingScene;
-	private final UserInteractionLock<HubKeyLoadingModule.P12KeyLoading> p12LoadingLock;
-	private final AtomicReference<KeyPair> keyPairRef;
+	private final UserInteractionLock<HubKeyLoadingModule.AuthFlow> userInteraction;
+	private final AtomicReference<URI> hubUriRef;
 
 	@Inject
-	public HubKeyLoadingStrategy(Application application, ExecutorService executor, @KeyLoading Vault vault, @KeyLoading Stage window, @FxmlScene(FxmlFile.HUB_P12) Lazy<Scene> p12LoadingScene, UserInteractionLock<HubKeyLoadingModule.P12KeyLoading> p12LoadingLock, AtomicReference<KeyPair> keyPairRef) {
-		this.application = application;
-		this.executor = executor;
+	public HubKeyLoadingStrategy(@KeyLoading Vault vault, @KeyLoading Stage window, @FxmlScene(FxmlFile.HUB_P12) Lazy<Scene> p12LoadingScene, UserInteractionLock<HubKeyLoadingModule.AuthFlow> userInteraction, AtomicReference<URI> hubUriRef) {
 		this.vault = vault;
 		this.window = window;
 		this.p12LoadingScene = p12LoadingScene;
-		this.p12LoadingLock = p12LoadingLock;
-		this.keyPairRef = keyPairRef;
+		this.userInteraction = userInteraction;
+		this.hubUriRef = hubUriRef;
 	}
 
 	@Override
 	public Masterkey loadKey(URI keyId) throws MasterkeyLoadingFailedException {
-		Preconditions.checkArgument(keyId.getScheme().startsWith(SCHEME_PREFIX));
+		hubUriRef.set(getHubUri(keyId));
 		try {
-			loadP12();
-			LOG.info("keypair loaded {}", keyPairRef.get().getPublic());
-			var task = new ReceiveEncryptedMasterkeyTask(redirectUri -> {
-				openBrowser(keyId, redirectUri);
-			});
-			executor.submit(task);
-			throw new UnlockCancelledException("not yet implemented"); // TODO
+			switch (auth()) {
+				case SUCCESS -> LOG.debug("TODO success"); // TODO return key
+				//case FAILED -> LOG.error("failed to load keypair");
+				case CANCELLED -> throw new UnlockCancelledException("User cancelled auth workflow");
+			}
+			throw new UnlockCancelledException("not yet implemented"); // TODO remove
 		} catch (InterruptedException e) {
 			Thread.currentThread().interrupt();
 			throw new UnlockCancelledException("Loading interrupted", e);
 		}
 	}
 
-	private void openBrowser(URI keyId, URI redirectUri) {
+	private URI getHubUri(URI keyId) {
 		Preconditions.checkArgument(keyId.getScheme().startsWith(SCHEME_PREFIX));
-		var httpScheme = keyId.getScheme().substring(SCHEME_PREFIX.length());
-		var redirectParam = "redirect_uri="+ URLEncoder.encode(redirectUri.toString(), StandardCharsets.US_ASCII);
+		var hubUriScheme = keyId.getScheme().substring(SCHEME_PREFIX.length());
 		try {
-			var uri = new URI(httpScheme, keyId.getAuthority(), keyId.getPath(), redirectParam, null);
-			application.getHostServices().showDocument(uri.toString());
+			return new URI(hubUriScheme, keyId.getSchemeSpecificPart(), null);
 		} catch (URISyntaxException e) {
 			throw new IllegalStateException("URI constructed from params known to be valid", e);
 		}
 	}
 
-	private HubKeyLoadingModule.P12KeyLoading loadP12() throws InterruptedException {
+	private HubKeyLoadingModule.AuthFlow auth() throws InterruptedException {
 		Platform.runLater(() -> {
 			window.setScene(p12LoadingScene.get());
 			window.show();
@@ -94,7 +82,7 @@ public class HubKeyLoadingStrategy implements KeyLoadingStrategy {
 				window.centerOnScreen();
 			}
 		});
-		return p12LoadingLock.awaitInteraction();
+		return userInteraction.awaitInteraction();
 	}
 
 }
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/P12AccessHelper.java b/src/main/java/org/cryptomator/ui/keyloading/hub/P12AccessHelper.java
index b25a7b188..7e62c8a0c 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/P12AccessHelper.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/P12AccessHelper.java
@@ -93,7 +93,7 @@ class P12AccessHelper {
 			keyGen.initialize(new ECGenParameterSpec(EC_CURVE_NAME));
 			return keyGen;
 		} catch (NoSuchAlgorithmException | InvalidAlgorithmParameterException e) {
-			throw new IllegalStateException("secp256r1 curve not supported");
+			throw new IllegalStateException(EC_CURVE_NAME + " curve not supported");
 		}
 	}
 
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/P12Controller.java b/src/main/java/org/cryptomator/ui/keyloading/hub/P12Controller.java
index 0505bde28..84df68749 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/P12Controller.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/P12Controller.java
@@ -1,35 +1,17 @@
 package org.cryptomator.ui.keyloading.hub;
 
-import com.google.common.base.Preconditions;
 import org.cryptomator.common.Environment;
-import org.cryptomator.cryptolib.api.InvalidPassphraseException;
-import org.cryptomator.cryptolib.common.Destroyables;
 import org.cryptomator.ui.common.FxController;
-import org.cryptomator.ui.common.NewPasswordController;
 import org.cryptomator.ui.common.UserInteractionLock;
-import org.cryptomator.ui.controls.NiceSecurePasswordField;
 import org.cryptomator.ui.keyloading.KeyLoading;
 import org.cryptomator.ui.keyloading.KeyLoadingScoped;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import javax.inject.Inject;
-import javafx.beans.binding.Bindings;
-import javafx.beans.binding.BooleanExpression;
-import javafx.beans.binding.ObjectExpression;
-import javafx.beans.property.BooleanProperty;
-import javafx.beans.property.SimpleBooleanProperty;
-import javafx.fxml.FXML;
-import javafx.scene.control.ContentDisplay;
-import javafx.scene.layout.VBox;
 import javafx.stage.Stage;
 import javafx.stage.WindowEvent;
-import java.io.IOException;
 import java.nio.file.Files;
-import java.nio.file.Path;
-import java.security.KeyPair;
-import java.util.Arrays;
-import java.util.concurrent.atomic.AtomicReference;
 
 @KeyLoadingScoped
 public class P12Controller implements FxController {
@@ -38,21 +20,21 @@ public class P12Controller implements FxController {
 
 	private final Stage window;
 	private final Environment env;
-	private final UserInteractionLock<HubKeyLoadingModule.P12KeyLoading> p12LoadingLock;
+	private final UserInteractionLock<HubKeyLoadingModule.AuthFlow> userInteraction;
 
 	@Inject
-	public P12Controller(@KeyLoading Stage window, Environment env, AtomicReference<KeyPair> keyPairRef, UserInteractionLock<HubKeyLoadingModule.P12KeyLoading> p12LoadingLock) {
+	public P12Controller(@KeyLoading Stage window, Environment env, UserInteractionLock<HubKeyLoadingModule.AuthFlow> userInteraction) {
 		this.window = window;
 		this.env = env;
-		this.p12LoadingLock = p12LoadingLock;
-		this.window.setOnHiding(this::windowClosed);
+		this.userInteraction = userInteraction;
+		this.window.addEventHandler(WindowEvent.WINDOW_HIDING, this::windowClosed);
 	}
 
 	private void windowClosed(WindowEvent windowEvent) {
 		// if not already interacted, mark this workflow as cancelled:
-		if (p12LoadingLock.awaitingInteraction().get()) {
-			LOG.debug("P12 loading canceled by user.");
-			p12LoadingLock.interacted(HubKeyLoadingModule.P12KeyLoading.CANCELED);
+		if (userInteraction.awaitingInteraction().get()) {
+			LOG.debug("P12 loading cancelled by user.");
+			userInteraction.interacted(HubKeyLoadingModule.AuthFlow.CANCELLED);
 		}
 	}
 
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/P12CreateController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/P12CreateController.java
index d892d086f..735950d9e 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/P12CreateController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/P12CreateController.java
@@ -1,9 +1,12 @@
 package org.cryptomator.ui.keyloading.hub;
 
 import com.google.common.base.Preconditions;
+import dagger.Lazy;
 import org.cryptomator.common.Environment;
 import org.cryptomator.cryptolib.common.Destroyables;
 import org.cryptomator.ui.common.FxController;
+import org.cryptomator.ui.common.FxmlFile;
+import org.cryptomator.ui.common.FxmlScene;
 import org.cryptomator.ui.common.NewPasswordController;
 import org.cryptomator.ui.common.UserInteractionLock;
 import org.cryptomator.ui.keyloading.KeyLoading;
@@ -19,8 +22,10 @@ import javafx.beans.binding.ObjectExpression;
 import javafx.beans.property.BooleanProperty;
 import javafx.beans.property.SimpleBooleanProperty;
 import javafx.fxml.FXML;
+import javafx.scene.Scene;
 import javafx.scene.control.ContentDisplay;
 import javafx.stage.Stage;
+import javafx.stage.WindowEvent;
 import java.io.IOException;
 import java.nio.file.Path;
 import java.security.KeyPair;
@@ -35,25 +40,27 @@ public class P12CreateController implements FxController  {
 	private final Stage window;
 	private final Environment env;
 	private final AtomicReference<KeyPair> keyPairRef;
-	private final UserInteractionLock<HubKeyLoadingModule.P12KeyLoading> p12LoadingLock;
+	private final Lazy<Scene> authScene;
+
 	private final BooleanProperty userInteractionDisabled = new SimpleBooleanProperty();
 	private final ObjectBinding<ContentDisplay> unlockButtonContentDisplay = Bindings.createObjectBinding(this::getUnlockButtonContentDisplay, userInteractionDisabled);
 	private final BooleanProperty readyToCreate = new SimpleBooleanProperty();
 
 	public NewPasswordController newPasswordController;
 
-
 	@Inject
-	public P12CreateController(@KeyLoading Stage window, Environment env, AtomicReference<KeyPair> keyPairRef, UserInteractionLock<HubKeyLoadingModule.P12KeyLoading> p12LoadingLock) {
+	public P12CreateController(@KeyLoading Stage window, Environment env, AtomicReference<KeyPair> keyPairRef, @FxmlScene(FxmlFile.HUB_AUTH) Lazy<Scene> authScene) {
 		this.window = window;
 		this.env = env;
 		this.keyPairRef = keyPairRef;
-		this.p12LoadingLock = p12LoadingLock;
+		this.authScene = authScene;
+		this.window.addEventHandler(WindowEvent.WINDOW_HIDING, this::windowClosed);
 	}
 
 	@FXML
 	public void initialize() {
 		readyToCreate.bind(newPasswordController.goodPasswordProperty());
+		newPasswordController.passwordField.requestFocus();
 	}
 
 	@FXML
@@ -61,6 +68,11 @@ public class P12CreateController implements FxController  {
 		window.close();
 	}
 
+	private void windowClosed(WindowEvent windowEvent) {
+		newPasswordController.passwordField.wipe();
+		newPasswordController.reenterField.wipe();
+	}
+
 	@FXML
 	public void create() {
 		Preconditions.checkState(newPasswordController.goodPasswordProperty().get());
@@ -70,15 +82,12 @@ public class P12CreateController implements FxController  {
 			var keyPair = P12AccessHelper.createNew(p12File, pw);
 			setKeyPair(keyPair);
 			LOG.debug("Created .p12 file {}", p12File);
-			p12LoadingLock.interacted(HubKeyLoadingModule.P12KeyLoading.CREATED);
-			window.close();
+			window.setScene(authScene.get());
 		} catch (IOException e) {
 			LOG.error("Failed to load .p12 file.", e);
 			// TODO
 		} finally {
 			Arrays.fill(pw, '\0');
-			newPasswordController.passwordField.wipe();
-			newPasswordController.reenterField.wipe();
 		}
 	}
 
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/P12LoadController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/P12LoadController.java
index bab2992bb..d774aa4c7 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/P12LoadController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/P12LoadController.java
@@ -1,10 +1,13 @@
 package org.cryptomator.ui.keyloading.hub;
 
+import dagger.Lazy;
 import org.cryptomator.common.Environment;
 import org.cryptomator.cryptolib.api.InvalidPassphraseException;
 import org.cryptomator.cryptolib.common.Destroyables;
 import org.cryptomator.ui.common.Animations;
 import org.cryptomator.ui.common.FxController;
+import org.cryptomator.ui.common.FxmlFile;
+import org.cryptomator.ui.common.FxmlScene;
 import org.cryptomator.ui.common.UserInteractionLock;
 import org.cryptomator.ui.controls.NiceSecurePasswordField;
 import org.cryptomator.ui.keyloading.KeyLoading;
@@ -20,8 +23,10 @@ import javafx.beans.binding.ObjectExpression;
 import javafx.beans.property.BooleanProperty;
 import javafx.beans.property.SimpleBooleanProperty;
 import javafx.fxml.FXML;
+import javafx.scene.Scene;
 import javafx.scene.control.ContentDisplay;
 import javafx.stage.Stage;
+import javafx.stage.WindowEvent;
 import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Path;
@@ -37,18 +42,24 @@ public class P12LoadController implements FxController {
 	private final Stage window;
 	private final Environment env;
 	private final AtomicReference<KeyPair> keyPairRef;
-	private final UserInteractionLock<HubKeyLoadingModule.P12KeyLoading> p12LoadingLock;
+	private final Lazy<Scene> authScene;
 	private final BooleanProperty userInteractionDisabled = new SimpleBooleanProperty();
 	private final ObjectBinding<ContentDisplay> unlockButtonContentDisplay = Bindings.createObjectBinding(this::getUnlockButtonContentDisplay, userInteractionDisabled);
 
 	public NiceSecurePasswordField passwordField;
 
 	@Inject
-	public P12LoadController(@KeyLoading Stage window, Environment env, AtomicReference<KeyPair> keyPairRef, UserInteractionLock<HubKeyLoadingModule.P12KeyLoading> p12LoadingLock) {
+	public P12LoadController(@KeyLoading Stage window, Environment env, AtomicReference<KeyPair> keyPairRef, @FxmlScene(FxmlFile.HUB_AUTH) Lazy<Scene> authScene) {
 		this.window = window;
 		this.env = env;
 		this.keyPairRef = keyPairRef;
-		this.p12LoadingLock = p12LoadingLock;
+		this.authScene = authScene;
+		this.window.addEventHandler(WindowEvent.WINDOW_HIDING, this::windowClosed);
+	}
+
+	@FXML
+	public void initialize() {
+		passwordField.requestFocus();
 	}
 
 	@FXML
@@ -56,6 +67,10 @@ public class P12LoadController implements FxController {
 		window.close();
 	}
 
+	private void windowClosed(WindowEvent windowEvent) {
+		passwordField.wipe();
+	}
+
 	@FXML
 	public void load() {
 		char[] pw = passwordField.copyChars();
@@ -64,8 +79,7 @@ public class P12LoadController implements FxController {
 			var keyPair = P12AccessHelper.loadExisting(p12File, pw);
 			setKeyPair(keyPair);
 			LOG.debug("Loaded .p12 file {}", p12File);
-			p12LoadingLock.interacted(HubKeyLoadingModule.P12KeyLoading.LOADED);
-			window.close();
+			window.setScene(authScene.get());
 		} catch (InvalidPassphraseException e) {
 			LOG.warn("Invalid passphrase entered for .p12 file");
 			Animations.createShakeWindowAnimation(window).playFromStart();
@@ -75,7 +89,6 @@ public class P12LoadController implements FxController {
 			// TODO
 		} finally {
 			Arrays.fill(pw, '\0');
-			passwordField.wipe();
 		}
 	}
 
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveEncryptedMasterkeyTask.java b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveEncryptedMasterkeyTask.java
deleted file mode 100644
index 70a08cca6..000000000
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveEncryptedMasterkeyTask.java
+++ /dev/null
@@ -1,31 +0,0 @@
-package org.cryptomator.ui.keyloading.hub;
-
-import com.google.common.io.BaseEncoding;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import javafx.concurrent.Task;
-import java.net.URI;
-import java.util.function.Consumer;
-
-class ReceiveEncryptedMasterkeyTask extends Task<byte[]> {
-
-	private static final Logger LOG = LoggerFactory.getLogger(ReceiveEncryptedMasterkeyTask.class);
-
-	private final Consumer<URI> redirectUriConsumer;
-
-	public ReceiveEncryptedMasterkeyTask(Consumer<URI> redirectUriConsumer) {
-		this.redirectUriConsumer = redirectUriConsumer;
-	}
-
-	@Override
-	protected byte[] call() throws Exception {
-		try (var receiver = AuthReceiver.start()) {
-			var redirectUri = receiver.getRedirectURL();
-			LOG.debug("Waiting for key on {}", redirectUri);
-			redirectUriConsumer.accept(redirectUri);
-			var token = receiver.receive();
-			return BaseEncoding.base64Url().decode(token);
-		}
-	}
-}
diff --git a/src/main/java/org/cryptomator/ui/keyloading/masterkeyfile/MasterkeyFileLoadingModule.java b/src/main/java/org/cryptomator/ui/keyloading/masterkeyfile/MasterkeyFileLoadingModule.java
index 901eacfb9..d71cff54d 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/masterkeyfile/MasterkeyFileLoadingModule.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/masterkeyfile/MasterkeyFileLoadingModule.java
@@ -35,12 +35,12 @@ public abstract class MasterkeyFileLoadingModule {
 
 	public enum PasswordEntry {
 		PASSWORD_ENTERED,
-		CANCELED
+		CANCELLED
 	}
 
 	public enum MasterkeyFileProvision {
 		MASTERKEYFILE_PROVIDED,
-		CANCELED
+		CANCELLED
 	}
 
 	@Provides
diff --git a/src/main/java/org/cryptomator/ui/keyloading/masterkeyfile/MasterkeyFileLoadingStrategy.java b/src/main/java/org/cryptomator/ui/keyloading/masterkeyfile/MasterkeyFileLoadingStrategy.java
index 39db1cc04..b2725ef7e 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/masterkeyfile/MasterkeyFileLoadingStrategy.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/masterkeyfile/MasterkeyFileLoadingStrategy.java
@@ -95,7 +95,7 @@ public class MasterkeyFileLoadingStrategy implements KeyLoadingStrategy {
 		if (filePath.get() == null) {
 			return switch (askUserForMasterkeyFilePath()) {
 				case MASTERKEYFILE_PROVIDED -> filePath.get();
-				case CANCELED -> throw new UnlockCancelledException("Choosing masterkey file cancelled.");
+				case CANCELLED -> throw new UnlockCancelledException("Choosing masterkey file cancelled.");
 			};
 		} else {
 			return filePath.get();
@@ -121,7 +121,7 @@ public class MasterkeyFileLoadingStrategy implements KeyLoadingStrategy {
 		if (password.get() == null) {
 			return switch (askForPassphrase()) {
 				case PASSWORD_ENTERED -> CharBuffer.wrap(password.get());
-				case CANCELED -> throw new UnlockCancelledException("Password entry cancelled.");
+				case CANCELLED -> throw new UnlockCancelledException("Password entry cancelled.");
 			};
 		} else {
 			// e.g. pre-filled from keychain or previous unlock attempt
diff --git a/src/main/java/org/cryptomator/ui/keyloading/masterkeyfile/PassphraseEntryController.java b/src/main/java/org/cryptomator/ui/keyloading/masterkeyfile/PassphraseEntryController.java
index f6ce79e51..312118ad4 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/masterkeyfile/PassphraseEntryController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/masterkeyfile/PassphraseEntryController.java
@@ -143,8 +143,8 @@ public class PassphraseEntryController implements FxController {
 	private void windowClosed(WindowEvent windowEvent) {
 		// if not already interacted, mark this workflow as cancelled:
 		if (passwordEntryLock.awaitingInteraction().get()) {
-			LOG.debug("Unlock canceled by user.");
-			passwordEntryLock.interacted(PasswordEntry.CANCELED);
+			LOG.debug("Unlock cancelled by user.");
+			passwordEntryLock.interacted(PasswordEntry.CANCELLED);
 		}
 	}
 
diff --git a/src/main/java/org/cryptomator/ui/keyloading/masterkeyfile/SelectMasterkeyFileController.java b/src/main/java/org/cryptomator/ui/keyloading/masterkeyfile/SelectMasterkeyFileController.java
index 39be2b36e..cc103784b 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/masterkeyfile/SelectMasterkeyFileController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/masterkeyfile/SelectMasterkeyFileController.java
@@ -45,8 +45,8 @@ public class SelectMasterkeyFileController implements FxController {
 	private void windowClosed(WindowEvent windowEvent) {
 		// if not already interacted, mark this workflow as cancelled:
 		if (masterkeyFileProvisionLock.awaitingInteraction().get()) {
-			LOG.debug("Unlock canceled by user.");
-			masterkeyFileProvisionLock.interacted(MasterkeyFileProvision.CANCELED);
+			LOG.debug("Unlock cancelled by user.");
+			masterkeyFileProvisionLock.interacted(MasterkeyFileProvision.CANCELLED);
 		}
 	}
 
diff --git a/src/main/resources/fxml/hub_auth.fxml b/src/main/resources/fxml/hub_auth.fxml
new file mode 100644
index 000000000..f45203d01
--- /dev/null
+++ b/src/main/resources/fxml/hub_auth.fxml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<?import org.cryptomator.ui.controls.FontAwesome5Spinner?>
+<?import javafx.geometry.Insets?>
+<?import javafx.scene.control.Button?>
+<?import javafx.scene.control.ButtonBar?>
+<?import javafx.scene.control.Hyperlink?>
+<?import javafx.scene.image.Image?>
+<?import javafx.scene.image.ImageView?>
+<?import javafx.scene.layout.HBox?>
+<?import javafx.scene.layout.VBox?>
+<?import javafx.scene.text.Text?>
+<?import javafx.scene.text.TextFlow?>
+<VBox xmlns:fx="http://javafx.com/fxml"
+	  xmlns="http://javafx.com/javafx"
+	  fx:controller="org.cryptomator.ui.keyloading.hub.AuthController"
+	  minWidth="400"
+	  maxWidth="400"
+	  minHeight="145"
+	  spacing="12">
+	<padding>
+		<Insets topRightBottomLeft="12"/>
+	</padding>
+	<children>
+		<HBox spacing="12" VBox.vgrow="ALWAYS">
+			<ImageView VBox.vgrow="ALWAYS" fitWidth="64" preserveRatio="true" cache="true">
+				<Image url="@../img/bot/bot.png"/>
+			</ImageView>
+			<TextFlow visible="${controller.ready}" managed="${controller.ready}">
+				<Text text="TODO: please login via " />
+				<Hyperlink styleClass="hyperlink-underline" text="${controller.authUriHost}" onAction="#openBrowser"/>
+			</TextFlow>
+			<FontAwesome5Spinner glyphSize="12" visible="${!controller.ready}" managed="${!controller.ready}"/>
+		</HBox>
+
+		<VBox alignment="BOTTOM_CENTER" VBox.vgrow="ALWAYS">
+			<ButtonBar buttonMinWidth="120" buttonOrder="+C">
+				<buttons>
+					<Button text="%generic.button.cancel" ButtonBar.buttonData="CANCEL_CLOSE" cancelButton="true" onAction="#cancel"/>
+				</buttons>
+			</ButtonBar>
+		</VBox>
+	</children>
+</VBox>
diff --git a/src/main/resources/fxml/hub_p12_create.fxml b/src/main/resources/fxml/hub_p12_create.fxml
index 4a2014149..a4897cbc9 100644
--- a/src/main/resources/fxml/hub_p12_create.fxml
+++ b/src/main/resources/fxml/hub_p12_create.fxml
@@ -17,7 +17,7 @@
 	</padding>
 	<children>
 		<HBox spacing="12" VBox.vgrow="ALWAYS">
-			<ImageView VBox.vgrow="ALWAYS" fitWidth="64" preserveRatio="true" smooth="true" cache="true" visible="false">
+			<ImageView VBox.vgrow="ALWAYS" fitWidth="64" preserveRatio="true" cache="true">
 				<Image url="@../img/bot/bot.png"/>
 			</ImageView>
 			<fx:include fx:id="newPassword" source="new_password.fxml" disable="${controller.userInteractionDisabled}"/>
diff --git a/src/main/resources/fxml/hub_p12_load.fxml b/src/main/resources/fxml/hub_p12_load.fxml
index d76d1b16a..98fde1dd0 100644
--- a/src/main/resources/fxml/hub_p12_load.fxml
+++ b/src/main/resources/fxml/hub_p12_load.fxml
@@ -21,7 +21,7 @@
 	</padding>
 	<children>
 		<HBox spacing="12" VBox.vgrow="ALWAYS">
-			<ImageView VBox.vgrow="ALWAYS" fitWidth="64" preserveRatio="true" smooth="true" cache="true" visible="false">
+			<ImageView VBox.vgrow="ALWAYS" fitWidth="64" preserveRatio="true" cache="true">
 				<Image url="@../img/bot/bot.png"/>
 			</ImageView>
 			<VBox spacing="6" HBox.hgrow="ALWAYS">

From 43dbdb3e8f89ef3a34b3cf57d0ad41ad55390620 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Mon, 9 Aug 2021 18:11:44 +0200
Subject: [PATCH 05/55] prepare local webserver for cross-origin requests

---
 pom.xml                                       | 10 ++++
 src/main/java/module-info.java                |  2 +
 .../ui/keyloading/hub/AuthController.java     | 48 ++++++-------------
 .../ui/keyloading/hub/AuthParams.java         | 38 +++++++++++++--
 .../ui/keyloading/hub/AuthReceiver.java       | 42 +++++++++++-----
 .../keyloading/hub/HubKeyLoadingStrategy.java |  2 +-
 .../ui/keyloading/hub/P12AccessHelper.java    |  2 +-
 src/main/resources/fxml/hub_auth.fxml         |  2 +-
 8 files changed, 96 insertions(+), 50 deletions(-)

diff --git a/pom.xml b/pom.xml
index 8fd91628f..2fdd357f7 100644
--- a/pom.xml
+++ b/pom.xml
@@ -142,6 +142,16 @@
 			<artifactId>jetty-server</artifactId>
 			<version>${jetty.version}</version>
 		</dependency>
+		<dependency>
+			<groupId>org.eclipse.jetty</groupId>
+			<artifactId>jetty-webapp</artifactId>
+			<version>${jetty.version}</version>
+		</dependency>
+		<dependency>
+			<groupId>org.eclipse.jetty</groupId>
+			<artifactId>jetty-servlets</artifactId>
+			<version>${jetty.version}</version>
+		</dependency>
 
 		<!-- JWT -->
 		<dependency>
diff --git a/src/main/java/module-info.java b/src/main/java/module-info.java
index a2da43316..fae730bd1 100644
--- a/src/main/java/module-info.java
+++ b/src/main/java/module-info.java
@@ -29,6 +29,8 @@ module org.cryptomator.desktop {
 	requires org.bouncycastle.pkix;
 	requires org.apache.commons.lang3;
 	requires org.eclipse.jetty.server;
+	requires org.eclipse.jetty.webapp;
+	requires org.eclipse.jetty.servlets;
 
 	/* TODO: filename-based modules: */
 	requires static javax.inject; /* ugly dagger/guava crap */
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthController.java
index cd4f8331c..0937bfa73 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthController.java
@@ -1,6 +1,7 @@
 package org.cryptomator.ui.keyloading.hub;
 
 import com.google.common.base.Preconditions;
+import com.google.common.io.BaseEncoding;
 import org.cryptomator.ui.common.ErrorComponent;
 import org.cryptomator.ui.common.FxController;
 import org.cryptomator.ui.common.UserInteractionLock;
@@ -43,8 +44,6 @@ public class AuthController implements FxController {
 	private final AtomicReference<URI> hubUriRef;
 	private final ErrorComponent.Builder errorComponent;
 	private final ObjectProperty<URI> redirectUriRef;
-	private final ObjectBinding<URI> authUri;
-	private final StringBinding authUriHost;
 	private final BooleanBinding ready;
 	private final AuthReceiveTask receiveTask;
 
@@ -58,9 +57,7 @@ public class AuthController implements FxController {
 		this.hubUriRef = hubUriRef;
 		this.errorComponent = errorComponent;
 		this.redirectUriRef = new SimpleObjectProperty<>();
-		this.authUri = Bindings.createObjectBinding(this::getAuthUri, redirectUriRef);
-		this.authUriHost = Bindings.createStringBinding(this::getAuthUriHost, authUri);
-		this.ready = authUri.isNotNull();
+		this.ready = redirectUriRef.isNotNull();
 		this.receiveTask = new AuthReceiveTask(redirectUriRef::set);
 		this.window.addEventHandler(WindowEvent.WINDOW_HIDING, this::windowClosed);
 	}
@@ -81,7 +78,7 @@ public class AuthController implements FxController {
 
 	private void receivedKey(WorkerStateEvent workerStateEvent) {
 		var authParams = receiveTask.getValue();
-		LOG.info("Cryptomator Hub login succeeded: {} encrypted with {}", authParams, keyPair.getPublic());
+		LOG.info("Cryptomator Hub login succeeded: {} encrypted with {}", authParams.getEphemeralPublicKey(), keyPair.getPublic());
 		// TODO decrypt and return masterkey
 		authFlowLock.interacted(HubKeyLoadingModule.AuthFlow.SUCCESS);
 		window.close();
@@ -104,40 +101,25 @@ public class AuthController implements FxController {
 
 	@FXML
 	public void openBrowser() {
-		assert getAuthUri() != null;
-		application.getHostServices().showDocument(getAuthUri().toString());
+		assert ready.get();
+		var hubUri = Objects.requireNonNull(hubUriRef.get());
+		var redirectUri = Objects.requireNonNull(redirectUriRef.get());
+		var sb = new StringBuilder(hubUri.toString());
+		sb.append("?redirect_uri=").append(URLEncoder.encode(redirectUri.toString(), StandardCharsets.US_ASCII));
+		sb.append("&device_id=").append("desktop-app-3000");
+		sb.append("&device_key=").append(BaseEncoding.base64Url().omitPadding().encode(keyPair.getPublic().getEncoded()));
+		var url = sb.toString();
+		application.getHostServices().showDocument(url);
 	}
 
 	/* Getter/Setter */
 
-	public ObjectBinding<URI> authUriProperty() {
-		return authUri;
-	}
-
-	public URI getAuthUri() {
+	public String getHubUriHost() {
 		var hubUri = hubUriRef.get();
-		var redirectUri = redirectUriRef.get();
-		if (hubUri == null || redirectUri == null) {
-			return null;
-		}
-		var redirectParam = "redirect_uri=" + URLEncoder.encode(redirectUri.toString(), StandardCharsets.US_ASCII);
-		try {
-			return new URI(hubUri.getScheme(), hubUri.getAuthority(), hubUri.getPath(), redirectParam, null);
-		} catch (URISyntaxException e) {
-			throw new IllegalStateException("URI constructed from params known to be valid", e);
-		}
-	}
-
-	public StringBinding authUriHostProperty() {
-		return authUriHost;
-	}
-
-	public String getAuthUriHost() {
-		var authUri = getAuthUri();
-		if (authUri == null) {
+		if (hubUri == null) {
 			return null;
 		} else {
-			return authUri.getHost();
+			return hubUri.getHost();
 		}
 	}
 
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthParams.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthParams.java
index d08aa28a1..08e8557d4 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthParams.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthParams.java
@@ -1,12 +1,44 @@
 package org.cryptomator.ui.keyloading.hub;
 
+import com.google.common.io.BaseEncoding;
+
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.PublicKey;
+import java.security.interfaces.ECPublicKey;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.security.spec.X509EncodedKeySpec;
+
 /**
- * Parameters required to decrypt the masterkey:
+ * ECIES parameters required to decrypt the masterkey:
  * <ul>
- *     <li><code>m</code> Encrypted Masterkey (Base64-encoded)</li>
- *     <li><code>epk</code> Ephemeral Public Key (TODO: PEM-encoded?)</li>
+ *     <li><code>m</code> Encrypted Masterkey (base64url-encoded ciphertext)</li>
+ *     <li><code>epk</code> Ephemeral Public Key (base64url-encoded PKCS8)</li>
  * </ul>
+ *
+ * No separate tag required, since we use GCM for encryption.
  */
 record AuthParams(String m, String epk) {
 
+	public byte[] getCiphertext() {
+		return BaseEncoding.base64Url().decode(m());
+	}
+
+	public ECPublicKey getEphemeralPublicKey() {
+		try {
+			byte[] keyBytes = BaseEncoding.base64Url().decode(epk());
+			PublicKey key = KeyFactory.getInstance("EC").generatePublic(new X509EncodedKeySpec(keyBytes));
+			if (key instanceof ECPublicKey k) {
+				return k;
+			} else {
+				throw new IllegalArgumentException("Key not an EC public key.");
+			}
+		} catch (InvalidKeySpecException e) {
+			throw new IllegalArgumentException("Invalid license public key", e);
+		} catch (NoSuchAlgorithmException e) {
+			throw new IllegalStateException(e);
+		}
+	}
+
 }
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthReceiver.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthReceiver.java
index 6e5ca5b56..254709c46 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthReceiver.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthReceiver.java
@@ -5,13 +5,25 @@ import org.eclipse.jetty.server.Request;
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.ServerConnector;
 import org.eclipse.jetty.server.handler.AbstractHandler;
+import org.eclipse.jetty.servlet.FilterHolder;
+import org.eclipse.jetty.servlet.ServletContextHandler;
+import org.eclipse.jetty.servlet.ServletHolder;
+import org.eclipse.jetty.servlets.CrossOriginFilter;
 
+import javax.servlet.DispatcherType;
+import javax.servlet.FilterConfig;
+import javax.servlet.Servlet;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.nio.charset.StandardCharsets;
+import java.util.EnumSet;
 import java.util.concurrent.BlockingQueue;
 import java.util.concurrent.LinkedBlockingQueue;
 
@@ -37,13 +49,13 @@ class AuthReceiver implements AutoCloseable {
 
 	private final Server server;
 	private final ServerConnector connector;
-	private final Handler handler;
+	private final CallbackServlet servlet;
 
-	private AuthReceiver(Server server, ServerConnector connector, Handler handler) {
+	private AuthReceiver(Server server, ServerConnector connector, CallbackServlet servlet) {
 		assert server.isRunning();
 		this.server = server;
 		this.connector = connector;
-		this.handler = handler;
+		this.servlet = servlet;
 	}
 
 	public URI getRedirectURL() {
@@ -55,19 +67,27 @@ class AuthReceiver implements AutoCloseable {
 	}
 
 	public static AuthReceiver start() throws Exception {
-		Server server = new Server();
-		var handler = new Handler();
+		var server = new Server();
+		var context = new ServletContextHandler();
+
+		var corsFilter = new FilterHolder(new CrossOriginFilter());
+		corsFilter.setInitParameter(CrossOriginFilter.ALLOWED_ORIGINS_PARAM, "*"); // TODO restrict to hub host
+		context.addFilter(corsFilter, "/*", EnumSet.of(DispatcherType.REQUEST));
+
+		var servlet = new CallbackServlet();
+		context.addServlet(new ServletHolder(servlet), "/*");
+
 		var connector = new ServerConnector(server);
 		connector.setPort(0);
 		connector.setHost(LOOPBACK_ADDR);
 		server.setConnectors(new Connector[]{connector});
-		server.setHandler(handler);
+		server.setHandler(context);
 		server.start();
-		return new AuthReceiver(server, connector, handler);
+		return new AuthReceiver(server, connector, servlet);
 	}
 
 	public AuthParams receive() throws InterruptedException {
-		return handler.receivedKeys.take();
+		return servlet.receivedKeys.take();
 	}
 
 	@Override
@@ -75,13 +95,13 @@ class AuthReceiver implements AutoCloseable {
 		server.stop();
 	}
 
-	private static class Handler extends AbstractHandler {
+	private static class CallbackServlet extends HttpServlet {
 
 		private final BlockingQueue<AuthParams> receivedKeys = new LinkedBlockingQueue<>();
 
+		// TODO change to POST?
 		@Override
-		public void handle(String target, Request baseRequest, HttpServletRequest req, HttpServletResponse res) throws IOException {
-			baseRequest.setHandled(true);
+		protected void doGet(HttpServletRequest req, HttpServletResponse res) throws IOException {
 			var m = req.getParameter("m"); // encrypted masterkey
 			var epk = req.getParameter("epk"); // ephemeral public key
 			byte[] response;
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java
index b3830d22d..c84f887b2 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java
@@ -64,7 +64,7 @@ public class HubKeyLoadingStrategy implements KeyLoadingStrategy {
 		Preconditions.checkArgument(keyId.getScheme().startsWith(SCHEME_PREFIX));
 		var hubUriScheme = keyId.getScheme().substring(SCHEME_PREFIX.length());
 		try {
-			return new URI(hubUriScheme, keyId.getSchemeSpecificPart(), null);
+			return new URI(hubUriScheme, keyId.getSchemeSpecificPart(), keyId.getFragment());
 		} catch (URISyntaxException e) {
 			throw new IllegalStateException("URI constructed from params known to be valid", e);
 		}
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/P12AccessHelper.java b/src/main/java/org/cryptomator/ui/keyloading/hub/P12AccessHelper.java
index 7e62c8a0c..631bf14fc 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/P12AccessHelper.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/P12AccessHelper.java
@@ -23,7 +23,7 @@ import java.security.spec.ECGenParameterSpec;
 class P12AccessHelper {
 
 	private static final String EC_ALG = "EC";
-	private static final String EC_CURVE_NAME = "secp256r1";
+	private static final String EC_CURVE_NAME = "secp256r1"; // TODO switch to secp384r1
 	private static final String SIGNATURE_ALG = "SHA256withECDSA";
 	private static final String KEYSTORE_ALIAS_KEY = "key";
 	private static final String KEYSTORE_ALIAS_CERT = "crt";
diff --git a/src/main/resources/fxml/hub_auth.fxml b/src/main/resources/fxml/hub_auth.fxml
index f45203d01..f854e9014 100644
--- a/src/main/resources/fxml/hub_auth.fxml
+++ b/src/main/resources/fxml/hub_auth.fxml
@@ -28,7 +28,7 @@
 			</ImageView>
 			<TextFlow visible="${controller.ready}" managed="${controller.ready}">
 				<Text text="TODO: please login via " />
-				<Hyperlink styleClass="hyperlink-underline" text="${controller.authUriHost}" onAction="#openBrowser"/>
+				<Hyperlink styleClass="hyperlink-underline" text="${controller.hubUriHost}" onAction="#openBrowser"/>
 			</TextFlow>
 			<FontAwesome5Spinner glyphSize="12" visible="${!controller.ready}" managed="${!controller.ready}"/>
 		</HBox>

From d087a5fdde80c6ae5986580eb35c8bc016cefae9 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Mon, 9 Aug 2021 23:03:36 +0200
Subject: [PATCH 06/55] derive masterkey from received ECIES params

---
 .../ui/keyloading/hub/AuthController.java     | 12 ++--
 .../ui/keyloading/hub/AuthReceiveTask.java    |  4 +-
 .../ui/keyloading/hub/AuthReceiver.java       | 13 +----
 .../ui/keyloading/hub/EciesHelper.java        | 58 +++++++++++++++++++
 .../hub/{AuthParams.java => EciesParams.java} |  3 +-
 .../keyloading/hub/HubKeyLoadingModule.java   |  6 ++
 .../keyloading/hub/HubKeyLoadingStrategy.java | 24 ++++++--
 7 files changed, 92 insertions(+), 28 deletions(-)
 create mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/EciesHelper.java
 rename src/main/java/org/cryptomator/ui/keyloading/hub/{AuthParams.java => EciesParams.java} (93%)

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthController.java
index 0937bfa73..fdc574225 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthController.java
@@ -12,10 +12,7 @@ import org.slf4j.LoggerFactory;
 
 import javax.inject.Inject;
 import javafx.application.Application;
-import javafx.beans.binding.Bindings;
 import javafx.beans.binding.BooleanBinding;
-import javafx.beans.binding.ObjectBinding;
-import javafx.beans.binding.StringBinding;
 import javafx.beans.property.ObjectProperty;
 import javafx.beans.property.SimpleObjectProperty;
 import javafx.concurrent.WorkerStateEvent;
@@ -23,7 +20,6 @@ import javafx.fxml.FXML;
 import javafx.stage.Stage;
 import javafx.stage.WindowEvent;
 import java.net.URI;
-import java.net.URISyntaxException;
 import java.net.URLEncoder;
 import java.nio.charset.StandardCharsets;
 import java.security.KeyPair;
@@ -40,6 +36,7 @@ public class AuthController implements FxController {
 	private final ExecutorService executor;
 	private final Stage window;
 	private final KeyPair keyPair;
+	private final AtomicReference<EciesParams> authParamsRef;
 	private final UserInteractionLock<HubKeyLoadingModule.AuthFlow> authFlowLock;
 	private final AtomicReference<URI> hubUriRef;
 	private final ErrorComponent.Builder errorComponent;
@@ -48,11 +45,12 @@ public class AuthController implements FxController {
 	private final AuthReceiveTask receiveTask;
 
 	@Inject
-	public AuthController(Application application, ExecutorService executor, @KeyLoading Stage window, AtomicReference<KeyPair> keyPairRef, UserInteractionLock<HubKeyLoadingModule.AuthFlow> authFlowLock, AtomicReference<URI> hubUriRef, ErrorComponent.Builder errorComponent) {
+	public AuthController(Application application, ExecutorService executor, @KeyLoading Stage window, AtomicReference<KeyPair> keyPairRef, AtomicReference<EciesParams> authParamsRef, UserInteractionLock<HubKeyLoadingModule.AuthFlow> authFlowLock, AtomicReference<URI> hubUriRef, ErrorComponent.Builder errorComponent) {
 		this.application = application;
 		this.executor = executor;
 		this.window = window;
 		this.keyPair = Objects.requireNonNull(keyPairRef.get());
+		this.authParamsRef = authParamsRef;
 		this.authFlowLock = authFlowLock;
 		this.hubUriRef = hubUriRef;
 		this.errorComponent = errorComponent;
@@ -77,9 +75,7 @@ public class AuthController implements FxController {
 	}
 
 	private void receivedKey(WorkerStateEvent workerStateEvent) {
-		var authParams = receiveTask.getValue();
-		LOG.info("Cryptomator Hub login succeeded: {} encrypted with {}", authParams.getEphemeralPublicKey(), keyPair.getPublic());
-		// TODO decrypt and return masterkey
+		authParamsRef.set(Objects.requireNonNull(receiveTask.getValue()));
 		authFlowLock.interacted(HubKeyLoadingModule.AuthFlow.SUCCESS);
 		window.close();
 	}
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthReceiveTask.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthReceiveTask.java
index 8ae71f81f..bab4d6cf9 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthReceiveTask.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthReceiveTask.java
@@ -8,7 +8,7 @@ import javafx.concurrent.Task;
 import java.net.URI;
 import java.util.function.Consumer;
 
-class AuthReceiveTask extends Task<AuthParams> {
+class AuthReceiveTask extends Task<EciesParams> {
 
 	private static final Logger LOG = LoggerFactory.getLogger(AuthReceiveTask.class);
 
@@ -24,7 +24,7 @@ class AuthReceiveTask extends Task<AuthParams> {
 	}
 
 	@Override
-	protected AuthParams call() throws Exception {
+	protected EciesParams call() throws Exception {
 		try (var receiver = AuthReceiver.start()) {
 			var redirectUri = receiver.getRedirectURL();
 			Platform.runLater(() -> redirectUriConsumer.accept(redirectUri));
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthReceiver.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthReceiver.java
index 254709c46..bb2c5b76a 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthReceiver.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthReceiver.java
@@ -1,21 +1,14 @@
 package org.cryptomator.ui.keyloading.hub;
 
 import org.eclipse.jetty.server.Connector;
-import org.eclipse.jetty.server.Request;
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.ServerConnector;
-import org.eclipse.jetty.server.handler.AbstractHandler;
 import org.eclipse.jetty.servlet.FilterHolder;
 import org.eclipse.jetty.servlet.ServletContextHandler;
 import org.eclipse.jetty.servlet.ServletHolder;
 import org.eclipse.jetty.servlets.CrossOriginFilter;
 
 import javax.servlet.DispatcherType;
-import javax.servlet.FilterConfig;
-import javax.servlet.Servlet;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -86,7 +79,7 @@ class AuthReceiver implements AutoCloseable {
 		return new AuthReceiver(server, connector, servlet);
 	}
 
-	public AuthParams receive() throws InterruptedException {
+	public EciesParams receive() throws InterruptedException {
 		return servlet.receivedKeys.take();
 	}
 
@@ -97,7 +90,7 @@ class AuthReceiver implements AutoCloseable {
 
 	private static class CallbackServlet extends HttpServlet {
 
-		private final BlockingQueue<AuthParams> receivedKeys = new LinkedBlockingQueue<>();
+		private final BlockingQueue<EciesParams> receivedKeys = new LinkedBlockingQueue<>();
 
 		// TODO change to POST?
 		@Override
@@ -120,7 +113,7 @@ class AuthReceiver implements AutoCloseable {
 			// the following line might trigger a server shutdown,
 			// so let's make sure the response is flushed first
 			if (m != null && epk != null) {
-				receivedKeys.add(new AuthParams(m, epk));
+				receivedKeys.add(new EciesParams(m, epk));
 			}
 		}
 	}
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/EciesHelper.java b/src/main/java/org/cryptomator/ui/keyloading/hub/EciesHelper.java
new file mode 100644
index 000000000..8823a22ff
--- /dev/null
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/EciesHelper.java
@@ -0,0 +1,58 @@
+package org.cryptomator.ui.keyloading.hub;
+
+import com.google.common.base.Preconditions;
+import org.cryptomator.cryptolib.api.Masterkey;
+import org.cryptomator.cryptolib.api.MasterkeyLoadingFailedException;
+import org.cryptomator.cryptolib.common.AesKeyWrap;
+import org.cryptomator.cryptolib.common.DestroyableSecretKey;
+
+import javax.crypto.KeyAgreement;
+import java.security.InvalidKeyException;
+import java.security.KeyPair;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.interfaces.ECPrivateKey;
+import java.security.interfaces.ECPublicKey;
+import java.util.Arrays;
+
+class EciesHelper {
+
+	private EciesHelper() {}
+
+	public static Masterkey decryptMasterkey(KeyPair deviceKey, EciesParams eciesParams) throws MasterkeyLoadingFailedException {
+		// TODO: include a KDF between key agreement and KEK to conform to ECIES?
+		try (var kek = ecdh(deviceKey.getPrivate(), eciesParams.getEphemeralPublicKey()); //
+			 var rawMasterkey = AesKeyWrap.unwrap(kek, eciesParams.getCiphertext(), "HMAC")) {
+			return new Masterkey(rawMasterkey.getEncoded());
+		} catch (InvalidKeyException e) {
+			throw new MasterkeyLoadingFailedException("Unsuitable KEK to decrypt encrypted masterkey", e);
+		}
+	}
+
+	private static DestroyableSecretKey ecdh(PrivateKey privateKey, PublicKey publicKey) {
+		Preconditions.checkArgument(privateKey instanceof ECPrivateKey, "expected ECPrivateKey");
+		Preconditions.checkArgument(publicKey instanceof ECPublicKey, "expected ECPublicKey");
+		byte[] keyBytes = new byte[0];
+		try {
+			var keyAgreement = createKeyAgreement();
+			keyAgreement.init(privateKey);
+			keyAgreement.doPhase(publicKey, true);
+			keyBytes = keyAgreement.generateSecret();
+			return new DestroyableSecretKey(keyBytes, "AES");
+		} catch (InvalidKeyException e) {
+			throw new IllegalArgumentException("Invalid keys", e);
+		} finally {
+			Arrays.fill(keyBytes, (byte) 0x00);
+		}
+	}
+
+	private static KeyAgreement createKeyAgreement() {
+		try {
+			return KeyAgreement.getInstance("ECDH");
+		} catch (NoSuchAlgorithmException e) {
+			throw new IllegalStateException("ECDH not supported");
+		}
+	}
+
+}
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthParams.java b/src/main/java/org/cryptomator/ui/keyloading/hub/EciesParams.java
similarity index 93%
rename from src/main/java/org/cryptomator/ui/keyloading/hub/AuthParams.java
rename to src/main/java/org/cryptomator/ui/keyloading/hub/EciesParams.java
index 08e8557d4..a196c7530 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthParams.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/EciesParams.java
@@ -7,7 +7,6 @@ import java.security.NoSuchAlgorithmException;
 import java.security.PublicKey;
 import java.security.interfaces.ECPublicKey;
 import java.security.spec.InvalidKeySpecException;
-import java.security.spec.PKCS8EncodedKeySpec;
 import java.security.spec.X509EncodedKeySpec;
 
 /**
@@ -19,7 +18,7 @@ import java.security.spec.X509EncodedKeySpec;
  *
  * No separate tag required, since we use GCM for encryption.
  */
-record AuthParams(String m, String epk) {
+record EciesParams(String m, String epk) {
 
 	public byte[] getCiphertext() {
 		return BaseEncoding.base64Url().decode(m());
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
index 67f4e2fc4..e774c486a 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
@@ -38,6 +38,12 @@ public abstract class HubKeyLoadingModule {
 		return new AtomicReference<>();
 	}
 
+	@Provides
+	@KeyLoadingScoped
+	static AtomicReference<EciesParams> provideAuthParamsRef() {
+		return new AtomicReference<>();
+	}
+
 	@Provides
 	@KeyLoadingScoped
 	static UserInteractionLock<AuthFlow> provideAuthFlowLock() {
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java
index c84f887b2..a7f8f41e0 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java
@@ -5,6 +5,7 @@ import dagger.Lazy;
 import org.cryptomator.common.vaults.Vault;
 import org.cryptomator.cryptolib.api.Masterkey;
 import org.cryptomator.cryptolib.api.MasterkeyLoadingFailedException;
+import org.cryptomator.cryptolib.common.Destroyables;
 import org.cryptomator.ui.common.FxmlFile;
 import org.cryptomator.ui.common.FxmlScene;
 import org.cryptomator.ui.common.UserInteractionLock;
@@ -34,32 +35,43 @@ public class HubKeyLoadingStrategy implements KeyLoadingStrategy {
 	private final Lazy<Scene> p12LoadingScene;
 	private final UserInteractionLock<HubKeyLoadingModule.AuthFlow> userInteraction;
 	private final AtomicReference<URI> hubUriRef;
+	private final AtomicReference<KeyPair> keyPairRef;
+	private final AtomicReference<EciesParams> authParamsRef;
 
 	@Inject
-	public HubKeyLoadingStrategy(@KeyLoading Vault vault, @KeyLoading Stage window, @FxmlScene(FxmlFile.HUB_P12) Lazy<Scene> p12LoadingScene, UserInteractionLock<HubKeyLoadingModule.AuthFlow> userInteraction, AtomicReference<URI> hubUriRef) {
+	public HubKeyLoadingStrategy(@KeyLoading Vault vault, @KeyLoading Stage window, @FxmlScene(FxmlFile.HUB_P12) Lazy<Scene> p12LoadingScene, UserInteractionLock<HubKeyLoadingModule.AuthFlow> userInteraction, AtomicReference<URI> hubUriRef, AtomicReference<KeyPair> keyPairRef, AtomicReference<EciesParams> authParamsRef) {
 		this.vault = vault;
 		this.window = window;
 		this.p12LoadingScene = p12LoadingScene;
 		this.userInteraction = userInteraction;
 		this.hubUriRef = hubUriRef;
+		this.keyPairRef = keyPairRef;
+		this.authParamsRef = authParamsRef;
 	}
 
 	@Override
 	public Masterkey loadKey(URI keyId) throws MasterkeyLoadingFailedException {
 		hubUriRef.set(getHubUri(keyId));
 		try {
-			switch (auth()) {
-				case SUCCESS -> LOG.debug("TODO success"); // TODO return key
-				//case FAILED -> LOG.error("failed to load keypair");
+			return switch (auth()) {
+				case SUCCESS -> EciesHelper.decryptMasterkey(keyPairRef.get(), authParamsRef.get());
+				case FAILED -> throw new MasterkeyLoadingFailedException("failed to load keypair");
 				case CANCELLED -> throw new UnlockCancelledException("User cancelled auth workflow");
-			}
-			throw new UnlockCancelledException("not yet implemented"); // TODO remove
+			};
 		} catch (InterruptedException e) {
 			Thread.currentThread().interrupt();
 			throw new UnlockCancelledException("Loading interrupted", e);
 		}
 	}
 
+	@Override
+	public void cleanup(boolean unlockedSuccessfully) {
+		var keyPair = keyPairRef.getAndSet(null);
+		if (keyPair != null) {
+			Destroyables.destroySilently(keyPair.getPrivate());
+		}
+	}
+
 	private URI getHubUri(URI keyId) {
 		Preconditions.checkArgument(keyId.getScheme().startsWith(SCHEME_PREFIX));
 		var hubUriScheme = keyId.getScheme().substring(SCHEME_PREFIX.length());

From 01b2b47823bfb304dbf199a3acd932dfe9c6b13b Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Tue, 10 Aug 2021 12:36:22 +0200
Subject: [PATCH 07/55] Switching to P-384 + X9.63 KDF SHA-256 + AES-GCM

---
 .../ui/keyloading/hub/EciesHelper.java        | 94 ++++++++++++++++---
 .../ui/keyloading/hub/P12AccessHelper.java    |  2 +-
 .../ui/keyloading/hub/package-info.java       | 24 +++++
 .../ui/keyloading/hub/EciesHelperTest.java    | 60 ++++++++++++
 4 files changed, 168 insertions(+), 12 deletions(-)
 create mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/package-info.java
 create mode 100644 src/test/java/org/cryptomator/ui/keyloading/hub/EciesHelperTest.java

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/EciesHelper.java b/src/main/java/org/cryptomator/ui/keyloading/hub/EciesHelper.java
index 8823a22ff..a1636ea3a 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/EciesHelper.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/EciesHelper.java
@@ -3,12 +3,20 @@ package org.cryptomator.ui.keyloading.hub;
 import com.google.common.base.Preconditions;
 import org.cryptomator.cryptolib.api.Masterkey;
 import org.cryptomator.cryptolib.api.MasterkeyLoadingFailedException;
-import org.cryptomator.cryptolib.common.AesKeyWrap;
+import org.cryptomator.cryptolib.common.CipherSupplier;
 import org.cryptomator.cryptolib.common.DestroyableSecretKey;
 
+import javax.crypto.AEADBadTagException;
+import javax.crypto.BadPaddingException;
+import javax.crypto.IllegalBlockSizeException;
 import javax.crypto.KeyAgreement;
+import javax.crypto.spec.GCMParameterSpec;
+import java.math.BigInteger;
+import java.nio.ByteBuffer;
+import java.security.DigestException;
 import java.security.InvalidKeyException;
 import java.security.KeyPair;
+import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
 import java.security.PublicKey;
@@ -18,32 +26,96 @@ import java.util.Arrays;
 
 class EciesHelper {
 
+	private static final int GCM_TAG_SIZE = 16;
+	private static final int GCM_NONCE_SIZE = 12; // 96 bit IVs strongly recommended for GCM
+
 	private EciesHelper() {}
 
 	public static Masterkey decryptMasterkey(KeyPair deviceKey, EciesParams eciesParams) throws MasterkeyLoadingFailedException {
-		// TODO: include a KDF between key agreement and KEK to conform to ECIES?
-		try (var kek = ecdh(deviceKey.getPrivate(), eciesParams.getEphemeralPublicKey()); //
-			 var rawMasterkey = AesKeyWrap.unwrap(kek, eciesParams.getCiphertext(), "HMAC")) {
-			return new Masterkey(rawMasterkey.getEncoded());
-		} catch (InvalidKeyException e) {
+		var sharedSecret = ecdhAndKdf(deviceKey.getPrivate(), eciesParams.getEphemeralPublicKey(), 44);
+		var cleartext = new byte[0];
+		try (var kek = new DestroyableSecretKey(sharedSecret, 0, 32, "AES")) {
+			var nonce = Arrays.copyOfRange(sharedSecret, 32, GCM_NONCE_SIZE);
+			var cipher = CipherSupplier.AES_GCM.forDecryption(kek, new GCMParameterSpec(GCM_TAG_SIZE * Byte.SIZE, nonce));
+			cleartext = cipher.doFinal(eciesParams.getCiphertext());
+			return new Masterkey(cleartext);
+		} catch (AEADBadTagException e) {
 			throw new MasterkeyLoadingFailedException("Unsuitable KEK to decrypt encrypted masterkey", e);
+		} catch (IllegalBlockSizeException | BadPaddingException e) {
+			throw new IllegalStateException("Unexpected exception during GCM decryption.", e);
+		} finally {
+			Arrays.fill(sharedSecret, (byte) 0x00);
+			Arrays.fill(cleartext, (byte) 0x00);
 		}
 	}
 
-	private static DestroyableSecretKey ecdh(PrivateKey privateKey, PublicKey publicKey) {
+	/**
+	 * Computes a shared secret using ECDH key agreement and derives a key.
+	 *
+	 * @param privateKey Recipient's EC private key
+	 * @param publicKey Sender's EC public key
+	 * @param numBytes Number of bytes requested form KDF
+	 * @return A derived secret key
+	 */
+	// visible for testing
+	static byte[] ecdhAndKdf(PrivateKey privateKey, PublicKey publicKey, int numBytes) {
 		Preconditions.checkArgument(privateKey instanceof ECPrivateKey, "expected ECPrivateKey");
 		Preconditions.checkArgument(publicKey instanceof ECPublicKey, "expected ECPublicKey");
-		byte[] keyBytes = new byte[0];
+		byte[] sharedSecret = new byte[0];
 		try {
 			var keyAgreement = createKeyAgreement();
 			keyAgreement.init(privateKey);
 			keyAgreement.doPhase(publicKey, true);
-			keyBytes = keyAgreement.generateSecret();
-			return new DestroyableSecretKey(keyBytes, "AES");
+			sharedSecret = keyAgreement.generateSecret();
+			return kdf(sharedSecret, new byte[0], numBytes);
 		} catch (InvalidKeyException e) {
 			throw new IllegalArgumentException("Invalid keys", e);
 		} finally {
-			Arrays.fill(keyBytes, (byte) 0x00);
+			Arrays.fill(sharedSecret, (byte) 0x00);
+		}
+	}
+
+	/**
+	 * Performs <a href="https://www.secg.org/sec1-v2.pdf">ANSI-X9.63-KDF</a> with SHA-256
+	 * @param sharedSecret A shared secret
+	 * @param keyDataLen Desired key length (in bytes)
+	 * @return key data
+	 */
+	// visible for testing
+	static byte[] kdf(byte[] sharedSecret, byte[] sharedInfo, int keyDataLen) {
+		MessageDigest digest = sha256(); // max input length is 2^64 - 1, see https://doi.org/10.6028/NIST.SP.800-56Cr2, Table 1
+		int hashLen = digest.getDigestLength();
+
+		// These two checks must be performed according to spec. However with 32 bit integers, we can't exceed any limits anyway:
+		assert BigInteger.valueOf(sharedSecret.length + sharedInfo.length + 4).compareTo(BigInteger.ONE.shiftLeft(64).subtract(BigInteger.ONE)) < 0: "input larger than hashmaxlen";
+		assert keyDataLen < (2L << 32 - 1) * hashLen : "keyDataLen larger than hashLen × (2^32 − 1)";
+
+		ByteBuffer counter = ByteBuffer.allocate(Integer.BYTES);
+		int n = (keyDataLen + hashLen - 1) / hashLen;
+		byte[] buffer = new byte[n * hashLen];
+		try {
+			for (int i = 0; i < n; i++) {
+				digest.update(sharedSecret);
+				counter.clear();
+				counter.putInt(i + 1);
+				counter.flip();
+				digest.update(counter);
+				digest.update(sharedInfo);
+				digest.digest(buffer, i * hashLen, hashLen);
+			}
+			return Arrays.copyOf(buffer, keyDataLen);
+		} catch (DigestException e) {
+			throw new IllegalStateException("Invalid digest output buffer offset", e);
+		} finally {
+			Arrays.fill(buffer, (byte) 0x00);
+		}
+	}
+
+	private static MessageDigest sha256() {
+		try {
+			return MessageDigest.getInstance("SHA-256");
+		} catch (NoSuchAlgorithmException e) {
+			throw new IllegalStateException("Every implementation of the Java platform is required to support SHA-256.");
 		}
 	}
 
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/P12AccessHelper.java b/src/main/java/org/cryptomator/ui/keyloading/hub/P12AccessHelper.java
index 631bf14fc..99bd7d3fe 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/P12AccessHelper.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/P12AccessHelper.java
@@ -23,7 +23,7 @@ import java.security.spec.ECGenParameterSpec;
 class P12AccessHelper {
 
 	private static final String EC_ALG = "EC";
-	private static final String EC_CURVE_NAME = "secp256r1"; // TODO switch to secp384r1
+	private static final String EC_CURVE_NAME = "secp384r1";
 	private static final String SIGNATURE_ALG = "SHA256withECDSA";
 	private static final String KEYSTORE_ALIAS_KEY = "key";
 	private static final String KEYSTORE_ALIAS_CERT = "crt";
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/package-info.java b/src/main/java/org/cryptomator/ui/keyloading/hub/package-info.java
new file mode 100644
index 000000000..54bd6ae0e
--- /dev/null
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/package-info.java
@@ -0,0 +1,24 @@
+/**
+ * This {@link org.cryptomator.ui.keyloading.KeyLoadingStrategy strategy} retrieves the vault key from a web application, similar to
+ * <a href="https://datatracker.ietf.org/doc/html/rfc8252#section-7.3">RFC 8252</a> but with an encrypted masterkey instead of an authorization code.
+ * <p>
+ * If the <code>kid</code> of the vault config starts with either {@value org.cryptomator.ui.keyloading.hub.HubKeyLoadingStrategy#SCHEME_HUB_HTTP}
+ * or {@value org.cryptomator.ui.keyloading.hub.HubKeyLoadingStrategy#SCHEME_HUB_HTTPS}, the included http address is amended by three parameters and opened
+ * in a browser. These parameters are:
+ * <ul>
+ *     <li>A device-specific public key (generated by this application and stored among its settings</li>
+ *     <li>A unique device ID (stored in settings)</li>
+ *     <li>A loopback callback address</li>
+ * </ul>
+ * <p>
+ * The callback address points to a embedded web server waiting to receive the masterkey encrypted specifically for this device, using the device-specific public key.
+ * <p>
+ * The vault key can be decrypted using this ECIES:
+ * <ol>
+ *     <li>Generate shared secret using ECDH without cofactor</li>
+ *     <li>Derive 44 bytes using ANSI X9.63 KDF with SHA256</li>
+ *     <li>Decrypt payload via AES-GCM, using first 32 bytes as key, last 12 bytes as IV</li>
+ *     <li>No MAC check required, as AES-GCM includes a tag already</li>
+ * </ol>
+ */
+package org.cryptomator.ui.keyloading.hub;
\ No newline at end of file
diff --git a/src/test/java/org/cryptomator/ui/keyloading/hub/EciesHelperTest.java b/src/test/java/org/cryptomator/ui/keyloading/hub/EciesHelperTest.java
new file mode 100644
index 000000000..0bb432608
--- /dev/null
+++ b/src/test/java/org/cryptomator/ui/keyloading/hub/EciesHelperTest.java
@@ -0,0 +1,60 @@
+package org.cryptomator.ui.keyloading.hub;
+
+import com.google.common.io.BaseEncoding;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.extension.ParameterContext;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.converter.ArgumentConversionException;
+import org.junit.jupiter.params.converter.ArgumentConverter;
+import org.junit.jupiter.params.converter.ConvertWith;
+import org.junit.jupiter.params.provider.CsvSource;
+import org.junit.jupiter.params.provider.ValueSource;
+
+import java.security.KeyPairGenerator;
+import java.security.NoSuchAlgorithmException;
+
+public class EciesHelperTest {
+
+	@DisplayName("ECDH + KDF")
+	@ParameterizedTest
+	@ValueSource(ints = {16, 32, 44, 128})
+	public void testEcdhAndKdf(int len) throws NoSuchAlgorithmException {
+		var alice = KeyPairGenerator.getInstance("EC").generateKeyPair();
+		var bob = KeyPairGenerator.getInstance("EC").generateKeyPair();
+
+		byte[] result1 = EciesHelper.ecdhAndKdf(alice.getPrivate(), bob.getPublic(), len);
+		byte[] result2 = EciesHelper.ecdhAndKdf(bob.getPrivate(), alice.getPublic(), len);
+
+		Assertions.assertArrayEquals(result1, result2);
+	}
+
+	@DisplayName("ANSI-X9.63-KDF")
+	@ParameterizedTest
+	@CsvSource(value = {
+			"96c05619d56c328ab95fe84b18264b08725b85e33fd34f08, , 16, 443024c3dae66b95e6f5670601558f71",
+			"96f600b73ad6ac5629577eced51743dd2c24c21b1ac83ee4, , 16, b6295162a7804f5667ba9070f82fa522",
+			"22518b10e70f2a3f243810ae3254139efbee04aa57c7af7d, 75eef81aa3041e33b80971203d2c0c52, 128, c498af77161cc59f2962b9a713e2b215152d139766ce34a776df11866a69bf2e52a13d9c7c6fc878c50c5ea0bc7b00e0da2447cfd874f6cf92f30d0097111485500c90c3af8b487872d04685d14c8d1dc8d7fa08beb0ce0ababc11f0bd496269142d43525a78e5bc79a17f59676a5706dc54d54d4d1f0bd7e386128ec26afc21",
+			"7e335afa4b31d772c0635c7b0e06f26fcd781df947d2990a, d65a4812733f8cdbcdfb4b2f4c191d87, 128, c0bd9e38a8f9de14c2acd35b2f3410c6988cf02400543631e0d6a4c1d030365acbf398115e51aaddebdc9590664210f9aa9fed770d4c57edeafa0b8c14f93300865251218c262d63dadc47dfa0e0284826793985137e0a544ec80abf2fdf5ab90bdaea66204012efe34971dc431d625cd9a329b8217cc8fd0d9f02b13f2f6b0b",
+	})
+	// test vectors from https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/components/800-135testvectors/ansx963_2001.zip
+	public void testKdf(@ConvertWith(HexConverter.class) byte[] sharedSecret, @ConvertWith(HexConverter.class) byte[] sharedInfo, int outLen, @ConvertWith(HexConverter.class) byte[] expectedResult) {
+		byte[] result = EciesHelper.kdf(sharedSecret, sharedInfo, outLen);
+		Assertions.assertArrayEquals(expectedResult, result);
+	}
+
+	public static class HexConverter implements ArgumentConverter {
+
+		@Override
+		public byte[] convert(Object source, ParameterContext context) throws ArgumentConversionException {
+			if (source == null) {
+				return new byte[0];
+			} else if (source instanceof String s) {
+				return BaseEncoding.base16().lowerCase().decode(s);
+			} else {
+				return null;
+			}
+		}
+	}
+
+}
\ No newline at end of file

From d7dcc46988764230152774c1da2dd3895c8db7f2 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Tue, 10 Aug 2021 13:23:29 +0200
Subject: [PATCH 08/55] spec correction

[ci skip]
---
 .../java/org/cryptomator/ui/keyloading/hub/EciesParams.java     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/EciesParams.java b/src/main/java/org/cryptomator/ui/keyloading/hub/EciesParams.java
index a196c7530..5e25b37f7 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/EciesParams.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/EciesParams.java
@@ -13,7 +13,7 @@ import java.security.spec.X509EncodedKeySpec;
  * ECIES parameters required to decrypt the masterkey:
  * <ul>
  *     <li><code>m</code> Encrypted Masterkey (base64url-encoded ciphertext)</li>
- *     <li><code>epk</code> Ephemeral Public Key (base64url-encoded PKCS8)</li>
+ *     <li><code>epk</code> Ephemeral Public Key (base64url-encoded SPKI format)</li>
  * </ul>
  *
  * No separate tag required, since we use GCM for encryption.

From 8075d33d395370d379dd05853e313c3cf81f873a Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Wed, 11 Aug 2021 16:13:14 +0200
Subject: [PATCH 09/55] fix key/iv extraction from sharedSecret

---
 .../cryptomator/ui/keyloading/hub/EciesHelper.java    | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/EciesHelper.java b/src/main/java/org/cryptomator/ui/keyloading/hub/EciesHelper.java
index a1636ea3a..b7dac36ba 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/EciesHelper.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/EciesHelper.java
@@ -1,6 +1,7 @@
 package org.cryptomator.ui.keyloading.hub;
 
 import com.google.common.base.Preconditions;
+import com.google.common.io.BaseEncoding;
 import org.cryptomator.cryptolib.api.Masterkey;
 import org.cryptomator.cryptolib.api.MasterkeyLoadingFailedException;
 import org.cryptomator.cryptolib.common.CipherSupplier;
@@ -13,6 +14,7 @@ import javax.crypto.KeyAgreement;
 import javax.crypto.spec.GCMParameterSpec;
 import java.math.BigInteger;
 import java.nio.ByteBuffer;
+import java.nio.ByteOrder;
 import java.security.DigestException;
 import java.security.InvalidKeyException;
 import java.security.KeyPair;
@@ -26,16 +28,17 @@ import java.util.Arrays;
 
 class EciesHelper {
 
+	private static final int GCM_KEY_SIZE = 32;
 	private static final int GCM_TAG_SIZE = 16;
 	private static final int GCM_NONCE_SIZE = 12; // 96 bit IVs strongly recommended for GCM
 
 	private EciesHelper() {}
 
 	public static Masterkey decryptMasterkey(KeyPair deviceKey, EciesParams eciesParams) throws MasterkeyLoadingFailedException {
-		var sharedSecret = ecdhAndKdf(deviceKey.getPrivate(), eciesParams.getEphemeralPublicKey(), 44);
+		var sharedSecret = ecdhAndKdf(deviceKey.getPrivate(), eciesParams.getEphemeralPublicKey(), GCM_KEY_SIZE + GCM_NONCE_SIZE);
 		var cleartext = new byte[0];
-		try (var kek = new DestroyableSecretKey(sharedSecret, 0, 32, "AES")) {
-			var nonce = Arrays.copyOfRange(sharedSecret, 32, GCM_NONCE_SIZE);
+		try (var kek = new DestroyableSecretKey(sharedSecret, 0, GCM_KEY_SIZE, "AES")) {
+			var nonce = Arrays.copyOfRange(sharedSecret, GCM_KEY_SIZE, GCM_KEY_SIZE + GCM_NONCE_SIZE);
 			var cipher = CipherSupplier.AES_GCM.forDecryption(kek, new GCMParameterSpec(GCM_TAG_SIZE * Byte.SIZE, nonce));
 			cleartext = cipher.doFinal(eciesParams.getCiphertext());
 			return new Masterkey(cleartext);
@@ -78,6 +81,7 @@ class EciesHelper {
 	/**
 	 * Performs <a href="https://www.secg.org/sec1-v2.pdf">ANSI-X9.63-KDF</a> with SHA-256
 	 * @param sharedSecret A shared secret
+	 * @param sharedInfo Additional authenticated data
 	 * @param keyDataLen Desired key length (in bytes)
 	 * @return key data
 	 */
@@ -91,6 +95,7 @@ class EciesHelper {
 		assert keyDataLen < (2L << 32 - 1) * hashLen : "keyDataLen larger than hashLen × (2^32 − 1)";
 
 		ByteBuffer counter = ByteBuffer.allocate(Integer.BYTES);
+		assert ByteOrder.BIG_ENDIAN.equals(counter.order());
 		int n = (keyDataLen + hashLen - 1) / hashLen;
 		byte[] buffer = new byte[n * hashLen];
 		try {

From f9c2807ce1c79dc06a6bb779700b4164f58f5e43 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Thu, 12 Aug 2021 10:54:58 +0200
Subject: [PATCH 10/55] added basic OAuth 2.0 Authorization Code Flow + PKCE
 impl

---
 .../ui/keyloading/hub/AuthFlow.java           | 209 ++++++++++++++++++
 .../ui/keyloading/hub/AuthFlowReceiver.java   | 105 +++++++++
 .../hub/AuthFlowIntegrationTest.java          |  34 +++
 3 files changed, 348 insertions(+)
 create mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlow.java
 create mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowReceiver.java
 create mode 100644 src/test/java/org/cryptomator/ui/keyloading/hub/AuthFlowIntegrationTest.java

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlow.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlow.java
new file mode 100644
index 000000000..343c12348
--- /dev/null
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlow.java
@@ -0,0 +1,209 @@
+package org.cryptomator.ui.keyloading.hub;
+
+import com.google.common.base.Splitter;
+import com.google.common.base.Strings;
+import com.google.common.collect.Streams;
+import com.google.common.escape.Escaper;
+import com.google.common.io.BaseEncoding;
+import com.google.common.io.CharStreams;
+import com.google.common.net.PercentEscaper;
+import com.google.gson.JsonElement;
+import com.google.gson.JsonParseException;
+import com.google.gson.JsonParser;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.Reader;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import java.util.Map;
+import java.util.function.Consumer;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+
+/**
+ * Simple OAuth 2.0 Authentication Code Flow with {@link PKCE}.
+ * <p>
+ * @see <a href="https://datatracker.ietf.org/doc/html/rfc8252">RFC 8252</a>
+ * @see <a href="https://datatracker.ietf.org/doc/html/rfc6749">RFC 6749</a>
+ * @see <a href="https://datatracker.ietf.org/doc/html/rfc7636">RFC 7636</a>
+ */
+class AuthFlow implements AutoCloseable {
+
+	private static final Logger LOG = LoggerFactory.getLogger(AuthFlow.class);
+	private static final SecureRandom CSPRNG = new SecureRandom();
+	private static final BaseEncoding BASE64URL = BaseEncoding.base64Url().omitPadding();
+	public static final Escaper QUERY_STRING_ESCAPER = new PercentEscaper("-_.!~*'()@:$,;/?", false);
+
+	private final AuthFlowReceiver receiver;
+	private final URI authEndpoint;
+	private final URI tokenEndpoint;
+	private final String clientId;
+
+	private AuthFlow(AuthFlowReceiver receiver, URI authEndpoint, URI tokenEndpoint, String clientId) {
+		this.receiver = receiver;
+		this.authEndpoint = authEndpoint;
+		this.tokenEndpoint = tokenEndpoint;
+		this.clientId = clientId;
+	}
+
+	/**
+	 * Prepares an Authorization Code Flow with PKCE.
+	 * <p>
+	 * This will start a loopback server, so make sure to {@link #close()} this resource.
+	 *
+	 * @param authEndpoint Address of the <a href="https://datatracker.ietf.org/doc/html/rfc6749#section-3.1">Authorization Endpoint</a>
+	 * @param tokenEndpoint Address of the <a href="https://datatracker.ietf.org/doc/html/rfc6749#section-3.2">Token Endpoint</a>
+	 * @param clientId The <a href="https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1"><code>client_id</code></a>
+	 * @return An authorization
+	 * @throws Exception
+	 */
+	public static AuthFlow init(URI authEndpoint, URI tokenEndpoint, String clientId) throws Exception {
+		var receiver = AuthFlowReceiver.start();
+		return new AuthFlow(receiver, authEndpoint, tokenEndpoint, clientId);
+	}
+
+	/**
+	 * Runs this Authorization Code Flow. This will take a long time and should be done in a background thread.
+	 *
+	 * @param browser A callback that will open the auth URI in a browser
+	 * @return The access token
+	 * @throws IOException In case of any errors, including failed authentication.
+	 * @throws InterruptedException If this method is interrupted while waiting for responses from the authorization server
+	 */
+	public String run(Consumer<URI> browser) throws IOException, InterruptedException {
+		var pkce = new PKCE();
+		var authCode = auth(pkce, browser);
+		return token(pkce, authCode);
+	}
+
+	private String auth(PKCE pkce, Consumer<URI> browser) throws IOException, InterruptedException {
+		var state = BASE64URL.encode(randomBytes(16));
+		var params = Map.of("response_type", "code", //
+				"client_id", clientId, //
+				"redirect_uri", receiver.getRedirectUri(), //
+				"state", state, //
+				"code_challenge", pkce.challenge, //
+				"code_challenge_method", PKCE.METHOD //
+		);
+		var uri = appendQueryParams(this.authEndpoint, params);
+
+		// open browser and wait for response
+		LOG.debug("waiting for user to log into {}", uri);
+		browser.accept(uri);
+		var callback = receiver.receive();
+
+		if (!state.equals(callback.state())) {
+			throw new IOException("Invalid CSRF Token");
+		} else if (callback.error() != null) {
+			throw new IOException("Authentication failed " + callback.error());
+		} else if (callback.code() == null) {
+			throw new IOException("Received neither authentication code nor error");
+		}
+		return callback.code();
+	}
+
+	private String token(PKCE pkce, String authCode) throws IOException, InterruptedException {
+		var params = Map.of("grant_type", "authorization_code", //
+				"client_id", "cryptomator-hub", // TODO
+				"redirect_uri", receiver.getRedirectUri(), //
+				"code", authCode, //
+				"code_verifier", pkce.verifier //
+		);
+		var paramStr = paramString(params).collect(Collectors.joining("&"));
+		var request = HttpRequest.newBuilder(this.tokenEndpoint) //
+				.header("Content-Type", "application/x-www-form-urlencoded") //
+				.POST(HttpRequest.BodyPublishers.ofString(paramStr)) //
+				.build();
+		HttpResponse<InputStream> response = HttpClient.newHttpClient().send(request, HttpResponse.BodyHandlers.ofInputStream());
+		if (response.statusCode() == 200) {
+			var json = parseBody(response);
+			return json.getAsJsonObject().get("access_token").getAsString();
+		} else {
+			LOG.error("Unexpected HTTP response {}: {}", response.statusCode(), readBody(response));
+			throw new IOException("Unexpected HTTP response code " + response.statusCode());
+		}
+	}
+
+	private String readBody(HttpResponse<InputStream> response) throws IOException {
+		try (var in = response.body(); var reader = new InputStreamReader(in, StandardCharsets.UTF_8)) {
+			return CharStreams.toString(reader);
+		}
+	}
+
+	private JsonElement parseBody(HttpResponse<InputStream> response) throws IOException {
+		try (InputStream in = response.body(); Reader reader = new InputStreamReader(in, StandardCharsets.UTF_8)) {
+			return JsonParser.parseReader(reader);
+		} catch (JsonParseException e) {
+			throw new IOException("Failed to parse JSON", e);
+		}
+	}
+
+	private URI appendQueryParams(URI uri, Map<String, String> params) {
+		var oldParams = Splitter.on("&").omitEmptyStrings().splitToStream(Strings.nullToEmpty(uri.getQuery()));
+		var newParams = paramString(params);
+		var query = Streams.concat(oldParams, newParams).collect(Collectors.joining("&"));
+		try {
+			return new URI(uri.getScheme(), uri.getAuthority(), uri.getPath(), query, uri.getFragment());
+		} catch (URISyntaxException e) {
+			throw new IllegalArgumentException("Unable to create URI from given", e);
+		}
+	}
+
+	private Stream<String> paramString(Map<String, String> params) {
+		return params.entrySet().stream().map(param -> {
+			var key = QUERY_STRING_ESCAPER.escape(param.getKey());
+			var value = QUERY_STRING_ESCAPER.escape(param.getValue());
+			return key + "=" + value;
+		});
+	}
+
+	@Override
+	public void close() throws Exception {
+		receiver.close();
+	}
+
+	/**
+	 * @see <a href="https://datatracker.ietf.org/doc/html/rfc7636">RFC 7636</a>
+	 */
+	private static record PKCE(String challenge, String verifier) {
+
+		public static final String METHOD = "S256";
+
+
+		public PKCE(String verifier) {
+			this(BASE64URL.encode(sha256(verifier.getBytes(StandardCharsets.US_ASCII))), verifier);
+		}
+
+		public PKCE() {
+			this(BASE64URL.encode(randomBytes(32)));
+		}
+
+	}
+
+	private static byte[] randomBytes(int len) {
+		byte[] bytes = new byte[len];
+		CSPRNG.nextBytes(bytes);
+		return bytes;
+	}
+
+	private static byte[] sha256(byte[] input) {
+		try {
+			var digest = MessageDigest.getInstance("SHA-256");
+			return digest.digest(input);
+		} catch (NoSuchAlgorithmException e) {
+			throw new IllegalStateException("Every implementation of the Java platform is required to support SHA-256.");
+		}
+	}
+
+}
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowReceiver.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowReceiver.java
new file mode 100644
index 000000000..1ba895ae4
--- /dev/null
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowReceiver.java
@@ -0,0 +1,105 @@
+package org.cryptomator.ui.keyloading.hub;
+
+import org.eclipse.jetty.server.Connector;
+import org.eclipse.jetty.server.Server;
+import org.eclipse.jetty.server.ServerConnector;
+import org.eclipse.jetty.servlet.ServletContextHandler;
+import org.eclipse.jetty.servlet.ServletHolder;
+
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.concurrent.BlockingQueue;
+import java.util.concurrent.LinkedBlockingQueue;
+
+/**
+ * A basic implementation for RFC 8252, Section 7.3:
+ * <p>
+ * We're spawning a local http server on a system-assigned high port and
+ * use <code>http://127.0.0.1:{PORT}/success</code> as a redirect URI.
+ * <p>
+ * Furthermore, we can deliver a html response to inform the user that the
+ * auth workflow finished and she can close the browser tab.
+ */
+class AuthFlowReceiver implements AutoCloseable {
+
+	private static final String LOOPBACK_ADDR = "127.0.0.1";
+	private static final String CALLBACK_PATH = "/callback";
+	private static final String HTML_SUCCESS = """
+			<html>
+			<head>
+				<title>OAuth 2.0 Authentication Token Received</title>
+			</head>
+			<body>
+				<p>Received verification code. You may now close this window.</p>
+			</body>
+			</html>
+			""";
+
+	private final Server server;
+	private final ServerConnector connector;
+	private final CallbackServlet servlet;
+
+	private AuthFlowReceiver(Server server, ServerConnector connector, CallbackServlet servlet) {
+		this.server = server;
+		this.connector = connector;
+		this.servlet = servlet;
+	}
+
+	public static AuthFlowReceiver start() throws Exception {
+		var server = new Server();
+		var context = new ServletContextHandler();
+
+//		var corsFilter = new FilterHolder(new CrossOriginFilter());
+//		corsFilter.setInitParameter(CrossOriginFilter.ALLOWED_ORIGINS_PARAM, "*"); // TODO restrict to hub host
+//		context.addFilter(corsFilter, "/*", EnumSet.of(DispatcherType.REQUEST));
+
+		var servlet = new CallbackServlet();
+		context.addServlet(new ServletHolder(servlet), CALLBACK_PATH);
+
+		var connector = new ServerConnector(server);
+		connector.setPort(0);
+		connector.setHost(LOOPBACK_ADDR);
+		server.setConnectors(new Connector[]{connector});
+		server.setHandler(context);
+		server.start();
+		return new AuthFlowReceiver(server, connector, servlet);
+	}
+
+	public String getRedirectUri() {
+		return "http://" + LOOPBACK_ADDR + ":" + connector.getLocalPort() + CALLBACK_PATH;
+	}
+
+	public Callback receive() throws InterruptedException {
+		return servlet.callback.take();
+	}
+
+	@Override
+	public void close() throws Exception {
+		server.stop();
+	}
+
+	public static record Callback(String error, String code, String state){}
+
+	private static class CallbackServlet extends HttpServlet {
+
+		private final BlockingQueue<Callback> callback = new LinkedBlockingQueue<>();
+
+		@Override
+		protected void doGet(HttpServletRequest req, HttpServletResponse res) throws IOException {
+			var error = req.getParameter("error");
+			var code = req.getParameter("code");
+			var state = req.getParameter("state");
+
+			// TODO 302 use redirect to configurable site
+			res.setContentType("text/html;charset=utf-8");
+			res.getWriter().write(HTML_SUCCESS);
+			res.getWriter().flush();
+
+			callback.add(new Callback(error, code, state));
+		}
+
+	}
+
+}
diff --git a/src/test/java/org/cryptomator/ui/keyloading/hub/AuthFlowIntegrationTest.java b/src/test/java/org/cryptomator/ui/keyloading/hub/AuthFlowIntegrationTest.java
new file mode 100644
index 000000000..af34d0c0a
--- /dev/null
+++ b/src/test/java/org/cryptomator/ui/keyloading/hub/AuthFlowIntegrationTest.java
@@ -0,0 +1,34 @@
+package org.cryptomator.ui.keyloading.hub;
+
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Disabled;
+import org.junit.jupiter.api.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.net.URI;
+
+public class AuthFlowIntegrationTest {
+
+	static {
+		System.setProperty("LOGLEVEL", "INFO");
+	}
+
+	private static final Logger LOG = LoggerFactory.getLogger(AuthFlowIntegrationTest.class);
+	private static final URI AUTH_URI = URI.create("http://localhost:8080/auth/realms/cryptomator/protocol/openid-connect/auth");
+	private static final URI TOKEN_URI = URI.create("http://localhost:8080/auth/realms/cryptomator/protocol/openid-connect/token");
+	private static final String CLIENT_ID = "cryptomator-hub";
+
+	@Test
+	@Disabled // only to be run manually
+	public void testRetrieveToken() throws Exception {
+		try (var authFlow = AuthFlow.init(AUTH_URI, TOKEN_URI, CLIENT_ID)) {
+			var token = authFlow.run(uri -> {
+				LOG.info("Visit {} to authenticate", uri);
+			});
+			LOG.info("Received token {}", token);
+			Assertions.assertNotNull(token);
+		}
+	}
+
+}
\ No newline at end of file

From ec09413575ea3e9770e3b4b84778f5ae37ed4361 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Thu, 12 Aug 2021 12:18:36 +0200
Subject: [PATCH 11/55] renamed controller

---
 src/main/java/org/cryptomator/ui/common/FxmlFile.java    | 2 +-
 .../ui/keyloading/hub/HubKeyLoadingModule.java           | 8 ++++----
 .../ui/keyloading/hub/P12CreateController.java           | 9 ++++-----
 .../cryptomator/ui/keyloading/hub/P12LoadController.java | 9 ++++-----
 .../{AuthController.java => ReceiveKeyController.java}   | 6 +++---
 .../fxml/{hub_auth.fxml => hub_receive_key.fxml}         | 2 +-
 6 files changed, 17 insertions(+), 19 deletions(-)
 rename src/main/java/org/cryptomator/ui/keyloading/hub/{AuthController.java => ReceiveKeyController.java} (89%)
 rename src/main/resources/fxml/{hub_auth.fxml => hub_receive_key.fxml} (95%)

diff --git a/src/main/java/org/cryptomator/ui/common/FxmlFile.java b/src/main/java/org/cryptomator/ui/common/FxmlFile.java
index 6fc36d48c..c9f687ea4 100644
--- a/src/main/java/org/cryptomator/ui/common/FxmlFile.java
+++ b/src/main/java/org/cryptomator/ui/common/FxmlFile.java
@@ -15,7 +15,7 @@ public enum FxmlFile {
 	HEALTH_START_FAIL("/fxml/health_start_fail.fxml"), //
 	HEALTH_CHECK_LIST("/fxml/health_check_list.fxml"), //
 	HUB_P12("/fxml/hub_p12.fxml"), //
-	HUB_AUTH("/fxml/hub_auth.fxml"), //
+	HUB_RECEIVE_KEY("/fxml/hub_receive_key.fxml"), //
 	LOCK_FORCED("/fxml/lock_forced.fxml"), //
 	LOCK_FAILED("/fxml/lock_failed.fxml"), //
 	MAIN_WINDOW("/fxml/main_window.fxml"), //
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
index e774c486a..9c5d7dd94 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
@@ -76,10 +76,10 @@ public abstract class HubKeyLoadingModule {
 	}
 
 	@Provides
-	@FxmlScene(FxmlFile.HUB_AUTH)
+	@FxmlScene(FxmlFile.HUB_RECEIVE_KEY)
 	@KeyLoadingScoped
 	static Scene provideHubAuthScene(@KeyLoading FxmlLoaderFactory fxmlLoaders) {
-		return fxmlLoaders.createScene(FxmlFile.HUB_AUTH);
+		return fxmlLoaders.createScene(FxmlFile.HUB_RECEIVE_KEY);
 	}
 
 	@Binds
@@ -106,7 +106,7 @@ public abstract class HubKeyLoadingModule {
 
 	@Binds
 	@IntoMap
-	@FxControllerKey(AuthController.class)
-	abstract FxController bindAuthController(AuthController controller);
+	@FxControllerKey(ReceiveKeyController.class)
+	abstract FxController bindReceiveKeyController(ReceiveKeyController controller);
 
 }
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/P12CreateController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/P12CreateController.java
index 735950d9e..0700d496b 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/P12CreateController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/P12CreateController.java
@@ -8,7 +8,6 @@ import org.cryptomator.ui.common.FxController;
 import org.cryptomator.ui.common.FxmlFile;
 import org.cryptomator.ui.common.FxmlScene;
 import org.cryptomator.ui.common.NewPasswordController;
-import org.cryptomator.ui.common.UserInteractionLock;
 import org.cryptomator.ui.keyloading.KeyLoading;
 import org.cryptomator.ui.keyloading.KeyLoadingScoped;
 import org.slf4j.Logger;
@@ -40,7 +39,7 @@ public class P12CreateController implements FxController  {
 	private final Stage window;
 	private final Environment env;
 	private final AtomicReference<KeyPair> keyPairRef;
-	private final Lazy<Scene> authScene;
+	private final Lazy<Scene> receiveKeyScene;
 
 	private final BooleanProperty userInteractionDisabled = new SimpleBooleanProperty();
 	private final ObjectBinding<ContentDisplay> unlockButtonContentDisplay = Bindings.createObjectBinding(this::getUnlockButtonContentDisplay, userInteractionDisabled);
@@ -49,11 +48,11 @@ public class P12CreateController implements FxController  {
 	public NewPasswordController newPasswordController;
 
 	@Inject
-	public P12CreateController(@KeyLoading Stage window, Environment env, AtomicReference<KeyPair> keyPairRef, @FxmlScene(FxmlFile.HUB_AUTH) Lazy<Scene> authScene) {
+	public P12CreateController(@KeyLoading Stage window, Environment env, AtomicReference<KeyPair> keyPairRef, @FxmlScene(FxmlFile.HUB_RECEIVE_KEY) Lazy<Scene> receiveKeyScene) {
 		this.window = window;
 		this.env = env;
 		this.keyPairRef = keyPairRef;
-		this.authScene = authScene;
+		this.receiveKeyScene = receiveKeyScene;
 		this.window.addEventHandler(WindowEvent.WINDOW_HIDING, this::windowClosed);
 	}
 
@@ -82,7 +81,7 @@ public class P12CreateController implements FxController  {
 			var keyPair = P12AccessHelper.createNew(p12File, pw);
 			setKeyPair(keyPair);
 			LOG.debug("Created .p12 file {}", p12File);
-			window.setScene(authScene.get());
+			window.setScene(receiveKeyScene.get());
 		} catch (IOException e) {
 			LOG.error("Failed to load .p12 file.", e);
 			// TODO
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/P12LoadController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/P12LoadController.java
index d774aa4c7..9759e92e9 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/P12LoadController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/P12LoadController.java
@@ -8,7 +8,6 @@ import org.cryptomator.ui.common.Animations;
 import org.cryptomator.ui.common.FxController;
 import org.cryptomator.ui.common.FxmlFile;
 import org.cryptomator.ui.common.FxmlScene;
-import org.cryptomator.ui.common.UserInteractionLock;
 import org.cryptomator.ui.controls.NiceSecurePasswordField;
 import org.cryptomator.ui.keyloading.KeyLoading;
 import org.cryptomator.ui.keyloading.KeyLoadingScoped;
@@ -42,18 +41,18 @@ public class P12LoadController implements FxController {
 	private final Stage window;
 	private final Environment env;
 	private final AtomicReference<KeyPair> keyPairRef;
-	private final Lazy<Scene> authScene;
+	private final Lazy<Scene> receiveKeyScene;
 	private final BooleanProperty userInteractionDisabled = new SimpleBooleanProperty();
 	private final ObjectBinding<ContentDisplay> unlockButtonContentDisplay = Bindings.createObjectBinding(this::getUnlockButtonContentDisplay, userInteractionDisabled);
 
 	public NiceSecurePasswordField passwordField;
 
 	@Inject
-	public P12LoadController(@KeyLoading Stage window, Environment env, AtomicReference<KeyPair> keyPairRef, @FxmlScene(FxmlFile.HUB_AUTH) Lazy<Scene> authScene) {
+	public P12LoadController(@KeyLoading Stage window, Environment env, AtomicReference<KeyPair> keyPairRef, @FxmlScene(FxmlFile.HUB_RECEIVE_KEY) Lazy<Scene> receiveKeyScene) {
 		this.window = window;
 		this.env = env;
 		this.keyPairRef = keyPairRef;
-		this.authScene = authScene;
+		this.receiveKeyScene = receiveKeyScene;
 		this.window.addEventHandler(WindowEvent.WINDOW_HIDING, this::windowClosed);
 	}
 
@@ -79,7 +78,7 @@ public class P12LoadController implements FxController {
 			var keyPair = P12AccessHelper.loadExisting(p12File, pw);
 			setKeyPair(keyPair);
 			LOG.debug("Loaded .p12 file {}", p12File);
-			window.setScene(authScene.get());
+			window.setScene(receiveKeyScene.get());
 		} catch (InvalidPassphraseException e) {
 			LOG.warn("Invalid passphrase entered for .p12 file");
 			Animations.createShakeWindowAnimation(window).playFromStart();
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
similarity index 89%
rename from src/main/java/org/cryptomator/ui/keyloading/hub/AuthController.java
rename to src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
index fdc574225..77f33ee5e 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
@@ -28,9 +28,9 @@ import java.util.concurrent.ExecutorService;
 import java.util.concurrent.atomic.AtomicReference;
 
 @KeyLoadingScoped
-public class AuthController implements FxController {
+public class ReceiveKeyController implements FxController {
 
-	private static final Logger LOG = LoggerFactory.getLogger(AuthController.class);
+	private static final Logger LOG = LoggerFactory.getLogger(ReceiveKeyController.class);
 
 	private final Application application;
 	private final ExecutorService executor;
@@ -45,7 +45,7 @@ public class AuthController implements FxController {
 	private final AuthReceiveTask receiveTask;
 
 	@Inject
-	public AuthController(Application application, ExecutorService executor, @KeyLoading Stage window, AtomicReference<KeyPair> keyPairRef, AtomicReference<EciesParams> authParamsRef, UserInteractionLock<HubKeyLoadingModule.AuthFlow> authFlowLock, AtomicReference<URI> hubUriRef, ErrorComponent.Builder errorComponent) {
+	public ReceiveKeyController(Application application, ExecutorService executor, @KeyLoading Stage window, AtomicReference<KeyPair> keyPairRef, AtomicReference<EciesParams> authParamsRef, UserInteractionLock<HubKeyLoadingModule.AuthFlow> authFlowLock, AtomicReference<URI> hubUriRef, ErrorComponent.Builder errorComponent) {
 		this.application = application;
 		this.executor = executor;
 		this.window = window;
diff --git a/src/main/resources/fxml/hub_auth.fxml b/src/main/resources/fxml/hub_receive_key.fxml
similarity index 95%
rename from src/main/resources/fxml/hub_auth.fxml
rename to src/main/resources/fxml/hub_receive_key.fxml
index f854e9014..e36731dc5 100644
--- a/src/main/resources/fxml/hub_auth.fxml
+++ b/src/main/resources/fxml/hub_receive_key.fxml
@@ -13,7 +13,7 @@
 <?import javafx.scene.text.TextFlow?>
 <VBox xmlns:fx="http://javafx.com/fxml"
 	  xmlns="http://javafx.com/javafx"
-	  fx:controller="org.cryptomator.ui.keyloading.hub.AuthController"
+	  fx:controller="org.cryptomator.ui.keyloading.hub.ReceiveKeyController"
 	  minWidth="400"
 	  maxWidth="400"
 	  minHeight="145"

From 75644a35ec1a73c34bdf8584d64b867e7208427d Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Thu, 12 Aug 2021 12:19:09 +0200
Subject: [PATCH 12/55] cleanup

[ci skip]
---
 .../java/org/cryptomator/ui/keyloading/hub/AuthFlow.java    | 4 ++--
 .../org/cryptomator/ui/keyloading/hub/AuthFlowReceiver.java | 6 +-----
 2 files changed, 3 insertions(+), 7 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlow.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlow.java
index 343c12348..9f02de59a 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlow.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlow.java
@@ -65,8 +65,8 @@ class AuthFlow implements AutoCloseable {
 	 * @param authEndpoint Address of the <a href="https://datatracker.ietf.org/doc/html/rfc6749#section-3.1">Authorization Endpoint</a>
 	 * @param tokenEndpoint Address of the <a href="https://datatracker.ietf.org/doc/html/rfc6749#section-3.2">Token Endpoint</a>
 	 * @param clientId The <a href="https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1"><code>client_id</code></a>
-	 * @return An authorization
-	 * @throws Exception
+	 * @return An authorization flow
+	 * @throws Exception In case of any problems starting the server
 	 */
 	public static AuthFlow init(URI authEndpoint, URI tokenEndpoint, String clientId) throws Exception {
 		var receiver = AuthFlowReceiver.start();
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowReceiver.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowReceiver.java
index 1ba895ae4..6b8383884 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowReceiver.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowReceiver.java
@@ -17,7 +17,7 @@ import java.util.concurrent.LinkedBlockingQueue;
  * A basic implementation for RFC 8252, Section 7.3:
  * <p>
  * We're spawning a local http server on a system-assigned high port and
- * use <code>http://127.0.0.1:{PORT}/success</code> as a redirect URI.
+ * use <code>http://127.0.0.1:{PORT}/callback</code> as a redirect URI.
  * <p>
  * Furthermore, we can deliver a html response to inform the user that the
  * auth workflow finished and she can close the browser tab.
@@ -51,10 +51,6 @@ class AuthFlowReceiver implements AutoCloseable {
 		var server = new Server();
 		var context = new ServletContextHandler();
 
-//		var corsFilter = new FilterHolder(new CrossOriginFilter());
-//		corsFilter.setInitParameter(CrossOriginFilter.ALLOWED_ORIGINS_PARAM, "*"); // TODO restrict to hub host
-//		context.addFilter(corsFilter, "/*", EnumSet.of(DispatcherType.REQUEST));
-
 		var servlet = new CallbackServlet();
 		context.addServlet(new ServletHolder(servlet), CALLBACK_PATH);
 

From a3a96496b6998618d792dfee3bc3ce8331771749 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Thu, 12 Aug 2021 16:18:22 +0200
Subject: [PATCH 13/55] use new auth flow talking directly to Authorization
 Server and Resource Server instead of web frontend

---
 pom.xml                                       |   2 +-
 .../org/cryptomator/ui/common/FxmlFile.java   |   1 +
 .../ui/keyloading/hub/AuthFlow.java           |  18 +-
 .../ui/keyloading/hub/AuthFlowController.java | 141 +++++++++++++++
 .../ui/keyloading/hub/AuthFlowTask.java       |  33 ++++
 .../ui/keyloading/hub/AuthReceiveTask.java    |  35 ----
 .../ui/keyloading/hub/AuthReceiver.java       | 120 -------------
 .../ui/keyloading/hub/HttpHelper.java         |  31 ++++
 .../keyloading/hub/HubKeyLoadingModule.java   |  35 ++--
 .../keyloading/hub/HubKeyLoadingStrategy.java |  27 +--
 .../ui/keyloading/hub/P12Controller.java      |   6 +-
 .../keyloading/hub/P12CreateController.java   |   8 +-
 .../ui/keyloading/hub/P12LoadController.java  |   8 +-
 .../keyloading/hub/ReceiveKeyController.java  | 168 +++++++++++-------
 .../ui/keyloading/hub/ReceiveKeyState.java    |   6 +
 src/main/resources/fxml/hub_auth_flow.fxml    |  42 +++++
 src/main/resources/fxml/hub_receive_key.fxml  |  25 ++-
 src/main/resources/license/THIRD-PARTY.txt    |   8 +-
 .../ui/keyloading/hub/AuthReceiverTest.java   |  23 ---
 19 files changed, 428 insertions(+), 309 deletions(-)
 create mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowController.java
 create mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowTask.java
 delete mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/AuthReceiveTask.java
 delete mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/AuthReceiver.java
 create mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/HttpHelper.java
 create mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyState.java
 create mode 100644 src/main/resources/fxml/hub_auth_flow.fxml
 delete mode 100644 src/test/java/org/cryptomator/ui/keyloading/hub/AuthReceiverTest.java

diff --git a/pom.xml b/pom.xml
index 2fdd357f7..45fc9ac1b 100644
--- a/pom.xml
+++ b/pom.xml
@@ -27,7 +27,7 @@
 		<nonModularGroupIds>com.github.serceman,com.github.jnr,org.ow2.asm,net.java.dev.jna,org.apache.jackrabbit,org.apache.httpcomponents,de.swiesend,org.purejava,com.github.hypfvieh</nonModularGroupIds>
 
 		<!-- cryptomator dependencies -->
-		<cryptomator.cryptofs.version>2.1.0-beta9</cryptomator.cryptofs.version>
+		<cryptomator.cryptofs.version>2.1.0</cryptomator.cryptofs.version>
 		<cryptomator.integrations.version>1.0.0-rc1</cryptomator.integrations.version>
 		<cryptomator.integrations.win.version>1.0.0-beta2</cryptomator.integrations.win.version>
 		<cryptomator.integrations.mac.version>1.0.0-beta2</cryptomator.integrations.mac.version>
diff --git a/src/main/java/org/cryptomator/ui/common/FxmlFile.java b/src/main/java/org/cryptomator/ui/common/FxmlFile.java
index c9f687ea4..aec859702 100644
--- a/src/main/java/org/cryptomator/ui/common/FxmlFile.java
+++ b/src/main/java/org/cryptomator/ui/common/FxmlFile.java
@@ -14,6 +14,7 @@ public enum FxmlFile {
 	HEALTH_START("/fxml/health_start.fxml"), //
 	HEALTH_START_FAIL("/fxml/health_start_fail.fxml"), //
 	HEALTH_CHECK_LIST("/fxml/health_check_list.fxml"), //
+	HUB_AUTH_FLOW("/fxml/hub_auth_flow.fxml"), //
 	HUB_P12("/fxml/hub_p12.fxml"), //
 	HUB_RECEIVE_KEY("/fxml/hub_receive_key.fxml"), //
 	LOCK_FORCED("/fxml/lock_forced.fxml"), //
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlow.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlow.java
index 9f02de59a..c587889f6 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlow.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlow.java
@@ -127,28 +127,14 @@ class AuthFlow implements AutoCloseable {
 				.build();
 		HttpResponse<InputStream> response = HttpClient.newHttpClient().send(request, HttpResponse.BodyHandlers.ofInputStream());
 		if (response.statusCode() == 200) {
-			var json = parseBody(response);
+			var json = HttpHelper.parseBody(response);
 			return json.getAsJsonObject().get("access_token").getAsString();
 		} else {
-			LOG.error("Unexpected HTTP response {}: {}", response.statusCode(), readBody(response));
+			LOG.error("Unexpected HTTP response {}: {}", response.statusCode(), HttpHelper.readBody(response));
 			throw new IOException("Unexpected HTTP response code " + response.statusCode());
 		}
 	}
 
-	private String readBody(HttpResponse<InputStream> response) throws IOException {
-		try (var in = response.body(); var reader = new InputStreamReader(in, StandardCharsets.UTF_8)) {
-			return CharStreams.toString(reader);
-		}
-	}
-
-	private JsonElement parseBody(HttpResponse<InputStream> response) throws IOException {
-		try (InputStream in = response.body(); Reader reader = new InputStreamReader(in, StandardCharsets.UTF_8)) {
-			return JsonParser.parseReader(reader);
-		} catch (JsonParseException e) {
-			throw new IOException("Failed to parse JSON", e);
-		}
-	}
-
 	private URI appendQueryParams(URI uri, Map<String, String> params) {
 		var oldParams = Splitter.on("&").omitEmptyStrings().splitToStream(Strings.nullToEmpty(uri.getQuery()));
 		var newParams = paramString(params);
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowController.java
new file mode 100644
index 000000000..42114f29f
--- /dev/null
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowController.java
@@ -0,0 +1,141 @@
+package org.cryptomator.ui.keyloading.hub;
+
+import dagger.Lazy;
+import org.cryptomator.common.vaults.Vault;
+import org.cryptomator.ui.common.ErrorComponent;
+import org.cryptomator.ui.common.FxController;
+import org.cryptomator.ui.common.FxmlFile;
+import org.cryptomator.ui.common.FxmlScene;
+import org.cryptomator.ui.common.UserInteractionLock;
+import org.cryptomator.ui.keyloading.KeyLoading;
+import org.cryptomator.ui.keyloading.KeyLoadingScoped;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.inject.Inject;
+import javax.inject.Named;
+import javafx.application.Application;
+import javafx.beans.binding.Bindings;
+import javafx.beans.binding.StringBinding;
+import javafx.beans.property.ObjectProperty;
+import javafx.beans.property.SimpleObjectProperty;
+import javafx.concurrent.WorkerStateEvent;
+import javafx.fxml.FXML;
+import javafx.scene.Scene;
+import javafx.stage.Stage;
+import javafx.stage.WindowEvent;
+import java.io.IOException;
+import java.net.URI;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.atomic.AtomicReference;
+
+@KeyLoadingScoped
+public class AuthFlowController implements FxController {
+
+	private static final Logger LOG = LoggerFactory.getLogger(AuthFlowController.class);
+	private static final String JWT_KEY_AUTH_ENDPOINT = "authEndpoint";
+	private static final String JWT_KEY_TOKEN_ENDPOINT = "tokenEndpoint";
+	private static final String JWT_KEY_CLIENT_ID = "clientId";
+
+	private final Application application;
+	private final Stage window;
+	private final ExecutorService executor;
+	private final Vault vault;
+	private final AtomicReference<String> tokenRef;
+	private final UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result;
+	private final Lazy<Scene> receiveKeyScene;
+	private final ErrorComponent.Builder errorComponent;
+	private final ObjectProperty<URI> authUri;
+	private final StringBinding authHost;
+	private AuthFlowTask task;
+
+	@Inject
+	public AuthFlowController(Application application, @KeyLoading Stage window, ExecutorService executor, @KeyLoading Vault vault, @Named("bearerToken") AtomicReference<String> tokenRef, UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result, @FxmlScene(FxmlFile.HUB_RECEIVE_KEY) Lazy<Scene> receiveKeyScene, ErrorComponent.Builder errorComponent) {
+		this.application = application;
+		this.window = window;
+		this.executor = executor;
+		this.vault = vault;
+		this.tokenRef = tokenRef;
+		this.result = result;
+		this.receiveKeyScene = receiveKeyScene;
+		this.errorComponent = errorComponent;
+		this.authUri = new SimpleObjectProperty<>();
+		this.authHost = Bindings.createStringBinding(this::getAuthHost, authUri);
+		this.window.addEventHandler(WindowEvent.WINDOW_HIDING, this::windowClosed);
+	}
+
+	@FXML
+	public void initialize() {
+		assert task == null;
+		try {
+			task = setupTask();
+			task.setOnFailed(this::authFailed);
+			task.setOnSucceeded(this::authSucceeded);
+			executor.submit(task);
+		} catch (IOException e) {
+			LOG.error("Unreadable vault config", e);
+			errorComponent.cause(e).window(window).build().showErrorScene();
+		}
+	}
+
+	@FXML
+	public void browse() {
+		application.getHostServices().showDocument(authUri.get().toString());
+	}
+
+	@FXML
+	public void cancel() {
+		window.close();
+	}
+
+	private AuthFlowTask setupTask() throws IOException {
+		var authUri = URI.create(vault.getUnverifiedVaultConfig().get(JWT_KEY_AUTH_ENDPOINT).asString());
+		var tokenUri = URI.create(vault.getUnverifiedVaultConfig().get(JWT_KEY_TOKEN_ENDPOINT).asString());
+		var clientId = vault.getUnverifiedVaultConfig().get(JWT_KEY_CLIENT_ID).asString();
+		return new AuthFlowTask(authUri, tokenUri, clientId, this::setAuthUri);
+	}
+
+	private void setAuthUri(URI uri) {
+		authUri.set(uri);
+		browse();
+	}
+
+	private void windowClosed(WindowEvent windowEvent) {
+		// stop server, if it is still running
+		task.cancel();
+		// if not already interacted, mark this workflow as cancelled:
+		if (result.awaitingInteraction().get()) {
+			LOG.debug("Authorization cancelled by user.");
+			result.interacted(HubKeyLoadingModule.HubLoadingResult.CANCELLED);
+		}
+	}
+
+	private void authSucceeded(WorkerStateEvent workerStateEvent) {
+		tokenRef.set(task.getValue());
+		window.requestFocus();
+		window.setScene(receiveKeyScene.get());
+	}
+
+	private void authFailed(WorkerStateEvent workerStateEvent) {
+		result.interacted(HubKeyLoadingModule.HubLoadingResult.FAILED);
+		window.requestFocus();
+		var exception = workerStateEvent.getSource().getException();
+		LOG.error("Authentication failed", exception);
+		errorComponent.cause(exception).window(window).build().showErrorScene();
+	}
+
+	/* Getter/Setter */
+
+	public StringBinding authHostProperty() {
+		return authHost;
+	}
+
+	public String getAuthHost() {
+		var uri = authUri.get();
+		if (uri == null) {
+			return "";
+		} else {
+			return uri.getAuthority().toString();
+		}
+	}
+}
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowTask.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowTask.java
new file mode 100644
index 000000000..4f303b712
--- /dev/null
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowTask.java
@@ -0,0 +1,33 @@
+package org.cryptomator.ui.keyloading.hub;
+
+import javafx.application.Platform;
+import javafx.concurrent.Task;
+import java.net.URI;
+import java.util.function.Consumer;
+
+class AuthFlowTask extends Task<String> {
+
+	private final URI authUri;
+	private final URI tokenUri;
+	private final String clientId;
+	private final Consumer<URI> redirectUriConsumer;
+
+	/**
+	 * Spawns a server and waits for the redirectUri to be called.
+	 *
+	 * @param redirectUriConsumer A callback invoked with the redirectUri, as soon as the server has started
+	 */
+	public AuthFlowTask(URI authUri, URI tokenUri, String clientId, Consumer<URI> redirectUriConsumer) {
+		this.authUri = authUri;
+		this.tokenUri = tokenUri;
+		this.clientId = clientId;
+		this.redirectUriConsumer = redirectUriConsumer;
+	}
+
+	@Override
+	protected String call() throws Exception {
+		try (var authFlow = AuthFlow.init(authUri, tokenUri, clientId)) {
+			return authFlow.run(uri -> Platform.runLater(() -> redirectUriConsumer.accept(uri)));
+		}
+	}
+}
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthReceiveTask.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthReceiveTask.java
deleted file mode 100644
index bab4d6cf9..000000000
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthReceiveTask.java
+++ /dev/null
@@ -1,35 +0,0 @@
-package org.cryptomator.ui.keyloading.hub;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import javafx.application.Platform;
-import javafx.concurrent.Task;
-import java.net.URI;
-import java.util.function.Consumer;
-
-class AuthReceiveTask extends Task<EciesParams> {
-
-	private static final Logger LOG = LoggerFactory.getLogger(AuthReceiveTask.class);
-
-	private final Consumer<URI> redirectUriConsumer;
-
-	/**
-	 * Spawns a server and waits for the redirectUri to be called.
-	 *
-	 * @param redirectUriConsumer A callback invoked with the redirectUri, as soon as the server has started
-	 */
-	public AuthReceiveTask(Consumer<URI> redirectUriConsumer) {
-		this.redirectUriConsumer = redirectUriConsumer;
-	}
-
-	@Override
-	protected EciesParams call() throws Exception {
-		try (var receiver = AuthReceiver.start()) {
-			var redirectUri = receiver.getRedirectURL();
-			Platform.runLater(() -> redirectUriConsumer.accept(redirectUri));
-			LOG.debug("Waiting for key on {}", redirectUri);
-			return receiver.receive();
-		}
-	}
-}
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthReceiver.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthReceiver.java
deleted file mode 100644
index bb2c5b76a..000000000
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthReceiver.java
+++ /dev/null
@@ -1,120 +0,0 @@
-package org.cryptomator.ui.keyloading.hub;
-
-import org.eclipse.jetty.server.Connector;
-import org.eclipse.jetty.server.Server;
-import org.eclipse.jetty.server.ServerConnector;
-import org.eclipse.jetty.servlet.FilterHolder;
-import org.eclipse.jetty.servlet.ServletContextHandler;
-import org.eclipse.jetty.servlet.ServletHolder;
-import org.eclipse.jetty.servlets.CrossOriginFilter;
-
-import javax.servlet.DispatcherType;
-import javax.servlet.http.HttpServlet;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-import java.net.URI;
-import java.net.URISyntaxException;
-import java.nio.charset.StandardCharsets;
-import java.util.EnumSet;
-import java.util.concurrent.BlockingQueue;
-import java.util.concurrent.LinkedBlockingQueue;
-
-/**
- * A basic implementation for RFC 8252, Section 7.3:
- * <p>
- * We're spawning a local http server on a system-assigned high port and
- * use <code>http://127.0.0.1:{PORT}/success</code> as a redirect URI.
- * <p>
- * Furthermore, we can deliver a html response to inform the user that the
- * auth workflow finished and she can close the browser tab.
- */
-class AuthReceiver implements AutoCloseable {
-
-	private static final String REDIRECT_SCHEME = "http";
-	private static final String LOOPBACK_ADDR = "127.0.0.1";
-	private static final String JSON_200 = """
-			{"status": "success"}
-			""";
-	private static final String JSON_400 = """
-			{"status": "missing param"}
-			""";
-
-	private final Server server;
-	private final ServerConnector connector;
-	private final CallbackServlet servlet;
-
-	private AuthReceiver(Server server, ServerConnector connector, CallbackServlet servlet) {
-		assert server.isRunning();
-		this.server = server;
-		this.connector = connector;
-		this.servlet = servlet;
-	}
-
-	public URI getRedirectURL() {
-		try {
-			return new URI(REDIRECT_SCHEME, null, LOOPBACK_ADDR, connector.getLocalPort(), null, null, null);
-		} catch (URISyntaxException e) {
-			throw new IllegalStateException("URI constructed from well-formed components.", e);
-		}
-	}
-
-	public static AuthReceiver start() throws Exception {
-		var server = new Server();
-		var context = new ServletContextHandler();
-
-		var corsFilter = new FilterHolder(new CrossOriginFilter());
-		corsFilter.setInitParameter(CrossOriginFilter.ALLOWED_ORIGINS_PARAM, "*"); // TODO restrict to hub host
-		context.addFilter(corsFilter, "/*", EnumSet.of(DispatcherType.REQUEST));
-
-		var servlet = new CallbackServlet();
-		context.addServlet(new ServletHolder(servlet), "/*");
-
-		var connector = new ServerConnector(server);
-		connector.setPort(0);
-		connector.setHost(LOOPBACK_ADDR);
-		server.setConnectors(new Connector[]{connector});
-		server.setHandler(context);
-		server.start();
-		return new AuthReceiver(server, connector, servlet);
-	}
-
-	public EciesParams receive() throws InterruptedException {
-		return servlet.receivedKeys.take();
-	}
-
-	@Override
-	public void close() throws Exception {
-		server.stop();
-	}
-
-	private static class CallbackServlet extends HttpServlet {
-
-		private final BlockingQueue<EciesParams> receivedKeys = new LinkedBlockingQueue<>();
-
-		// TODO change to POST?
-		@Override
-		protected void doGet(HttpServletRequest req, HttpServletResponse res) throws IOException {
-			var m = req.getParameter("m"); // encrypted masterkey
-			var epk = req.getParameter("epk"); // ephemeral public key
-			byte[] response;
-			if (m != null && epk != null) {
-				res.setStatus(HttpServletResponse.SC_OK);
-				response = JSON_200.getBytes(StandardCharsets.UTF_8);
-			} else {
-				res.setStatus(HttpServletResponse.SC_BAD_REQUEST);
-				response = JSON_400.getBytes(StandardCharsets.UTF_8);
-			}
-			res.setContentType("application/json;charset=utf-8");
-			res.setContentLength(response.length);
-			res.getOutputStream().write(response);
-			res.getOutputStream().flush();
-
-			// the following line might trigger a server shutdown,
-			// so let's make sure the response is flushed first
-			if (m != null && epk != null) {
-				receivedKeys.add(new EciesParams(m, epk));
-			}
-		}
-	}
-}
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/HttpHelper.java b/src/main/java/org/cryptomator/ui/keyloading/hub/HttpHelper.java
new file mode 100644
index 000000000..7de2902be
--- /dev/null
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HttpHelper.java
@@ -0,0 +1,31 @@
+package org.cryptomator.ui.keyloading.hub;
+
+import com.google.common.io.CharStreams;
+import com.google.gson.JsonElement;
+import com.google.gson.JsonParseException;
+import com.google.gson.JsonParser;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.Reader;
+import java.net.http.HttpResponse;
+import java.nio.charset.StandardCharsets;
+
+class HttpHelper {
+
+	public static String readBody(HttpResponse<InputStream> response) throws IOException {
+		try (var in = response.body(); var reader = new InputStreamReader(in, StandardCharsets.UTF_8)) {
+			return CharStreams.toString(reader);
+		}
+	}
+
+	public static JsonElement parseBody(HttpResponse<InputStream> response) throws IOException {
+		try (InputStream in = response.body(); Reader reader = new InputStreamReader(in, StandardCharsets.UTF_8)) {
+			return JsonParser.parseReader(reader);
+		} catch (JsonParseException e) {
+			throw new IOException("Failed to parse JSON", e);
+		}
+	}
+
+}
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
index 9c5d7dd94..5de793857 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
@@ -17,6 +17,7 @@ import org.cryptomator.ui.keyloading.KeyLoading;
 import org.cryptomator.ui.keyloading.KeyLoadingScoped;
 import org.cryptomator.ui.keyloading.KeyLoadingStrategy;
 
+import javax.inject.Named;
 import javafx.scene.Scene;
 import java.net.URI;
 import java.security.KeyPair;
@@ -26,7 +27,7 @@ import java.util.concurrent.atomic.AtomicReference;
 @Module
 public abstract class HubKeyLoadingModule {
 
-	public enum AuthFlow {
+	public enum HubLoadingResult {
 		SUCCESS,
 		FAILED,
 		CANCELLED
@@ -39,23 +40,24 @@ public abstract class HubKeyLoadingModule {
 	}
 
 	@Provides
+	@Named("bearerToken")
 	@KeyLoadingScoped
-	static AtomicReference<EciesParams> provideAuthParamsRef() {
+	static AtomicReference<String> provideBearerTokenRef() {
 		return new AtomicReference<>();
 	}
 
 	@Provides
 	@KeyLoadingScoped
-	static UserInteractionLock<AuthFlow> provideAuthFlowLock() {
+	static AtomicReference<EciesParams> provideEciesParamsRef() {
+		return new AtomicReference<>();
+	}
+
+	@Provides
+	@KeyLoadingScoped
+	static UserInteractionLock<HubLoadingResult> provideResultLock() {
 		return new UserInteractionLock<>(null);
 	}
 
-	@Provides
-	@KeyLoadingScoped
-	static AtomicReference<URI> provideHubUri() {
-		return new AtomicReference<>();
-	}
-
 	@Binds
 	@IntoMap
 	@KeyLoadingScoped
@@ -75,10 +77,18 @@ public abstract class HubKeyLoadingModule {
 		return fxmlLoaders.createScene(FxmlFile.HUB_P12);
 	}
 
+	@Provides
+	@FxmlScene(FxmlFile.HUB_AUTH_FLOW)
+	@KeyLoadingScoped
+	static Scene provideHubAuthFlowScene(@KeyLoading FxmlLoaderFactory fxmlLoaders) {
+		return fxmlLoaders.createScene(FxmlFile.HUB_AUTH_FLOW);
+	}
+
+
 	@Provides
 	@FxmlScene(FxmlFile.HUB_RECEIVE_KEY)
 	@KeyLoadingScoped
-	static Scene provideHubAuthScene(@KeyLoading FxmlLoaderFactory fxmlLoaders) {
+	static Scene provideHubReceiveKeyScene(@KeyLoading FxmlLoaderFactory fxmlLoaders) {
 		return fxmlLoaders.createScene(FxmlFile.HUB_RECEIVE_KEY);
 	}
 
@@ -97,6 +107,11 @@ public abstract class HubKeyLoadingModule {
 	@FxControllerKey(P12CreateController.class)
 	abstract FxController bindP12CreateController(P12CreateController controller);
 
+	@Binds
+	@IntoMap
+	@FxControllerKey(AuthFlowController.class)
+	abstract FxController bindAuthFlowController(AuthFlowController controller);
+
 	@Provides
 	@IntoMap
 	@FxControllerKey(NewPasswordController.class)
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java
index a7f8f41e0..1343f8cc9 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java
@@ -19,7 +19,6 @@ import javafx.scene.Scene;
 import javafx.stage.Stage;
 import javafx.stage.Window;
 import java.net.URI;
-import java.net.URISyntaxException;
 import java.security.KeyPair;
 import java.util.concurrent.atomic.AtomicReference;
 
@@ -33,28 +32,26 @@ public class HubKeyLoadingStrategy implements KeyLoadingStrategy {
 	private final Vault vault;
 	private final Stage window;
 	private final Lazy<Scene> p12LoadingScene;
-	private final UserInteractionLock<HubKeyLoadingModule.AuthFlow> userInteraction;
-	private final AtomicReference<URI> hubUriRef;
+	private final UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> userInteraction;
 	private final AtomicReference<KeyPair> keyPairRef;
-	private final AtomicReference<EciesParams> authParamsRef;
+	private final AtomicReference<EciesParams> eciesParams;
 
 	@Inject
-	public HubKeyLoadingStrategy(@KeyLoading Vault vault, @KeyLoading Stage window, @FxmlScene(FxmlFile.HUB_P12) Lazy<Scene> p12LoadingScene, UserInteractionLock<HubKeyLoadingModule.AuthFlow> userInteraction, AtomicReference<URI> hubUriRef, AtomicReference<KeyPair> keyPairRef, AtomicReference<EciesParams> authParamsRef) {
+	public HubKeyLoadingStrategy(@KeyLoading Vault vault, @KeyLoading Stage window, @FxmlScene(FxmlFile.HUB_P12) Lazy<Scene> p12LoadingScene, UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> userInteraction, AtomicReference<KeyPair> keyPairRef, AtomicReference<EciesParams> eciesParams) {
 		this.vault = vault;
 		this.window = window;
 		this.p12LoadingScene = p12LoadingScene;
 		this.userInteraction = userInteraction;
-		this.hubUriRef = hubUriRef;
 		this.keyPairRef = keyPairRef;
-		this.authParamsRef = authParamsRef;
+		this.eciesParams = eciesParams;
 	}
 
 	@Override
 	public Masterkey loadKey(URI keyId) throws MasterkeyLoadingFailedException {
-		hubUriRef.set(getHubUri(keyId));
+		Preconditions.checkArgument(keyId.getScheme().startsWith(SCHEME_PREFIX));
 		try {
 			return switch (auth()) {
-				case SUCCESS -> EciesHelper.decryptMasterkey(keyPairRef.get(), authParamsRef.get());
+				case SUCCESS -> EciesHelper.decryptMasterkey(keyPairRef.get(), eciesParams.get());
 				case FAILED -> throw new MasterkeyLoadingFailedException("failed to load keypair");
 				case CANCELLED -> throw new UnlockCancelledException("User cancelled auth workflow");
 			};
@@ -72,17 +69,7 @@ public class HubKeyLoadingStrategy implements KeyLoadingStrategy {
 		}
 	}
 
-	private URI getHubUri(URI keyId) {
-		Preconditions.checkArgument(keyId.getScheme().startsWith(SCHEME_PREFIX));
-		var hubUriScheme = keyId.getScheme().substring(SCHEME_PREFIX.length());
-		try {
-			return new URI(hubUriScheme, keyId.getSchemeSpecificPart(), keyId.getFragment());
-		} catch (URISyntaxException e) {
-			throw new IllegalStateException("URI constructed from params known to be valid", e);
-		}
-	}
-
-	private HubKeyLoadingModule.AuthFlow auth() throws InterruptedException {
+	private HubKeyLoadingModule.HubLoadingResult auth() throws InterruptedException {
 		Platform.runLater(() -> {
 			window.setScene(p12LoadingScene.get());
 			window.show();
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/P12Controller.java b/src/main/java/org/cryptomator/ui/keyloading/hub/P12Controller.java
index 84df68749..e9a70dc8d 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/P12Controller.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/P12Controller.java
@@ -20,10 +20,10 @@ public class P12Controller implements FxController {
 
 	private final Stage window;
 	private final Environment env;
-	private final UserInteractionLock<HubKeyLoadingModule.AuthFlow> userInteraction;
+	private final UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> userInteraction;
 
 	@Inject
-	public P12Controller(@KeyLoading Stage window, Environment env, UserInteractionLock<HubKeyLoadingModule.AuthFlow> userInteraction) {
+	public P12Controller(@KeyLoading Stage window, Environment env, UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> userInteraction) {
 		this.window = window;
 		this.env = env;
 		this.userInteraction = userInteraction;
@@ -34,7 +34,7 @@ public class P12Controller implements FxController {
 		// if not already interacted, mark this workflow as cancelled:
 		if (userInteraction.awaitingInteraction().get()) {
 			LOG.debug("P12 loading cancelled by user.");
-			userInteraction.interacted(HubKeyLoadingModule.AuthFlow.CANCELLED);
+			userInteraction.interacted(HubKeyLoadingModule.HubLoadingResult.CANCELLED);
 		}
 	}
 
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/P12CreateController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/P12CreateController.java
index 0700d496b..3f98e62ca 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/P12CreateController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/P12CreateController.java
@@ -39,7 +39,7 @@ public class P12CreateController implements FxController  {
 	private final Stage window;
 	private final Environment env;
 	private final AtomicReference<KeyPair> keyPairRef;
-	private final Lazy<Scene> receiveKeyScene;
+	private final Lazy<Scene> authFlowScene;
 
 	private final BooleanProperty userInteractionDisabled = new SimpleBooleanProperty();
 	private final ObjectBinding<ContentDisplay> unlockButtonContentDisplay = Bindings.createObjectBinding(this::getUnlockButtonContentDisplay, userInteractionDisabled);
@@ -48,11 +48,11 @@ public class P12CreateController implements FxController  {
 	public NewPasswordController newPasswordController;
 
 	@Inject
-	public P12CreateController(@KeyLoading Stage window, Environment env, AtomicReference<KeyPair> keyPairRef, @FxmlScene(FxmlFile.HUB_RECEIVE_KEY) Lazy<Scene> receiveKeyScene) {
+	public P12CreateController(@KeyLoading Stage window, Environment env, AtomicReference<KeyPair> keyPairRef, @FxmlScene(FxmlFile.HUB_AUTH_FLOW) Lazy<Scene> authFlowScene) {
 		this.window = window;
 		this.env = env;
 		this.keyPairRef = keyPairRef;
-		this.receiveKeyScene = receiveKeyScene;
+		this.authFlowScene = authFlowScene;
 		this.window.addEventHandler(WindowEvent.WINDOW_HIDING, this::windowClosed);
 	}
 
@@ -81,7 +81,7 @@ public class P12CreateController implements FxController  {
 			var keyPair = P12AccessHelper.createNew(p12File, pw);
 			setKeyPair(keyPair);
 			LOG.debug("Created .p12 file {}", p12File);
-			window.setScene(receiveKeyScene.get());
+			window.setScene(authFlowScene.get());
 		} catch (IOException e) {
 			LOG.error("Failed to load .p12 file.", e);
 			// TODO
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/P12LoadController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/P12LoadController.java
index 9759e92e9..24af08384 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/P12LoadController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/P12LoadController.java
@@ -41,18 +41,18 @@ public class P12LoadController implements FxController {
 	private final Stage window;
 	private final Environment env;
 	private final AtomicReference<KeyPair> keyPairRef;
-	private final Lazy<Scene> receiveKeyScene;
+	private final Lazy<Scene> authFlowScene;
 	private final BooleanProperty userInteractionDisabled = new SimpleBooleanProperty();
 	private final ObjectBinding<ContentDisplay> unlockButtonContentDisplay = Bindings.createObjectBinding(this::getUnlockButtonContentDisplay, userInteractionDisabled);
 
 	public NiceSecurePasswordField passwordField;
 
 	@Inject
-	public P12LoadController(@KeyLoading Stage window, Environment env, AtomicReference<KeyPair> keyPairRef, @FxmlScene(FxmlFile.HUB_RECEIVE_KEY) Lazy<Scene> receiveKeyScene) {
+	public P12LoadController(@KeyLoading Stage window, Environment env, AtomicReference<KeyPair> keyPairRef, @FxmlScene(FxmlFile.HUB_AUTH_FLOW) Lazy<Scene> authFlowScene) {
 		this.window = window;
 		this.env = env;
 		this.keyPairRef = keyPairRef;
-		this.receiveKeyScene = receiveKeyScene;
+		this.authFlowScene = authFlowScene;
 		this.window.addEventHandler(WindowEvent.WINDOW_HIDING, this::windowClosed);
 	}
 
@@ -78,7 +78,7 @@ public class P12LoadController implements FxController {
 			var keyPair = P12AccessHelper.loadExisting(p12File, pw);
 			setKeyPair(keyPair);
 			LOG.debug("Loaded .p12 file {}", p12File);
-			window.setScene(receiveKeyScene.get());
+			window.setScene(authFlowScene.get());
 		} catch (InvalidPassphraseException e) {
 			LOG.warn("Invalid passphrase entered for .p12 file");
 			Animations.createShakeWindowAnimation(window).playFromStart();
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
index 77f33ee5e..7597f2b6e 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
@@ -2,6 +2,8 @@ package org.cryptomator.ui.keyloading.hub;
 
 import com.google.common.base.Preconditions;
 import com.google.common.io.BaseEncoding;
+import com.google.gson.JsonElement;
+import org.cryptomator.common.vaults.Vault;
 import org.cryptomator.ui.common.ErrorComponent;
 import org.cryptomator.ui.common.FxController;
 import org.cryptomator.ui.common.UserInteractionLock;
@@ -11,17 +13,25 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import javax.inject.Inject;
+import javax.inject.Named;
 import javafx.application.Application;
-import javafx.beans.binding.BooleanBinding;
+import javafx.application.Platform;
 import javafx.beans.property.ObjectProperty;
 import javafx.beans.property.SimpleObjectProperty;
-import javafx.concurrent.WorkerStateEvent;
+import javafx.beans.property.SimpleStringProperty;
+import javafx.beans.property.StringProperty;
 import javafx.fxml.FXML;
+import javafx.scene.control.TextField;
 import javafx.stage.Stage;
 import javafx.stage.WindowEvent;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.UncheckedIOException;
 import java.net.URI;
-import java.net.URLEncoder;
-import java.nio.charset.StandardCharsets;
+import java.net.URISyntaxException;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
 import java.security.KeyPair;
 import java.util.Objects;
 import java.util.concurrent.ExecutorService;
@@ -31,53 +41,88 @@ import java.util.concurrent.atomic.AtomicReference;
 public class ReceiveKeyController implements FxController {
 
 	private static final Logger LOG = LoggerFactory.getLogger(ReceiveKeyController.class);
+	private static final String SCHEME_PREFIX = "hub+";
 
-	private final Application application;
-	private final ExecutorService executor;
 	private final Stage window;
-	private final KeyPair keyPair;
-	private final AtomicReference<EciesParams> authParamsRef;
-	private final UserInteractionLock<HubKeyLoadingModule.AuthFlow> authFlowLock;
-	private final AtomicReference<URI> hubUriRef;
+	private final String bearerToken;
+	private final AtomicReference<EciesParams> eciesParamsRef;
+	private final UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result;
 	private final ErrorComponent.Builder errorComponent;
-	private final ObjectProperty<URI> redirectUriRef;
-	private final BooleanBinding ready;
-	private final AuthReceiveTask receiveTask;
+	private final URI vaultBaseUri;
+	private final ObjectProperty<ReceiveKeyState> state = new SimpleObjectProperty<>(ReceiveKeyState.LOADING);
+	private final HttpClient httpClient;
+
+	public TextField deviceName;
 
 	@Inject
-	public ReceiveKeyController(Application application, ExecutorService executor, @KeyLoading Stage window, AtomicReference<KeyPair> keyPairRef, AtomicReference<EciesParams> authParamsRef, UserInteractionLock<HubKeyLoadingModule.AuthFlow> authFlowLock, AtomicReference<URI> hubUriRef, ErrorComponent.Builder errorComponent) {
-		this.application = application;
-		this.executor = executor;
+	public ReceiveKeyController(@KeyLoading Vault vault, ExecutorService executor, @KeyLoading Stage window, AtomicReference<KeyPair> keyPairRef, @Named("bearerToken") AtomicReference<String> tokenRef, AtomicReference<EciesParams> eciesParamsRef, UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result, ErrorComponent.Builder errorComponent) {
 		this.window = window;
-		this.keyPair = Objects.requireNonNull(keyPairRef.get());
-		this.authParamsRef = authParamsRef;
-		this.authFlowLock = authFlowLock;
-		this.hubUriRef = hubUriRef;
+		this.bearerToken = Objects.requireNonNull(tokenRef.get());
+		this.eciesParamsRef = eciesParamsRef;
+		this.result = result;
 		this.errorComponent = errorComponent;
-		this.redirectUriRef = new SimpleObjectProperty<>();
-		this.ready = redirectUriRef.isNotNull();
-		this.receiveTask = new AuthReceiveTask(redirectUriRef::set);
+		this.vaultBaseUri = getVaultBaseUri(vault);
 		this.window.addEventHandler(WindowEvent.WINDOW_HIDING, this::windowClosed);
+		this.httpClient = HttpClient.newBuilder().executor(executor).build();
+//		var deviceKey = BaseEncoding.base64Url().omitPadding().encode(keyPairRef.get().getPublic().getEncoded());
+//		LOG.info("deviceKey {}", deviceKey);
 	}
 
 	@FXML
 	public void initialize() {
-		Preconditions.checkState(hubUriRef.get() != null);
-		receiveTask.setOnSucceeded(this::receivedKey);
-		receiveTask.setOnFailed(this::keyRetrievalFailed);
-		executor.submit(receiveTask);
+		var keyUri = appendPath(vaultBaseUri, "/keys/desktop-app-3000"); // TODO use actual device id
+		var request = HttpRequest.newBuilder(keyUri) //
+				.header("Authorization", "Bearer " + bearerToken) //
+				.GET() //
+				.build();
+		httpClient.sendAsync(request, HttpResponse.BodyHandlers.ofInputStream()) //
+				.whenCompleteAsync(this::loadedExistingKey, Platform::runLater);
 	}
 
-	private void keyRetrievalFailed(WorkerStateEvent workerStateEvent) {
-		LOG.error("Cryptomator Hub login failed with error", receiveTask.getException());
-		authFlowLock.interacted(HubKeyLoadingModule.AuthFlow.FAILED);
-		errorComponent.cause(receiveTask.getException()).window(window).build().showErrorScene();
+	private void loadedExistingKey(HttpResponse<InputStream> response, Throwable error) {
+		if (error != null) {
+			retrievalFailed(error);
+		} else {
+			switch (response.statusCode()) {
+				case 200 -> retrievalSucceeded(response);
+				case 404 -> state.set(ReceiveKeyState.NEEDS_REGISTRATION);
+				default -> retrievalFailed(new IOException("Unexpected response " + response.statusCode()));
+			}
+		}
 	}
 
-	private void receivedKey(WorkerStateEvent workerStateEvent) {
-		authParamsRef.set(Objects.requireNonNull(receiveTask.getValue()));
-		authFlowLock.interacted(HubKeyLoadingModule.AuthFlow.SUCCESS);
-		window.close();
+	@FXML
+	public void register() {
+		Preconditions.checkArgument(deviceName.textProperty().isNotEmpty().get(), "device name must not be empty");
+//		var keyUri = appendPath(vaultBaseUri, "../../devices/desktop-app-3000");
+//		var request = HttpRequest.newBuilder(keyUri) //
+//				.header("Authorization", "Bearer " + bearerToken) //
+//				.GET() //
+//				.build();
+//		httpClient.sendAsync(request, HttpResponse.BodyHandlers.ofInputStream()) //
+//				.whenCompleteAsync(this::loadedExistingKey, Platform::runLater);
+	}
+
+	private void retrievalSucceeded(HttpResponse<InputStream> response) {
+		try {
+			var json = HttpHelper.parseBody(response);
+			Preconditions.checkArgument(json.isJsonObject());
+			Preconditions.checkArgument(json.getAsJsonObject().has("device_specific_masterkey"));
+			Preconditions.checkArgument(json.getAsJsonObject().has("ephemeral_public_key"));
+			var m = json.getAsJsonObject().get("device_specific_masterkey").getAsString();
+			var epk = json.getAsJsonObject().get("ephemeral_public_key").getAsString();
+			eciesParamsRef.set(new EciesParams(m, epk));
+			result.interacted(HubKeyLoadingModule.HubLoadingResult.SUCCESS);
+			window.close();
+		} catch (IOException | IllegalArgumentException e) {
+			retrievalFailed(e);
+		}
+	}
+
+	private void retrievalFailed(Throwable cause) {
+		result.interacted(HubKeyLoadingModule.HubLoadingResult.FAILED);
+		LOG.error("Key retrieval failed", cause);
+		errorComponent.cause(cause).window(window).build().showErrorScene();
 	}
 
 	@FXML
@@ -86,44 +131,41 @@ public class ReceiveKeyController implements FxController {
 	}
 
 	private void windowClosed(WindowEvent windowEvent) {
-		// stop server, if it is still running
-		receiveTask.cancel();
 		// if not already interacted, mark this workflow as cancelled:
-		if (authFlowLock.awaitingInteraction().get()) {
+		if (result.awaitingInteraction().get()) {
 			LOG.debug("Authorization cancelled by user.");
-			authFlowLock.interacted(HubKeyLoadingModule.AuthFlow.CANCELLED);
+			result.interacted(HubKeyLoadingModule.HubLoadingResult.CANCELLED);
 		}
 	}
 
-	@FXML
-	public void openBrowser() {
-		assert ready.get();
-		var hubUri = Objects.requireNonNull(hubUriRef.get());
-		var redirectUri = Objects.requireNonNull(redirectUriRef.get());
-		var sb = new StringBuilder(hubUri.toString());
-		sb.append("?redirect_uri=").append(URLEncoder.encode(redirectUri.toString(), StandardCharsets.US_ASCII));
-		sb.append("&device_id=").append("desktop-app-3000");
-		sb.append("&device_key=").append(BaseEncoding.base64Url().omitPadding().encode(keyPair.getPublic().getEncoded()));
-		var url = sb.toString();
-		application.getHostServices().showDocument(url);
+	private static URI appendPath(URI base, String path) {
+		try {
+			var newPath = base.getPath() + path;
+			return new URI(base.getScheme(), base.getAuthority(), newPath, base.getQuery(), base.getFragment());
+		} catch (URISyntaxException e) {
+			throw new IllegalArgumentException("Can't append '" + path + "' to URI: " + base, e);
+		}
 	}
 
+	private static URI getVaultBaseUri(Vault vault) {
+		try {
+			var kid = vault.getUnverifiedVaultConfig().getKeyId();
+			assert kid.getScheme().startsWith(SCHEME_PREFIX);
+			var hubUriScheme = kid.getScheme().substring(SCHEME_PREFIX.length());
+			return new URI(hubUriScheme, kid.getSchemeSpecificPart(), kid.getFragment());
+		} catch (IOException e) {
+			throw new UncheckedIOException(e);
+		} catch (URISyntaxException e) {
+			throw new IllegalStateException("URI constructed from params known to be valid", e);
+		}
+	}
 	/* Getter/Setter */
 
-	public String getHubUriHost() {
-		var hubUri = hubUriRef.get();
-		if (hubUri == null) {
-			return null;
-		} else {
-			return hubUri.getHost();
-		}
+	public ObjectProperty<ReceiveKeyState> stateProperty() {
+		return state;
 	}
 
-	public BooleanBinding readyProperty() {
-		return ready;
-	}
-
-	public boolean isReady() {
-		return ready.get();
+	public ReceiveKeyState getState() {
+		return state.get();
 	}
 }
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyState.java b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyState.java
new file mode 100644
index 000000000..ae1562ded
--- /dev/null
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyState.java
@@ -0,0 +1,6 @@
+package org.cryptomator.ui.keyloading.hub;
+
+public enum ReceiveKeyState {
+	LOADING,
+	NEEDS_REGISTRATION
+}
diff --git a/src/main/resources/fxml/hub_auth_flow.fxml b/src/main/resources/fxml/hub_auth_flow.fxml
new file mode 100644
index 000000000..a6d086ea3
--- /dev/null
+++ b/src/main/resources/fxml/hub_auth_flow.fxml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<?import javafx.geometry.Insets?>
+<?import javafx.scene.control.Button?>
+<?import javafx.scene.control.ButtonBar?>
+<?import javafx.scene.control.Hyperlink?>
+<?import javafx.scene.image.Image?>
+<?import javafx.scene.image.ImageView?>
+<?import javafx.scene.layout.HBox?>
+<?import javafx.scene.layout.VBox?>
+<?import javafx.scene.text.Text?>
+<?import javafx.scene.text.TextFlow?>
+<VBox xmlns:fx="http://javafx.com/fxml"
+	  xmlns="http://javafx.com/javafx"
+	  fx:controller="org.cryptomator.ui.keyloading.hub.AuthFlowController"
+	  minWidth="400"
+	  maxWidth="400"
+	  minHeight="145"
+	  spacing="12">
+	<padding>
+		<Insets topRightBottomLeft="12"/>
+	</padding>
+	<children>
+		<HBox spacing="12" VBox.vgrow="ALWAYS">
+			<ImageView VBox.vgrow="ALWAYS" fitWidth="64" preserveRatio="true" cache="true">
+				<Image url="@../img/bot/bot.png"/>
+			</ImageView>
+			<TextFlow visible="${!controller.authHost.empty}" managed="${!controller.authHost.empty}">
+				<Text text="TODO: please login via " />
+				<Hyperlink styleClass="hyperlink-underline" text="${controller.authHost}" onAction="#browse"/>
+			</TextFlow>
+		</HBox>
+
+		<VBox alignment="BOTTOM_CENTER" VBox.vgrow="ALWAYS">
+			<ButtonBar buttonMinWidth="120" buttonOrder="+C">
+				<buttons>
+					<Button text="%generic.button.cancel" ButtonBar.buttonData="CANCEL_CLOSE" cancelButton="true" onAction="#cancel"/>
+				</buttons>
+			</ButtonBar>
+		</VBox>
+	</children>
+</VBox>
diff --git a/src/main/resources/fxml/hub_receive_key.fxml b/src/main/resources/fxml/hub_receive_key.fxml
index e36731dc5..ef10291e7 100644
--- a/src/main/resources/fxml/hub_receive_key.fxml
+++ b/src/main/resources/fxml/hub_receive_key.fxml
@@ -1,16 +1,16 @@
 <?xml version="1.0" encoding="UTF-8"?>
 
 <?import org.cryptomator.ui.controls.FontAwesome5Spinner?>
+<?import org.cryptomator.ui.keyloading.hub.ReceiveKeyState?>
 <?import javafx.geometry.Insets?>
 <?import javafx.scene.control.Button?>
 <?import javafx.scene.control.ButtonBar?>
-<?import javafx.scene.control.Hyperlink?>
+<?import javafx.scene.control.Label?>
+<?import javafx.scene.control.TextField?>
 <?import javafx.scene.image.Image?>
 <?import javafx.scene.image.ImageView?>
 <?import javafx.scene.layout.HBox?>
 <?import javafx.scene.layout.VBox?>
-<?import javafx.scene.text.Text?>
-<?import javafx.scene.text.TextFlow?>
 <VBox xmlns:fx="http://javafx.com/fxml"
 	  xmlns="http://javafx.com/javafx"
 	  fx:controller="org.cryptomator.ui.keyloading.hub.ReceiveKeyController"
@@ -18,6 +18,10 @@
 	  maxWidth="400"
 	  minHeight="145"
 	  spacing="12">
+	<fx:define>
+		<ReceiveKeyState fx:id="loading" fx:constant="LOADING" />
+		<ReceiveKeyState fx:id="needsRegistration" fx:constant="NEEDS_REGISTRATION"/>
+	</fx:define>
 	<padding>
 		<Insets topRightBottomLeft="12"/>
 	</padding>
@@ -26,17 +30,20 @@
 			<ImageView VBox.vgrow="ALWAYS" fitWidth="64" preserveRatio="true" cache="true">
 				<Image url="@../img/bot/bot.png"/>
 			</ImageView>
-			<TextFlow visible="${controller.ready}" managed="${controller.ready}">
-				<Text text="TODO: please login via " />
-				<Hyperlink styleClass="hyperlink-underline" text="${controller.hubUriHost}" onAction="#openBrowser"/>
-			</TextFlow>
-			<FontAwesome5Spinner glyphSize="12" visible="${!controller.ready}" managed="${!controller.ready}"/>
+
+			<FontAwesome5Spinner glyphSize="12" visible="${controller.state == loading}" managed="${controller.state == loading}"/>
+
+			<VBox spacing="6" visible="${controller.state == needsRegistration}" managed="${controller.state == needsRegistration}">
+				<Label text="TODO: register device" labelFor="$locationTextField"/>
+				<TextField fx:id="deviceName" promptText="TODO: device name" VBox.vgrow="ALWAYS"/>
+			</VBox>
 		</HBox>
 
 		<VBox alignment="BOTTOM_CENTER" VBox.vgrow="ALWAYS">
-			<ButtonBar buttonMinWidth="120" buttonOrder="+C">
+			<ButtonBar buttonMinWidth="120" buttonOrder="+CX">
 				<buttons>
 					<Button text="%generic.button.cancel" ButtonBar.buttonData="CANCEL_CLOSE" cancelButton="true" onAction="#cancel"/>
+					<Button text="TODO: register device" ButtonBar.buttonData="NEXT_FORWARD" visible="${controller.state == needsRegistration}" managed="${controller.state == needsRegistration}" defaultButton="true" onAction="#register"/>
 				</buttons>
 			</ButtonBar>
 		</VBox>
diff --git a/src/main/resources/license/THIRD-PARTY.txt b/src/main/resources/license/THIRD-PARTY.txt
index e109eb172..0ed1b3cff 100644
--- a/src/main/resources/license/THIRD-PARTY.txt
+++ b/src/main/resources/license/THIRD-PARTY.txt
@@ -11,7 +11,7 @@ GNU General Public License for more details.
 You should have received a copy of the GNU General Public License
 along with this program.  If not, see http://www.gnu.org/licenses/.
 
-Cryptomator uses 43 third-party dependencies under the following licenses:
+Cryptomator uses 46 third-party dependencies under the following licenses:
         Apache License v2.0:
 			- jffi (com.github.jnr:jffi:1.2.23 - http://github.com/jnr/jffi)
 			- jnr-a64asm (com.github.jnr:jnr-a64asm:1.0.0 - http://nexus.sonatype.org/oss-repository-hosting.html/jnr-a64asm)
@@ -33,7 +33,10 @@ Cryptomator uses 43 third-party dependencies under the following licenses:
 			- Jetty :: Security (org.eclipse.jetty:jetty-security:10.0.6 - https://eclipse.org/jetty/jetty-security)
 			- Jetty :: Server Core (org.eclipse.jetty:jetty-server:10.0.6 - https://eclipse.org/jetty/jetty-server)
 			- Jetty :: Servlet Handling (org.eclipse.jetty:jetty-servlet:10.0.6 - https://eclipse.org/jetty/jetty-servlet)
+			- Jetty :: Utility Servlets and Filters (org.eclipse.jetty:jetty-servlets:10.0.6 - https://eclipse.org/jetty/jetty-servlets)
 			- Jetty :: Utilities (org.eclipse.jetty:jetty-util:10.0.6 - https://eclipse.org/jetty/jetty-util)
+			- Jetty :: Webapp Application Support (org.eclipse.jetty:jetty-webapp:10.0.6 - https://eclipse.org/jetty/jetty-webapp)
+			- Jetty :: XML utilities (org.eclipse.jetty:jetty-xml:10.0.6 - https://eclipse.org/jetty/jetty-xml)
 			- Jetty :: Servlet API and Schemas for JPMS and OSGi (org.eclipse.jetty.toolchain:jetty-servlet-api:4.0.6 - https://eclipse.org/jetty/jetty-servlet-api)
         BSD:
 			- asm (org.ow2.asm:asm:7.1 - http://asm.ow2.org/)
@@ -53,7 +56,10 @@ Cryptomator uses 43 third-party dependencies under the following licenses:
 			- Jetty :: Security (org.eclipse.jetty:jetty-security:10.0.6 - https://eclipse.org/jetty/jetty-security)
 			- Jetty :: Server Core (org.eclipse.jetty:jetty-server:10.0.6 - https://eclipse.org/jetty/jetty-server)
 			- Jetty :: Servlet Handling (org.eclipse.jetty:jetty-servlet:10.0.6 - https://eclipse.org/jetty/jetty-servlet)
+			- Jetty :: Utility Servlets and Filters (org.eclipse.jetty:jetty-servlets:10.0.6 - https://eclipse.org/jetty/jetty-servlets)
 			- Jetty :: Utilities (org.eclipse.jetty:jetty-util:10.0.6 - https://eclipse.org/jetty/jetty-util)
+			- Jetty :: Webapp Application Support (org.eclipse.jetty:jetty-webapp:10.0.6 - https://eclipse.org/jetty/jetty-webapp)
+			- Jetty :: XML utilities (org.eclipse.jetty:jetty-xml:10.0.6 - https://eclipse.org/jetty/jetty-xml)
         Eclipse Public License - v 1.0:
 			- Logback Classic Module (ch.qos.logback:logback-classic:1.2.3 - http://logback.qos.ch/logback-classic)
 			- Logback Core Module (ch.qos.logback:logback-core:1.2.3 - http://logback.qos.ch/logback-core)
diff --git a/src/test/java/org/cryptomator/ui/keyloading/hub/AuthReceiverTest.java b/src/test/java/org/cryptomator/ui/keyloading/hub/AuthReceiverTest.java
deleted file mode 100644
index 531f63415..000000000
--- a/src/test/java/org/cryptomator/ui/keyloading/hub/AuthReceiverTest.java
+++ /dev/null
@@ -1,23 +0,0 @@
-package org.cryptomator.ui.keyloading.hub;
-
-public class AuthReceiverTest {
-
-	static {
-		System.setProperty("LOGLEVEL", "INFO");
-	}
-
-	public static void main(String[] args) {
-		try (var receiver = AuthReceiver.start()) {
-			System.out.println("Waiting on " + receiver.getRedirectURL());
-			var token = receiver.receive();
-			System.out.println("SUCCESS: " + token);
-		} catch (InterruptedException e) {
-			Thread.currentThread().interrupt();
-			System.out.println("CANCELLED");
-		} catch (Exception e) {
-			System.out.println("ERROR");
-			e.printStackTrace();
-		}
-	}
-
-}
\ No newline at end of file

From e866b64352f0a6be20d50969d5a4cd70af4b081b Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Thu, 12 Aug 2021 17:05:59 +0200
Subject: [PATCH 14/55] fix build

---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 45fc9ac1b..fbeb1d07e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -27,7 +27,7 @@
 		<nonModularGroupIds>com.github.serceman,com.github.jnr,org.ow2.asm,net.java.dev.jna,org.apache.jackrabbit,org.apache.httpcomponents,de.swiesend,org.purejava,com.github.hypfvieh</nonModularGroupIds>
 
 		<!-- cryptomator dependencies -->
-		<cryptomator.cryptofs.version>2.1.0</cryptomator.cryptofs.version>
+		<cryptomator.cryptofs.version>2.1.0-beta10</cryptomator.cryptofs.version>
 		<cryptomator.integrations.version>1.0.0-rc1</cryptomator.integrations.version>
 		<cryptomator.integrations.win.version>1.0.0-beta2</cryptomator.integrations.win.version>
 		<cryptomator.integrations.mac.version>1.0.0-beta2</cryptomator.integrations.mac.version>

From e865eaf4125bbc4f267f1116b16b5ba4cf0d1c92 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Thu, 12 Aug 2021 17:38:50 +0200
Subject: [PATCH 15/55] added quick & dirty device registration

---
 .../keyloading/hub/ReceiveKeyController.java  | 46 ++++++++++++++-----
 1 file changed, 35 insertions(+), 11 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
index 7597f2b6e..c87a09efc 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
@@ -1,7 +1,9 @@
 package org.cryptomator.ui.keyloading.hub;
 
 import com.google.common.base.Preconditions;
+import com.google.common.base.Strings;
 import com.google.common.io.BaseEncoding;
+import com.google.gson.Gson;
 import com.google.gson.JsonElement;
 import org.cryptomator.common.vaults.Vault;
 import org.cryptomator.ui.common.ErrorComponent;
@@ -45,6 +47,7 @@ public class ReceiveKeyController implements FxController {
 
 	private final Stage window;
 	private final String bearerToken;
+	private final KeyPair keyPair;
 	private final AtomicReference<EciesParams> eciesParamsRef;
 	private final UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result;
 	private final ErrorComponent.Builder errorComponent;
@@ -58,19 +61,18 @@ public class ReceiveKeyController implements FxController {
 	public ReceiveKeyController(@KeyLoading Vault vault, ExecutorService executor, @KeyLoading Stage window, AtomicReference<KeyPair> keyPairRef, @Named("bearerToken") AtomicReference<String> tokenRef, AtomicReference<EciesParams> eciesParamsRef, UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result, ErrorComponent.Builder errorComponent) {
 		this.window = window;
 		this.bearerToken = Objects.requireNonNull(tokenRef.get());
+		this.keyPair = Objects.requireNonNull(keyPairRef.get());
 		this.eciesParamsRef = eciesParamsRef;
 		this.result = result;
 		this.errorComponent = errorComponent;
 		this.vaultBaseUri = getVaultBaseUri(vault);
 		this.window.addEventHandler(WindowEvent.WINDOW_HIDING, this::windowClosed);
 		this.httpClient = HttpClient.newBuilder().executor(executor).build();
-//		var deviceKey = BaseEncoding.base64Url().omitPadding().encode(keyPairRef.get().getPublic().getEncoded());
-//		LOG.info("deviceKey {}", deviceKey);
 	}
 
 	@FXML
 	public void initialize() {
-		var keyUri = appendPath(vaultBaseUri, "/keys/desktop-app-3000"); // TODO use actual device id
+		var keyUri = appendPath(vaultBaseUri, "/keys/desktop-app"); // TODO use actual device id
 		var request = HttpRequest.newBuilder(keyUri) //
 				.header("Authorization", "Bearer " + bearerToken) //
 				.GET() //
@@ -93,14 +95,36 @@ public class ReceiveKeyController implements FxController {
 
 	@FXML
 	public void register() {
-		Preconditions.checkArgument(deviceName.textProperty().isNotEmpty().get(), "device name must not be empty");
-//		var keyUri = appendPath(vaultBaseUri, "../../devices/desktop-app-3000");
-//		var request = HttpRequest.newBuilder(keyUri) //
-//				.header("Authorization", "Bearer " + bearerToken) //
-//				.GET() //
-//				.build();
-//		httpClient.sendAsync(request, HttpResponse.BodyHandlers.ofInputStream()) //
-//				.whenCompleteAsync(this::loadedExistingKey, Platform::runLater);
+		Preconditions.checkArgument(!Strings.isNullOrEmpty(deviceName.getText()), "device name must not be empty");
+		var deviceKey = BaseEncoding.base64Url().omitPadding().encode(keyPair.getPublic().getEncoded());
+		var json = """
+    			{
+    				"id": "desktop-app",
+    				"name": "%s",
+    				"publicKey": "%s"
+    			}
+				""".formatted(deviceName.getText(), deviceKey); // TODO use gson
+
+		var regUri = URI.create("http://localhost:9090/devices/desktop-app"); // TODO read api base from vault config!
+		var request = HttpRequest.newBuilder(regUri) //
+				.header("Authorization", "Bearer " + bearerToken) //
+				.header("Content-Type", "application/json; charset=UTF-8") //
+				.PUT(HttpRequest.BodyPublishers.ofString(json)) //
+				.build();
+		httpClient.sendAsync(request, HttpResponse.BodyHandlers.ofInputStream()) //
+				.whenCompleteAsync(this::createdNewDevice, Platform::runLater);
+	}
+
+	private void createdNewDevice(HttpResponse<InputStream> response, Throwable error) {
+		if (error != null) {
+			retrievalFailed(error);
+		} else {
+			switch (response.statusCode()) {
+				case 201 -> LOG.info("TODO device created, waiting for authorization");
+				case 409 -> LOG.info("TODO device already exists. still waiting for authorization");
+				default -> retrievalFailed(new IOException("Unexpected response " + response.statusCode()));
+			}
+		}
 	}
 
 	private void retrievalSucceeded(HttpResponse<InputStream> response) {

From 1322b872b68c409acf436edb5b33d5136ed8c9aa Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Fri, 13 Aug 2021 19:59:31 +0200
Subject: [PATCH 16/55] adjusted to new vault config format and unlock status
 codes

---
 pom.xml                                       |  2 +-
 src/main/java/module-info.java                |  2 +
 .../org/cryptomator/ui/common/FxmlFile.java   |  1 +
 .../ui/keyloading/hub/AuthFlow.java           | 24 ++++---
 .../ui/keyloading/hub/AuthFlowController.java | 32 +++------
 .../ui/keyloading/hub/AuthFlowReceiver.java   | 26 +++++---
 .../ui/keyloading/hub/AuthFlowTask.java       | 14 ++--
 .../ui/keyloading/hub/HubConfig.java          | 13 ++++
 .../keyloading/hub/HubKeyLoadingModule.java   | 26 ++++++++
 .../keyloading/hub/HubKeyLoadingStrategy.java |  4 +-
 .../keyloading/hub/ReceiveKeyController.java  | 66 +++++--------------
 .../ui/keyloading/hub/ReceiveKeyState.java    |  6 --
 .../hub/RegisterDeviceController.java         | 59 +++++++++++++++++
 src/main/resources/fxml/hub_receive_key.fxml  | 17 +----
 .../resources/fxml/hub_register_device.fxml   | 40 +++++++++++
 .../hub/AuthFlowIntegrationTest.java          | 12 ++--
 16 files changed, 212 insertions(+), 132 deletions(-)
 create mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/HubConfig.java
 delete mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyState.java
 create mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
 create mode 100644 src/main/resources/fxml/hub_register_device.fxml

diff --git a/pom.xml b/pom.xml
index a27983938..2cd2baec6 100644
--- a/pom.xml
+++ b/pom.xml
@@ -27,7 +27,7 @@
 		<nonModularGroupIds>com.github.serceman,com.github.jnr,org.ow2.asm,net.java.dev.jna,org.apache.jackrabbit,org.apache.httpcomponents,de.swiesend,org.purejava,com.github.hypfvieh</nonModularGroupIds>
 
 		<!-- cryptomator dependencies -->
-		<cryptomator.cryptofs.version>2.1.0-beta10</cryptomator.cryptofs.version>
+		<cryptomator.cryptofs.version>2.1.0-beta11</cryptomator.cryptofs.version>
 		<cryptomator.integrations.version>1.0.0-rc1</cryptomator.integrations.version>
 		<cryptomator.integrations.win.version>1.0.0-beta2</cryptomator.integrations.win.version>
 		<cryptomator.integrations.mac.version>1.0.0-beta2</cryptomator.integrations.mac.version>
diff --git a/src/main/java/module-info.java b/src/main/java/module-info.java
index fae730bd1..b8e899845 100644
--- a/src/main/java/module-info.java
+++ b/src/main/java/module-info.java
@@ -42,6 +42,8 @@ module org.cryptomator.desktop {
 	uses TrayIntegrationProvider;
 	uses UiAppearanceProvider;
 
+	exports org.cryptomator.ui.keyloading.hub to com.fasterxml.jackson.databind;
+
 	opens org.cryptomator.common.settings to com.google.gson;
 
 	opens org.cryptomator.common to javafx.fxml;
diff --git a/src/main/java/org/cryptomator/ui/common/FxmlFile.java b/src/main/java/org/cryptomator/ui/common/FxmlFile.java
index aec859702..84ef8983f 100644
--- a/src/main/java/org/cryptomator/ui/common/FxmlFile.java
+++ b/src/main/java/org/cryptomator/ui/common/FxmlFile.java
@@ -17,6 +17,7 @@ public enum FxmlFile {
 	HUB_AUTH_FLOW("/fxml/hub_auth_flow.fxml"), //
 	HUB_P12("/fxml/hub_p12.fxml"), //
 	HUB_RECEIVE_KEY("/fxml/hub_receive_key.fxml"), //
+	HUB_REGISTER_DEVICE("/fxml/hub_register_device.fxml"), //
 	LOCK_FORCED("/fxml/lock_forced.fxml"), //
 	LOCK_FAILED("/fxml/lock_failed.fxml"), //
 	MAIN_WINDOW("/fxml/main_window.fxml"), //
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlow.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlow.java
index c587889f6..b261b6cee 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlow.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlow.java
@@ -46,15 +46,15 @@ class AuthFlow implements AutoCloseable {
 	public static final Escaper QUERY_STRING_ESCAPER = new PercentEscaper("-_.!~*'()@:$,;/?", false);
 
 	private final AuthFlowReceiver receiver;
-	private final URI authEndpoint;
-	private final URI tokenEndpoint;
-	private final String clientId;
+	private final URI authEndpoint; // see https://datatracker.ietf.org/doc/html/rfc6749#section-3.1
+	private final URI tokenEndpoint; // see https://datatracker.ietf.org/doc/html/rfc6749#section-3.2
+	private final String clientId; // see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
 
-	private AuthFlow(AuthFlowReceiver receiver, URI authEndpoint, URI tokenEndpoint, String clientId) {
+	private AuthFlow(AuthFlowReceiver receiver, HubConfig hubConfig) {
 		this.receiver = receiver;
-		this.authEndpoint = authEndpoint;
-		this.tokenEndpoint = tokenEndpoint;
-		this.clientId = clientId;
+		this.authEndpoint = URI.create(hubConfig.authEndpoint);
+		this.tokenEndpoint = URI.create(hubConfig.tokenEndpoint);
+		this.clientId = hubConfig.clientId;
 	}
 
 	/**
@@ -62,15 +62,13 @@ class AuthFlow implements AutoCloseable {
 	 * <p>
 	 * This will start a loopback server, so make sure to {@link #close()} this resource.
 	 *
-	 * @param authEndpoint Address of the <a href="https://datatracker.ietf.org/doc/html/rfc6749#section-3.1">Authorization Endpoint</a>
-	 * @param tokenEndpoint Address of the <a href="https://datatracker.ietf.org/doc/html/rfc6749#section-3.2">Token Endpoint</a>
-	 * @param clientId The <a href="https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1"><code>client_id</code></a>
+	 * @param hubConfig A hub config object containing parameters required for this auth flow
 	 * @return An authorization flow
 	 * @throws Exception In case of any problems starting the server
 	 */
-	public static AuthFlow init(URI authEndpoint, URI tokenEndpoint, String clientId) throws Exception {
-		var receiver = AuthFlowReceiver.start();
-		return new AuthFlow(receiver, authEndpoint, tokenEndpoint, clientId);
+	public static AuthFlow init(HubConfig hubConfig) throws Exception {
+		var receiver = AuthFlowReceiver.start(hubConfig);
+		return new AuthFlow(receiver, hubConfig);
 	}
 
 	/**
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowController.java
index 42114f29f..436516fca 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowController.java
@@ -1,7 +1,6 @@
 package org.cryptomator.ui.keyloading.hub;
 
 import dagger.Lazy;
-import org.cryptomator.common.vaults.Vault;
 import org.cryptomator.ui.common.ErrorComponent;
 import org.cryptomator.ui.common.FxController;
 import org.cryptomator.ui.common.FxmlFile;
@@ -24,7 +23,6 @@ import javafx.fxml.FXML;
 import javafx.scene.Scene;
 import javafx.stage.Stage;
 import javafx.stage.WindowEvent;
-import java.io.IOException;
 import java.net.URI;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.atomic.AtomicReference;
@@ -33,14 +31,11 @@ import java.util.concurrent.atomic.AtomicReference;
 public class AuthFlowController implements FxController {
 
 	private static final Logger LOG = LoggerFactory.getLogger(AuthFlowController.class);
-	private static final String JWT_KEY_AUTH_ENDPOINT = "authEndpoint";
-	private static final String JWT_KEY_TOKEN_ENDPOINT = "tokenEndpoint";
-	private static final String JWT_KEY_CLIENT_ID = "clientId";
 
 	private final Application application;
 	private final Stage window;
 	private final ExecutorService executor;
-	private final Vault vault;
+	private final HubConfig hubConfig;
 	private final AtomicReference<String> tokenRef;
 	private final UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result;
 	private final Lazy<Scene> receiveKeyScene;
@@ -50,11 +45,11 @@ public class AuthFlowController implements FxController {
 	private AuthFlowTask task;
 
 	@Inject
-	public AuthFlowController(Application application, @KeyLoading Stage window, ExecutorService executor, @KeyLoading Vault vault, @Named("bearerToken") AtomicReference<String> tokenRef, UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result, @FxmlScene(FxmlFile.HUB_RECEIVE_KEY) Lazy<Scene> receiveKeyScene, ErrorComponent.Builder errorComponent) {
+	public AuthFlowController(Application application, @KeyLoading Stage window, ExecutorService executor, HubConfig hubConfig, @Named("bearerToken") AtomicReference<String> tokenRef, UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result, @FxmlScene(FxmlFile.HUB_RECEIVE_KEY) Lazy<Scene> receiveKeyScene, ErrorComponent.Builder errorComponent) {
 		this.application = application;
 		this.window = window;
 		this.executor = executor;
-		this.vault = vault;
+		this.hubConfig = hubConfig;
 		this.tokenRef = tokenRef;
 		this.result = result;
 		this.receiveKeyScene = receiveKeyScene;
@@ -67,15 +62,10 @@ public class AuthFlowController implements FxController {
 	@FXML
 	public void initialize() {
 		assert task == null;
-		try {
-			task = setupTask();
-			task.setOnFailed(this::authFailed);
-			task.setOnSucceeded(this::authSucceeded);
-			executor.submit(task);
-		} catch (IOException e) {
-			LOG.error("Unreadable vault config", e);
-			errorComponent.cause(e).window(window).build().showErrorScene();
-		}
+		task = new AuthFlowTask(hubConfig, this::setAuthUri);;
+		task.setOnFailed(this::authFailed);
+		task.setOnSucceeded(this::authSucceeded);
+		executor.submit(task);
 	}
 
 	@FXML
@@ -88,13 +78,6 @@ public class AuthFlowController implements FxController {
 		window.close();
 	}
 
-	private AuthFlowTask setupTask() throws IOException {
-		var authUri = URI.create(vault.getUnverifiedVaultConfig().get(JWT_KEY_AUTH_ENDPOINT).asString());
-		var tokenUri = URI.create(vault.getUnverifiedVaultConfig().get(JWT_KEY_TOKEN_ENDPOINT).asString());
-		var clientId = vault.getUnverifiedVaultConfig().get(JWT_KEY_CLIENT_ID).asString();
-		return new AuthFlowTask(authUri, tokenUri, clientId, this::setAuthUri);
-	}
-
 	private void setAuthUri(URI uri) {
 		authUri.set(uri);
 		browse();
@@ -138,4 +121,5 @@ public class AuthFlowController implements FxController {
 			return uri.getAuthority().toString();
 		}
 	}
+
 }
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowReceiver.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowReceiver.java
index 6b8383884..1a1788635 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowReceiver.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowReceiver.java
@@ -40,18 +40,20 @@ class AuthFlowReceiver implements AutoCloseable {
 	private final Server server;
 	private final ServerConnector connector;
 	private final CallbackServlet servlet;
+	private final HubConfig hubConfig;
 
-	private AuthFlowReceiver(Server server, ServerConnector connector, CallbackServlet servlet) {
+	private AuthFlowReceiver(Server server, ServerConnector connector, CallbackServlet servlet, HubConfig hubConfig) {
 		this.server = server;
 		this.connector = connector;
 		this.servlet = servlet;
+		this.hubConfig = hubConfig;
 	}
 
-	public static AuthFlowReceiver start() throws Exception {
+	public static AuthFlowReceiver start(HubConfig hubConfig) throws Exception {
 		var server = new Server();
 		var context = new ServletContextHandler();
 
-		var servlet = new CallbackServlet();
+		var servlet = new CallbackServlet(hubConfig);
 		context.addServlet(new ServletHolder(servlet), CALLBACK_PATH);
 
 		var connector = new ServerConnector(server);
@@ -60,7 +62,7 @@ class AuthFlowReceiver implements AutoCloseable {
 		server.setConnectors(new Connector[]{connector});
 		server.setHandler(context);
 		server.start();
-		return new AuthFlowReceiver(server, connector, servlet);
+		return new AuthFlowReceiver(server, connector, servlet, hubConfig);
 	}
 
 	public String getRedirectUri() {
@@ -81,6 +83,11 @@ class AuthFlowReceiver implements AutoCloseable {
 	private static class CallbackServlet extends HttpServlet {
 
 		private final BlockingQueue<Callback> callback = new LinkedBlockingQueue<>();
+		private final HubConfig hubConfig;
+
+		public CallbackServlet(HubConfig hubConfig) {
+			this.hubConfig = hubConfig;
+		}
 
 		@Override
 		protected void doGet(HttpServletRequest req, HttpServletResponse res) throws IOException {
@@ -88,14 +95,15 @@ class AuthFlowReceiver implements AutoCloseable {
 			var code = req.getParameter("code");
 			var state = req.getParameter("state");
 
-			// TODO 302 use redirect to configurable site
-			res.setContentType("text/html;charset=utf-8");
-			res.getWriter().write(HTML_SUCCESS);
-			res.getWriter().flush();
+			res.setStatus(HttpServletResponse.SC_MOVED_TEMPORARILY);
+			if (error == null && code != null) {
+				res.setHeader("Location", hubConfig.unlockSuccessUrl);
+			} else {
+				res.setHeader("Location", hubConfig.unlockErrorUrl);
+			}
 
 			callback.add(new Callback(error, code, state));
 		}
-
 	}
 
 }
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowTask.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowTask.java
index 4f303b712..901c7acc7 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowTask.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowTask.java
@@ -7,27 +7,25 @@ import java.util.function.Consumer;
 
 class AuthFlowTask extends Task<String> {
 
-	private final URI authUri;
-	private final URI tokenUri;
-	private final String clientId;
 	private final Consumer<URI> redirectUriConsumer;
 
 	/**
 	 * Spawns a server and waits for the redirectUri to be called.
 	 *
+	 * @param hubConfig Configuration object holding parameters required by {@link AuthFlow}
 	 * @param redirectUriConsumer A callback invoked with the redirectUri, as soon as the server has started
 	 */
-	public AuthFlowTask(URI authUri, URI tokenUri, String clientId, Consumer<URI> redirectUriConsumer) {
-		this.authUri = authUri;
-		this.tokenUri = tokenUri;
-		this.clientId = clientId;
+	public AuthFlowTask(HubConfig hubConfig, Consumer<URI> redirectUriConsumer) {
+		this.hubConfig = hubConfig;
 		this.redirectUriConsumer = redirectUriConsumer;
 	}
 
 	@Override
 	protected String call() throws Exception {
-		try (var authFlow = AuthFlow.init(authUri, tokenUri, clientId)) {
+		try (var authFlow = AuthFlow.init(hubConfig)) {
 			return authFlow.run(uri -> Platform.runLater(() -> redirectUriConsumer.accept(uri)));
 		}
 	}
+
+	private final HubConfig hubConfig;
 }
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/HubConfig.java b/src/main/java/org/cryptomator/ui/keyloading/hub/HubConfig.java
new file mode 100644
index 000000000..0e53351e5
--- /dev/null
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HubConfig.java
@@ -0,0 +1,13 @@
+package org.cryptomator.ui.keyloading.hub;
+
+// needs to be accessible by JSON decoder
+public class HubConfig {
+
+	public String clientId;
+	public String authEndpoint;
+	public String tokenEndpoint;
+	public String deviceRegistrationUrl;
+	public String unlockSuccessUrl;
+	public String unlockErrorUrl;
+
+}
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
index 5de793857..ad2c5c02b 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
@@ -5,6 +5,7 @@ import dagger.Module;
 import dagger.Provides;
 import dagger.multibindings.IntoMap;
 import dagger.multibindings.StringKey;
+import org.cryptomator.common.vaults.Vault;
 import org.cryptomator.ui.common.FxController;
 import org.cryptomator.ui.common.FxControllerKey;
 import org.cryptomator.ui.common.FxmlFile;
@@ -19,6 +20,8 @@ import org.cryptomator.ui.keyloading.KeyLoadingStrategy;
 
 import javax.inject.Named;
 import javafx.scene.Scene;
+import java.io.IOException;
+import java.io.UncheckedIOException;
 import java.net.URI;
 import java.security.KeyPair;
 import java.util.ResourceBundle;
@@ -33,6 +36,16 @@ public abstract class HubKeyLoadingModule {
 		CANCELLED
 	}
 
+	@Provides
+	@KeyLoadingScoped
+	static HubConfig provideHubConfig(@KeyLoading Vault vault) {
+		try {
+			return vault.getUnverifiedVaultConfig().getHeader("hub", HubConfig.class);
+		} catch (IOException e) {
+			throw new UncheckedIOException(e);
+		}
+	}
+
 	@Provides
 	@KeyLoadingScoped
 	static AtomicReference<KeyPair> provideKeyPair() {
@@ -92,6 +105,14 @@ public abstract class HubKeyLoadingModule {
 		return fxmlLoaders.createScene(FxmlFile.HUB_RECEIVE_KEY);
 	}
 
+	@Provides
+	@FxmlScene(FxmlFile.HUB_REGISTER_DEVICE)
+	@KeyLoadingScoped
+	static Scene provideHubRegisterDeviceScene(@KeyLoading FxmlLoaderFactory fxmlLoaders) {
+		return fxmlLoaders.createScene(FxmlFile.HUB_REGISTER_DEVICE);
+	}
+
+
 	@Binds
 	@IntoMap
 	@FxControllerKey(P12Controller.class)
@@ -124,4 +145,9 @@ public abstract class HubKeyLoadingModule {
 	@FxControllerKey(ReceiveKeyController.class)
 	abstract FxController bindReceiveKeyController(ReceiveKeyController controller);
 
+	@Binds
+	@IntoMap
+	@FxControllerKey(RegisterDeviceController.class)
+	abstract FxController bindRegisterDeviceController(RegisterDeviceController controller);
+
 }
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java
index 1343f8cc9..b3b213b34 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java
@@ -29,7 +29,6 @@ public class HubKeyLoadingStrategy implements KeyLoadingStrategy {
 	static final String SCHEME_HUB_HTTP = SCHEME_PREFIX + "http";
 	static final String SCHEME_HUB_HTTPS = SCHEME_PREFIX + "https";
 
-	private final Vault vault;
 	private final Stage window;
 	private final Lazy<Scene> p12LoadingScene;
 	private final UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> userInteraction;
@@ -37,8 +36,7 @@ public class HubKeyLoadingStrategy implements KeyLoadingStrategy {
 	private final AtomicReference<EciesParams> eciesParams;
 
 	@Inject
-	public HubKeyLoadingStrategy(@KeyLoading Vault vault, @KeyLoading Stage window, @FxmlScene(FxmlFile.HUB_P12) Lazy<Scene> p12LoadingScene, UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> userInteraction, AtomicReference<KeyPair> keyPairRef, AtomicReference<EciesParams> eciesParams) {
-		this.vault = vault;
+	public HubKeyLoadingStrategy(@KeyLoading Stage window, @FxmlScene(FxmlFile.HUB_P12) Lazy<Scene> p12LoadingScene, UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> userInteraction, AtomicReference<KeyPair> keyPairRef, AtomicReference<EciesParams> eciesParams) {
 		this.window = window;
 		this.p12LoadingScene = p12LoadingScene;
 		this.userInteraction = userInteraction;
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
index c87a09efc..9707981ec 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
@@ -5,9 +5,12 @@ import com.google.common.base.Strings;
 import com.google.common.io.BaseEncoding;
 import com.google.gson.Gson;
 import com.google.gson.JsonElement;
+import dagger.Lazy;
 import org.cryptomator.common.vaults.Vault;
 import org.cryptomator.ui.common.ErrorComponent;
 import org.cryptomator.ui.common.FxController;
+import org.cryptomator.ui.common.FxmlFile;
+import org.cryptomator.ui.common.FxmlScene;
 import org.cryptomator.ui.common.UserInteractionLock;
 import org.cryptomator.ui.keyloading.KeyLoading;
 import org.cryptomator.ui.keyloading.KeyLoadingScoped;
@@ -23,6 +26,7 @@ import javafx.beans.property.SimpleObjectProperty;
 import javafx.beans.property.SimpleStringProperty;
 import javafx.beans.property.StringProperty;
 import javafx.fxml.FXML;
+import javafx.scene.Scene;
 import javafx.scene.control.TextField;
 import javafx.stage.Stage;
 import javafx.stage.WindowEvent;
@@ -47,23 +51,20 @@ public class ReceiveKeyController implements FxController {
 
 	private final Stage window;
 	private final String bearerToken;
-	private final KeyPair keyPair;
 	private final AtomicReference<EciesParams> eciesParamsRef;
 	private final UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result;
+	private final Lazy<Scene> registerDeviceScene;
 	private final ErrorComponent.Builder errorComponent;
 	private final URI vaultBaseUri;
-	private final ObjectProperty<ReceiveKeyState> state = new SimpleObjectProperty<>(ReceiveKeyState.LOADING);
 	private final HttpClient httpClient;
 
-	public TextField deviceName;
-
 	@Inject
-	public ReceiveKeyController(@KeyLoading Vault vault, ExecutorService executor, @KeyLoading Stage window, AtomicReference<KeyPair> keyPairRef, @Named("bearerToken") AtomicReference<String> tokenRef, AtomicReference<EciesParams> eciesParamsRef, UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result, ErrorComponent.Builder errorComponent) {
+	public ReceiveKeyController(@KeyLoading Vault vault, ExecutorService executor, @KeyLoading Stage window, AtomicReference<KeyPair> keyPairRef, @Named("bearerToken") AtomicReference<String> tokenRef, AtomicReference<EciesParams> eciesParamsRef, UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result, @FxmlScene(FxmlFile.HUB_REGISTER_DEVICE) Lazy<Scene> registerDeviceScene, ErrorComponent.Builder errorComponent) {
 		this.window = window;
 		this.bearerToken = Objects.requireNonNull(tokenRef.get());
-		this.keyPair = Objects.requireNonNull(keyPairRef.get());
 		this.eciesParamsRef = eciesParamsRef;
 		this.result = result;
+		this.registerDeviceScene = registerDeviceScene;
 		this.errorComponent = errorComponent;
 		this.vaultBaseUri = getVaultBaseUri(vault);
 		this.window.addEventHandler(WindowEvent.WINDOW_HIDING, this::windowClosed);
@@ -87,41 +88,8 @@ public class ReceiveKeyController implements FxController {
 		} else {
 			switch (response.statusCode()) {
 				case 200 -> retrievalSucceeded(response);
-				case 404 -> state.set(ReceiveKeyState.NEEDS_REGISTRATION);
-				default -> retrievalFailed(new IOException("Unexpected response " + response.statusCode()));
-			}
-		}
-	}
-
-	@FXML
-	public void register() {
-		Preconditions.checkArgument(!Strings.isNullOrEmpty(deviceName.getText()), "device name must not be empty");
-		var deviceKey = BaseEncoding.base64Url().omitPadding().encode(keyPair.getPublic().getEncoded());
-		var json = """
-    			{
-    				"id": "desktop-app",
-    				"name": "%s",
-    				"publicKey": "%s"
-    			}
-				""".formatted(deviceName.getText(), deviceKey); // TODO use gson
-
-		var regUri = URI.create("http://localhost:9090/devices/desktop-app"); // TODO read api base from vault config!
-		var request = HttpRequest.newBuilder(regUri) //
-				.header("Authorization", "Bearer " + bearerToken) //
-				.header("Content-Type", "application/json; charset=UTF-8") //
-				.PUT(HttpRequest.BodyPublishers.ofString(json)) //
-				.build();
-		httpClient.sendAsync(request, HttpResponse.BodyHandlers.ofInputStream()) //
-				.whenCompleteAsync(this::createdNewDevice, Platform::runLater);
-	}
-
-	private void createdNewDevice(HttpResponse<InputStream> response, Throwable error) {
-		if (error != null) {
-			retrievalFailed(error);
-		} else {
-			switch (response.statusCode()) {
-				case 201 -> LOG.info("TODO device created, waiting for authorization");
-				case 409 -> LOG.info("TODO device already exists. still waiting for authorization");
+				case 403 -> accessNotGranted();
+				case 404 -> needsDeviceRegistration();
 				default -> retrievalFailed(new IOException("Unexpected response " + response.statusCode()));
 			}
 		}
@@ -143,6 +111,14 @@ public class ReceiveKeyController implements FxController {
 		}
 	}
 
+	private void needsDeviceRegistration() {
+		window.setScene(registerDeviceScene.get());
+	}
+
+	private void accessNotGranted() {
+		LOG.warn("unauthorized device"); // TODO
+	}
+
 	private void retrievalFailed(Throwable cause) {
 		result.interacted(HubKeyLoadingModule.HubLoadingResult.FAILED);
 		LOG.error("Key retrieval failed", cause);
@@ -183,13 +159,5 @@ public class ReceiveKeyController implements FxController {
 			throw new IllegalStateException("URI constructed from params known to be valid", e);
 		}
 	}
-	/* Getter/Setter */
 
-	public ObjectProperty<ReceiveKeyState> stateProperty() {
-		return state;
-	}
-
-	public ReceiveKeyState getState() {
-		return state.get();
-	}
 }
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyState.java b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyState.java
deleted file mode 100644
index ae1562ded..000000000
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyState.java
+++ /dev/null
@@ -1,6 +0,0 @@
-package org.cryptomator.ui.keyloading.hub;
-
-public enum ReceiveKeyState {
-	LOADING,
-	NEEDS_REGISTRATION
-}
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
new file mode 100644
index 000000000..1110f3b15
--- /dev/null
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
@@ -0,0 +1,59 @@
+package org.cryptomator.ui.keyloading.hub;
+
+import com.google.common.io.BaseEncoding;
+import org.cryptomator.common.vaults.Vault;
+import org.cryptomator.ui.common.FxController;
+import org.cryptomator.ui.common.UserInteractionLock;
+import org.cryptomator.ui.keyloading.KeyLoading;
+import org.cryptomator.ui.keyloading.KeyLoadingScoped;
+
+import javax.inject.Inject;
+import javafx.application.Application;
+import javafx.event.Event;
+import javafx.fxml.FXML;
+import javafx.stage.Stage;
+import javafx.stage.WindowEvent;
+import java.security.KeyPair;
+import java.util.Objects;
+import java.util.concurrent.atomic.AtomicReference;
+
+@KeyLoadingScoped
+public class RegisterDeviceController implements FxController {
+
+	private final Application application;
+	private final Stage window;
+	private final HubConfig hubConfig;
+	private final KeyPair keyPair;
+	private final UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result;
+
+	@Inject
+	public RegisterDeviceController(Application application, @KeyLoading Stage window, HubConfig hubConfig, AtomicReference<KeyPair> keyPairRef, UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result) {
+		this.application = application;
+		this.window = window;
+		this.hubConfig = hubConfig;
+		this.keyPair = Objects.requireNonNull(keyPairRef.get());
+		this.result = result;
+		this.window.addEventHandler(WindowEvent.WINDOW_HIDING, this::windowClosed);
+	}
+
+	@FXML
+	public void browse() {
+		var deviceKey = BaseEncoding.base64Url().omitPadding().encode(keyPair.getPublic().getEncoded());
+		var url = hubConfig.deviceRegistrationUrl + "?device_key=" + deviceKey;
+		// TODO append further params (including hmac of shown verification code)
+		application.getHostServices().showDocument(url);
+	}
+
+	@FXML
+	public void close() {
+		window.close();
+	}
+
+	private void windowClosed(WindowEvent windowEvent) {
+		// if not already interacted, mark this workflow as cancelled:
+		if (result.awaitingInteraction().get()) {
+			result.interacted(HubKeyLoadingModule.HubLoadingResult.CANCELLED);
+		}
+	}
+
+}
diff --git a/src/main/resources/fxml/hub_receive_key.fxml b/src/main/resources/fxml/hub_receive_key.fxml
index ef10291e7..0ea9d012c 100644
--- a/src/main/resources/fxml/hub_receive_key.fxml
+++ b/src/main/resources/fxml/hub_receive_key.fxml
@@ -1,12 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 
 <?import org.cryptomator.ui.controls.FontAwesome5Spinner?>
-<?import org.cryptomator.ui.keyloading.hub.ReceiveKeyState?>
 <?import javafx.geometry.Insets?>
 <?import javafx.scene.control.Button?>
 <?import javafx.scene.control.ButtonBar?>
-<?import javafx.scene.control.Label?>
-<?import javafx.scene.control.TextField?>
 <?import javafx.scene.image.Image?>
 <?import javafx.scene.image.ImageView?>
 <?import javafx.scene.layout.HBox?>
@@ -18,10 +15,6 @@
 	  maxWidth="400"
 	  minHeight="145"
 	  spacing="12">
-	<fx:define>
-		<ReceiveKeyState fx:id="loading" fx:constant="LOADING" />
-		<ReceiveKeyState fx:id="needsRegistration" fx:constant="NEEDS_REGISTRATION"/>
-	</fx:define>
 	<padding>
 		<Insets topRightBottomLeft="12"/>
 	</padding>
@@ -31,19 +24,13 @@
 				<Image url="@../img/bot/bot.png"/>
 			</ImageView>
 
-			<FontAwesome5Spinner glyphSize="12" visible="${controller.state == loading}" managed="${controller.state == loading}"/>
-
-			<VBox spacing="6" visible="${controller.state == needsRegistration}" managed="${controller.state == needsRegistration}">
-				<Label text="TODO: register device" labelFor="$locationTextField"/>
-				<TextField fx:id="deviceName" promptText="TODO: device name" VBox.vgrow="ALWAYS"/>
-			</VBox>
+			<FontAwesome5Spinner glyphSize="12"/>
 		</HBox>
 
 		<VBox alignment="BOTTOM_CENTER" VBox.vgrow="ALWAYS">
-			<ButtonBar buttonMinWidth="120" buttonOrder="+CX">
+			<ButtonBar buttonMinWidth="120" buttonOrder="+C">
 				<buttons>
 					<Button text="%generic.button.cancel" ButtonBar.buttonData="CANCEL_CLOSE" cancelButton="true" onAction="#cancel"/>
-					<Button text="TODO: register device" ButtonBar.buttonData="NEXT_FORWARD" visible="${controller.state == needsRegistration}" managed="${controller.state == needsRegistration}" defaultButton="true" onAction="#register"/>
 				</buttons>
 			</ButtonBar>
 		</VBox>
diff --git a/src/main/resources/fxml/hub_register_device.fxml b/src/main/resources/fxml/hub_register_device.fxml
new file mode 100644
index 000000000..5daa3596e
--- /dev/null
+++ b/src/main/resources/fxml/hub_register_device.fxml
@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<?import javafx.geometry.Insets?>
+<?import javafx.scene.control.Button?>
+<?import javafx.scene.control.ButtonBar?>
+<?import javafx.scene.image.Image?>
+<?import javafx.scene.image.ImageView?>
+<?import javafx.scene.layout.HBox?>
+<?import javafx.scene.layout.VBox?>
+<?import javafx.scene.control.Hyperlink?>
+<VBox xmlns:fx="http://javafx.com/fxml"
+	  xmlns="http://javafx.com/javafx"
+	  fx:controller="org.cryptomator.ui.keyloading.hub.RegisterDeviceController"
+	  minWidth="400"
+	  maxWidth="400"
+	  minHeight="145"
+	  spacing="12">
+	<padding>
+		<Insets topRightBottomLeft="12"/>
+	</padding>
+	<children>
+		<HBox spacing="12" VBox.vgrow="ALWAYS">
+			<ImageView VBox.vgrow="ALWAYS" fitWidth="64" preserveRatio="true" cache="true">
+				<Image url="@../img/bot/bot.png"/>
+			</ImageView>
+
+			<VBox spacing="12">
+				<Hyperlink text="TODO: Register Device" onAction="#browse"/>
+			</VBox>
+		</HBox>
+
+		<VBox alignment="BOTTOM_CENTER" VBox.vgrow="ALWAYS">
+			<ButtonBar buttonMinWidth="120" buttonOrder="+I">
+				<buttons>
+					<Button text="%generic.button.close" ButtonBar.buttonData="FINISH" defaultButton="true" onAction="#close"/>
+				</buttons>
+			</ButtonBar>
+		</VBox>
+	</children>
+</VBox>
diff --git a/src/test/java/org/cryptomator/ui/keyloading/hub/AuthFlowIntegrationTest.java b/src/test/java/org/cryptomator/ui/keyloading/hub/AuthFlowIntegrationTest.java
index af34d0c0a..2b0f93c25 100644
--- a/src/test/java/org/cryptomator/ui/keyloading/hub/AuthFlowIntegrationTest.java
+++ b/src/test/java/org/cryptomator/ui/keyloading/hub/AuthFlowIntegrationTest.java
@@ -15,14 +15,18 @@ public class AuthFlowIntegrationTest {
 	}
 
 	private static final Logger LOG = LoggerFactory.getLogger(AuthFlowIntegrationTest.class);
-	private static final URI AUTH_URI = URI.create("http://localhost:8080/auth/realms/cryptomator/protocol/openid-connect/auth");
-	private static final URI TOKEN_URI = URI.create("http://localhost:8080/auth/realms/cryptomator/protocol/openid-connect/token");
-	private static final String CLIENT_ID = "cryptomator-hub";
 
 	@Test
 	@Disabled // only to be run manually
 	public void testRetrieveToken() throws Exception {
-		try (var authFlow = AuthFlow.init(AUTH_URI, TOKEN_URI, CLIENT_ID)) {
+		var hubConfig = new HubConfig();
+		hubConfig.authEndpoint = "http://localhost:8080/auth/realms/cryptomator/protocol/openid-connect/auth";
+		hubConfig.tokenEndpoint = "http://localhost:8080/auth/realms/cryptomator/protocol/openid-connect/token";
+		hubConfig.clientId = "cryptomator-hub";
+		hubConfig.unlockSuccessUrl = "http://localhost:3000/#/unlock-success";
+		hubConfig.unlockErrorUrl = "http://localhost:3000/#/unlock-error";
+
+		try (var authFlow = AuthFlow.init(hubConfig)) {
 			var token = authFlow.run(uri -> {
 				LOG.info("Visit {} to authenticate", uri);
 			});

From be8243d9d18a271fa12a5e05631a2a729e15fedb Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Fri, 13 Aug 2021 21:41:10 +0200
Subject: [PATCH 17/55] cleanup

---
 .../java/org/cryptomator/ui/keyloading/hub/AuthFlow.java   | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlow.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlow.java
index b261b6cee..11ef34301 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlow.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlow.java
@@ -5,18 +5,12 @@ import com.google.common.base.Strings;
 import com.google.common.collect.Streams;
 import com.google.common.escape.Escaper;
 import com.google.common.io.BaseEncoding;
-import com.google.common.io.CharStreams;
 import com.google.common.net.PercentEscaper;
-import com.google.gson.JsonElement;
-import com.google.gson.JsonParseException;
-import com.google.gson.JsonParser;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import java.io.IOException;
 import java.io.InputStream;
-import java.io.InputStreamReader;
-import java.io.Reader;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.http.HttpClient;
@@ -164,7 +158,6 @@ class AuthFlow implements AutoCloseable {
 
 		public static final String METHOD = "S256";
 
-
 		public PKCE(String verifier) {
 			this(BASE64URL.encode(sha256(verifier.getBytes(StandardCharsets.US_ASCII))), verifier);
 		}

From afc853f5f58f8fef27165b6ea82ca56c74f34357 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Fri, 13 Aug 2021 21:41:43 +0200
Subject: [PATCH 18/55] append device registration params to hub url

---
 .../hub/RegisterDeviceController.java         | 31 ++++++++++++++++---
 .../resources/fxml/hub_register_device.fxml   |  9 +++++-
 2 files changed, 34 insertions(+), 6 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
index 1110f3b15..68654a632 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
@@ -1,7 +1,6 @@
 package org.cryptomator.ui.keyloading.hub;
 
 import com.google.common.io.BaseEncoding;
-import org.cryptomator.common.vaults.Vault;
 import org.cryptomator.ui.common.FxController;
 import org.cryptomator.ui.common.UserInteractionLock;
 import org.cryptomator.ui.keyloading.KeyLoading;
@@ -9,11 +8,14 @@ import org.cryptomator.ui.keyloading.KeyLoadingScoped;
 
 import javax.inject.Inject;
 import javafx.application.Application;
-import javafx.event.Event;
 import javafx.fxml.FXML;
 import javafx.stage.Stage;
 import javafx.stage.WindowEvent;
+import java.nio.charset.StandardCharsets;
 import java.security.KeyPair;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 import java.util.Objects;
 import java.util.concurrent.atomic.AtomicReference;
 
@@ -25,22 +27,25 @@ public class RegisterDeviceController implements FxController {
 	private final HubConfig hubConfig;
 	private final KeyPair keyPair;
 	private final UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result;
+	private final String verificationCode;
 
 	@Inject
-	public RegisterDeviceController(Application application, @KeyLoading Stage window, HubConfig hubConfig, AtomicReference<KeyPair> keyPairRef, UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result) {
+	public RegisterDeviceController(Application application, SecureRandom csprng, @KeyLoading Stage window, HubConfig hubConfig, AtomicReference<KeyPair> keyPairRef, UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result) {
 		this.application = application;
 		this.window = window;
 		this.hubConfig = hubConfig;
 		this.keyPair = Objects.requireNonNull(keyPairRef.get());
 		this.result = result;
 		this.window.addEventHandler(WindowEvent.WINDOW_HIDING, this::windowClosed);
+		this.verificationCode = String.format("%06d", csprng.nextInt(1_000_000));
 	}
 
 	@FXML
 	public void browse() {
 		var deviceKey = BaseEncoding.base64Url().omitPadding().encode(keyPair.getPublic().getEncoded());
-		var url = hubConfig.deviceRegistrationUrl + "?device_key=" + deviceKey;
-		// TODO append further params (including hmac of shown verification code)
+		var deviceId = "desktop-app"; // TODO use actual device id
+		var hash = computeVerificationHash(deviceId + deviceKey + verificationCode);
+		var url = hubConfig.deviceRegistrationUrl + "?device_key=" + deviceKey + "&device_id=" + deviceId + "&verification_hash=" + hash;
 		application.getHostServices().showDocument(url);
 	}
 
@@ -56,4 +61,20 @@ public class RegisterDeviceController implements FxController {
 		}
 	}
 
+	private static String computeVerificationHash(String input) {
+		try {
+			var digest = MessageDigest.getInstance("SHA-256");
+			digest.update(StandardCharsets.UTF_8.encode(input));
+			return BaseEncoding.base64Url().omitPadding().encode(digest.digest());
+		} catch (NoSuchAlgorithmException e) {
+			throw new IllegalStateException("Every implementation of the Java platform is required to support SHA-256.");
+		}
+	}
+
+	/* Getter */
+
+	public String getVerificationCode() {
+		return verificationCode;
+	}
+
 }
diff --git a/src/main/resources/fxml/hub_register_device.fxml b/src/main/resources/fxml/hub_register_device.fxml
index 5daa3596e..41f49f9f1 100644
--- a/src/main/resources/fxml/hub_register_device.fxml
+++ b/src/main/resources/fxml/hub_register_device.fxml
@@ -8,6 +8,8 @@
 <?import javafx.scene.layout.HBox?>
 <?import javafx.scene.layout.VBox?>
 <?import javafx.scene.control.Hyperlink?>
+<?import javafx.scene.text.TextFlow?>
+<?import javafx.scene.text.Text?>
 <VBox xmlns:fx="http://javafx.com/fxml"
 	  xmlns="http://javafx.com/javafx"
 	  fx:controller="org.cryptomator.ui.keyloading.hub.RegisterDeviceController"
@@ -25,7 +27,12 @@
 			</ImageView>
 
 			<VBox spacing="12">
-				<Hyperlink text="TODO: Register Device" onAction="#browse"/>
+				<TextFlow styleClass="text-flow">
+					<Text text="TODO: Please click on "/>
+					<Hyperlink styleClass="hyperlink-underline" text="TODO: Register Device" onAction="#browse"/>
+					<Text text=" and enter this device verification code: "/>
+					<Text text="${controller.verificationCode}"/>
+				</TextFlow>
 			</VBox>
 		</HBox>
 

From 5922743f19cfe2507ee5d3867b95b004c11fdc6a Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Tue, 17 Aug 2021 16:52:28 +0200
Subject: [PATCH 19/55] removed dead code

[ci skip]
---
 .../ui/keyloading/hub/AuthFlowReceiver.java            | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowReceiver.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowReceiver.java
index 1a1788635..2f96f05a3 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowReceiver.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowReceiver.java
@@ -26,16 +26,6 @@ class AuthFlowReceiver implements AutoCloseable {
 
 	private static final String LOOPBACK_ADDR = "127.0.0.1";
 	private static final String CALLBACK_PATH = "/callback";
-	private static final String HTML_SUCCESS = """
-			<html>
-			<head>
-				<title>OAuth 2.0 Authentication Token Received</title>
-			</head>
-			<body>
-				<p>Received verification code. You may now close this window.</p>
-			</body>
-			</html>
-			""";
 
 	private final Server server;
 	private final ServerConnector connector;

From fa86d890feddde5fd6a419dc446052d30d79b783 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Fri, 20 Aug 2021 17:16:07 +0200
Subject: [PATCH 20/55] use application-global device key that requires a
 system keychain

---
 pom.xml                                       |  15 +-
 src/main/java/module-info.java                |   3 +-
 .../common/settings/DeviceKey.java            | 104 ++++++++++++++
 .../CreateNewVaultPasswordController.java     |   2 +-
 .../org/cryptomator/ui/common/FxmlFile.java   |   1 -
 .../cryptomator/ui/health/CheckExecutor.java  |   2 +-
 .../ui/health/ResultFixApplier.java           |   2 +-
 .../ui/health/StartController.java            |   2 +-
 .../ui/keyloading/hub/EciesHelper.java        | 135 ------------------
 .../ui/keyloading/hub/EciesParams.java        |  31 +---
 .../keyloading/hub/HubKeyLoadingModule.java   |  30 ----
 .../keyloading/hub/HubKeyLoadingStrategy.java |  27 ++--
 .../ui/keyloading/hub/P12AccessHelper.java    | 108 --------------
 .../ui/keyloading/hub/P12Controller.java      |  47 ------
 .../keyloading/hub/P12CreateController.java   | 126 ----------------
 .../ui/keyloading/hub/P12LoadController.java  | 118 ---------------
 .../keyloading/hub/ReceiveKeyController.java  |   2 +-
 .../hub/RegisterDeviceController.java         |   8 +-
 .../ui/keyloading/hub/X509Helper.java         |  81 -----------
 src/main/resources/fxml/hub_p12.fxml          |  19 ---
 src/main/resources/fxml/hub_p12_create.fxml   |  39 -----
 src/main/resources/fxml/hub_p12_load.fxml     |  48 -------
 src/main/resources/license/THIRD-PARTY.txt    |   6 +-
 .../ui/keyloading/hub/EciesHelperTest.java    |  60 --------
 .../keyloading/hub/P12AccessHelperTest.java   |  52 -------
 .../ui/keyloading/hub/X509HelperTest.java     |  25 ----
 26 files changed, 136 insertions(+), 957 deletions(-)
 create mode 100644 src/main/java/org/cryptomator/common/settings/DeviceKey.java
 delete mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/EciesHelper.java
 delete mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/P12AccessHelper.java
 delete mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/P12Controller.java
 delete mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/P12CreateController.java
 delete mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/P12LoadController.java
 delete mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/X509Helper.java
 delete mode 100644 src/main/resources/fxml/hub_p12.fxml
 delete mode 100644 src/main/resources/fxml/hub_p12_create.fxml
 delete mode 100644 src/main/resources/fxml/hub_p12_load.fxml
 delete mode 100644 src/test/java/org/cryptomator/ui/keyloading/hub/EciesHelperTest.java
 delete mode 100644 src/test/java/org/cryptomator/ui/keyloading/hub/P12AccessHelperTest.java
 delete mode 100644 src/test/java/org/cryptomator/ui/keyloading/hub/X509HelperTest.java

diff --git a/pom.xml b/pom.xml
index 2cd2baec6..d990427e2 100644
--- a/pom.xml
+++ b/pom.xml
@@ -27,7 +27,8 @@
 		<nonModularGroupIds>com.github.serceman,com.github.jnr,org.ow2.asm,net.java.dev.jna,org.apache.jackrabbit,org.apache.httpcomponents,de.swiesend,org.purejava,com.github.hypfvieh</nonModularGroupIds>
 
 		<!-- cryptomator dependencies -->
-		<cryptomator.cryptofs.version>2.1.0-beta11</cryptomator.cryptofs.version>
+		<cryptomator.cryptolib.version>2.1.0-beta2</cryptomator.cryptolib.version>
+		<cryptomator.cryptofs.version>2.1.0-beta12</cryptomator.cryptofs.version>
 		<cryptomator.integrations.version>1.0.0-rc1</cryptomator.integrations.version>
 		<cryptomator.integrations.win.version>1.0.0-beta2</cryptomator.integrations.win.version>
 		<cryptomator.integrations.mac.version>1.0.0-beta2</cryptomator.integrations.mac.version>
@@ -58,6 +59,11 @@
 
 	<dependencies>
 		<!-- Cryptomator Libs -->
+		<dependency>
+			<groupId>org.cryptomator</groupId>
+			<artifactId>cryptolib</artifactId>
+			<version>${cryptomator.cryptolib.version}</version>
+		</dependency>
 		<dependency>
 			<groupId>org.cryptomator</groupId>
 			<artifactId>cryptofs</artifactId>
@@ -130,13 +136,6 @@
 			<version>${commons-lang3.version}</version>
 		</dependency>
 
-		<!-- BouncyCastle -->
-		<dependency>
-			<groupId>org.bouncycastle</groupId>
-			<artifactId>bcpkix-jdk15on</artifactId>
-			<version>${bouncycastle.version}</version>
-		</dependency>
-
 		<dependency>
 			<groupId>org.eclipse.jetty</groupId>
 			<artifactId>jetty-server</artifactId>
diff --git a/src/main/java/module-info.java b/src/main/java/module-info.java
index b8e899845..552226462 100644
--- a/src/main/java/module-info.java
+++ b/src/main/java/module-info.java
@@ -4,6 +4,7 @@ import org.cryptomator.integrations.tray.TrayIntegrationProvider;
 import org.cryptomator.integrations.uiappearance.UiAppearanceProvider;
 
 module org.cryptomator.desktop {
+	requires org.cryptomator.cryptolib;
 	requires org.cryptomator.cryptofs;
 	requires org.cryptomator.frontend.dokany;
 	requires org.cryptomator.frontend.fuse;
@@ -25,8 +26,6 @@ module org.cryptomator.desktop {
 	requires com.tobiasdiez.easybind;
 	requires dagger;
 	requires org.slf4j;
-	requires org.bouncycastle.provider;
-	requires org.bouncycastle.pkix;
 	requires org.apache.commons.lang3;
 	requires org.eclipse.jetty.server;
 	requires org.eclipse.jetty.webapp;
diff --git a/src/main/java/org/cryptomator/common/settings/DeviceKey.java b/src/main/java/org/cryptomator/common/settings/DeviceKey.java
new file mode 100644
index 000000000..aba0bb849
--- /dev/null
+++ b/src/main/java/org/cryptomator/common/settings/DeviceKey.java
@@ -0,0 +1,104 @@
+package org.cryptomator.common.settings;
+
+import com.google.common.base.Preconditions;
+import com.google.common.base.Suppliers;
+import com.google.common.io.BaseEncoding;
+import org.cryptomator.common.Environment;
+import org.cryptomator.common.keychain.KeychainManager;
+import org.cryptomator.cryptolib.common.P384KeyPair;
+import org.cryptomator.cryptolib.common.Pkcs12Exception;
+import org.cryptomator.integrations.keychain.KeychainAccessException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.inject.Inject;
+import javax.inject.Singleton;
+import java.io.IOException;
+import java.nio.CharBuffer;
+import java.nio.file.Files;
+import java.security.SecureRandom;
+import java.util.Arrays;
+import java.util.UUID;
+import java.util.function.Supplier;
+
+@Singleton
+public class DeviceKey {
+
+	private static final Logger LOG = LoggerFactory.getLogger(DeviceKey.class);
+	private static final String KEYCHAIN_KEY = "cryptomator-device-p12";
+
+	private final KeychainManager keychainManager;
+	private final Environment env;
+	private final SecureRandom csprng;
+	private final Supplier<P384KeyPair> keyPairSupplier;
+
+	@Inject
+	public DeviceKey(KeychainManager keychainManager, Environment env, SecureRandom csprng) {
+		this.keychainManager = keychainManager;
+		this.env = env;
+		this.csprng = csprng;
+		this.keyPairSupplier = Suppliers.memoize(this::loadOrCreate);
+	}
+
+	public P384KeyPair get() throws DeviceKeyRetrievalException {
+		Preconditions.checkState(keychainManager.isSupported());
+		return keyPairSupplier.get();
+	}
+
+	private P384KeyPair loadOrCreate() throws DeviceKeyRetrievalException {
+		char[] passphrase = null;
+		try {
+			passphrase = keychainManager.loadPassphrase(KEYCHAIN_KEY);
+			if (passphrase != null) {
+				return loadExistingKeyPair(passphrase);
+			} else {
+				passphrase = randomPassword();
+				keychainManager.storePassphrase(KEYCHAIN_KEY, CharBuffer.wrap(passphrase));
+				return createAndStoreNewKeyPair(passphrase);
+			}
+		} catch (KeychainAccessException e) {
+			throw new DeviceKeyRetrievalException("Failed to access system keychain", e);
+		} catch (Pkcs12Exception | IOException e) {
+			throw new DeviceKeyRetrievalException("Failed to access .p12 file", e);
+		} finally {
+			if (passphrase != null) {
+				Arrays.fill(passphrase, '\0');
+			}
+		}
+	}
+
+	private P384KeyPair loadExistingKeyPair(char[] passphrase) throws IOException {
+		var p12File = env.getP12Path() //
+				.filter(Files::isRegularFile) //
+				.findFirst() //
+				.orElseThrow(() -> new DeviceKeyRetrievalException("Missing .p12 file"));
+		LOG.debug("Loading existing device key from {}", p12File);
+		return P384KeyPair.load(p12File, passphrase);
+	}
+
+	private P384KeyPair createAndStoreNewKeyPair(char[] passphrase) throws IOException {
+		var p12File = env.getP12Path() //
+				.findFirst() //
+				.orElseThrow(() -> new DeviceKeyRetrievalException("No path for .p12 file configured"));
+		var keyPair = P384KeyPair.generate();
+		LOG.debug("Store new device key to {}", p12File);
+		keyPair.store(p12File, passphrase);
+		return keyPair;
+	}
+
+	private char[] randomPassword() {
+		// this is a fast & easy attempt to create a random string:
+		var uuid = new UUID(csprng.nextLong(), csprng.nextLong());
+		return uuid.toString().toCharArray();
+	}
+
+	public static class DeviceKeyRetrievalException extends RuntimeException {
+		private DeviceKeyRetrievalException(String message) {
+			super(message);
+		}
+		private DeviceKeyRetrievalException(String message, Throwable cause) {
+			super(message, cause);
+		}
+	}
+
+}
diff --git a/src/main/java/org/cryptomator/ui/addvaultwizard/CreateNewVaultPasswordController.java b/src/main/java/org/cryptomator/ui/addvaultwizard/CreateNewVaultPasswordController.java
index 627793d6e..578b90969 100644
--- a/src/main/java/org/cryptomator/ui/addvaultwizard/CreateNewVaultPasswordController.java
+++ b/src/main/java/org/cryptomator/ui/addvaultwizard/CreateNewVaultPasswordController.java
@@ -182,7 +182,7 @@ public class CreateNewVaultPasswordController implements FxController {
 
 			// 2. initialize vault:
 			try {
-				MasterkeyLoader loader = ignored -> masterkey.clone();
+				MasterkeyLoader loader = ignored -> masterkey.copy();
 				CryptoFileSystemProperties fsProps = CryptoFileSystemProperties.cryptoFileSystemProperties().withCipherCombo(CryptorProvider.Scheme.SIV_CTRMAC).withKeyLoader(loader).build();
 				CryptoFileSystemProvider.initialize(path, fsProps, DEFAULT_KEY_ID);
 
diff --git a/src/main/java/org/cryptomator/ui/common/FxmlFile.java b/src/main/java/org/cryptomator/ui/common/FxmlFile.java
index 84ef8983f..8d96dd216 100644
--- a/src/main/java/org/cryptomator/ui/common/FxmlFile.java
+++ b/src/main/java/org/cryptomator/ui/common/FxmlFile.java
@@ -15,7 +15,6 @@ public enum FxmlFile {
 	HEALTH_START_FAIL("/fxml/health_start_fail.fxml"), //
 	HEALTH_CHECK_LIST("/fxml/health_check_list.fxml"), //
 	HUB_AUTH_FLOW("/fxml/hub_auth_flow.fxml"), //
-	HUB_P12("/fxml/hub_p12.fxml"), //
 	HUB_RECEIVE_KEY("/fxml/hub_receive_key.fxml"), //
 	HUB_REGISTER_DEVICE("/fxml/hub_register_device.fxml"), //
 	LOCK_FORCED("/fxml/lock_forced.fxml"), //
diff --git a/src/main/java/org/cryptomator/ui/health/CheckExecutor.java b/src/main/java/org/cryptomator/ui/health/CheckExecutor.java
index 5b14bd17c..a9ee9a17f 100644
--- a/src/main/java/org/cryptomator/ui/health/CheckExecutor.java
+++ b/src/main/java/org/cryptomator/ui/health/CheckExecutor.java
@@ -67,7 +67,7 @@ public class CheckExecutor {
 
 		@Override
 		protected Void call() throws Exception {
-			try (var masterkeyClone = masterkey.clone(); //
+			try (var masterkeyClone = masterkey.copy(); //
 				 var cryptor = CryptorProvider.forScheme(vaultConfig.getCipherCombo()).provide(masterkeyClone, csprng)) {
 				c.getHealthCheck().check(vaultPath, vaultConfig, masterkeyClone, cryptor, diagnosis -> {
 					Platform.runLater(() -> c.getResults().add(Result.create(diagnosis)));
diff --git a/src/main/java/org/cryptomator/ui/health/ResultFixApplier.java b/src/main/java/org/cryptomator/ui/health/ResultFixApplier.java
index 841a8f5c4..3dc91e33b 100644
--- a/src/main/java/org/cryptomator/ui/health/ResultFixApplier.java
+++ b/src/main/java/org/cryptomator/ui/health/ResultFixApplier.java
@@ -50,7 +50,7 @@ class ResultFixApplier {
 
 	public void fix(DiagnosticResult diagnosis) {
 		Preconditions.checkArgument(diagnosis.getSeverity() == DiagnosticResult.Severity.WARN, "Unfixable result");
-		try (var masterkeyClone = masterkey.clone(); //
+		try (var masterkeyClone = masterkey.copy(); //
 			 var cryptor = CryptorProvider.forScheme(vaultConfig.getCipherCombo()).provide(masterkeyClone, csprng)) {
 			diagnosis.fix(vaultPath, vaultConfig, masterkeyClone, cryptor);
 		} catch (Exception e) {
diff --git a/src/main/java/org/cryptomator/ui/health/StartController.java b/src/main/java/org/cryptomator/ui/health/StartController.java
index ebba001b5..ec980b9f0 100644
--- a/src/main/java/org/cryptomator/ui/health/StartController.java
+++ b/src/main/java/org/cryptomator/ui/health/StartController.java
@@ -84,7 +84,7 @@ public class StartController implements FxController {
 		try (var masterkey = keyLoadingStrategy.loadKey(unverifiedCfg.getKeyId())) {
 			var verifiedCfg = unverifiedCfg.verify(masterkey.getEncoded(), unverifiedCfg.allegedVaultVersion());
 			vaultConfigRef.set(verifiedCfg);
-			var old = masterkeyRef.getAndSet(masterkey.clone());
+			var old = masterkeyRef.getAndSet(masterkey.copy());
 			if (old != null) {
 				old.destroy();
 			}
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/EciesHelper.java b/src/main/java/org/cryptomator/ui/keyloading/hub/EciesHelper.java
deleted file mode 100644
index b7dac36ba..000000000
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/EciesHelper.java
+++ /dev/null
@@ -1,135 +0,0 @@
-package org.cryptomator.ui.keyloading.hub;
-
-import com.google.common.base.Preconditions;
-import com.google.common.io.BaseEncoding;
-import org.cryptomator.cryptolib.api.Masterkey;
-import org.cryptomator.cryptolib.api.MasterkeyLoadingFailedException;
-import org.cryptomator.cryptolib.common.CipherSupplier;
-import org.cryptomator.cryptolib.common.DestroyableSecretKey;
-
-import javax.crypto.AEADBadTagException;
-import javax.crypto.BadPaddingException;
-import javax.crypto.IllegalBlockSizeException;
-import javax.crypto.KeyAgreement;
-import javax.crypto.spec.GCMParameterSpec;
-import java.math.BigInteger;
-import java.nio.ByteBuffer;
-import java.nio.ByteOrder;
-import java.security.DigestException;
-import java.security.InvalidKeyException;
-import java.security.KeyPair;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-import java.security.PrivateKey;
-import java.security.PublicKey;
-import java.security.interfaces.ECPrivateKey;
-import java.security.interfaces.ECPublicKey;
-import java.util.Arrays;
-
-class EciesHelper {
-
-	private static final int GCM_KEY_SIZE = 32;
-	private static final int GCM_TAG_SIZE = 16;
-	private static final int GCM_NONCE_SIZE = 12; // 96 bit IVs strongly recommended for GCM
-
-	private EciesHelper() {}
-
-	public static Masterkey decryptMasterkey(KeyPair deviceKey, EciesParams eciesParams) throws MasterkeyLoadingFailedException {
-		var sharedSecret = ecdhAndKdf(deviceKey.getPrivate(), eciesParams.getEphemeralPublicKey(), GCM_KEY_SIZE + GCM_NONCE_SIZE);
-		var cleartext = new byte[0];
-		try (var kek = new DestroyableSecretKey(sharedSecret, 0, GCM_KEY_SIZE, "AES")) {
-			var nonce = Arrays.copyOfRange(sharedSecret, GCM_KEY_SIZE, GCM_KEY_SIZE + GCM_NONCE_SIZE);
-			var cipher = CipherSupplier.AES_GCM.forDecryption(kek, new GCMParameterSpec(GCM_TAG_SIZE * Byte.SIZE, nonce));
-			cleartext = cipher.doFinal(eciesParams.getCiphertext());
-			return new Masterkey(cleartext);
-		} catch (AEADBadTagException e) {
-			throw new MasterkeyLoadingFailedException("Unsuitable KEK to decrypt encrypted masterkey", e);
-		} catch (IllegalBlockSizeException | BadPaddingException e) {
-			throw new IllegalStateException("Unexpected exception during GCM decryption.", e);
-		} finally {
-			Arrays.fill(sharedSecret, (byte) 0x00);
-			Arrays.fill(cleartext, (byte) 0x00);
-		}
-	}
-
-	/**
-	 * Computes a shared secret using ECDH key agreement and derives a key.
-	 *
-	 * @param privateKey Recipient's EC private key
-	 * @param publicKey Sender's EC public key
-	 * @param numBytes Number of bytes requested form KDF
-	 * @return A derived secret key
-	 */
-	// visible for testing
-	static byte[] ecdhAndKdf(PrivateKey privateKey, PublicKey publicKey, int numBytes) {
-		Preconditions.checkArgument(privateKey instanceof ECPrivateKey, "expected ECPrivateKey");
-		Preconditions.checkArgument(publicKey instanceof ECPublicKey, "expected ECPublicKey");
-		byte[] sharedSecret = new byte[0];
-		try {
-			var keyAgreement = createKeyAgreement();
-			keyAgreement.init(privateKey);
-			keyAgreement.doPhase(publicKey, true);
-			sharedSecret = keyAgreement.generateSecret();
-			return kdf(sharedSecret, new byte[0], numBytes);
-		} catch (InvalidKeyException e) {
-			throw new IllegalArgumentException("Invalid keys", e);
-		} finally {
-			Arrays.fill(sharedSecret, (byte) 0x00);
-		}
-	}
-
-	/**
-	 * Performs <a href="https://www.secg.org/sec1-v2.pdf">ANSI-X9.63-KDF</a> with SHA-256
-	 * @param sharedSecret A shared secret
-	 * @param sharedInfo Additional authenticated data
-	 * @param keyDataLen Desired key length (in bytes)
-	 * @return key data
-	 */
-	// visible for testing
-	static byte[] kdf(byte[] sharedSecret, byte[] sharedInfo, int keyDataLen) {
-		MessageDigest digest = sha256(); // max input length is 2^64 - 1, see https://doi.org/10.6028/NIST.SP.800-56Cr2, Table 1
-		int hashLen = digest.getDigestLength();
-
-		// These two checks must be performed according to spec. However with 32 bit integers, we can't exceed any limits anyway:
-		assert BigInteger.valueOf(sharedSecret.length + sharedInfo.length + 4).compareTo(BigInteger.ONE.shiftLeft(64).subtract(BigInteger.ONE)) < 0: "input larger than hashmaxlen";
-		assert keyDataLen < (2L << 32 - 1) * hashLen : "keyDataLen larger than hashLen × (2^32 − 1)";
-
-		ByteBuffer counter = ByteBuffer.allocate(Integer.BYTES);
-		assert ByteOrder.BIG_ENDIAN.equals(counter.order());
-		int n = (keyDataLen + hashLen - 1) / hashLen;
-		byte[] buffer = new byte[n * hashLen];
-		try {
-			for (int i = 0; i < n; i++) {
-				digest.update(sharedSecret);
-				counter.clear();
-				counter.putInt(i + 1);
-				counter.flip();
-				digest.update(counter);
-				digest.update(sharedInfo);
-				digest.digest(buffer, i * hashLen, hashLen);
-			}
-			return Arrays.copyOf(buffer, keyDataLen);
-		} catch (DigestException e) {
-			throw new IllegalStateException("Invalid digest output buffer offset", e);
-		} finally {
-			Arrays.fill(buffer, (byte) 0x00);
-		}
-	}
-
-	private static MessageDigest sha256() {
-		try {
-			return MessageDigest.getInstance("SHA-256");
-		} catch (NoSuchAlgorithmException e) {
-			throw new IllegalStateException("Every implementation of the Java platform is required to support SHA-256.");
-		}
-	}
-
-	private static KeyAgreement createKeyAgreement() {
-		try {
-			return KeyAgreement.getInstance("ECDH");
-		} catch (NoSuchAlgorithmException e) {
-			throw new IllegalStateException("ECDH not supported");
-		}
-	}
-
-}
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/EciesParams.java b/src/main/java/org/cryptomator/ui/keyloading/hub/EciesParams.java
index 5e25b37f7..8b0519906 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/EciesParams.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/EciesParams.java
@@ -1,43 +1,14 @@
 package org.cryptomator.ui.keyloading.hub;
 
-import com.google.common.io.BaseEncoding;
-
-import java.security.KeyFactory;
-import java.security.NoSuchAlgorithmException;
-import java.security.PublicKey;
-import java.security.interfaces.ECPublicKey;
-import java.security.spec.InvalidKeySpecException;
-import java.security.spec.X509EncodedKeySpec;
-
 /**
  * ECIES parameters required to decrypt the masterkey:
  * <ul>
  *     <li><code>m</code> Encrypted Masterkey (base64url-encoded ciphertext)</li>
  *     <li><code>epk</code> Ephemeral Public Key (base64url-encoded SPKI format)</li>
  * </ul>
- *
+ * <p>
  * No separate tag required, since we use GCM for encryption.
  */
 record EciesParams(String m, String epk) {
 
-	public byte[] getCiphertext() {
-		return BaseEncoding.base64Url().decode(m());
-	}
-
-	public ECPublicKey getEphemeralPublicKey() {
-		try {
-			byte[] keyBytes = BaseEncoding.base64Url().decode(epk());
-			PublicKey key = KeyFactory.getInstance("EC").generatePublic(new X509EncodedKeySpec(keyBytes));
-			if (key instanceof ECPublicKey k) {
-				return k;
-			} else {
-				throw new IllegalArgumentException("Key not an EC public key.");
-			}
-		} catch (InvalidKeySpecException e) {
-			throw new IllegalArgumentException("Invalid license public key", e);
-		} catch (NoSuchAlgorithmException e) {
-			throw new IllegalStateException(e);
-		}
-	}
-
 }
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
index ad2c5c02b..f9ade2585 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
@@ -46,12 +46,6 @@ public abstract class HubKeyLoadingModule {
 		}
 	}
 
-	@Provides
-	@KeyLoadingScoped
-	static AtomicReference<KeyPair> provideKeyPair() {
-		return new AtomicReference<>();
-	}
-
 	@Provides
 	@Named("bearerToken")
 	@KeyLoadingScoped
@@ -83,13 +77,6 @@ public abstract class HubKeyLoadingModule {
 	@StringKey(HubKeyLoadingStrategy.SCHEME_HUB_HTTPS)
 	abstract KeyLoadingStrategy bindHubKeyLoadingStrategyToHubHttps(HubKeyLoadingStrategy strategy);
 
-	@Provides
-	@FxmlScene(FxmlFile.HUB_P12)
-	@KeyLoadingScoped
-	static Scene provideHubP12LoadingScene(@KeyLoading FxmlLoaderFactory fxmlLoaders) {
-		return fxmlLoaders.createScene(FxmlFile.HUB_P12);
-	}
-
 	@Provides
 	@FxmlScene(FxmlFile.HUB_AUTH_FLOW)
 	@KeyLoadingScoped
@@ -97,7 +84,6 @@ public abstract class HubKeyLoadingModule {
 		return fxmlLoaders.createScene(FxmlFile.HUB_AUTH_FLOW);
 	}
 
-
 	@Provides
 	@FxmlScene(FxmlFile.HUB_RECEIVE_KEY)
 	@KeyLoadingScoped
@@ -112,22 +98,6 @@ public abstract class HubKeyLoadingModule {
 		return fxmlLoaders.createScene(FxmlFile.HUB_REGISTER_DEVICE);
 	}
 
-
-	@Binds
-	@IntoMap
-	@FxControllerKey(P12Controller.class)
-	abstract FxController bindP12Controller(P12Controller controller);
-
-	@Binds
-	@IntoMap
-	@FxControllerKey(P12LoadController.class)
-	abstract FxController bindP12LoadController(P12LoadController controller);
-
-	@Binds
-	@IntoMap
-	@FxControllerKey(P12CreateController.class)
-	abstract FxController bindP12CreateController(P12CreateController controller);
-
 	@Binds
 	@IntoMap
 	@FxControllerKey(AuthFlowController.class)
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java
index b3b213b34..83338ed06 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java
@@ -2,10 +2,12 @@ package org.cryptomator.ui.keyloading.hub;
 
 import com.google.common.base.Preconditions;
 import dagger.Lazy;
+import org.cryptomator.common.settings.DeviceKey;
 import org.cryptomator.common.vaults.Vault;
 import org.cryptomator.cryptolib.api.Masterkey;
 import org.cryptomator.cryptolib.api.MasterkeyLoadingFailedException;
 import org.cryptomator.cryptolib.common.Destroyables;
+import org.cryptomator.cryptolib.common.MasterkeyHubAccess;
 import org.cryptomator.ui.common.FxmlFile;
 import org.cryptomator.ui.common.FxmlScene;
 import org.cryptomator.ui.common.UserInteractionLock;
@@ -30,17 +32,17 @@ public class HubKeyLoadingStrategy implements KeyLoadingStrategy {
 	static final String SCHEME_HUB_HTTPS = SCHEME_PREFIX + "https";
 
 	private final Stage window;
-	private final Lazy<Scene> p12LoadingScene;
+	private final Lazy<Scene> authFlowScene;
 	private final UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> userInteraction;
-	private final AtomicReference<KeyPair> keyPairRef;
+	private final DeviceKey deviceKey;
 	private final AtomicReference<EciesParams> eciesParams;
 
 	@Inject
-	public HubKeyLoadingStrategy(@KeyLoading Stage window, @FxmlScene(FxmlFile.HUB_P12) Lazy<Scene> p12LoadingScene, UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> userInteraction, AtomicReference<KeyPair> keyPairRef, AtomicReference<EciesParams> eciesParams) {
+	public HubKeyLoadingStrategy(@KeyLoading Stage window, @FxmlScene(FxmlFile.HUB_AUTH_FLOW) Lazy<Scene> authFlowScene, UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> userInteraction, DeviceKey deviceKey, AtomicReference<EciesParams> eciesParams) {
 		this.window = window;
-		this.p12LoadingScene = p12LoadingScene;
+		this.authFlowScene = authFlowScene;
 		this.userInteraction = userInteraction;
-		this.keyPairRef = keyPairRef;
+		this.deviceKey = deviceKey;
 		this.eciesParams = eciesParams;
 	}
 
@@ -48,28 +50,23 @@ public class HubKeyLoadingStrategy implements KeyLoadingStrategy {
 	public Masterkey loadKey(URI keyId) throws MasterkeyLoadingFailedException {
 		Preconditions.checkArgument(keyId.getScheme().startsWith(SCHEME_PREFIX));
 		try {
+			var keyPair = deviceKey.get();
 			return switch (auth()) {
-				case SUCCESS -> EciesHelper.decryptMasterkey(keyPairRef.get(), eciesParams.get());
+				case SUCCESS -> MasterkeyHubAccess.decryptMasterkey(keyPair.getPrivate(), eciesParams.get().m(), eciesParams.get().epk());
 				case FAILED -> throw new MasterkeyLoadingFailedException("failed to load keypair");
 				case CANCELLED -> throw new UnlockCancelledException("User cancelled auth workflow");
 			};
+		} catch (DeviceKey.DeviceKeyRetrievalException e) {
+			throw new MasterkeyLoadingFailedException("Failed to create or load device key pair", e);
 		} catch (InterruptedException e) {
 			Thread.currentThread().interrupt();
 			throw new UnlockCancelledException("Loading interrupted", e);
 		}
 	}
 
-	@Override
-	public void cleanup(boolean unlockedSuccessfully) {
-		var keyPair = keyPairRef.getAndSet(null);
-		if (keyPair != null) {
-			Destroyables.destroySilently(keyPair.getPrivate());
-		}
-	}
-
 	private HubKeyLoadingModule.HubLoadingResult auth() throws InterruptedException {
 		Platform.runLater(() -> {
-			window.setScene(p12LoadingScene.get());
+			window.setScene(authFlowScene.get());
 			window.show();
 			Window owner = window.getOwner();
 			if (owner != null) {
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/P12AccessHelper.java b/src/main/java/org/cryptomator/ui/keyloading/hub/P12AccessHelper.java
deleted file mode 100644
index 99bd7d3fe..000000000
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/P12AccessHelper.java
+++ /dev/null
@@ -1,108 +0,0 @@
-package org.cryptomator.ui.keyloading.hub;
-
-import org.cryptomator.cryptolib.api.InvalidPassphraseException;
-import org.cryptomator.cryptolib.api.MasterkeyLoadingFailedException;
-
-import java.io.IOException;
-import java.nio.file.Files;
-import java.nio.file.Path;
-import java.nio.file.StandardCopyOption;
-import java.nio.file.StandardOpenOption;
-import java.security.GeneralSecurityException;
-import java.security.InvalidAlgorithmParameterException;
-import java.security.KeyPair;
-import java.security.KeyPairGenerator;
-import java.security.KeyStore;
-import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
-import java.security.PrivateKey;
-import java.security.UnrecoverableKeyException;
-import java.security.cert.X509Certificate;
-import java.security.spec.ECGenParameterSpec;
-
-class P12AccessHelper {
-
-	private static final String EC_ALG = "EC";
-	private static final String EC_CURVE_NAME = "secp384r1";
-	private static final String SIGNATURE_ALG = "SHA256withECDSA";
-	private static final String KEYSTORE_ALIAS_KEY = "key";
-	private static final String KEYSTORE_ALIAS_CERT = "crt";
-
-	private P12AccessHelper() {}
-
-	/**
-	 * Creates a new key pair and stores it in PKCS#12 format at the given path.
-	 *
-	 * @param p12File The path of the .p12 file
-	 * @param pw The password to protect the key material
-	 * @throws IOException In case of I/O errors
-	 * @throws MasterkeyLoadingFailedException If any cryptographic operation fails
-	 */
-	public static KeyPair createNew(Path p12File, char[] pw) throws IOException, MasterkeyLoadingFailedException {
-		try {
-			var keyPair = getKeyPairGenerator().generateKeyPair();
-			var keyStore = getKeyStore();
-			keyStore.load(null, pw);
-			var cert = X509Helper.createSelfSignedCert(keyPair, SIGNATURE_ALG);
-			var chain = new X509Certificate[]{cert};
-			keyStore.setKeyEntry(KEYSTORE_ALIAS_KEY, keyPair.getPrivate(), pw, chain);
-			keyStore.setCertificateEntry(KEYSTORE_ALIAS_CERT, cert);
-			var tmpFile = p12File.resolveSibling(p12File.getFileName().toString() + ".tmp");
-			try (var out = Files.newOutputStream(tmpFile, StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE)) {
-				keyStore.store(out, pw);
-			}
-			Files.move(tmpFile, p12File, StandardCopyOption.REPLACE_EXISTING);
-			return keyPair;
-		} catch (GeneralSecurityException e) {
-			throw new MasterkeyLoadingFailedException("Failed to store PKCS12 file.", e);
-		}
-	}
-
-	/**
-	 * Loads a key pair from a PKCS#12 file located at the given path.
-	 *
-	 * @param p12File The path of the .p12 file
-	 * @param pw The password to protect the key material
-	 * @throws IOException In case of I/O errors
-	 * @throws InvalidPassphraseException If the supplied password is incorrect
-	 * @throws MasterkeyLoadingFailedException If any cryptographic operation fails
-	 */
-	public static KeyPair loadExisting(Path p12File, char[] pw) throws IOException, InvalidPassphraseException, MasterkeyLoadingFailedException {
-		try (var in = Files.newInputStream(p12File, StandardOpenOption.READ)) {
-			var keyStore = getKeyStore();
-			keyStore.load(in, pw);
-			var sk = (PrivateKey) keyStore.getKey(KEYSTORE_ALIAS_KEY, pw);
-			var pk = keyStore.getCertificate(KEYSTORE_ALIAS_CERT).getPublicKey();
-			return new KeyPair(pk, sk);
-		} catch (UnrecoverableKeyException e) {
-			throw new InvalidPassphraseException();
-		} catch (IOException e) {
-			if (e.getCause() instanceof UnrecoverableKeyException) {
-				throw new InvalidPassphraseException();
-			} else {
-				throw e;
-			}
-		} catch (GeneralSecurityException e) {
-			throw new MasterkeyLoadingFailedException("Failed to load PKCS12 file.", e);
-		}
-	}
-
-	private static KeyPairGenerator getKeyPairGenerator() {
-		try {
-			KeyPairGenerator keyGen = KeyPairGenerator.getInstance(EC_ALG);
-			keyGen.initialize(new ECGenParameterSpec(EC_CURVE_NAME));
-			return keyGen;
-		} catch (NoSuchAlgorithmException | InvalidAlgorithmParameterException e) {
-			throw new IllegalStateException(EC_CURVE_NAME + " curve not supported");
-		}
-	}
-
-	private static KeyStore getKeyStore() {
-		try {
-			return KeyStore.getInstance("PKCS12");
-		} catch (KeyStoreException e) {
-			throw new IllegalStateException("Every implementation of the Java platform is required to support PKCS12.");
-		}
-	}
-
-}
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/P12Controller.java b/src/main/java/org/cryptomator/ui/keyloading/hub/P12Controller.java
deleted file mode 100644
index e9a70dc8d..000000000
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/P12Controller.java
+++ /dev/null
@@ -1,47 +0,0 @@
-package org.cryptomator.ui.keyloading.hub;
-
-import org.cryptomator.common.Environment;
-import org.cryptomator.ui.common.FxController;
-import org.cryptomator.ui.common.UserInteractionLock;
-import org.cryptomator.ui.keyloading.KeyLoading;
-import org.cryptomator.ui.keyloading.KeyLoadingScoped;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import javax.inject.Inject;
-import javafx.stage.Stage;
-import javafx.stage.WindowEvent;
-import java.nio.file.Files;
-
-@KeyLoadingScoped
-public class P12Controller implements FxController {
-
-	private static final Logger LOG = LoggerFactory.getLogger(P12Controller.class);
-
-	private final Stage window;
-	private final Environment env;
-	private final UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> userInteraction;
-
-	@Inject
-	public P12Controller(@KeyLoading Stage window, Environment env, UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> userInteraction) {
-		this.window = window;
-		this.env = env;
-		this.userInteraction = userInteraction;
-		this.window.addEventHandler(WindowEvent.WINDOW_HIDING, this::windowClosed);
-	}
-
-	private void windowClosed(WindowEvent windowEvent) {
-		// if not already interacted, mark this workflow as cancelled:
-		if (userInteraction.awaitingInteraction().get()) {
-			LOG.debug("P12 loading cancelled by user.");
-			userInteraction.interacted(HubKeyLoadingModule.HubLoadingResult.CANCELLED);
-		}
-	}
-
-	/* Getter/Setter */
-
-	public boolean isP12Present() {
-		return env.getP12Path().anyMatch(Files::isRegularFile);
-	}
-
-}
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/P12CreateController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/P12CreateController.java
deleted file mode 100644
index 3f98e62ca..000000000
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/P12CreateController.java
+++ /dev/null
@@ -1,126 +0,0 @@
-package org.cryptomator.ui.keyloading.hub;
-
-import com.google.common.base.Preconditions;
-import dagger.Lazy;
-import org.cryptomator.common.Environment;
-import org.cryptomator.cryptolib.common.Destroyables;
-import org.cryptomator.ui.common.FxController;
-import org.cryptomator.ui.common.FxmlFile;
-import org.cryptomator.ui.common.FxmlScene;
-import org.cryptomator.ui.common.NewPasswordController;
-import org.cryptomator.ui.keyloading.KeyLoading;
-import org.cryptomator.ui.keyloading.KeyLoadingScoped;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import javax.inject.Inject;
-import javafx.beans.binding.Bindings;
-import javafx.beans.binding.BooleanExpression;
-import javafx.beans.binding.ObjectBinding;
-import javafx.beans.binding.ObjectExpression;
-import javafx.beans.property.BooleanProperty;
-import javafx.beans.property.SimpleBooleanProperty;
-import javafx.fxml.FXML;
-import javafx.scene.Scene;
-import javafx.scene.control.ContentDisplay;
-import javafx.stage.Stage;
-import javafx.stage.WindowEvent;
-import java.io.IOException;
-import java.nio.file.Path;
-import java.security.KeyPair;
-import java.util.Arrays;
-import java.util.concurrent.atomic.AtomicReference;
-
-@KeyLoadingScoped
-public class P12CreateController implements FxController  {
-
-	private static final Logger LOG = LoggerFactory.getLogger(P12LoadController.class);
-
-	private final Stage window;
-	private final Environment env;
-	private final AtomicReference<KeyPair> keyPairRef;
-	private final Lazy<Scene> authFlowScene;
-
-	private final BooleanProperty userInteractionDisabled = new SimpleBooleanProperty();
-	private final ObjectBinding<ContentDisplay> unlockButtonContentDisplay = Bindings.createObjectBinding(this::getUnlockButtonContentDisplay, userInteractionDisabled);
-	private final BooleanProperty readyToCreate = new SimpleBooleanProperty();
-
-	public NewPasswordController newPasswordController;
-
-	@Inject
-	public P12CreateController(@KeyLoading Stage window, Environment env, AtomicReference<KeyPair> keyPairRef, @FxmlScene(FxmlFile.HUB_AUTH_FLOW) Lazy<Scene> authFlowScene) {
-		this.window = window;
-		this.env = env;
-		this.keyPairRef = keyPairRef;
-		this.authFlowScene = authFlowScene;
-		this.window.addEventHandler(WindowEvent.WINDOW_HIDING, this::windowClosed);
-	}
-
-	@FXML
-	public void initialize() {
-		readyToCreate.bind(newPasswordController.goodPasswordProperty());
-		newPasswordController.passwordField.requestFocus();
-	}
-
-	@FXML
-	public void cancel() {
-		window.close();
-	}
-
-	private void windowClosed(WindowEvent windowEvent) {
-		newPasswordController.passwordField.wipe();
-		newPasswordController.reenterField.wipe();
-	}
-
-	@FXML
-	public void create() {
-		Preconditions.checkState(newPasswordController.goodPasswordProperty().get());
-		char[] pw = newPasswordController.passwordField.copyChars();
-		try {
-			Path p12File = env.getP12Path().findFirst().orElseThrow(IllegalStateException::new);
-			var keyPair = P12AccessHelper.createNew(p12File, pw);
-			setKeyPair(keyPair);
-			LOG.debug("Created .p12 file {}", p12File);
-			window.setScene(authFlowScene.get());
-		} catch (IOException e) {
-			LOG.error("Failed to load .p12 file.", e);
-			// TODO
-		} finally {
-			Arrays.fill(pw, '\0');
-		}
-	}
-
-	private void setKeyPair(KeyPair keyPair) {
-		var oldKeyPair = keyPairRef.getAndSet(keyPair);
-		if (oldKeyPair != null) {
-			Destroyables.destroySilently(oldKeyPair.getPrivate());
-		}
-	}
-	/* Getter/Setter */
-
-
-	public BooleanExpression userInteractionDisabledProperty() {
-		return userInteractionDisabled;
-	}
-
-	public boolean isUserInteractionDisabled() {
-		return userInteractionDisabled.get();
-	}
-
-	public ObjectExpression<ContentDisplay> unlockButtonContentDisplayProperty() {
-		return unlockButtonContentDisplay;
-	}
-
-	public ContentDisplay getUnlockButtonContentDisplay() {
-		return userInteractionDisabled.get() ? ContentDisplay.LEFT : ContentDisplay.TEXT_ONLY;
-	}
-
-	public BooleanProperty readyToCreateProperty() {
-		return readyToCreate;
-	}
-
-	public boolean isReadyToCreate() {
-		return readyToCreate.get();
-	}
-
-}
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/P12LoadController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/P12LoadController.java
deleted file mode 100644
index 24af08384..000000000
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/P12LoadController.java
+++ /dev/null
@@ -1,118 +0,0 @@
-package org.cryptomator.ui.keyloading.hub;
-
-import dagger.Lazy;
-import org.cryptomator.common.Environment;
-import org.cryptomator.cryptolib.api.InvalidPassphraseException;
-import org.cryptomator.cryptolib.common.Destroyables;
-import org.cryptomator.ui.common.Animations;
-import org.cryptomator.ui.common.FxController;
-import org.cryptomator.ui.common.FxmlFile;
-import org.cryptomator.ui.common.FxmlScene;
-import org.cryptomator.ui.controls.NiceSecurePasswordField;
-import org.cryptomator.ui.keyloading.KeyLoading;
-import org.cryptomator.ui.keyloading.KeyLoadingScoped;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import javax.inject.Inject;
-import javafx.beans.binding.Bindings;
-import javafx.beans.binding.BooleanExpression;
-import javafx.beans.binding.ObjectBinding;
-import javafx.beans.binding.ObjectExpression;
-import javafx.beans.property.BooleanProperty;
-import javafx.beans.property.SimpleBooleanProperty;
-import javafx.fxml.FXML;
-import javafx.scene.Scene;
-import javafx.scene.control.ContentDisplay;
-import javafx.stage.Stage;
-import javafx.stage.WindowEvent;
-import java.io.IOException;
-import java.nio.file.Files;
-import java.nio.file.Path;
-import java.security.KeyPair;
-import java.util.Arrays;
-import java.util.concurrent.atomic.AtomicReference;
-
-@KeyLoadingScoped
-public class P12LoadController implements FxController {
-
-	private static final Logger LOG = LoggerFactory.getLogger(P12LoadController.class);
-
-	private final Stage window;
-	private final Environment env;
-	private final AtomicReference<KeyPair> keyPairRef;
-	private final Lazy<Scene> authFlowScene;
-	private final BooleanProperty userInteractionDisabled = new SimpleBooleanProperty();
-	private final ObjectBinding<ContentDisplay> unlockButtonContentDisplay = Bindings.createObjectBinding(this::getUnlockButtonContentDisplay, userInteractionDisabled);
-
-	public NiceSecurePasswordField passwordField;
-
-	@Inject
-	public P12LoadController(@KeyLoading Stage window, Environment env, AtomicReference<KeyPair> keyPairRef, @FxmlScene(FxmlFile.HUB_AUTH_FLOW) Lazy<Scene> authFlowScene) {
-		this.window = window;
-		this.env = env;
-		this.keyPairRef = keyPairRef;
-		this.authFlowScene = authFlowScene;
-		this.window.addEventHandler(WindowEvent.WINDOW_HIDING, this::windowClosed);
-	}
-
-	@FXML
-	public void initialize() {
-		passwordField.requestFocus();
-	}
-
-	@FXML
-	public void cancel() {
-		window.close();
-	}
-
-	private void windowClosed(WindowEvent windowEvent) {
-		passwordField.wipe();
-	}
-
-	@FXML
-	public void load() {
-		char[] pw = passwordField.copyChars();
-		try {
-			Path p12File = env.getP12Path().filter(Files::isRegularFile).findFirst().orElseThrow(IllegalStateException::new);
-			var keyPair = P12AccessHelper.loadExisting(p12File, pw);
-			setKeyPair(keyPair);
-			LOG.debug("Loaded .p12 file {}", p12File);
-			window.setScene(authFlowScene.get());
-		} catch (InvalidPassphraseException e) {
-			LOG.warn("Invalid passphrase entered for .p12 file");
-			Animations.createShakeWindowAnimation(window).playFromStart();
-			// TODO
-		} catch (IOException e) {
-			LOG.error("Failed to load .p12 file.", e);
-			// TODO
-		} finally {
-			Arrays.fill(pw, '\0');
-		}
-	}
-
-	private void setKeyPair(KeyPair keyPair) {
-		var oldKeyPair = keyPairRef.getAndSet(keyPair);
-		if (oldKeyPair != null) {
-			Destroyables.destroySilently(oldKeyPair.getPrivate());
-		}
-	}
-
-	/* Getter/Setter */
-
-	public BooleanExpression userInteractionDisabledProperty() {
-		return userInteractionDisabled;
-	}
-
-	public boolean isUserInteractionDisabled() {
-		return userInteractionDisabled.get();
-	}
-
-	public ObjectExpression<ContentDisplay> unlockButtonContentDisplayProperty() {
-		return unlockButtonContentDisplay;
-	}
-
-	public ContentDisplay getUnlockButtonContentDisplay() {
-		return userInteractionDisabled.get() ? ContentDisplay.LEFT : ContentDisplay.TEXT_ONLY;
-	}
-}
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
index 9707981ec..295aa9244 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
@@ -59,7 +59,7 @@ public class ReceiveKeyController implements FxController {
 	private final HttpClient httpClient;
 
 	@Inject
-	public ReceiveKeyController(@KeyLoading Vault vault, ExecutorService executor, @KeyLoading Stage window, AtomicReference<KeyPair> keyPairRef, @Named("bearerToken") AtomicReference<String> tokenRef, AtomicReference<EciesParams> eciesParamsRef, UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result, @FxmlScene(FxmlFile.HUB_REGISTER_DEVICE) Lazy<Scene> registerDeviceScene, ErrorComponent.Builder errorComponent) {
+	public ReceiveKeyController(@KeyLoading Vault vault, ExecutorService executor, @KeyLoading Stage window, @Named("bearerToken") AtomicReference<String> tokenRef, AtomicReference<EciesParams> eciesParamsRef, UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result, @FxmlScene(FxmlFile.HUB_REGISTER_DEVICE) Lazy<Scene> registerDeviceScene, ErrorComponent.Builder errorComponent) {
 		this.window = window;
 		this.bearerToken = Objects.requireNonNull(tokenRef.get());
 		this.eciesParamsRef = eciesParamsRef;
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
index 68654a632..ba2c308c7 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
@@ -1,6 +1,8 @@
 package org.cryptomator.ui.keyloading.hub;
 
 import com.google.common.io.BaseEncoding;
+import org.cryptomator.common.settings.DeviceKey;
+import org.cryptomator.cryptolib.common.P384KeyPair;
 import org.cryptomator.ui.common.FxController;
 import org.cryptomator.ui.common.UserInteractionLock;
 import org.cryptomator.ui.keyloading.KeyLoading;
@@ -25,16 +27,16 @@ public class RegisterDeviceController implements FxController {
 	private final Application application;
 	private final Stage window;
 	private final HubConfig hubConfig;
-	private final KeyPair keyPair;
+	private final P384KeyPair keyPair;
 	private final UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result;
 	private final String verificationCode;
 
 	@Inject
-	public RegisterDeviceController(Application application, SecureRandom csprng, @KeyLoading Stage window, HubConfig hubConfig, AtomicReference<KeyPair> keyPairRef, UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result) {
+	public RegisterDeviceController(Application application, SecureRandom csprng, @KeyLoading Stage window, HubConfig hubConfig, DeviceKey deviceKey, UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result) {
 		this.application = application;
 		this.window = window;
 		this.hubConfig = hubConfig;
-		this.keyPair = Objects.requireNonNull(keyPairRef.get());
+		this.keyPair = Objects.requireNonNull(deviceKey.get());
 		this.result = result;
 		this.window.addEventHandler(WindowEvent.WINDOW_HIDING, this::windowClosed);
 		this.verificationCode = String.format("%06d", csprng.nextInt(1_000_000));
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/X509Helper.java b/src/main/java/org/cryptomator/ui/keyloading/hub/X509Helper.java
deleted file mode 100644
index d9b7b953a..000000000
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/X509Helper.java
+++ /dev/null
@@ -1,81 +0,0 @@
-package org.cryptomator.ui.keyloading.hub;
-
-import org.bouncycastle.asn1.ASN1ObjectIdentifier;
-import org.bouncycastle.asn1.x500.X500Name;
-import org.bouncycastle.cert.X509v3CertificateBuilder;
-import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
-import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
-import org.bouncycastle.operator.OperatorCreationException;
-import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
-
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.math.BigInteger;
-import java.security.KeyPair;
-import java.security.NoSuchAlgorithmException;
-import java.security.cert.CertificateException;
-import java.security.cert.CertificateFactory;
-import java.security.cert.X509Certificate;
-import java.sql.Date;
-import java.time.Instant;
-import java.time.temporal.ChronoUnit;
-import java.util.UUID;
-
-class X509Helper {
-
-	private static final X500Name ISSUER = new X500Name("CN=Cryptomator");
-	private static final X500Name SUBJECT = new X500Name("CN=Self Signed Cert");
-	private static final ASN1ObjectIdentifier ASN1_SUBJECT_KEY_ID = new ASN1ObjectIdentifier("2.5.29.14");
-
-	private X509Helper() {}
-
-	/**
-	 * Creates a self-signed X509Certificate containing the public key and signed with the private key of a given key pair.
-	 *
-	 * @param keyPair A key pair
-	 * @param signatureAlg A signature algorithm suited for the given key pair (see <a href="https://docs.oracle.com/en/java/javase/16/docs/specs/security/standard-names.html#signature-algorithms">available algorithms</a>)
-	 * @return A self-signed X509Certificate
-	 * @throws CertificateException If certificate generation failed, e.g. because of unsupported algorithms
-	 */
-	public static X509Certificate createSelfSignedCert(KeyPair keyPair, String signatureAlg) throws CertificateException {
-		try {
-			X509v3CertificateBuilder certificateBuilder = new JcaX509v3CertificateBuilder( //
-					ISSUER, //
-					randomSerialNo(), //
-					Date.from(Instant.now()), //
-					Date.from(Instant.now().plus(3650, ChronoUnit.DAYS)), //
-					SUBJECT, //
-					keyPair.getPublic());
-			certificateBuilder.addExtension(ASN1_SUBJECT_KEY_ID, false, getX509ExtensionUtils().createSubjectKeyIdentifier(keyPair.getPublic()));
-			var signer = new JcaContentSignerBuilder(signatureAlg).build(keyPair.getPrivate());
-			var cert = certificateBuilder.build(signer);
-			try (InputStream in = new ByteArrayInputStream(cert.getEncoded())) {
-				return (X509Certificate) getCertFactory().generateCertificate(in);
-			}
-		} catch (IOException | OperatorCreationException e) {
-			throw new CertificateException(e);
-		}
-	}
-
-	private static BigInteger randomSerialNo() {
-		return BigInteger.valueOf(UUID.randomUUID().getMostSignificantBits());
-	}
-
-	private static JcaX509ExtensionUtils getX509ExtensionUtils() {
-		try {
-			return new JcaX509ExtensionUtils();
-		} catch (NoSuchAlgorithmException e) {
-			throw new IllegalStateException("Every implementation of the Java platform is required to support SHA-1.");
-		}
-	}
-
-	private static CertificateFactory getCertFactory() {
-		try {
-			return CertificateFactory.getInstance("X.509");
-		} catch (CertificateException e) {
-			throw new IllegalStateException("Every implementation of the Java platform is required to support X.509.");
-		}
-	}
-
-}
diff --git a/src/main/resources/fxml/hub_p12.fxml b/src/main/resources/fxml/hub_p12.fxml
deleted file mode 100644
index 505e2b8a6..000000000
--- a/src/main/resources/fxml/hub_p12.fxml
+++ /dev/null
@@ -1,19 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-
-<?import javafx.geometry.Insets?>
-<?import javafx.scene.layout.VBox?>
-<VBox xmlns:fx="http://javafx.com/fxml"
-	  xmlns="http://javafx.com/javafx"
-	  fx:controller="org.cryptomator.ui.keyloading.hub.P12Controller"
-	  minWidth="400"
-	  maxWidth="400"
-	  minHeight="145"
-	  spacing="12">
-	<padding>
-		<Insets topRightBottomLeft="12"/>
-	</padding>
-	<children>
-		<fx:include source="hub_p12_load.fxml" visible="${controller.p12Present}" managed="${controller.p12Present}"/>
-		<fx:include source="hub_p12_create.fxml" visible="${!controller.p12Present}" managed="${!controller.p12Present}"/>
-	</children>
-</VBox>
diff --git a/src/main/resources/fxml/hub_p12_create.fxml b/src/main/resources/fxml/hub_p12_create.fxml
deleted file mode 100644
index a4897cbc9..000000000
--- a/src/main/resources/fxml/hub_p12_create.fxml
+++ /dev/null
@@ -1,39 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-
-<?import org.cryptomator.ui.controls.FontAwesome5Spinner?>
-<?import javafx.geometry.Insets?>
-<?import javafx.scene.control.Button?>
-<?import javafx.scene.control.ButtonBar?>
-<?import javafx.scene.image.Image?>
-<?import javafx.scene.image.ImageView?>
-<?import javafx.scene.layout.HBox?>
-<?import javafx.scene.layout.VBox?>
-<VBox xmlns:fx="http://javafx.com/fxml"
-	  xmlns="http://javafx.com/javafx"
-	  fx:controller="org.cryptomator.ui.keyloading.hub.P12CreateController"
-	  spacing="12">
-	<padding>
-		<Insets topRightBottomLeft="12"/>
-	</padding>
-	<children>
-		<HBox spacing="12" VBox.vgrow="ALWAYS">
-			<ImageView VBox.vgrow="ALWAYS" fitWidth="64" preserveRatio="true" cache="true">
-				<Image url="@../img/bot/bot.png"/>
-			</ImageView>
-			<fx:include fx:id="newPassword" source="new_password.fxml" disable="${controller.userInteractionDisabled}"/>
-		</HBox>
-
-		<VBox alignment="BOTTOM_CENTER" VBox.vgrow="ALWAYS">
-			<ButtonBar buttonMinWidth="120" buttonOrder="+CO">
-				<buttons>
-					<Button text="%generic.button.cancel" ButtonBar.buttonData="CANCEL_CLOSE" cancelButton="true" onAction="#cancel" disable="${controller.userInteractionDisabled}"/>
-					<Button text="%generic.button.next" ButtonBar.buttonData="OK_DONE" defaultButton="true" onAction="#create" contentDisplay="${controller.unlockButtonContentDisplay}" disable="${!controller.readyToCreate || controller.userInteractionDisabled}">
-						<graphic>
-							<FontAwesome5Spinner glyphSize="12"/>
-						</graphic>
-					</Button>
-				</buttons>
-			</ButtonBar>
-		</VBox>
-	</children>
-</VBox>
diff --git a/src/main/resources/fxml/hub_p12_load.fxml b/src/main/resources/fxml/hub_p12_load.fxml
deleted file mode 100644
index 98fde1dd0..000000000
--- a/src/main/resources/fxml/hub_p12_load.fxml
+++ /dev/null
@@ -1,48 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-
-<?import org.cryptomator.ui.controls.FontAwesome5Spinner?>
-<?import org.cryptomator.ui.controls.NiceSecurePasswordField?>
-<?import javafx.geometry.Insets?>
-<?import javafx.scene.control.Button?>
-<?import javafx.scene.control.ButtonBar?>
-<?import javafx.scene.control.CheckBox?>
-<?import javafx.scene.control.Hyperlink?>
-<?import javafx.scene.control.Label?>
-<?import javafx.scene.image.Image?>
-<?import javafx.scene.image.ImageView?>
-<?import javafx.scene.layout.HBox?>
-<?import javafx.scene.layout.VBox?>
-<VBox xmlns:fx="http://javafx.com/fxml"
-	  xmlns="http://javafx.com/javafx"
-	  fx:controller="org.cryptomator.ui.keyloading.hub.P12LoadController"
-	  spacing="12">
-	<padding>
-		<Insets topRightBottomLeft="12"/>
-	</padding>
-	<children>
-		<HBox spacing="12" VBox.vgrow="ALWAYS">
-			<ImageView VBox.vgrow="ALWAYS" fitWidth="64" preserveRatio="true" cache="true">
-				<Image url="@../img/bot/bot.png"/>
-			</ImageView>
-			<VBox spacing="6" HBox.hgrow="ALWAYS">
-				<Label text="TODO: Please enter your device secret to start communicating with Cryptomator Hub"/>
-				<NiceSecurePasswordField fx:id="passwordField" disable="${controller.userInteractionDisabled}"/>
-				<CheckBox fx:id="savePasswordCheckbox" text="TODO save password" disable="${controller.userInteractionDisabled}"/>
-				<Hyperlink text="TODO: Click to reset your device secret (you need to re-apply for vault access)"/>
-			</VBox>
-		</HBox>
-
-		<VBox alignment="BOTTOM_CENTER" VBox.vgrow="ALWAYS">
-			<ButtonBar buttonMinWidth="120" buttonOrder="+CO">
-				<buttons>
-					<Button text="%generic.button.cancel" ButtonBar.buttonData="CANCEL_CLOSE" cancelButton="true" onAction="#cancel" disable="${controller.userInteractionDisabled}"/>
-					<Button text="%generic.button.next" ButtonBar.buttonData="OK_DONE" defaultButton="true" onAction="#load" contentDisplay="${controller.unlockButtonContentDisplay}" disable="${controller.userInteractionDisabled}">
-						<graphic>
-							<FontAwesome5Spinner glyphSize="12"/>
-						</graphic>
-					</Button>
-				</buttons>
-			</ButtonBar>
-		</VBox>
-	</children>
-</VBox>
diff --git a/src/main/resources/license/THIRD-PARTY.txt b/src/main/resources/license/THIRD-PARTY.txt
index 0ed1b3cff..6f06bbb39 100644
--- a/src/main/resources/license/THIRD-PARTY.txt
+++ b/src/main/resources/license/THIRD-PARTY.txt
@@ -11,7 +11,7 @@ GNU General Public License for more details.
 You should have received a copy of the GNU General Public License
 along with this program.  If not, see http://www.gnu.org/licenses/.
 
-Cryptomator uses 46 third-party dependencies under the following licenses:
+Cryptomator uses 43 third-party dependencies under the following licenses:
         Apache License v2.0:
 			- jffi (com.github.jnr:jffi:1.2.23 - http://github.com/jnr/jffi)
 			- jnr-a64asm (com.github.jnr:jnr-a64asm:1.0.0 - http://nexus.sonatype.org/oss-repository-hosting.html/jnr-a64asm)
@@ -44,10 +44,6 @@ Cryptomator uses 46 third-party dependencies under the following licenses:
 			- asm-commons (org.ow2.asm:asm-commons:7.1 - http://asm.ow2.org/)
 			- asm-tree (org.ow2.asm:asm-tree:7.1 - http://asm.ow2.org/)
 			- asm-util (org.ow2.asm:asm-util:7.1 - http://asm.ow2.org/)
-        Bouncy Castle Licence:
-			- Bouncy Castle PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP, and CRMF APIs (org.bouncycastle:bcpkix-jdk15on:1.69 - https://www.bouncycastle.org/java.html)
-			- Bouncy Castle Provider (org.bouncycastle:bcprov-jdk15on:1.69 - https://www.bouncycastle.org/java.html)
-			- Bouncy Castle ASN.1 Extension and Utility APIs (org.bouncycastle:bcutil-jdk15on:1.69 - https://www.bouncycastle.org/java.html)
         Eclipse Public License - Version 1.0:
 			- Jetty :: Servlet API and Schemas for JPMS and OSGi (org.eclipse.jetty.toolchain:jetty-servlet-api:4.0.6 - https://eclipse.org/jetty/jetty-servlet-api)
         Eclipse Public License - Version 2.0:
diff --git a/src/test/java/org/cryptomator/ui/keyloading/hub/EciesHelperTest.java b/src/test/java/org/cryptomator/ui/keyloading/hub/EciesHelperTest.java
deleted file mode 100644
index 0bb432608..000000000
--- a/src/test/java/org/cryptomator/ui/keyloading/hub/EciesHelperTest.java
+++ /dev/null
@@ -1,60 +0,0 @@
-package org.cryptomator.ui.keyloading.hub;
-
-import com.google.common.io.BaseEncoding;
-import org.junit.jupiter.api.Assertions;
-import org.junit.jupiter.api.DisplayName;
-import org.junit.jupiter.api.extension.ParameterContext;
-import org.junit.jupiter.params.ParameterizedTest;
-import org.junit.jupiter.params.converter.ArgumentConversionException;
-import org.junit.jupiter.params.converter.ArgumentConverter;
-import org.junit.jupiter.params.converter.ConvertWith;
-import org.junit.jupiter.params.provider.CsvSource;
-import org.junit.jupiter.params.provider.ValueSource;
-
-import java.security.KeyPairGenerator;
-import java.security.NoSuchAlgorithmException;
-
-public class EciesHelperTest {
-
-	@DisplayName("ECDH + KDF")
-	@ParameterizedTest
-	@ValueSource(ints = {16, 32, 44, 128})
-	public void testEcdhAndKdf(int len) throws NoSuchAlgorithmException {
-		var alice = KeyPairGenerator.getInstance("EC").generateKeyPair();
-		var bob = KeyPairGenerator.getInstance("EC").generateKeyPair();
-
-		byte[] result1 = EciesHelper.ecdhAndKdf(alice.getPrivate(), bob.getPublic(), len);
-		byte[] result2 = EciesHelper.ecdhAndKdf(bob.getPrivate(), alice.getPublic(), len);
-
-		Assertions.assertArrayEquals(result1, result2);
-	}
-
-	@DisplayName("ANSI-X9.63-KDF")
-	@ParameterizedTest
-	@CsvSource(value = {
-			"96c05619d56c328ab95fe84b18264b08725b85e33fd34f08, , 16, 443024c3dae66b95e6f5670601558f71",
-			"96f600b73ad6ac5629577eced51743dd2c24c21b1ac83ee4, , 16, b6295162a7804f5667ba9070f82fa522",
-			"22518b10e70f2a3f243810ae3254139efbee04aa57c7af7d, 75eef81aa3041e33b80971203d2c0c52, 128, c498af77161cc59f2962b9a713e2b215152d139766ce34a776df11866a69bf2e52a13d9c7c6fc878c50c5ea0bc7b00e0da2447cfd874f6cf92f30d0097111485500c90c3af8b487872d04685d14c8d1dc8d7fa08beb0ce0ababc11f0bd496269142d43525a78e5bc79a17f59676a5706dc54d54d4d1f0bd7e386128ec26afc21",
-			"7e335afa4b31d772c0635c7b0e06f26fcd781df947d2990a, d65a4812733f8cdbcdfb4b2f4c191d87, 128, c0bd9e38a8f9de14c2acd35b2f3410c6988cf02400543631e0d6a4c1d030365acbf398115e51aaddebdc9590664210f9aa9fed770d4c57edeafa0b8c14f93300865251218c262d63dadc47dfa0e0284826793985137e0a544ec80abf2fdf5ab90bdaea66204012efe34971dc431d625cd9a329b8217cc8fd0d9f02b13f2f6b0b",
-	})
-	// test vectors from https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/components/800-135testvectors/ansx963_2001.zip
-	public void testKdf(@ConvertWith(HexConverter.class) byte[] sharedSecret, @ConvertWith(HexConverter.class) byte[] sharedInfo, int outLen, @ConvertWith(HexConverter.class) byte[] expectedResult) {
-		byte[] result = EciesHelper.kdf(sharedSecret, sharedInfo, outLen);
-		Assertions.assertArrayEquals(expectedResult, result);
-	}
-
-	public static class HexConverter implements ArgumentConverter {
-
-		@Override
-		public byte[] convert(Object source, ParameterContext context) throws ArgumentConversionException {
-			if (source == null) {
-				return new byte[0];
-			} else if (source instanceof String s) {
-				return BaseEncoding.base16().lowerCase().decode(s);
-			} else {
-				return null;
-			}
-		}
-	}
-
-}
\ No newline at end of file
diff --git a/src/test/java/org/cryptomator/ui/keyloading/hub/P12AccessHelperTest.java b/src/test/java/org/cryptomator/ui/keyloading/hub/P12AccessHelperTest.java
deleted file mode 100644
index a92eb40b3..000000000
--- a/src/test/java/org/cryptomator/ui/keyloading/hub/P12AccessHelperTest.java
+++ /dev/null
@@ -1,52 +0,0 @@
-package org.cryptomator.ui.keyloading.hub;
-
-import org.cryptomator.cryptolib.api.InvalidPassphraseException;
-import org.junit.jupiter.api.Assertions;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Nested;
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.io.TempDir;
-
-import java.io.IOException;
-import java.nio.file.Files;
-import java.nio.file.Path;
-
-public class P12AccessHelperTest {
-
-	@Test
-	public void testCreate(@TempDir Path tmpDir) throws IOException {
-		var p12File = tmpDir.resolve("test.p12");
-
-		var keyPair = P12AccessHelper.createNew(p12File, "asd".toCharArray());
-
-		Assertions.assertNotNull(keyPair);
-		Assertions.assertTrue(Files.exists(p12File));
-	}
-
-	@Nested
-	public class ExistingFile {
-
-		private Path p12File;
-
-		@BeforeEach
-		public void setup(@TempDir Path tmpDir) throws IOException {
-			p12File = tmpDir.resolve("test.p12");
-			P12AccessHelper.createNew(p12File, "foo".toCharArray());
-		}
-
-		@Test
-		public void testLoadWithWrongPassword() {
-			Assertions.assertThrows(InvalidPassphraseException.class, () -> {
-				P12AccessHelper.loadExisting(p12File, "bar".toCharArray());
-			});
-		}
-
-		@Test
-		public void testLoad() throws IOException {
-			var keyPair = P12AccessHelper.loadExisting(p12File, "foo".toCharArray());
-
-			Assertions.assertNotNull(keyPair);
-		}
-	}
-
-}
\ No newline at end of file
diff --git a/src/test/java/org/cryptomator/ui/keyloading/hub/X509HelperTest.java b/src/test/java/org/cryptomator/ui/keyloading/hub/X509HelperTest.java
deleted file mode 100644
index 79abc82f4..000000000
--- a/src/test/java/org/cryptomator/ui/keyloading/hub/X509HelperTest.java
+++ /dev/null
@@ -1,25 +0,0 @@
-package org.cryptomator.ui.keyloading.hub;
-
-import org.junit.jupiter.api.Assertions;
-import org.junit.jupiter.api.Test;
-
-import java.io.IOException;
-import java.security.InvalidAlgorithmParameterException;
-import java.security.KeyPairGenerator;
-import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
-import java.security.cert.CertificateException;
-import java.security.spec.ECGenParameterSpec;
-
-public class X509HelperTest {
-
-	@Test
-	public void testCreateCert() throws NoSuchAlgorithmException, CertificateException, KeyStoreException, IOException, InvalidAlgorithmParameterException {
-		KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC");
-		keyGen.initialize(new ECGenParameterSpec("secp256r1"));
-		var keyPair = keyGen.generateKeyPair();
-		var cert = X509Helper.createSelfSignedCert(keyPair, "SHA256withECDSA");
-		Assertions.assertNotNull(cert);
-	}
-
-}
\ No newline at end of file

From 056990151a02eb3c1fca8c4284c85ba582927ec7 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Tue, 24 Aug 2021 12:39:29 +0200
Subject: [PATCH 21/55] adjusted vault config

---
 .../org/cryptomator/ui/keyloading/hub/AuthFlowReceiver.java   | 4 ++--
 .../java/org/cryptomator/ui/keyloading/hub/HubConfig.java     | 4 ++--
 .../ui/keyloading/hub/AuthFlowIntegrationTest.java            | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowReceiver.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowReceiver.java
index 2f96f05a3..d2995b0f8 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowReceiver.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowReceiver.java
@@ -87,9 +87,9 @@ class AuthFlowReceiver implements AutoCloseable {
 
 			res.setStatus(HttpServletResponse.SC_MOVED_TEMPORARILY);
 			if (error == null && code != null) {
-				res.setHeader("Location", hubConfig.unlockSuccessUrl);
+				res.setHeader("Location", hubConfig.authSuccessUrl);
 			} else {
-				res.setHeader("Location", hubConfig.unlockErrorUrl);
+				res.setHeader("Location", hubConfig.authErrorUrl);
 			}
 
 			callback.add(new Callback(error, code, state));
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/HubConfig.java b/src/main/java/org/cryptomator/ui/keyloading/hub/HubConfig.java
index 0e53351e5..050435327 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/HubConfig.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HubConfig.java
@@ -7,7 +7,7 @@ public class HubConfig {
 	public String authEndpoint;
 	public String tokenEndpoint;
 	public String deviceRegistrationUrl;
-	public String unlockSuccessUrl;
-	public String unlockErrorUrl;
+	public String authSuccessUrl;
+	public String authErrorUrl;
 
 }
diff --git a/src/test/java/org/cryptomator/ui/keyloading/hub/AuthFlowIntegrationTest.java b/src/test/java/org/cryptomator/ui/keyloading/hub/AuthFlowIntegrationTest.java
index 2b0f93c25..1c875365a 100644
--- a/src/test/java/org/cryptomator/ui/keyloading/hub/AuthFlowIntegrationTest.java
+++ b/src/test/java/org/cryptomator/ui/keyloading/hub/AuthFlowIntegrationTest.java
@@ -23,8 +23,8 @@ public class AuthFlowIntegrationTest {
 		hubConfig.authEndpoint = "http://localhost:8080/auth/realms/cryptomator/protocol/openid-connect/auth";
 		hubConfig.tokenEndpoint = "http://localhost:8080/auth/realms/cryptomator/protocol/openid-connect/token";
 		hubConfig.clientId = "cryptomator-hub";
-		hubConfig.unlockSuccessUrl = "http://localhost:3000/#/unlock-success";
-		hubConfig.unlockErrorUrl = "http://localhost:3000/#/unlock-error";
+		hubConfig.authSuccessUrl = "http://localhost:3000/#/unlock-success";
+		hubConfig.authErrorUrl = "http://localhost:3000/#/unlock-error";
 
 		try (var authFlow = AuthFlow.init(hubConfig)) {
 			var token = authFlow.run(uri -> {

From 1477bf07a9306e8c4ceaf1c0dadd6c14c9f0bcc2 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Tue, 24 Aug 2021 13:59:51 +0200
Subject: [PATCH 22/55] use public key hash as device id

---
 .../keyloading/hub/ReceiveKeyController.java  | 24 +++++++++----------
 .../hub/RegisterDeviceController.java         | 11 +++++----
 2 files changed, 18 insertions(+), 17 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
index 295aa9244..d14b59ced 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
@@ -1,12 +1,12 @@
 package org.cryptomator.ui.keyloading.hub;
 
 import com.google.common.base.Preconditions;
-import com.google.common.base.Strings;
 import com.google.common.io.BaseEncoding;
-import com.google.gson.Gson;
-import com.google.gson.JsonElement;
 import dagger.Lazy;
+import org.cryptomator.common.settings.DeviceKey;
 import org.cryptomator.common.vaults.Vault;
+import org.cryptomator.cryptolib.common.MessageDigestSupplier;
+import org.cryptomator.cryptolib.common.P384KeyPair;
 import org.cryptomator.ui.common.ErrorComponent;
 import org.cryptomator.ui.common.FxController;
 import org.cryptomator.ui.common.FxmlFile;
@@ -19,15 +19,9 @@ import org.slf4j.LoggerFactory;
 
 import javax.inject.Inject;
 import javax.inject.Named;
-import javafx.application.Application;
 import javafx.application.Platform;
-import javafx.beans.property.ObjectProperty;
-import javafx.beans.property.SimpleObjectProperty;
-import javafx.beans.property.SimpleStringProperty;
-import javafx.beans.property.StringProperty;
 import javafx.fxml.FXML;
 import javafx.scene.Scene;
-import javafx.scene.control.TextField;
 import javafx.stage.Stage;
 import javafx.stage.WindowEvent;
 import java.io.IOException;
@@ -38,7 +32,6 @@ import java.net.URISyntaxException;
 import java.net.http.HttpClient;
 import java.net.http.HttpRequest;
 import java.net.http.HttpResponse;
-import java.security.KeyPair;
 import java.util.Objects;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.atomic.AtomicReference;
@@ -50,6 +43,7 @@ public class ReceiveKeyController implements FxController {
 	private static final String SCHEME_PREFIX = "hub+";
 
 	private final Stage window;
+	private final P384KeyPair keyPair;
 	private final String bearerToken;
 	private final AtomicReference<EciesParams> eciesParamsRef;
 	private final UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result;
@@ -58,9 +52,11 @@ public class ReceiveKeyController implements FxController {
 	private final URI vaultBaseUri;
 	private final HttpClient httpClient;
 
+
 	@Inject
-	public ReceiveKeyController(@KeyLoading Vault vault, ExecutorService executor, @KeyLoading Stage window, @Named("bearerToken") AtomicReference<String> tokenRef, AtomicReference<EciesParams> eciesParamsRef, UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result, @FxmlScene(FxmlFile.HUB_REGISTER_DEVICE) Lazy<Scene> registerDeviceScene, ErrorComponent.Builder errorComponent) {
+	public ReceiveKeyController(@KeyLoading Vault vault, ExecutorService executor, @KeyLoading Stage window, DeviceKey deviceKey, @Named("bearerToken") AtomicReference<String> tokenRef, AtomicReference<EciesParams> eciesParamsRef, UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result, @FxmlScene(FxmlFile.HUB_REGISTER_DEVICE) Lazy<Scene> registerDeviceScene, ErrorComponent.Builder errorComponent) {
 		this.window = window;
+		this.keyPair = Objects.requireNonNull(deviceKey.get());
 		this.bearerToken = Objects.requireNonNull(tokenRef.get());
 		this.eciesParamsRef = eciesParamsRef;
 		this.result = result;
@@ -73,7 +69,10 @@ public class ReceiveKeyController implements FxController {
 
 	@FXML
 	public void initialize() {
-		var keyUri = appendPath(vaultBaseUri, "/keys/desktop-app"); // TODO use actual device id
+		var deviceKey = keyPair.getPublic().getEncoded();
+		var hashedKey = MessageDigestSupplier.SHA256.get().digest(deviceKey);
+		var deviceId = BaseEncoding.base16().encode(hashedKey);
+		var keyUri = appendPath(vaultBaseUri, "/keys/" + deviceId);
 		var request = HttpRequest.newBuilder(keyUri) //
 				.header("Authorization", "Bearer " + bearerToken) //
 				.GET() //
@@ -159,5 +158,4 @@ public class ReceiveKeyController implements FxController {
 			throw new IllegalStateException("URI constructed from params known to be valid", e);
 		}
 	}
-
 }
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
index ba2c308c7..c4e33dbf5 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
@@ -2,6 +2,7 @@ package org.cryptomator.ui.keyloading.hub;
 
 import com.google.common.io.BaseEncoding;
 import org.cryptomator.common.settings.DeviceKey;
+import org.cryptomator.cryptolib.common.MessageDigestSupplier;
 import org.cryptomator.cryptolib.common.P384KeyPair;
 import org.cryptomator.ui.common.FxController;
 import org.cryptomator.ui.common.UserInteractionLock;
@@ -44,10 +45,12 @@ public class RegisterDeviceController implements FxController {
 
 	@FXML
 	public void browse() {
-		var deviceKey = BaseEncoding.base64Url().omitPadding().encode(keyPair.getPublic().getEncoded());
-		var deviceId = "desktop-app"; // TODO use actual device id
-		var hash = computeVerificationHash(deviceId + deviceKey + verificationCode);
-		var url = hubConfig.deviceRegistrationUrl + "?device_key=" + deviceKey + "&device_id=" + deviceId + "&verification_hash=" + hash;
+		var deviceKey = keyPair.getPublic().getEncoded();
+		var encodedKey = BaseEncoding.base64Url().omitPadding().encode(deviceKey);
+		var hashedKey = MessageDigestSupplier.SHA256.get().digest(deviceKey);
+		var deviceId = BaseEncoding.base16().encode(hashedKey);
+		var hash = computeVerificationHash(deviceId + encodedKey + verificationCode);
+		var url = hubConfig.deviceRegistrationUrl + "?device_key=" + encodedKey + "&device_id=" + deviceId + "&verification_hash=" + hash;
 		application.getHostServices().showDocument(url);
 	}
 

From 346ce67bc4b89ff2c4cbeaf91419d4327a1bc5a1 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Tue, 24 Aug 2021 14:43:26 +0200
Subject: [PATCH 23/55] add "unauthorized device" scene

---
 .../org/cryptomator/ui/common/FxmlFile.java   |  1 +
 .../keyloading/hub/HubKeyLoadingModule.java   | 11 +++++
 .../keyloading/hub/ReceiveKeyController.java  |  6 ++-
 .../hub/UnauthorizedDeviceController.java     | 42 +++++++++++++++++++
 .../fxml/hub_unauthorized_device.fxml         | 40 ++++++++++++++++++
 5 files changed, 98 insertions(+), 2 deletions(-)
 create mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/UnauthorizedDeviceController.java
 create mode 100644 src/main/resources/fxml/hub_unauthorized_device.fxml

diff --git a/src/main/java/org/cryptomator/ui/common/FxmlFile.java b/src/main/java/org/cryptomator/ui/common/FxmlFile.java
index 8d96dd216..3588b0fe4 100644
--- a/src/main/java/org/cryptomator/ui/common/FxmlFile.java
+++ b/src/main/java/org/cryptomator/ui/common/FxmlFile.java
@@ -17,6 +17,7 @@ public enum FxmlFile {
 	HUB_AUTH_FLOW("/fxml/hub_auth_flow.fxml"), //
 	HUB_RECEIVE_KEY("/fxml/hub_receive_key.fxml"), //
 	HUB_REGISTER_DEVICE("/fxml/hub_register_device.fxml"), //
+	HUB_UNAUTHORIZED_DEVICE("/fxml/hub_unauthorized_device.fxml"), //
 	LOCK_FORCED("/fxml/lock_forced.fxml"), //
 	LOCK_FAILED("/fxml/lock_failed.fxml"), //
 	MAIN_WINDOW("/fxml/main_window.fxml"), //
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
index f9ade2585..7ec46cd7a 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
@@ -98,6 +98,13 @@ public abstract class HubKeyLoadingModule {
 		return fxmlLoaders.createScene(FxmlFile.HUB_REGISTER_DEVICE);
 	}
 
+	@Provides
+	@FxmlScene(FxmlFile.HUB_UNAUTHORIZED_DEVICE)
+	@KeyLoadingScoped
+	static Scene provideHubUnauthorizedDeviceScene(@KeyLoading FxmlLoaderFactory fxmlLoaders) {
+		return fxmlLoaders.createScene(FxmlFile.HUB_UNAUTHORIZED_DEVICE);
+	}
+
 	@Binds
 	@IntoMap
 	@FxControllerKey(AuthFlowController.class)
@@ -120,4 +127,8 @@ public abstract class HubKeyLoadingModule {
 	@FxControllerKey(RegisterDeviceController.class)
 	abstract FxController bindRegisterDeviceController(RegisterDeviceController controller);
 
+	@Binds
+	@IntoMap
+	@FxControllerKey(UnauthorizedDeviceController.class)
+	abstract FxController bindUnauthorizedDeviceController(UnauthorizedDeviceController controller);
 }
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
index d14b59ced..5c8d488fd 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
@@ -48,19 +48,21 @@ public class ReceiveKeyController implements FxController {
 	private final AtomicReference<EciesParams> eciesParamsRef;
 	private final UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result;
 	private final Lazy<Scene> registerDeviceScene;
+	private final Lazy<Scene> unauthorizedScene;
 	private final ErrorComponent.Builder errorComponent;
 	private final URI vaultBaseUri;
 	private final HttpClient httpClient;
 
 
 	@Inject
-	public ReceiveKeyController(@KeyLoading Vault vault, ExecutorService executor, @KeyLoading Stage window, DeviceKey deviceKey, @Named("bearerToken") AtomicReference<String> tokenRef, AtomicReference<EciesParams> eciesParamsRef, UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result, @FxmlScene(FxmlFile.HUB_REGISTER_DEVICE) Lazy<Scene> registerDeviceScene, ErrorComponent.Builder errorComponent) {
+	public ReceiveKeyController(@KeyLoading Vault vault, ExecutorService executor, @KeyLoading Stage window, DeviceKey deviceKey, @Named("bearerToken") AtomicReference<String> tokenRef, AtomicReference<EciesParams> eciesParamsRef, UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result, @FxmlScene(FxmlFile.HUB_REGISTER_DEVICE) Lazy<Scene> registerDeviceScene, @FxmlScene(FxmlFile.HUB_UNAUTHORIZED_DEVICE) Lazy<Scene> unauthorizedScene, ErrorComponent.Builder errorComponent) {
 		this.window = window;
 		this.keyPair = Objects.requireNonNull(deviceKey.get());
 		this.bearerToken = Objects.requireNonNull(tokenRef.get());
 		this.eciesParamsRef = eciesParamsRef;
 		this.result = result;
 		this.registerDeviceScene = registerDeviceScene;
+		this.unauthorizedScene = unauthorizedScene;
 		this.errorComponent = errorComponent;
 		this.vaultBaseUri = getVaultBaseUri(vault);
 		this.window.addEventHandler(WindowEvent.WINDOW_HIDING, this::windowClosed);
@@ -115,7 +117,7 @@ public class ReceiveKeyController implements FxController {
 	}
 
 	private void accessNotGranted() {
-		LOG.warn("unauthorized device"); // TODO
+		window.setScene(unauthorizedScene.get());
 	}
 
 	private void retrievalFailed(Throwable cause) {
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/UnauthorizedDeviceController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/UnauthorizedDeviceController.java
new file mode 100644
index 000000000..a915f4016
--- /dev/null
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/UnauthorizedDeviceController.java
@@ -0,0 +1,42 @@
+package org.cryptomator.ui.keyloading.hub;
+
+import org.cryptomator.ui.common.FxController;
+import org.cryptomator.ui.common.UserInteractionLock;
+import org.cryptomator.ui.keyloading.KeyLoading;
+import org.cryptomator.ui.keyloading.KeyLoadingScoped;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.inject.Inject;
+import javafx.fxml.FXML;
+import javafx.stage.Stage;
+import javafx.stage.WindowEvent;
+
+@KeyLoadingScoped
+public class UnauthorizedDeviceController implements FxController {
+
+	private static final Logger LOG = LoggerFactory.getLogger(UnauthorizedDeviceController.class);
+
+	private final Stage window;
+	private final UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result;
+
+	@Inject
+	public UnauthorizedDeviceController(@KeyLoading Stage window, UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result) {
+		this.window = window;
+		this.result = result;
+		this.window.addEventHandler(WindowEvent.WINDOW_HIDING, this::windowClosed);
+	}
+
+	@FXML
+	public void close() {
+		window.close();
+	}
+
+	private void windowClosed(WindowEvent windowEvent) {
+		// if not already interacted, mark this workflow as cancelled:
+		if (result.awaitingInteraction().get()) {
+			LOG.debug("Authorization cancelled. Device not authorized.");
+			result.interacted(HubKeyLoadingModule.HubLoadingResult.CANCELLED);
+		}
+	}
+}
diff --git a/src/main/resources/fxml/hub_unauthorized_device.fxml b/src/main/resources/fxml/hub_unauthorized_device.fxml
new file mode 100644
index 000000000..9538d19ef
--- /dev/null
+++ b/src/main/resources/fxml/hub_unauthorized_device.fxml
@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<?import javafx.geometry.Insets?>
+<?import javafx.scene.control.Button?>
+<?import javafx.scene.control.ButtonBar?>
+<?import javafx.scene.control.Label?>
+<?import javafx.scene.image.Image?>
+<?import javafx.scene.image.ImageView?>
+<?import javafx.scene.layout.HBox?>
+<?import javafx.scene.layout.VBox?>
+<VBox xmlns:fx="http://javafx.com/fxml"
+	  xmlns="http://javafx.com/javafx"
+	  fx:controller="org.cryptomator.ui.keyloading.hub.UnauthorizedDeviceController"
+	  minWidth="400"
+	  maxWidth="400"
+	  minHeight="145"
+	  spacing="12">
+	<padding>
+		<Insets topRightBottomLeft="12"/>
+	</padding>
+	<children>
+		<HBox spacing="12" VBox.vgrow="ALWAYS">
+			<ImageView VBox.vgrow="ALWAYS" fitWidth="64" preserveRatio="true" cache="true">
+				<Image url="@../img/bot/bot.png"/>
+			</ImageView>
+
+			<VBox spacing="12">
+				<Label text="TODO: Your device has not yet been authorized to access this vault. Ask the vault owner to authorize it." wrapText="true"/>
+			</VBox>
+		</HBox>
+
+		<VBox alignment="BOTTOM_CENTER" VBox.vgrow="ALWAYS">
+			<ButtonBar buttonMinWidth="120" buttonOrder="+C">
+				<buttons>
+					<Button text="%generic.button.close" ButtonBar.buttonData="CANCEL_CLOSE" defaultButton="true" onAction="#close"/>
+				</buttons>
+			</ButtonBar>
+		</VBox>
+	</children>
+</VBox>

From d4c3f02d8ab9c47cc9361b66b24e80cc4fcef323 Mon Sep 17 00:00:00 2001
From: Tobias Hagemann <tobias.hagemann@skymatic.de>
Date: Thu, 18 Nov 2021 17:02:58 +0100
Subject: [PATCH 24/55] beautified hub_register_device

---
 .../resources/fxml/hub_register_device.fxml   | 31 ++++++++++++-------
 1 file changed, 19 insertions(+), 12 deletions(-)

diff --git a/src/main/resources/fxml/hub_register_device.fxml b/src/main/resources/fxml/hub_register_device.fxml
index 41f49f9f1..edf7249e6 100644
--- a/src/main/resources/fxml/hub_register_device.fxml
+++ b/src/main/resources/fxml/hub_register_device.fxml
@@ -1,15 +1,16 @@
 <?xml version="1.0" encoding="UTF-8"?>
 
+<?import org.cryptomator.ui.controls.FontAwesome5IconView?>
 <?import javafx.geometry.Insets?>
 <?import javafx.scene.control.Button?>
 <?import javafx.scene.control.ButtonBar?>
+<?import javafx.scene.control.Label?>
 <?import javafx.scene.image.Image?>
 <?import javafx.scene.image.ImageView?>
 <?import javafx.scene.layout.HBox?>
 <?import javafx.scene.layout.VBox?>
-<?import javafx.scene.control.Hyperlink?>
-<?import javafx.scene.text.TextFlow?>
 <?import javafx.scene.text.Text?>
+<?import javafx.scene.text.TextFlow?>
 <VBox xmlns:fx="http://javafx.com/fxml"
 	  xmlns="http://javafx.com/javafx"
 	  fx:controller="org.cryptomator.ui.keyloading.hub.RegisterDeviceController"
@@ -22,24 +23,30 @@
 	</padding>
 	<children>
 		<HBox spacing="12" VBox.vgrow="ALWAYS">
-			<ImageView VBox.vgrow="ALWAYS" fitWidth="64" preserveRatio="true" cache="true">
-				<Image url="@../img/bot/bot.png"/>
-			</ImageView>
+			<HBox alignment="CENTER">
+				<ImageView VBox.vgrow="ALWAYS" fitWidth="64" preserveRatio="true" cache="true">
+					<Image url="@../img/bot/bot.png"/>
+				</ImageView>
+			</HBox>
 
-			<VBox spacing="12">
+			<VBox spacing="6">
+				<Label text="This device is not yet known to Cryptomator Hub. Please register this device first." wrapText="true"/>
 				<TextFlow styleClass="text-flow">
-					<Text text="TODO: Please click on "/>
-					<Hyperlink styleClass="hyperlink-underline" text="TODO: Register Device" onAction="#browse"/>
-					<Text text=" and enter this device verification code: "/>
-					<Text text="${controller.verificationCode}"/>
+					<Text text="Verification Code: "/>
+					<Text styleClass="label-large" text="${controller.verificationCode}"/>
 				</TextFlow>
 			</VBox>
 		</HBox>
 
 		<VBox alignment="BOTTOM_CENTER" VBox.vgrow="ALWAYS">
-			<ButtonBar buttonMinWidth="120" buttonOrder="+I">
+			<ButtonBar buttonMinWidth="120" buttonOrder="+CU">
 				<buttons>
-					<Button text="%generic.button.close" ButtonBar.buttonData="FINISH" defaultButton="true" onAction="#close"/>
+					<Button text="%generic.button.close" ButtonBar.buttonData="CANCEL_CLOSE" cancelButton="true" onAction="#close"/>
+					<Button text="Register Device" ButtonBar.buttonData="OTHER" defaultButton="true" onAction="#browse" contentDisplay="LEFT">
+						<graphic>
+							<FontAwesome5IconView glyph="LINK" glyphSize="12"/>
+						</graphic>
+					</Button>
 				</buttons>
 			</ButtonBar>
 		</VBox>

From 34e4383c1ea6004cc82030460a18826f1d3688d4 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Wed, 24 Nov 2021 14:46:21 +0100
Subject: [PATCH 25/55] adjust release build to support hub features

---
 .github/workflows/release.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 03d913c91..ea7d5fd42 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -121,6 +121,7 @@ jobs:
             --java-options "-Dcryptomator.pluginDir=\"~/.local/share/Cryptomator/plugins\""
             --java-options "-Dcryptomator.settingsPath=\"~/.config/Cryptomator/settings.json:~/.Cryptomator/settings.json\""
             --java-options "-Dcryptomator.ipcSocketPath=\"~/.config/Cryptomator/ipc.socket\""
+            --java-options "-Dcryptomator.p12Path=\"~/.config/Cryptomator/key.p12\""
             --java-options "-Dcryptomator.mountPointsDir=\"~/.local/share/Cryptomator/mnt\""
             --java-options "-Dcryptomator.showTrayIcon=false"
             --java-options "-Dcryptomator.buildNumber=\"appimage-${{ needs.metadata.outputs.revNum }}\""
@@ -134,6 +135,7 @@ jobs:
             --java-options "-Dcryptomator.pluginDir=\"~/AppData/Roaming/Cryptomator/Plugins\""
             --java-options "-Dcryptomator.settingsPath=\"~/AppData/Roaming/Cryptomator/settings.json\""
             --java-options "-Dcryptomator.ipcSocketPath=\"~/AppData/Roaming/Cryptomator/ipc.socket\""
+            --java-options "-Dcryptomator.p12Path=\"~/AppData/Roaming/Cryptomator/key.p12\""
             --java-options "-Dcryptomator.keychainPath=\"~/AppData/Roaming/Cryptomator/keychain.json\""
             --java-options "-Dcryptomator.mountPointsDir=\"~/Cryptomator\""
             --java-options "-Dcryptomator.showTrayIcon=true"
@@ -150,6 +152,7 @@ jobs:
             --java-options "-Dcryptomator.pluginDir=\"~/Library/Application Support/Cryptomator/Plugins\""
             --java-options "-Dcryptomator.settingsPath=\"~/Library/Application Support/Cryptomator/settings.json\""
             --java-options "-Dcryptomator.ipcSocketPath=\"~/Library/Application Support/Cryptomator/ipc.socket\""
+            --java-options "-Dcryptomator.p12Path=\"~/Library/Application Support/Cryptomator/key.p12\""
             --java-options "-Dcryptomator.showTrayIcon=true"
             --java-options "-Dcryptomator.buildNumber=\"dmg-${{ needs.metadata.outputs.revNum }}\""
             --mac-package-identifier org.cryptomator
@@ -170,7 +173,7 @@ jobs:
           --verbose
           --output runtime
           --module-path "${JAVA_HOME}/jmods"
-          --add-modules java.base,java.desktop,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,jdk.unsupported,jdk.crypto.ec,jdk.accessibility
+          --add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,jdk.unsupported,jdk.crypto.ec,jdk.accessibility
           --no-header-files
           --no-man-pages
           --strip-debug

From 0110e5bedd0ed7fbfe785d82e256df5401039fe7 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Thu, 9 Dec 2021 14:02:39 +0100
Subject: [PATCH 26/55] added JWE decryption helper

---
 pom.xml                                       |  7 ++-
 src/main/java/module-info.java                |  1 +
 .../ui/keyloading/hub/JWEHelper.java          | 55 ++++++++++++++++++
 src/main/resources/license/THIRD-PARTY.txt    |  4 +-
 .../ui/keyloading/hub/JWEHelperTest.java      | 56 +++++++++++++++++++
 5 files changed, 121 insertions(+), 2 deletions(-)
 create mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/JWEHelper.java
 create mode 100644 src/test/java/org/cryptomator/ui/keyloading/hub/JWEHelperTest.java

diff --git a/pom.xml b/pom.xml
index 3ae31ef15..d52701afb 100644
--- a/pom.xml
+++ b/pom.xml
@@ -27,7 +27,7 @@
 		<nonModularGroupIds>com.github.serceman,com.github.jnr,org.ow2.asm,net.java.dev.jna,org.apache.jackrabbit,org.apache.httpcomponents,de.swiesend,org.purejava,com.github.hypfvieh</nonModularGroupIds>
 
 		<!-- cryptomator dependencies -->
-		<cryptomator.cryptolib.version>2.1.0-beta2</cryptomator.cryptolib.version>
+		<cryptomator.cryptolib.version>2.1.0-beta3</cryptomator.cryptolib.version>
 		<cryptomator.cryptofs.version>2.2.0</cryptomator.cryptofs.version>
 		<cryptomator.integrations.version>1.0.0</cryptomator.integrations.version>
 		<cryptomator.integrations.win.version>1.0.0</cryptomator.integrations.win.version>
@@ -157,6 +157,11 @@
 			<artifactId>java-jwt</artifactId>
 			<version>${jwt.version}</version>
 		</dependency>
+		<dependency>
+			<groupId>com.nimbusds</groupId>
+			<artifactId>nimbus-jose-jwt</artifactId>
+			<version>9.15.2</version>
+		</dependency>
 
 		<!-- EasyBind -->
 		<dependency>
diff --git a/src/main/java/module-info.java b/src/main/java/module-info.java
index 920c3bdc8..6627f5528 100644
--- a/src/main/java/module-info.java
+++ b/src/main/java/module-info.java
@@ -35,6 +35,7 @@ module org.cryptomator.desktop {
 	requires static javax.inject; /* ugly dagger/guava crap */
 	requires logback.classic;
 	requires logback.core;
+	requires com.nimbusds.jose.jwt;
 
 	uses AutoStartProvider;
 	uses KeychainAccessProvider;
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/JWEHelper.java b/src/main/java/org/cryptomator/ui/keyloading/hub/JWEHelper.java
new file mode 100644
index 000000000..2c2b9baa4
--- /dev/null
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/JWEHelper.java
@@ -0,0 +1,55 @@
+package org.cryptomator.ui.keyloading.hub;
+
+import com.google.common.base.Preconditions;
+import com.google.common.io.BaseEncoding;
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWEObject;
+import com.nimbusds.jose.crypto.ECDHDecrypter;
+import org.cryptomator.cryptolib.api.Masterkey;
+import org.cryptomator.cryptolib.api.MasterkeyLoadingFailedException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.security.interfaces.ECPrivateKey;
+import java.util.Arrays;
+
+class JWEHelper {
+
+	private static final Logger LOG = LoggerFactory.getLogger(JWEHelper.class);
+	private static final String JWE_PAYLOAD_MASTERKEY_FIELD = "key";
+
+	private JWEHelper(){}
+
+	public static Masterkey decrypt(JWEObject jwe, ECPrivateKey privateKey) throws MasterkeyLoadingFailedException {
+		try {
+			jwe.decrypt(new ECDHDecrypter(privateKey));
+			return readKey(jwe);
+		} catch (JOSEException e) {
+			LOG.warn("Failed to decrypt JWE: {}", jwe);
+			throw new MasterkeyLoadingFailedException("Failed to decrypt JWE", e);
+		}
+	}
+
+	private static Masterkey readKey(JWEObject jwe) throws MasterkeyLoadingFailedException {
+		Preconditions.checkArgument(jwe.getState() == JWEObject.State.DECRYPTED);
+		var fields = jwe.getPayload().toJSONObject();
+		if (fields == null) {
+			LOG.error("Expected JWE payload to be JSON: {}", jwe.getPayload());
+			throw new MasterkeyLoadingFailedException("Expected JWE payload to be JSON");
+		}
+		var keyBytes = new byte[0];
+		try {
+			if (fields.get(JWE_PAYLOAD_MASTERKEY_FIELD) instanceof String key) {
+				keyBytes = BaseEncoding.base64().decode(key);
+				return new Masterkey(keyBytes);
+			} else {
+				throw new IllegalArgumentException("JWE payload doesn't contain field " + JWE_PAYLOAD_MASTERKEY_FIELD);
+			}
+		} catch (IllegalArgumentException e) {
+			LOG.error("Unexpected JWE payload: {}", jwe.getPayload());
+			throw new MasterkeyLoadingFailedException("Unexpected JWE payload", e);
+		} finally {
+			Arrays.fill(keyBytes, (byte) 0x00);
+		}
+	}
+}
diff --git a/src/main/resources/license/THIRD-PARTY.txt b/src/main/resources/license/THIRD-PARTY.txt
index e58486ddd..5344f58e8 100644
--- a/src/main/resources/license/THIRD-PARTY.txt
+++ b/src/main/resources/license/THIRD-PARTY.txt
@@ -11,16 +11,18 @@ GNU General Public License for more details.
 You should have received a copy of the GNU General Public License
 along with this program.  If not, see http://www.gnu.org/licenses/.
 
-Cryptomator uses 43 third-party dependencies under the following licenses:
+Cryptomator uses 45 third-party dependencies under the following licenses:
         Apache License v2.0:
 			- jffi (com.github.jnr:jffi:1.3.5 - http://github.com/jnr/jffi)
 			- jnr-a64asm (com.github.jnr:jnr-a64asm:1.0.0 - http://nexus.sonatype.org/oss-repository-hosting.html/jnr-a64asm)
 			- jnr-constants (com.github.jnr:jnr-constants:0.10.2 - http://github.com/jnr/jnr-constants)
 			- jnr-ffi (com.github.jnr:jnr-ffi:2.2.7 - http://github.com/jnr/jnr-ffi)
+			- JCIP Annotations under Apache License (com.github.stephenc.jcip:jcip-annotations:1.0-1 - http://stephenc.github.com/jcip-annotations)
 			- Gson (com.google.code.gson:gson:2.8.8 - https://github.com/google/gson/gson)
 			- Dagger (com.google.dagger:dagger:2.39 - https://github.com/google/dagger)
 			- Guava InternalFutureFailureAccess and InternalFutures (com.google.guava:failureaccess:1.0.1 - https://github.com/google/guava/failureaccess)
 			- Guava: Google Core Libraries for Java (com.google.guava:guava:31.0-jre - https://github.com/google/guava)
+			- Nimbus JOSE+JWT (com.nimbusds:nimbus-jose-jwt:9.15.2 - https://bitbucket.org/connect2id/nimbus-jose-jwt)
 			- Apache Commons CLI (commons-cli:commons-cli:1.4 - http://commons.apache.org/proper/commons-cli/)
 			- javax.inject (javax.inject:javax.inject:1 - http://code.google.com/p/atinject/)
 			- Apache Commons Lang (org.apache.commons:commons-lang3:3.12.0 - https://commons.apache.org/proper/commons-lang/)
diff --git a/src/test/java/org/cryptomator/ui/keyloading/hub/JWEHelperTest.java b/src/test/java/org/cryptomator/ui/keyloading/hub/JWEHelperTest.java
new file mode 100644
index 000000000..3d495e8c1
--- /dev/null
+++ b/src/test/java/org/cryptomator/ui/keyloading/hub/JWEHelperTest.java
@@ -0,0 +1,56 @@
+package org.cryptomator.ui.keyloading.hub;
+
+import com.nimbusds.jose.JWEObject;
+import org.cryptomator.cryptolib.api.MasterkeyLoadingFailedException;
+import org.cryptomator.cryptolib.common.P384KeyPair;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
+
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.security.spec.X509EncodedKeySpec;
+import java.text.ParseException;
+import java.util.Arrays;
+import java.util.Base64;
+
+public class JWEHelperTest {
+
+	private static final String JWE = "eyJhbGciOiJFQ0RILUVTIiwiZW5jIjoiQTI1NkdDTSIsImVwayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMzg0Iiwia2V5X29wcyI6W10sImV4dCI6dHJ1ZSwieCI6IllUcEY3bGtTc3JvZVVUVFdCb21LNzBTN0FhVTJyc0ptMURpZ1ZzbjRMY2F5eUxFNFBabldkYmFVcE9jQVV5a1ciLCJ5IjoiLU5pS3loUktjSk52Nm02Z0ZJUWc4cy1Xd1VXUW9uT3A5dkQ4cHpoa2tUU3U2RzFlU2FUTVlhZGltQ2Q4V0ExMSJ9LCJhcHUiOiIiLCJhcHYiOiIifQ..BECWGzd9UvhHcTJC.znt4TlS-qiNEjxiu2v-du_E1QOBnyBR6LCt865SHxD-kwRc1JwX_Lq9XVoFj2GnK9-9CgxhCLGurg5Jt9g38qv2brGAzWL7eSVeY1fIqdO_kUhLpGslRTN6h2U0NHJi2-iE.WDVI2kOk9Dy3PWHyIg8gKA";
+	private static final String PRIV_KEY = "ME8CAQAwEAYHKoZIzj0CAQYFK4EEACIEODA2AgEBBDEA6QybmBitf94veD5aCLr7nlkF5EZpaXHCfq1AXm57AKQyGOjTDAF9EQB28fMywTDQ";
+	private static final String PUB_KEY = "MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAERxQR+NRN6Wga01370uBBzr2NHDbKIC56tPUEq2HX64RhITGhii8Zzbkb1HnRmdF0aq6uqmUy4jUhuxnKxsv59A6JeK7Unn+mpmm3pQAygjoGc9wrvoH4HWJSQYUlsXDu";
+
+	@Test
+	public void testDecrypt() throws ParseException, InvalidKeySpecException {
+		var jwe = JWEObject.parse(JWE);
+		var keyPair = P384KeyPair.create(new X509EncodedKeySpec(Base64.getDecoder().decode(PUB_KEY)), new PKCS8EncodedKeySpec(Base64.getDecoder().decode(PRIV_KEY)));
+
+		var masterkey = JWEHelper.decrypt(jwe, keyPair.getPrivate());
+
+		var expectedEncKey = new byte[32];
+		var expectedMacKey = new byte[32];
+		Arrays.fill(expectedEncKey, (byte) 0x55);
+		Arrays.fill(expectedMacKey, (byte) 0x77);
+		Assertions.assertArrayEquals(expectedEncKey, masterkey.getEncKey().getEncoded());
+		Assertions.assertArrayEquals(expectedMacKey, masterkey.getMacKey().getEncoded());
+	}
+
+	@ParameterizedTest
+	@ValueSource(strings = {
+			"eyJhbGciOiJFQ0RILUVTIiwiZW5jIjoiQTI1NkdDTSIsImVwayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMzg0Iiwia2V5X29wcyI6W10sImV4dCI6dHJ1ZSwieCI6ImdodGR3VnNoUU8wRGFBdjVBOXBiZ1NCTW0yYzZKWVF4dkloR3p6RVdQTncxczZZcEFYeTRQTjBXRFJUWExtQ2wiLCJ5IjoiN3Rncm1Gd016NGl0ZmVQNzBndkpLcjRSaGdjdENCMEJHZjZjWE9WZ2M0bjVXMWQ4dFgxZ1RQakdrczNVSm1zUiJ9LCJhcHUiOiIiLCJhcHYiOiIifQ..x6JWRGSojUJUJYpp.5BRuzcaV.lLIhGH7Wz0n_iTBAubDFZA", // wrong key
+			"eyJhbGciOiJFQ0RILUVTIiwiZW5jIjoiQTI1NkdDTSIsImVwayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMzg0Iiwia2V5X29wcyI6W10sImV4dCI6dHJ1ZSwieCI6IkM2bWhsNE5BTHhEdHMwUlFlNXlyZWxQVDQyOGhDVzJNeUNYS3EwdUI0TDFMdnpXRHhVaVk3YTdZcEhJakJXcVoiLCJ5IjoiakM2dWc1NE9tbmdpNE9jUk1hdkNrczJpcFpXQjdkUmotR3QzOFhPSDRwZ2tpQ0lybWNlUnFxTnU3Z0c3Qk1yOSJ9LCJhcHUiOiIiLCJhcHYiOiIifQ..HNJJghL-SvERFz2v.N0z8YwFg.rYw29iX4i8XujdM4P4KKWg", // payload is not json
+			"eyJhbGciOiJFQ0RILUVTIiwiZW5jIjoiQTI1NkdDTSIsImVwayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMzg0Iiwia2V5X29wcyI6W10sImV4dCI6dHJ1ZSwieCI6InB3R05vcXRnY093MkJ6RDVmSnpBWDJvMzUwSWNsY3A5cFdVTHZ5VDRqRWVCRWdCc3hhTVJXQ1ZyNlJMVUVXVlMiLCJ5IjoiZ2lIVEE5MlF3VU5lbmg1OFV1bWFfb09BX3hnYmFDVWFXSlRnb3Z4WjU4R212TnN4eUlQRElLSm9WV1h5X0R6OSJ9LCJhcHUiOiIiLCJhcHYiOiIifQ..jDbzdI7d67_cUjGD.01BPnMq_tQ.aG_uFA6FYqoPS64QAJ4VBQ", // json payload doesn't contain "key"
+			"eyJhbGciOiJFQ0RILUVTIiwiZW5jIjoiQTI1NkdDTSIsImVwayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMzg0Iiwia2V5X29wcyI6W10sImV4dCI6dHJ1ZSwieCI6IkJyYm9UQkl5Y0NDUEdJQlBUekU2RjBnbTRzRjRCamZPN1I0a2x0aWlCaThKZkxxcVdXNVdUSVBLN01yMXV5QVUiLCJ5IjoiNUpGVUI0WVJiYjM2RUZpN2Y0TUxMcFFyZXd2UV9Tc3dKNHRVbFd1a2c1ZU04X1ZyM2pkeml2QXI2WThRczVYbSJ9LCJhcHUiOiIiLCJhcHYiOiIifQ..QEq4Z2m6iwBx2ioS.IBo8TbKJTS4pug.61Z-agIIXgP8bX10O_yEMA", // json payload field "key" not a string
+			"eyJhbGciOiJFQ0RILUVTIiwiZW5jIjoiQTI1NkdDTSIsImVwayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMzg0Iiwia2V5X29wcyI6W10sImV4dCI6dHJ1ZSwieCI6ImNZdlVFZm9LYkJjenZySE5zQjUxOGpycUxPMGJDOW5lZjR4NzFFMUQ5dk95MXRqd1piZzV3cFI0OE5nU1RQdHgiLCJ5IjoiaWRJekhCWERzSzR2NTZEeU9yczJOcDZsSG1zb29fMXV0VTlzX3JNdVVkbkxuVXIzUXdLZkhYMWdaVXREM1RKayJ9LCJhcHUiOiIiLCJhcHYiOiIifQ..0VZqu5ei9U3blGtq.eDvhU6drw7mIwvXu6Q.f05QnhI7JWG3IYHvexwdFQ" // json payload field "key" invalid base64 data
+	})
+	public void testDecryptInvalid(String malformed) throws ParseException, InvalidKeySpecException {
+		var jwe = JWEObject.parse(malformed);
+		var keyPair = P384KeyPair.create(new X509EncodedKeySpec(Base64.getDecoder().decode(PUB_KEY)), new PKCS8EncodedKeySpec(Base64.getDecoder().decode(PRIV_KEY)));
+
+		Assertions.assertThrows(MasterkeyLoadingFailedException.class, () -> {
+			JWEHelper.decrypt(jwe, keyPair.getPrivate());
+		});
+	}
+
+}
\ No newline at end of file

From fb580ff79d8063471c9023d5bddb63f4e016bf7b Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Thu, 9 Dec 2021 14:03:39 +0100
Subject: [PATCH 27/55] read masterkey from JWE

---
 .../ui/keyloading/hub/EciesParams.java        | 14 -------------
 .../keyloading/hub/HubKeyLoadingModule.java   |  3 ++-
 .../keyloading/hub/HubKeyLoadingStrategy.java | 14 +++++--------
 .../keyloading/hub/ReceiveKeyController.java  | 21 +++++++------------
 .../hub/RegisterDeviceController.java         |  2 +-
 5 files changed, 16 insertions(+), 38 deletions(-)
 delete mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/EciesParams.java

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/EciesParams.java b/src/main/java/org/cryptomator/ui/keyloading/hub/EciesParams.java
deleted file mode 100644
index 8b0519906..000000000
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/EciesParams.java
+++ /dev/null
@@ -1,14 +0,0 @@
-package org.cryptomator.ui.keyloading.hub;
-
-/**
- * ECIES parameters required to decrypt the masterkey:
- * <ul>
- *     <li><code>m</code> Encrypted Masterkey (base64url-encoded ciphertext)</li>
- *     <li><code>epk</code> Ephemeral Public Key (base64url-encoded SPKI format)</li>
- * </ul>
- * <p>
- * No separate tag required, since we use GCM for encryption.
- */
-record EciesParams(String m, String epk) {
-
-}
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
index 7c76bc229..bf2cb10d5 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
@@ -1,5 +1,6 @@
 package org.cryptomator.ui.keyloading.hub;
 
+import com.nimbusds.jose.JWEObject;
 import dagger.Binds;
 import dagger.Module;
 import dagger.Provides;
@@ -55,7 +56,7 @@ public abstract class HubKeyLoadingModule {
 
 	@Provides
 	@KeyLoadingScoped
-	static AtomicReference<EciesParams> provideEciesParamsRef() {
+	static AtomicReference<JWEObject> provideJweRef() {
 		return new AtomicReference<>();
 	}
 
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java
index 83338ed06..2aadfb1d0 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java
@@ -1,13 +1,11 @@
 package org.cryptomator.ui.keyloading.hub;
 
 import com.google.common.base.Preconditions;
+import com.nimbusds.jose.JWEObject;
 import dagger.Lazy;
 import org.cryptomator.common.settings.DeviceKey;
-import org.cryptomator.common.vaults.Vault;
 import org.cryptomator.cryptolib.api.Masterkey;
 import org.cryptomator.cryptolib.api.MasterkeyLoadingFailedException;
-import org.cryptomator.cryptolib.common.Destroyables;
-import org.cryptomator.cryptolib.common.MasterkeyHubAccess;
 import org.cryptomator.ui.common.FxmlFile;
 import org.cryptomator.ui.common.FxmlScene;
 import org.cryptomator.ui.common.UserInteractionLock;
@@ -21,7 +19,6 @@ import javafx.scene.Scene;
 import javafx.stage.Stage;
 import javafx.stage.Window;
 import java.net.URI;
-import java.security.KeyPair;
 import java.util.concurrent.atomic.AtomicReference;
 
 @KeyLoading
@@ -35,24 +32,23 @@ public class HubKeyLoadingStrategy implements KeyLoadingStrategy {
 	private final Lazy<Scene> authFlowScene;
 	private final UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> userInteraction;
 	private final DeviceKey deviceKey;
-	private final AtomicReference<EciesParams> eciesParams;
+	private final AtomicReference<JWEObject> jweRef;
 
 	@Inject
-	public HubKeyLoadingStrategy(@KeyLoading Stage window, @FxmlScene(FxmlFile.HUB_AUTH_FLOW) Lazy<Scene> authFlowScene, UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> userInteraction, DeviceKey deviceKey, AtomicReference<EciesParams> eciesParams) {
+	public HubKeyLoadingStrategy(@KeyLoading Stage window, @FxmlScene(FxmlFile.HUB_AUTH_FLOW) Lazy<Scene> authFlowScene, UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> userInteraction, DeviceKey deviceKey, AtomicReference<JWEObject> jweRef) {
 		this.window = window;
 		this.authFlowScene = authFlowScene;
 		this.userInteraction = userInteraction;
 		this.deviceKey = deviceKey;
-		this.eciesParams = eciesParams;
+		this.jweRef = jweRef;
 	}
 
 	@Override
 	public Masterkey loadKey(URI keyId) throws MasterkeyLoadingFailedException {
 		Preconditions.checkArgument(keyId.getScheme().startsWith(SCHEME_PREFIX));
 		try {
-			var keyPair = deviceKey.get();
 			return switch (auth()) {
-				case SUCCESS -> MasterkeyHubAccess.decryptMasterkey(keyPair.getPrivate(), eciesParams.get().m(), eciesParams.get().epk());
+				case SUCCESS -> JWEHelper.decrypt(jweRef.get(), deviceKey.get().getPrivate());
 				case FAILED -> throw new MasterkeyLoadingFailedException("failed to load keypair");
 				case CANCELLED -> throw new UnlockCancelledException("User cancelled auth workflow");
 			};
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
index e16df1994..7514730cd 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
@@ -1,7 +1,7 @@
 package org.cryptomator.ui.keyloading.hub;
 
-import com.google.common.base.Preconditions;
 import com.google.common.io.BaseEncoding;
+import com.nimbusds.jose.JWEObject;
 import dagger.Lazy;
 import org.cryptomator.common.settings.DeviceKey;
 import org.cryptomator.common.vaults.Vault;
@@ -32,6 +32,7 @@ import java.net.URISyntaxException;
 import java.net.http.HttpClient;
 import java.net.http.HttpRequest;
 import java.net.http.HttpResponse;
+import java.text.ParseException;
 import java.util.Objects;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.atomic.AtomicReference;
@@ -45,7 +46,7 @@ public class ReceiveKeyController implements FxController {
 	private final Stage window;
 	private final P384KeyPair keyPair;
 	private final String bearerToken;
-	private final AtomicReference<EciesParams> eciesParamsRef;
+	private final AtomicReference<JWEObject> jweRef;
 	private final UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result;
 	private final Lazy<Scene> registerDeviceScene;
 	private final Lazy<Scene> unauthorizedScene;
@@ -53,13 +54,12 @@ public class ReceiveKeyController implements FxController {
 	private final URI vaultBaseUri;
 	private final HttpClient httpClient;
 
-
 	@Inject
-	public ReceiveKeyController(@KeyLoading Vault vault, ExecutorService executor, @KeyLoading Stage window, DeviceKey deviceKey, @Named("bearerToken") AtomicReference<String> tokenRef, AtomicReference<EciesParams> eciesParamsRef, UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result, @FxmlScene(FxmlFile.HUB_REGISTER_DEVICE) Lazy<Scene> registerDeviceScene, @FxmlScene(FxmlFile.HUB_UNAUTHORIZED_DEVICE) Lazy<Scene> unauthorizedScene, ErrorComponent.Builder errorComponent) {
+	public ReceiveKeyController(@KeyLoading Vault vault, ExecutorService executor, @KeyLoading Stage window, DeviceKey deviceKey, @Named("bearerToken") AtomicReference<String> tokenRef, AtomicReference<JWEObject> jweRef, UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result, @FxmlScene(FxmlFile.HUB_REGISTER_DEVICE) Lazy<Scene> registerDeviceScene, @FxmlScene(FxmlFile.HUB_UNAUTHORIZED_DEVICE) Lazy<Scene> unauthorizedScene, ErrorComponent.Builder errorComponent) {
 		this.window = window;
 		this.keyPair = Objects.requireNonNull(deviceKey.get());
 		this.bearerToken = Objects.requireNonNull(tokenRef.get());
-		this.eciesParamsRef = eciesParamsRef;
+		this.jweRef = jweRef;
 		this.result = result;
 		this.registerDeviceScene = registerDeviceScene;
 		this.unauthorizedScene = unauthorizedScene;
@@ -98,16 +98,11 @@ public class ReceiveKeyController implements FxController {
 
 	private void retrievalSucceeded(HttpResponse<InputStream> response) {
 		try {
-			var json = HttpHelper.parseBody(response);
-			Preconditions.checkArgument(json.isJsonObject());
-			Preconditions.checkArgument(json.getAsJsonObject().has("device_specific_masterkey"));
-			Preconditions.checkArgument(json.getAsJsonObject().has("ephemeral_public_key"));
-			var m = json.getAsJsonObject().get("device_specific_masterkey").getAsString();
-			var epk = json.getAsJsonObject().get("ephemeral_public_key").getAsString();
-			eciesParamsRef.set(new EciesParams(m, epk));
+			var string = HttpHelper.readBody(response);
+			jweRef.set(JWEObject.parse(string));
 			result.interacted(HubKeyLoadingModule.HubLoadingResult.SUCCESS);
 			window.close();
-		} catch (IOException | IllegalArgumentException e) {
+		} catch (ParseException | IOException e) {
 			retrievalFailed(e);
 		}
 	}
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
index c4e33dbf5..46349280b 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
@@ -50,7 +50,7 @@ public class RegisterDeviceController implements FxController {
 		var hashedKey = MessageDigestSupplier.SHA256.get().digest(deviceKey);
 		var deviceId = BaseEncoding.base16().encode(hashedKey);
 		var hash = computeVerificationHash(deviceId + encodedKey + verificationCode);
-		var url = hubConfig.deviceRegistrationUrl + "?device_key=" + encodedKey + "&device_id=" + deviceId + "&verification_hash=" + hash;
+		var url = hubConfig.deviceRegistrationUrl + "&device_key=" + encodedKey + "&device_id=" + deviceId + "&verification_hash=" + hash;
 		application.getHostServices().showDocument(url);
 	}
 

From 921dd8fe677428b0de450bd7f361ad375c4e4581 Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Fri, 10 Dec 2021 13:42:37 +0100
Subject: [PATCH 28/55] Add query to redirection to provide more context in the
 frontend (#1973)

Co-authored-by: Sebastian Stenzel <sebastian.stenzel@gmail.com>
---
 .../ui/keyloading/hub/AuthFlow.java           |  4 ++--
 .../ui/keyloading/hub/AuthFlowContext.java    |  5 +++++
 .../ui/keyloading/hub/AuthFlowController.java |  6 +++--
 .../ui/keyloading/hub/AuthFlowReceiver.java   | 22 ++++++++++---------
 .../ui/keyloading/hub/AuthFlowTask.java       |  6 +++--
 .../keyloading/hub/HubKeyLoadingModule.java   | 15 +++++++++++--
 .../keyloading/hub/ReceiveKeyController.java  | 13 +++--------
 .../hub/AuthFlowIntegrationTest.java          |  8 +++----
 8 files changed, 46 insertions(+), 33 deletions(-)
 create mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowContext.java

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlow.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlow.java
index 11ef34301..a4a55e78c 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlow.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlow.java
@@ -60,8 +60,8 @@ class AuthFlow implements AutoCloseable {
 	 * @return An authorization flow
 	 * @throws Exception In case of any problems starting the server
 	 */
-	public static AuthFlow init(HubConfig hubConfig) throws Exception {
-		var receiver = AuthFlowReceiver.start(hubConfig);
+	public static AuthFlow init(HubConfig hubConfig, AuthFlowContext authFlowContext) throws Exception {
+		var receiver = AuthFlowReceiver.start(hubConfig, authFlowContext);
 		return new AuthFlow(receiver, hubConfig);
 	}
 
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowContext.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowContext.java
new file mode 100644
index 000000000..3ee2b55eb
--- /dev/null
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowContext.java
@@ -0,0 +1,5 @@
+package org.cryptomator.ui.keyloading.hub;
+
+record AuthFlowContext(String deviceId) {
+
+}
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowController.java
index 436516fca..65c9a0df7 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowController.java
@@ -35,6 +35,7 @@ public class AuthFlowController implements FxController {
 	private final Application application;
 	private final Stage window;
 	private final ExecutorService executor;
+	private final String deviceId;
 	private final HubConfig hubConfig;
 	private final AtomicReference<String> tokenRef;
 	private final UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result;
@@ -45,10 +46,11 @@ public class AuthFlowController implements FxController {
 	private AuthFlowTask task;
 
 	@Inject
-	public AuthFlowController(Application application, @KeyLoading Stage window, ExecutorService executor, HubConfig hubConfig, @Named("bearerToken") AtomicReference<String> tokenRef, UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result, @FxmlScene(FxmlFile.HUB_RECEIVE_KEY) Lazy<Scene> receiveKeyScene, ErrorComponent.Builder errorComponent) {
+	public AuthFlowController(Application application, @KeyLoading Stage window, ExecutorService executor, @Named("deviceId") String deviceId, HubConfig hubConfig, @Named("bearerToken") AtomicReference<String> tokenRef, UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result, @FxmlScene(FxmlFile.HUB_RECEIVE_KEY) Lazy<Scene> receiveKeyScene, ErrorComponent.Builder errorComponent) {
 		this.application = application;
 		this.window = window;
 		this.executor = executor;
+		this.deviceId = deviceId;
 		this.hubConfig = hubConfig;
 		this.tokenRef = tokenRef;
 		this.result = result;
@@ -62,7 +64,7 @@ public class AuthFlowController implements FxController {
 	@FXML
 	public void initialize() {
 		assert task == null;
-		task = new AuthFlowTask(hubConfig, this::setAuthUri);;
+		task = new AuthFlowTask(hubConfig, new AuthFlowContext(deviceId), this::setAuthUri);;
 		task.setOnFailed(this::authFailed);
 		task.setOnSucceeded(this::authSucceeded);
 		executor.submit(task);
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowReceiver.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowReceiver.java
index d2995b0f8..dc84c450c 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowReceiver.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowReceiver.java
@@ -30,20 +30,18 @@ class AuthFlowReceiver implements AutoCloseable {
 	private final Server server;
 	private final ServerConnector connector;
 	private final CallbackServlet servlet;
-	private final HubConfig hubConfig;
 
-	private AuthFlowReceiver(Server server, ServerConnector connector, CallbackServlet servlet, HubConfig hubConfig) {
+	private AuthFlowReceiver(Server server, ServerConnector connector, CallbackServlet servlet) {
 		this.server = server;
 		this.connector = connector;
 		this.servlet = servlet;
-		this.hubConfig = hubConfig;
 	}
 
-	public static AuthFlowReceiver start(HubConfig hubConfig) throws Exception {
+	public static AuthFlowReceiver start(HubConfig hubConfig, AuthFlowContext authFlowContext) throws Exception {
 		var server = new Server();
 		var context = new ServletContextHandler();
 
-		var servlet = new CallbackServlet(hubConfig);
+		var servlet = new CallbackServlet(hubConfig, authFlowContext);
 		context.addServlet(new ServletHolder(servlet), CALLBACK_PATH);
 
 		var connector = new ServerConnector(server);
@@ -52,7 +50,7 @@ class AuthFlowReceiver implements AutoCloseable {
 		server.setConnectors(new Connector[]{connector});
 		server.setHandler(context);
 		server.start();
-		return new AuthFlowReceiver(server, connector, servlet, hubConfig);
+		return new AuthFlowReceiver(server, connector, servlet);
 	}
 
 	public String getRedirectUri() {
@@ -68,15 +66,19 @@ class AuthFlowReceiver implements AutoCloseable {
 		server.stop();
 	}
 
-	public static record Callback(String error, String code, String state){}
+	public static record Callback(String error, String code, String state) {
+
+	}
 
 	private static class CallbackServlet extends HttpServlet {
 
 		private final BlockingQueue<Callback> callback = new LinkedBlockingQueue<>();
 		private final HubConfig hubConfig;
+		private final AuthFlowContext authFlowContext;
 
-		public CallbackServlet(HubConfig hubConfig) {
+		public CallbackServlet(HubConfig hubConfig, AuthFlowContext authFlowContext) {
 			this.hubConfig = hubConfig;
+			this.authFlowContext = authFlowContext;
 		}
 
 		@Override
@@ -87,9 +89,9 @@ class AuthFlowReceiver implements AutoCloseable {
 
 			res.setStatus(HttpServletResponse.SC_MOVED_TEMPORARILY);
 			if (error == null && code != null) {
-				res.setHeader("Location", hubConfig.authSuccessUrl);
+				res.setHeader("Location", hubConfig.authSuccessUrl + "&device=" + authFlowContext.deviceId());
 			} else {
-				res.setHeader("Location", hubConfig.authErrorUrl);
+				res.setHeader("Location", hubConfig.authErrorUrl + "&device=" + authFlowContext.deviceId());
 			}
 
 			callback.add(new Callback(error, code, state));
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowTask.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowTask.java
index 901c7acc7..be41df2dd 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowTask.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowTask.java
@@ -7,6 +7,7 @@ import java.util.function.Consumer;
 
 class AuthFlowTask extends Task<String> {
 
+	private final AuthFlowContext authFlowContext;
 	private final Consumer<URI> redirectUriConsumer;
 
 	/**
@@ -15,14 +16,15 @@ class AuthFlowTask extends Task<String> {
 	 * @param hubConfig Configuration object holding parameters required by {@link AuthFlow}
 	 * @param redirectUriConsumer A callback invoked with the redirectUri, as soon as the server has started
 	 */
-	public AuthFlowTask(HubConfig hubConfig, Consumer<URI> redirectUriConsumer) {
+	public AuthFlowTask(HubConfig hubConfig, AuthFlowContext authFlowContext, Consumer<URI> redirectUriConsumer) {
 		this.hubConfig = hubConfig;
+		this.authFlowContext = authFlowContext;
 		this.redirectUriConsumer = redirectUriConsumer;
 	}
 
 	@Override
 	protected String call() throws Exception {
-		try (var authFlow = AuthFlow.init(hubConfig)) {
+		try (var authFlow = AuthFlow.init(hubConfig, authFlowContext)) {
 			return authFlow.run(uri -> Platform.runLater(() -> redirectUriConsumer.accept(uri)));
 		}
 	}
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
index bf2cb10d5..04faa1493 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
@@ -1,12 +1,15 @@
 package org.cryptomator.ui.keyloading.hub;
 
+import com.google.common.io.BaseEncoding;
 import com.nimbusds.jose.JWEObject;
 import dagger.Binds;
 import dagger.Module;
 import dagger.Provides;
 import dagger.multibindings.IntoMap;
 import dagger.multibindings.StringKey;
+import org.cryptomator.common.settings.DeviceKey;
 import org.cryptomator.common.vaults.Vault;
+import org.cryptomator.cryptolib.common.MessageDigestSupplier;
 import org.cryptomator.ui.common.FxController;
 import org.cryptomator.ui.common.FxControllerKey;
 import org.cryptomator.ui.common.FxmlFile;
@@ -23,8 +26,7 @@ import javax.inject.Named;
 import javafx.scene.Scene;
 import java.io.IOException;
 import java.io.UncheckedIOException;
-import java.net.URI;
-import java.security.KeyPair;
+import java.util.Objects;
 import java.util.ResourceBundle;
 import java.util.concurrent.atomic.AtomicReference;
 
@@ -47,6 +49,15 @@ public abstract class HubKeyLoadingModule {
 		}
 	}
 
+	@Provides
+	@KeyLoadingScoped
+	@Named("deviceId")
+	static String provideDeviceId(DeviceKey deviceKey) {
+		var publicKey = Objects.requireNonNull(deviceKey.get()).getPublic().getEncoded();
+		var hashedKey = MessageDigestSupplier.SHA256.get().digest(publicKey);
+		return BaseEncoding.base16().encode(hashedKey);
+	}
+
 	@Provides
 	@Named("bearerToken")
 	@KeyLoadingScoped
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
index 7514730cd..90efc6abc 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
@@ -1,12 +1,8 @@
 package org.cryptomator.ui.keyloading.hub;
 
-import com.google.common.io.BaseEncoding;
 import com.nimbusds.jose.JWEObject;
 import dagger.Lazy;
-import org.cryptomator.common.settings.DeviceKey;
 import org.cryptomator.common.vaults.Vault;
-import org.cryptomator.cryptolib.common.MessageDigestSupplier;
-import org.cryptomator.cryptolib.common.P384KeyPair;
 import org.cryptomator.ui.common.ErrorComponent;
 import org.cryptomator.ui.common.FxController;
 import org.cryptomator.ui.common.FxmlFile;
@@ -44,7 +40,7 @@ public class ReceiveKeyController implements FxController {
 	private static final String SCHEME_PREFIX = "hub+";
 
 	private final Stage window;
-	private final P384KeyPair keyPair;
+	private final String deviceId;
 	private final String bearerToken;
 	private final AtomicReference<JWEObject> jweRef;
 	private final UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result;
@@ -55,9 +51,9 @@ public class ReceiveKeyController implements FxController {
 	private final HttpClient httpClient;
 
 	@Inject
-	public ReceiveKeyController(@KeyLoading Vault vault, ExecutorService executor, @KeyLoading Stage window, DeviceKey deviceKey, @Named("bearerToken") AtomicReference<String> tokenRef, AtomicReference<JWEObject> jweRef, UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result, @FxmlScene(FxmlFile.HUB_REGISTER_DEVICE) Lazy<Scene> registerDeviceScene, @FxmlScene(FxmlFile.HUB_UNAUTHORIZED_DEVICE) Lazy<Scene> unauthorizedScene, ErrorComponent.Builder errorComponent) {
+	public ReceiveKeyController(@KeyLoading Vault vault, ExecutorService executor, @KeyLoading Stage window, @Named("deviceId") String deviceId, @Named("bearerToken") AtomicReference<String> tokenRef, AtomicReference<JWEObject> jweRef, UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result, @FxmlScene(FxmlFile.HUB_REGISTER_DEVICE) Lazy<Scene> registerDeviceScene, @FxmlScene(FxmlFile.HUB_UNAUTHORIZED_DEVICE) Lazy<Scene> unauthorizedScene, ErrorComponent.Builder errorComponent) {
 		this.window = window;
-		this.keyPair = Objects.requireNonNull(deviceKey.get());
+		this.deviceId = deviceId;
 		this.bearerToken = Objects.requireNonNull(tokenRef.get());
 		this.jweRef = jweRef;
 		this.result = result;
@@ -71,9 +67,6 @@ public class ReceiveKeyController implements FxController {
 
 	@FXML
 	public void initialize() {
-		var deviceKey = keyPair.getPublic().getEncoded();
-		var hashedKey = MessageDigestSupplier.SHA256.get().digest(deviceKey);
-		var deviceId = BaseEncoding.base16().encode(hashedKey);
 		var keyUri = appendPath(vaultBaseUri, "/keys/" + deviceId);
 		var request = HttpRequest.newBuilder(keyUri) //
 				.header("Authorization", "Bearer " + bearerToken) //
diff --git a/src/test/java/org/cryptomator/ui/keyloading/hub/AuthFlowIntegrationTest.java b/src/test/java/org/cryptomator/ui/keyloading/hub/AuthFlowIntegrationTest.java
index 1c875365a..f2b9e9cd5 100644
--- a/src/test/java/org/cryptomator/ui/keyloading/hub/AuthFlowIntegrationTest.java
+++ b/src/test/java/org/cryptomator/ui/keyloading/hub/AuthFlowIntegrationTest.java
@@ -6,8 +6,6 @@ import org.junit.jupiter.api.Test;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import java.net.URI;
-
 public class AuthFlowIntegrationTest {
 
 	static {
@@ -23,10 +21,10 @@ public class AuthFlowIntegrationTest {
 		hubConfig.authEndpoint = "http://localhost:8080/auth/realms/cryptomator/protocol/openid-connect/auth";
 		hubConfig.tokenEndpoint = "http://localhost:8080/auth/realms/cryptomator/protocol/openid-connect/token";
 		hubConfig.clientId = "cryptomator-hub";
-		hubConfig.authSuccessUrl = "http://localhost:3000/#/unlock-success";
-		hubConfig.authErrorUrl = "http://localhost:3000/#/unlock-error";
+		hubConfig.authSuccessUrl = "http://localhost:3000/#/unlock-success?vault=vaultId";
+		hubConfig.authErrorUrl = "http://localhost:3000/#/unlock-error?vault=vaultId";
 
-		try (var authFlow = AuthFlow.init(hubConfig)) {
+		try (var authFlow = AuthFlow.init(hubConfig, new AuthFlowContext("deviceId"))) {
 			var token = authFlow.run(uri -> {
 				LOG.info("Visit {} to authenticate", uri);
 			});

From ef281f810fbba4e5c52c2fd7f076f54c6848a0a5 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Tue, 14 Dec 2021 17:35:24 +0100
Subject: [PATCH 29/55] register device via rest api

---
 src/main/java/module-info.java                |  2 +-
 .../ui/keyloading/hub/CreateDeviceDto.java    |  9 ++
 .../keyloading/hub/HubKeyLoadingStrategy.java |  1 +
 .../keyloading/hub/ReceiveKeyController.java  | 23 ++---
 .../hub/RegisterDeviceController.java         | 86 ++++++++++++-------
 .../resources/fxml/hub_register_device.fxml   | 24 +++---
 6 files changed, 91 insertions(+), 54 deletions(-)
 create mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/CreateDeviceDto.java

diff --git a/src/main/java/module-info.java b/src/main/java/module-info.java
index 6627f5528..fe1da0f3e 100644
--- a/src/main/java/module-info.java
+++ b/src/main/java/module-info.java
@@ -45,6 +45,7 @@ module org.cryptomator.desktop {
 	exports org.cryptomator.ui.keyloading.hub to com.fasterxml.jackson.databind;
 
 	opens org.cryptomator.common.settings to com.google.gson;
+	opens org.cryptomator.ui.keyloading.hub to com.google.gson, javafx.fxml;
 
 	opens org.cryptomator.common to javafx.fxml;
 	opens org.cryptomator.common.vaults to javafx.fxml;
@@ -55,7 +56,6 @@ module org.cryptomator.desktop {
 	opens org.cryptomator.ui.forgetPassword to javafx.fxml;
 	opens org.cryptomator.ui.fxapp to javafx.fxml;
 	opens org.cryptomator.ui.health to javafx.fxml;
-	opens org.cryptomator.ui.keyloading.hub to javafx.fxml;
 	opens org.cryptomator.ui.keyloading.masterkeyfile to javafx.fxml;
 	opens org.cryptomator.ui.lock to javafx.fxml;
 	opens org.cryptomator.ui.mainwindow to javafx.fxml;
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/CreateDeviceDto.java b/src/main/java/org/cryptomator/ui/keyloading/hub/CreateDeviceDto.java
new file mode 100644
index 000000000..71377a318
--- /dev/null
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/CreateDeviceDto.java
@@ -0,0 +1,9 @@
+package org.cryptomator.ui.keyloading.hub;
+
+class CreateDeviceDto {
+
+	public String id;
+	public String name;
+	public String publicKey;
+
+}
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java
index 2aadfb1d0..8316f640a 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java
@@ -19,6 +19,7 @@ import javafx.scene.Scene;
 import javafx.stage.Stage;
 import javafx.stage.Window;
 import java.net.URI;
+import java.util.concurrent.CompletionStage;
 import java.util.concurrent.atomic.AtomicReference;
 
 @KeyLoading
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
index 90efc6abc..5bc8bc419 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
@@ -10,6 +10,7 @@ import org.cryptomator.ui.common.FxmlScene;
 import org.cryptomator.ui.common.UserInteractionLock;
 import org.cryptomator.ui.keyloading.KeyLoading;
 import org.cryptomator.ui.keyloading.KeyLoadingScoped;
+import org.eclipse.jetty.io.RuntimeIOException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -73,30 +74,31 @@ public class ReceiveKeyController implements FxController {
 				.GET() //
 				.build();
 		httpClient.sendAsync(request, HttpResponse.BodyHandlers.ofInputStream()) //
-				.whenCompleteAsync(this::loadedExistingKey, Platform::runLater);
+				.thenAcceptAsync(this::loadedExistingKey, Platform::runLater) //
+				.exceptionallyAsync(this::retrievalFailed, Platform::runLater);
 	}
 
-	private void loadedExistingKey(HttpResponse<InputStream> response, Throwable error) {
-		if (error != null) {
-			retrievalFailed(error);
-		} else {
+	private void loadedExistingKey(HttpResponse<InputStream> response) {
+		try {
 			switch (response.statusCode()) {
 				case 200 -> retrievalSucceeded(response);
 				case 403 -> accessNotGranted();
 				case 404 -> needsDeviceRegistration();
-				default -> retrievalFailed(new IOException("Unexpected response " + response.statusCode()));
+				default -> throw new IOException("Unexpected response " + response.statusCode());
 			}
+		} catch (IOException e) {
+			throw new RuntimeIOException(e);
 		}
 	}
 
-	private void retrievalSucceeded(HttpResponse<InputStream> response) {
+	private void retrievalSucceeded(HttpResponse<InputStream> response) throws IOException {
 		try {
 			var string = HttpHelper.readBody(response);
 			jweRef.set(JWEObject.parse(string));
 			result.interacted(HubKeyLoadingModule.HubLoadingResult.SUCCESS);
 			window.close();
-		} catch (ParseException | IOException e) {
-			retrievalFailed(e);
+		} catch (ParseException e) {
+			throw new IOException("Failed to parse JWE", e);
 		}
 	}
 
@@ -108,10 +110,11 @@ public class ReceiveKeyController implements FxController {
 		window.setScene(unauthorizedScene.get());
 	}
 
-	private void retrievalFailed(Throwable cause) {
+	private Void retrievalFailed(Throwable cause) {
 		result.interacted(HubKeyLoadingModule.HubLoadingResult.FAILED);
 		LOG.error("Key retrieval failed", cause);
 		errorComponent.cause(cause).window(window).build().showErrorScene();
+		return null;
 	}
 
 	@FXML
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
index 46349280b..442fe2022 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
@@ -1,57 +1,92 @@
 package org.cryptomator.ui.keyloading.hub;
 
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.interfaces.DecodedJWT;
 import com.google.common.io.BaseEncoding;
+import com.google.gson.Gson;
+import com.google.gson.GsonBuilder;
 import org.cryptomator.common.settings.DeviceKey;
-import org.cryptomator.cryptolib.common.MessageDigestSupplier;
 import org.cryptomator.cryptolib.common.P384KeyPair;
 import org.cryptomator.ui.common.FxController;
 import org.cryptomator.ui.common.UserInteractionLock;
 import org.cryptomator.ui.keyloading.KeyLoading;
 import org.cryptomator.ui.keyloading.KeyLoadingScoped;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import javax.inject.Inject;
-import javafx.application.Application;
+import javax.inject.Named;
+import javafx.application.Platform;
 import javafx.fxml.FXML;
+import javafx.scene.control.TextField;
 import javafx.stage.Stage;
 import javafx.stage.WindowEvent;
+import java.net.URI;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
 import java.nio.charset.StandardCharsets;
-import java.security.KeyPair;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-import java.security.SecureRandom;
 import java.util.Objects;
+import java.util.concurrent.ExecutorService;
 import java.util.concurrent.atomic.AtomicReference;
 
 @KeyLoadingScoped
 public class RegisterDeviceController implements FxController {
 
-	private final Application application;
+	private static final Logger LOG = LoggerFactory.getLogger(RegisterDeviceController.class);
+	private static final Gson GSON = new GsonBuilder().setLenient().create();
+
 	private final Stage window;
 	private final HubConfig hubConfig;
+	private final String bearerToken;
+	private final String deviceId;
 	private final P384KeyPair keyPair;
 	private final UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result;
-	private final String verificationCode;
+	private final DecodedJWT jwt;
+	private final HttpClient httpClient;
+
+	public TextField deviceNameField;
 
 	@Inject
-	public RegisterDeviceController(Application application, SecureRandom csprng, @KeyLoading Stage window, HubConfig hubConfig, DeviceKey deviceKey, UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result) {
-		this.application = application;
+	public RegisterDeviceController(@KeyLoading Stage window, ExecutorService executor, HubConfig hubConfig, @Named("deviceId") String deviceId, DeviceKey deviceKey, UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result, @Named("bearerToken") AtomicReference<String> bearerToken) {
 		this.window = window;
 		this.hubConfig = hubConfig;
+		this.deviceId = deviceId;
 		this.keyPair = Objects.requireNonNull(deviceKey.get());
 		this.result = result;
+		this.bearerToken = Objects.requireNonNull(bearerToken.get());
+		this.jwt = JWT.decode(this.bearerToken);
 		this.window.addEventHandler(WindowEvent.WINDOW_HIDING, this::windowClosed);
-		this.verificationCode = String.format("%06d", csprng.nextInt(1_000_000));
+		this.httpClient = HttpClient.newBuilder().executor(executor).build();
 	}
 
 	@FXML
-	public void browse() {
+	public void register() {
+		var keyUri = URI.create("http://localhost:9090/devices/" + deviceId); // TODO lol hubConfig.deviceRegistrationUrl
 		var deviceKey = keyPair.getPublic().getEncoded();
-		var encodedKey = BaseEncoding.base64Url().omitPadding().encode(deviceKey);
-		var hashedKey = MessageDigestSupplier.SHA256.get().digest(deviceKey);
-		var deviceId = BaseEncoding.base16().encode(hashedKey);
-		var hash = computeVerificationHash(deviceId + encodedKey + verificationCode);
-		var url = hubConfig.deviceRegistrationUrl + "&device_key=" + encodedKey + "&device_id=" + deviceId + "&verification_hash=" + hash;
-		application.getHostServices().showDocument(url);
+		var dto = new CreateDeviceDto();
+		dto.id = deviceId;
+		dto.name = deviceNameField.getText();
+		dto.publicKey = BaseEncoding.base64Url().omitPadding().encode(deviceKey);
+		var json = GSON.toJson(dto); // TODO: do we want to keep GSON? doesn't support records -.-
+		var request = HttpRequest.newBuilder(keyUri) //
+				.header("Authorization", "Bearer " + bearerToken) //
+				.header("Content-Type", "application/json").PUT(HttpRequest.BodyPublishers.ofString(json, StandardCharsets.UTF_8)) //
+				.build();
+		httpClient.sendAsync(request, HttpResponse.BodyHandlers.discarding()) //
+				.thenAcceptAsync(this::registrationSucceeded, Platform::runLater) //
+				.exceptionallyAsync(this::registrationFailed, Platform::runLater);
+	}
+
+	private void registrationSucceeded(HttpResponse<Void> voidHttpResponse) {
+		LOG.info("Registered!");
+	}
+
+	private Void registrationFailed(Throwable cause) {
+		result.interacted(HubKeyLoadingModule.HubLoadingResult.FAILED);
+		LOG.error("Key retrieval failed", cause);
+		// TODO errorComponent.cause(cause).window(window).build().showErrorScene();
+		return null;
 	}
 
 	@FXML
@@ -66,20 +101,11 @@ public class RegisterDeviceController implements FxController {
 		}
 	}
 
-	private static String computeVerificationHash(String input) {
-		try {
-			var digest = MessageDigest.getInstance("SHA-256");
-			digest.update(StandardCharsets.UTF_8.encode(input));
-			return BaseEncoding.base64Url().omitPadding().encode(digest.digest());
-		} catch (NoSuchAlgorithmException e) {
-			throw new IllegalStateException("Every implementation of the Java platform is required to support SHA-256.");
-		}
-	}
-
 	/* Getter */
 
-	public String getVerificationCode() {
-		return verificationCode;
+	public String getUserName() {
+		return jwt.getClaim("email").asString();
 	}
 
+
 }
diff --git a/src/main/resources/fxml/hub_register_device.fxml b/src/main/resources/fxml/hub_register_device.fxml
index edf7249e6..2fd5ceaa5 100644
--- a/src/main/resources/fxml/hub_register_device.fxml
+++ b/src/main/resources/fxml/hub_register_device.fxml
@@ -1,16 +1,15 @@
 <?xml version="1.0" encoding="UTF-8"?>
 
-<?import org.cryptomator.ui.controls.FontAwesome5IconView?>
+<?import org.cryptomator.ui.controls.FormattedLabel?>
 <?import javafx.geometry.Insets?>
 <?import javafx.scene.control.Button?>
 <?import javafx.scene.control.ButtonBar?>
 <?import javafx.scene.control.Label?>
+<?import javafx.scene.control.TextField?>
 <?import javafx.scene.image.Image?>
 <?import javafx.scene.image.ImageView?>
 <?import javafx.scene.layout.HBox?>
 <?import javafx.scene.layout.VBox?>
-<?import javafx.scene.text.Text?>
-<?import javafx.scene.text.TextFlow?>
 <VBox xmlns:fx="http://javafx.com/fxml"
 	  xmlns="http://javafx.com/javafx"
 	  fx:controller="org.cryptomator.ui.keyloading.hub.RegisterDeviceController"
@@ -30,11 +29,14 @@
 			</HBox>
 
 			<VBox spacing="6">
-				<Label text="This device is not yet known to Cryptomator Hub. Please register this device first." wrapText="true"/>
-				<TextFlow styleClass="text-flow">
-					<Text text="Verification Code: "/>
-					<Text styleClass="label-large" text="${controller.verificationCode}"/>
-				</TextFlow>
+				<Label text="TODO This device is not yet known to Cryptomator Hub. Please register this device first." wrapText="true"/>
+				<HBox spacing="6" alignment="CENTER_LEFT">
+					<FormattedLabel format="TODO User %s" arg1="${controller.userName}"/>
+				</HBox>
+				<HBox spacing="6" alignment="CENTER_LEFT">
+					<Label text="TODO Device Name" labelFor="$deviceNameField"/>
+					<TextField fx:id="deviceNameField"/>
+				</HBox>
 			</VBox>
 		</HBox>
 
@@ -42,11 +44,7 @@
 			<ButtonBar buttonMinWidth="120" buttonOrder="+CU">
 				<buttons>
 					<Button text="%generic.button.close" ButtonBar.buttonData="CANCEL_CLOSE" cancelButton="true" onAction="#close"/>
-					<Button text="Register Device" ButtonBar.buttonData="OTHER" defaultButton="true" onAction="#browse" contentDisplay="LEFT">
-						<graphic>
-							<FontAwesome5IconView glyph="LINK" glyphSize="12"/>
-						</graphic>
-					</Button>
+					<Button text="TODO Register Device" ButtonBar.buttonData="OTHER" defaultButton="true" onAction="#register"/>
 				</buttons>
 			</ButtonBar>
 		</VBox>

From 157bef5df61b8af9ba645a8ef7ddeabd0331e1bf Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Wed, 15 Dec 2021 17:19:00 +0100
Subject: [PATCH 30/55] close dialog after successful device registration (to
 be improved lol)

---
 .../cryptomator/ui/keyloading/hub/RegisterDeviceController.java  | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
index 442fe2022..e22a4db18 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
@@ -80,6 +80,7 @@ public class RegisterDeviceController implements FxController {
 
 	private void registrationSucceeded(HttpResponse<Void> voidHttpResponse) {
 		LOG.info("Registered!");
+		result.cancel(true); // TODO: show visual feedback "please wait for device authorization"
 	}
 
 	private Void registrationFailed(Throwable cause) {

From 25b9722019ddcabb847f53182691fe4470b75941 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Wed, 15 Dec 2021 17:19:59 +0100
Subject: [PATCH 31/55] Use CompletableFuture instead of UserInteractionLock +
 AtomicReference

---
 .../ui/keyloading/hub/AuthFlowController.java | 26 +++++-----------
 .../keyloading/hub/HubKeyLoadingModule.java   | 18 ++---------
 .../keyloading/hub/HubKeyLoadingStrategy.java | 31 +++++++++----------
 .../keyloading/hub/ReceiveKeyController.java  | 24 ++++----------
 .../hub/RegisterDeviceController.java         | 16 ++++------
 .../hub/UnauthorizedDeviceController.java     | 17 +++-------
 6 files changed, 42 insertions(+), 90 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowController.java
index 65c9a0df7..339030cf2 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowController.java
@@ -1,15 +1,12 @@
 package org.cryptomator.ui.keyloading.hub;
 
+import com.nimbusds.jose.JWEObject;
 import dagger.Lazy;
-import org.cryptomator.ui.common.ErrorComponent;
 import org.cryptomator.ui.common.FxController;
 import org.cryptomator.ui.common.FxmlFile;
 import org.cryptomator.ui.common.FxmlScene;
-import org.cryptomator.ui.common.UserInteractionLock;
 import org.cryptomator.ui.keyloading.KeyLoading;
 import org.cryptomator.ui.keyloading.KeyLoadingScoped;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 
 import javax.inject.Inject;
 import javax.inject.Named;
@@ -24,29 +21,27 @@ import javafx.scene.Scene;
 import javafx.stage.Stage;
 import javafx.stage.WindowEvent;
 import java.net.URI;
+import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.atomic.AtomicReference;
 
 @KeyLoadingScoped
 public class AuthFlowController implements FxController {
 
-	private static final Logger LOG = LoggerFactory.getLogger(AuthFlowController.class);
-
 	private final Application application;
 	private final Stage window;
 	private final ExecutorService executor;
 	private final String deviceId;
 	private final HubConfig hubConfig;
 	private final AtomicReference<String> tokenRef;
-	private final UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result;
+	private final CompletableFuture<JWEObject> result;
 	private final Lazy<Scene> receiveKeyScene;
-	private final ErrorComponent.Builder errorComponent;
 	private final ObjectProperty<URI> authUri;
 	private final StringBinding authHost;
 	private AuthFlowTask task;
 
 	@Inject
-	public AuthFlowController(Application application, @KeyLoading Stage window, ExecutorService executor, @Named("deviceId") String deviceId, HubConfig hubConfig, @Named("bearerToken") AtomicReference<String> tokenRef, UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result, @FxmlScene(FxmlFile.HUB_RECEIVE_KEY) Lazy<Scene> receiveKeyScene, ErrorComponent.Builder errorComponent) {
+	public AuthFlowController(Application application, @KeyLoading Stage window, ExecutorService executor, @Named("deviceId") String deviceId, HubConfig hubConfig, @Named("bearerToken") AtomicReference<String> tokenRef, CompletableFuture<JWEObject> result, @FxmlScene(FxmlFile.HUB_RECEIVE_KEY) Lazy<Scene> receiveKeyScene) {
 		this.application = application;
 		this.window = window;
 		this.executor = executor;
@@ -55,7 +50,6 @@ public class AuthFlowController implements FxController {
 		this.tokenRef = tokenRef;
 		this.result = result;
 		this.receiveKeyScene = receiveKeyScene;
-		this.errorComponent = errorComponent;
 		this.authUri = new SimpleObjectProperty<>();
 		this.authHost = Bindings.createStringBinding(this::getAuthHost, authUri);
 		this.window.addEventHandler(WindowEvent.WINDOW_HIDING, this::windowClosed);
@@ -64,7 +58,7 @@ public class AuthFlowController implements FxController {
 	@FXML
 	public void initialize() {
 		assert task == null;
-		task = new AuthFlowTask(hubConfig, new AuthFlowContext(deviceId), this::setAuthUri);;
+		task = new AuthFlowTask(hubConfig, new AuthFlowContext(deviceId), this::setAuthUri);
 		task.setOnFailed(this::authFailed);
 		task.setOnSucceeded(this::authSucceeded);
 		executor.submit(task);
@@ -88,11 +82,7 @@ public class AuthFlowController implements FxController {
 	private void windowClosed(WindowEvent windowEvent) {
 		// stop server, if it is still running
 		task.cancel();
-		// if not already interacted, mark this workflow as cancelled:
-		if (result.awaitingInteraction().get()) {
-			LOG.debug("Authorization cancelled by user.");
-			result.interacted(HubKeyLoadingModule.HubLoadingResult.CANCELLED);
-		}
+		result.cancel(true);
 	}
 
 	private void authSucceeded(WorkerStateEvent workerStateEvent) {
@@ -102,11 +92,9 @@ public class AuthFlowController implements FxController {
 	}
 
 	private void authFailed(WorkerStateEvent workerStateEvent) {
-		result.interacted(HubKeyLoadingModule.HubLoadingResult.FAILED);
 		window.requestFocus();
 		var exception = workerStateEvent.getSource().getException();
-		LOG.error("Authentication failed", exception);
-		errorComponent.cause(exception).window(window).build().showErrorScene();
+		result.completeExceptionally(exception);
 	}
 
 	/* Getter/Setter */
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
index 04faa1493..4d4d810a3 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
@@ -17,7 +17,6 @@ import org.cryptomator.ui.common.FxmlLoaderFactory;
 import org.cryptomator.ui.common.FxmlScene;
 import org.cryptomator.ui.common.NewPasswordController;
 import org.cryptomator.ui.common.PasswordStrengthUtil;
-import org.cryptomator.ui.common.UserInteractionLock;
 import org.cryptomator.ui.keyloading.KeyLoading;
 import org.cryptomator.ui.keyloading.KeyLoadingScoped;
 import org.cryptomator.ui.keyloading.KeyLoadingStrategy;
@@ -28,17 +27,12 @@ import java.io.IOException;
 import java.io.UncheckedIOException;
 import java.util.Objects;
 import java.util.ResourceBundle;
+import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.atomic.AtomicReference;
 
 @Module
 public abstract class HubKeyLoadingModule {
 
-	public enum HubLoadingResult {
-		SUCCESS,
-		FAILED,
-		CANCELLED
-	}
-
 	@Provides
 	@KeyLoadingScoped
 	static HubConfig provideHubConfig(@KeyLoading Vault vault) {
@@ -67,14 +61,8 @@ public abstract class HubKeyLoadingModule {
 
 	@Provides
 	@KeyLoadingScoped
-	static AtomicReference<JWEObject> provideJweRef() {
-		return new AtomicReference<>();
-	}
-
-	@Provides
-	@KeyLoadingScoped
-	static UserInteractionLock<HubLoadingResult> provideResultLock() {
-		return new UserInteractionLock<>(null);
+	static CompletableFuture<JWEObject> provideResult() {
+		return new CompletableFuture<>();
 	}
 
 	@Binds
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java
index 8316f640a..10d1399e2 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java
@@ -8,7 +8,6 @@ import org.cryptomator.cryptolib.api.Masterkey;
 import org.cryptomator.cryptolib.api.MasterkeyLoadingFailedException;
 import org.cryptomator.ui.common.FxmlFile;
 import org.cryptomator.ui.common.FxmlScene;
-import org.cryptomator.ui.common.UserInteractionLock;
 import org.cryptomator.ui.keyloading.KeyLoading;
 import org.cryptomator.ui.keyloading.KeyLoadingStrategy;
 import org.cryptomator.ui.unlock.UnlockCancelledException;
@@ -19,8 +18,9 @@ import javafx.scene.Scene;
 import javafx.stage.Stage;
 import javafx.stage.Window;
 import java.net.URI;
-import java.util.concurrent.CompletionStage;
-import java.util.concurrent.atomic.AtomicReference;
+import java.util.concurrent.CancellationException;
+import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.ExecutionException;
 
 @KeyLoading
 public class HubKeyLoadingStrategy implements KeyLoadingStrategy {
@@ -31,37 +31,37 @@ public class HubKeyLoadingStrategy implements KeyLoadingStrategy {
 
 	private final Stage window;
 	private final Lazy<Scene> authFlowScene;
-	private final UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> userInteraction;
+	private final CompletableFuture<JWEObject> result;
 	private final DeviceKey deviceKey;
-	private final AtomicReference<JWEObject> jweRef;
 
 	@Inject
-	public HubKeyLoadingStrategy(@KeyLoading Stage window, @FxmlScene(FxmlFile.HUB_AUTH_FLOW) Lazy<Scene> authFlowScene, UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> userInteraction, DeviceKey deviceKey, AtomicReference<JWEObject> jweRef) {
+	public HubKeyLoadingStrategy(@KeyLoading Stage window, @FxmlScene(FxmlFile.HUB_AUTH_FLOW) Lazy<Scene> authFlowScene, CompletableFuture<JWEObject> result, DeviceKey deviceKey) {
 		this.window = window;
 		this.authFlowScene = authFlowScene;
-		this.userInteraction = userInteraction;
+		this.result = result;
 		this.deviceKey = deviceKey;
-		this.jweRef = jweRef;
 	}
 
 	@Override
 	public Masterkey loadKey(URI keyId) throws MasterkeyLoadingFailedException {
 		Preconditions.checkArgument(keyId.getScheme().startsWith(SCHEME_PREFIX));
 		try {
-			return switch (auth()) {
-				case SUCCESS -> JWEHelper.decrypt(jweRef.get(), deviceKey.get().getPrivate());
-				case FAILED -> throw new MasterkeyLoadingFailedException("failed to load keypair");
-				case CANCELLED -> throw new UnlockCancelledException("User cancelled auth workflow");
-			};
+			startAuthFlow();
+			var jwe = result.get();
+			return JWEHelper.decrypt(jwe, deviceKey.get().getPrivate());
 		} catch (DeviceKey.DeviceKeyRetrievalException e) {
-			throw new MasterkeyLoadingFailedException("Failed to create or load device key pair", e);
+			throw new MasterkeyLoadingFailedException("Failed to load keypair", e);
+		} catch (CancellationException e) {
+			throw new UnlockCancelledException("User cancelled auth workflow", e);
 		} catch (InterruptedException e) {
 			Thread.currentThread().interrupt();
 			throw new UnlockCancelledException("Loading interrupted", e);
+		} catch (ExecutionException e) {
+			throw new MasterkeyLoadingFailedException("Failed to retrieve key", e);
 		}
 	}
 
-	private HubKeyLoadingModule.HubLoadingResult auth() throws InterruptedException {
+	private void startAuthFlow() {
 		Platform.runLater(() -> {
 			window.setScene(authFlowScene.get());
 			window.show();
@@ -73,7 +73,6 @@ public class HubKeyLoadingStrategy implements KeyLoadingStrategy {
 				window.centerOnScreen();
 			}
 		});
-		return userInteraction.awaitInteraction();
 	}
 
 }
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
index 5bc8bc419..ee584b764 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
@@ -3,11 +3,9 @@ package org.cryptomator.ui.keyloading.hub;
 import com.nimbusds.jose.JWEObject;
 import dagger.Lazy;
 import org.cryptomator.common.vaults.Vault;
-import org.cryptomator.ui.common.ErrorComponent;
 import org.cryptomator.ui.common.FxController;
 import org.cryptomator.ui.common.FxmlFile;
 import org.cryptomator.ui.common.FxmlScene;
-import org.cryptomator.ui.common.UserInteractionLock;
 import org.cryptomator.ui.keyloading.KeyLoading;
 import org.cryptomator.ui.keyloading.KeyLoadingScoped;
 import org.eclipse.jetty.io.RuntimeIOException;
@@ -31,6 +29,7 @@ import java.net.http.HttpRequest;
 import java.net.http.HttpResponse;
 import java.text.ParseException;
 import java.util.Objects;
+import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.atomic.AtomicReference;
 
@@ -43,24 +42,20 @@ public class ReceiveKeyController implements FxController {
 	private final Stage window;
 	private final String deviceId;
 	private final String bearerToken;
-	private final AtomicReference<JWEObject> jweRef;
-	private final UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result;
+	private final CompletableFuture<JWEObject> result;
 	private final Lazy<Scene> registerDeviceScene;
 	private final Lazy<Scene> unauthorizedScene;
-	private final ErrorComponent.Builder errorComponent;
 	private final URI vaultBaseUri;
 	private final HttpClient httpClient;
 
 	@Inject
-	public ReceiveKeyController(@KeyLoading Vault vault, ExecutorService executor, @KeyLoading Stage window, @Named("deviceId") String deviceId, @Named("bearerToken") AtomicReference<String> tokenRef, AtomicReference<JWEObject> jweRef, UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result, @FxmlScene(FxmlFile.HUB_REGISTER_DEVICE) Lazy<Scene> registerDeviceScene, @FxmlScene(FxmlFile.HUB_UNAUTHORIZED_DEVICE) Lazy<Scene> unauthorizedScene, ErrorComponent.Builder errorComponent) {
+	public ReceiveKeyController(@KeyLoading Vault vault, ExecutorService executor, @KeyLoading Stage window, @Named("deviceId") String deviceId, @Named("bearerToken") AtomicReference<String> tokenRef, CompletableFuture<JWEObject> result, @FxmlScene(FxmlFile.HUB_REGISTER_DEVICE) Lazy<Scene> registerDeviceScene, @FxmlScene(FxmlFile.HUB_UNAUTHORIZED_DEVICE) Lazy<Scene> unauthorizedScene) {
 		this.window = window;
 		this.deviceId = deviceId;
 		this.bearerToken = Objects.requireNonNull(tokenRef.get());
-		this.jweRef = jweRef;
 		this.result = result;
 		this.registerDeviceScene = registerDeviceScene;
 		this.unauthorizedScene = unauthorizedScene;
-		this.errorComponent = errorComponent;
 		this.vaultBaseUri = getVaultBaseUri(vault);
 		this.window.addEventHandler(WindowEvent.WINDOW_HIDING, this::windowClosed);
 		this.httpClient = HttpClient.newBuilder().executor(executor).build();
@@ -94,8 +89,7 @@ public class ReceiveKeyController implements FxController {
 	private void retrievalSucceeded(HttpResponse<InputStream> response) throws IOException {
 		try {
 			var string = HttpHelper.readBody(response);
-			jweRef.set(JWEObject.parse(string));
-			result.interacted(HubKeyLoadingModule.HubLoadingResult.SUCCESS);
+			result.complete(JWEObject.parse(string));
 			window.close();
 		} catch (ParseException e) {
 			throw new IOException("Failed to parse JWE", e);
@@ -111,9 +105,7 @@ public class ReceiveKeyController implements FxController {
 	}
 
 	private Void retrievalFailed(Throwable cause) {
-		result.interacted(HubKeyLoadingModule.HubLoadingResult.FAILED);
-		LOG.error("Key retrieval failed", cause);
-		errorComponent.cause(cause).window(window).build().showErrorScene();
+		result.completeExceptionally(cause);
 		return null;
 	}
 
@@ -123,11 +115,7 @@ public class ReceiveKeyController implements FxController {
 	}
 
 	private void windowClosed(WindowEvent windowEvent) {
-		// if not already interacted, mark this workflow as cancelled:
-		if (result.awaitingInteraction().get()) {
-			LOG.debug("Authorization cancelled by user.");
-			result.interacted(HubKeyLoadingModule.HubLoadingResult.CANCELLED);
-		}
+		result.cancel(true);
 	}
 
 	private static URI appendPath(URI base, String path) {
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
index e22a4db18..721573755 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
@@ -5,10 +5,10 @@ import com.auth0.jwt.interfaces.DecodedJWT;
 import com.google.common.io.BaseEncoding;
 import com.google.gson.Gson;
 import com.google.gson.GsonBuilder;
+import com.nimbusds.jose.JWEObject;
 import org.cryptomator.common.settings.DeviceKey;
 import org.cryptomator.cryptolib.common.P384KeyPair;
 import org.cryptomator.ui.common.FxController;
-import org.cryptomator.ui.common.UserInteractionLock;
 import org.cryptomator.ui.keyloading.KeyLoading;
 import org.cryptomator.ui.keyloading.KeyLoadingScoped;
 import org.slf4j.Logger;
@@ -27,6 +27,7 @@ import java.net.http.HttpRequest;
 import java.net.http.HttpResponse;
 import java.nio.charset.StandardCharsets;
 import java.util.Objects;
+import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.atomic.AtomicReference;
 
@@ -41,14 +42,14 @@ public class RegisterDeviceController implements FxController {
 	private final String bearerToken;
 	private final String deviceId;
 	private final P384KeyPair keyPair;
-	private final UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result;
+	private final CompletableFuture<JWEObject> result;
 	private final DecodedJWT jwt;
 	private final HttpClient httpClient;
 
 	public TextField deviceNameField;
 
 	@Inject
-	public RegisterDeviceController(@KeyLoading Stage window, ExecutorService executor, HubConfig hubConfig, @Named("deviceId") String deviceId, DeviceKey deviceKey, UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result, @Named("bearerToken") AtomicReference<String> bearerToken) {
+	public RegisterDeviceController(@KeyLoading Stage window, ExecutorService executor, HubConfig hubConfig, @Named("deviceId") String deviceId, DeviceKey deviceKey, CompletableFuture<JWEObject> result, @Named("bearerToken") AtomicReference<String> bearerToken) {
 		this.window = window;
 		this.hubConfig = hubConfig;
 		this.deviceId = deviceId;
@@ -84,9 +85,7 @@ public class RegisterDeviceController implements FxController {
 	}
 
 	private Void registrationFailed(Throwable cause) {
-		result.interacted(HubKeyLoadingModule.HubLoadingResult.FAILED);
-		LOG.error("Key retrieval failed", cause);
-		// TODO errorComponent.cause(cause).window(window).build().showErrorScene();
+		result.completeExceptionally(cause);
 		return null;
 	}
 
@@ -96,10 +95,7 @@ public class RegisterDeviceController implements FxController {
 	}
 
 	private void windowClosed(WindowEvent windowEvent) {
-		// if not already interacted, mark this workflow as cancelled:
-		if (result.awaitingInteraction().get()) {
-			result.interacted(HubKeyLoadingModule.HubLoadingResult.CANCELLED);
-		}
+		result.cancel(true);
 	}
 
 	/* Getter */
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/UnauthorizedDeviceController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/UnauthorizedDeviceController.java
index a915f4016..1a7cbab02 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/UnauthorizedDeviceController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/UnauthorizedDeviceController.java
@@ -1,27 +1,24 @@
 package org.cryptomator.ui.keyloading.hub;
 
+import com.nimbusds.jose.JWEObject;
 import org.cryptomator.ui.common.FxController;
-import org.cryptomator.ui.common.UserInteractionLock;
 import org.cryptomator.ui.keyloading.KeyLoading;
 import org.cryptomator.ui.keyloading.KeyLoadingScoped;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 
 import javax.inject.Inject;
 import javafx.fxml.FXML;
 import javafx.stage.Stage;
 import javafx.stage.WindowEvent;
+import java.util.concurrent.CompletableFuture;
 
 @KeyLoadingScoped
 public class UnauthorizedDeviceController implements FxController {
 
-	private static final Logger LOG = LoggerFactory.getLogger(UnauthorizedDeviceController.class);
-
 	private final Stage window;
-	private final UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result;
+	private final CompletableFuture<JWEObject> result;
 
 	@Inject
-	public UnauthorizedDeviceController(@KeyLoading Stage window, UserInteractionLock<HubKeyLoadingModule.HubLoadingResult> result) {
+	public UnauthorizedDeviceController(@KeyLoading Stage window, CompletableFuture<JWEObject> result) {
 		this.window = window;
 		this.result = result;
 		this.window.addEventHandler(WindowEvent.WINDOW_HIDING, this::windowClosed);
@@ -33,10 +30,6 @@ public class UnauthorizedDeviceController implements FxController {
 	}
 
 	private void windowClosed(WindowEvent windowEvent) {
-		// if not already interacted, mark this workflow as cancelled:
-		if (result.awaitingInteraction().get()) {
-			LOG.debug("Authorization cancelled. Device not authorized.");
-			result.interacted(HubKeyLoadingModule.HubLoadingResult.CANCELLED);
-		}
+		result.cancel(true);
 	}
 }

From e6f43d1f059f27ffa2f6817ff5b4125bee259a2f Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Wed, 15 Dec 2021 17:31:08 +0100
Subject: [PATCH 32/55] no need to run code in ui thread

---
 .../org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java | 2 +-
 .../cryptomator/ui/keyloading/hub/RegisterDeviceController.java | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
index ee584b764..be4c3b791 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
@@ -70,7 +70,7 @@ public class ReceiveKeyController implements FxController {
 				.build();
 		httpClient.sendAsync(request, HttpResponse.BodyHandlers.ofInputStream()) //
 				.thenAcceptAsync(this::loadedExistingKey, Platform::runLater) //
-				.exceptionallyAsync(this::retrievalFailed, Platform::runLater);
+				.exceptionally(this::retrievalFailed);
 	}
 
 	private void loadedExistingKey(HttpResponse<InputStream> response) {
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
index 721573755..890ae55a0 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
@@ -76,7 +76,7 @@ public class RegisterDeviceController implements FxController {
 				.build();
 		httpClient.sendAsync(request, HttpResponse.BodyHandlers.discarding()) //
 				.thenAcceptAsync(this::registrationSucceeded, Platform::runLater) //
-				.exceptionallyAsync(this::registrationFailed, Platform::runLater);
+				.exceptionally(this::registrationFailed);
 	}
 
 	private void registrationSucceeded(HttpResponse<Void> voidHttpResponse) {

From abc0f952e07877b4f8f5098798822af467f3d607 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Wed, 15 Dec 2021 17:32:11 +0100
Subject: [PATCH 33/55] closing the window will cancel implicitly

---
 .../cryptomator/ui/keyloading/hub/RegisterDeviceController.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
index 890ae55a0..d50b565b5 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
@@ -81,7 +81,7 @@ public class RegisterDeviceController implements FxController {
 
 	private void registrationSucceeded(HttpResponse<Void> voidHttpResponse) {
 		LOG.info("Registered!");
-		result.cancel(true); // TODO: show visual feedback "please wait for device authorization"
+		window.close(); // TODO: show visual feedback "please wait for device authorization"
 	}
 
 	private Void registrationFailed(Throwable cause) {

From 165f190004558659b703157b36b8cbc888c66d6c Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Fri, 18 Feb 2022 09:13:33 +0100
Subject: [PATCH 34/55] read device registration url from vault config

---
 src/main/java/org/cryptomator/ui/keyloading/hub/HubConfig.java  | 2 +-
 .../cryptomator/ui/keyloading/hub/RegisterDeviceController.java | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/HubConfig.java b/src/main/java/org/cryptomator/ui/keyloading/hub/HubConfig.java
index 050435327..7c2bc8be7 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/HubConfig.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HubConfig.java
@@ -6,7 +6,7 @@ public class HubConfig {
 	public String clientId;
 	public String authEndpoint;
 	public String tokenEndpoint;
-	public String deviceRegistrationUrl;
+	public String devicesResourceUrl;
 	public String authSuccessUrl;
 	public String authErrorUrl;
 
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
index d50b565b5..2c346d977 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
@@ -63,7 +63,7 @@ public class RegisterDeviceController implements FxController {
 
 	@FXML
 	public void register() {
-		var keyUri = URI.create("http://localhost:9090/devices/" + deviceId); // TODO lol hubConfig.deviceRegistrationUrl
+		var keyUri = URI.create(hubConfig.devicesResourceUrl + deviceId);
 		var deviceKey = keyPair.getPublic().getEncoded();
 		var dto = new CreateDeviceDto();
 		dto.id = deviceId;

From 9f7442c1c0dd3d48bdd781637d60727fe453b5c9 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Wed, 23 Feb 2022 12:49:39 +0100
Subject: [PATCH 35/55] read clientId from vault config

---
 src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlow.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlow.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlow.java
index a4a55e78c..80bad9c6e 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlow.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlow.java
@@ -107,7 +107,7 @@ class AuthFlow implements AutoCloseable {
 
 	private String token(PKCE pkce, String authCode) throws IOException, InterruptedException {
 		var params = Map.of("grant_type", "authorization_code", //
-				"client_id", "cryptomator-hub", // TODO
+				"client_id", clientId, //
 				"redirect_uri", receiver.getRedirectUri(), //
 				"code", authCode, //
 				"code_verifier", pkce.verifier //

From 2108a77e12a7a3be48109b1ce4a44bf8948e6b20 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Fri, 8 Apr 2022 20:45:22 +0200
Subject: [PATCH 36/55] adjusted build scripts for Cryptomator Hub

---
 .github/workflows/appimage.yml | 3 ++-
 .github/workflows/mac-dmg.yml  | 3 ++-
 .github/workflows/win-exe.yml  | 3 ++-
 dist/linux/appimage/build.sh   | 2 +-
 dist/linux/debian/rules        | 3 ++-
 dist/mac/dmg/build.sh          | 3 ++-
 dist/win/build.ps1             | 3 ++-
 7 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/appimage.yml b/.github/workflows/appimage.yml
index ce23bac60..225bf1e46 100644
--- a/.github/workflows/appimage.yml
+++ b/.github/workflows/appimage.yml
@@ -60,7 +60,7 @@ jobs:
           --verbose
           --output runtime
           --module-path "${JAVA_HOME}/jmods"
-          --add-modules java.base,java.desktop,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,jdk.unsupported,jdk.crypto.ec,jdk.accessibility,jdk.management.jfr
+          --add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,jdk.unsupported,jdk.crypto.ec,jdk.accessibility,jdk.management.jfr
           --no-header-files
           --no-man-pages
           --strip-debug
@@ -86,6 +86,7 @@ jobs:
           --java-options "-Dcryptomator.logDir=\"~/.local/share/Cryptomator/logs\""
           --java-options "-Dcryptomator.pluginDir=\"~/.local/share/Cryptomator/plugins\""
           --java-options "-Dcryptomator.settingsPath=\"~/.config/Cryptomator/settings.json:~/.Cryptomator/settings.json\""
+          --java-options "-Dcryptomator.p12Path=\"~/.config/Cryptomator/key.p12\""
           --java-options "-Dcryptomator.ipcSocketPath=\"~/.config/Cryptomator/ipc.socket\""
           --java-options "-Dcryptomator.mountPointsDir=\"~/.local/share/Cryptomator/mnt\""
           --java-options "-Dcryptomator.showTrayIcon=false"
diff --git a/.github/workflows/mac-dmg.yml b/.github/workflows/mac-dmg.yml
index 3e1e6ceac..3f3b45d9a 100644
--- a/.github/workflows/mac-dmg.yml
+++ b/.github/workflows/mac-dmg.yml
@@ -60,7 +60,7 @@ jobs:
           --verbose
           --output runtime
           --module-path "${JAVA_HOME}/jmods"
-          --add-modules java.base,java.desktop,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,jdk.unsupported,jdk.crypto.ec,jdk.accessibility,jdk.management.jfr
+          --add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,jdk.unsupported,jdk.crypto.ec,jdk.accessibility,jdk.management.jfr
           --strip-native-commands
           --no-header-files
           --no-man-pages
@@ -88,6 +88,7 @@ jobs:
           --java-options "-Dcryptomator.logDir=\"~/Library/Logs/Cryptomator\""
           --java-options "-Dcryptomator.pluginDir=\"~/Library/Application Support/Cryptomator/Plugins\""
           --java-options "-Dcryptomator.settingsPath=\"~/Library/Application Support/Cryptomator/settings.json\""
+          --java-options "-Dcryptomator.p12Path=\"~/Library/Application Support/Cryptomator/key.p12\""
           --java-options "-Dcryptomator.ipcSocketPath=\"~/Library/Application Support/Cryptomator/ipc.socket\""
           --java-options "-Dcryptomator.showTrayIcon=true"
           --java-options "-Dcryptomator.buildNumber=\"dmg-${{ steps.versions.outputs.revNum }}\""
diff --git a/.github/workflows/win-exe.yml b/.github/workflows/win-exe.yml
index 5b1ba1aaf..8a6e459b2 100644
--- a/.github/workflows/win-exe.yml
+++ b/.github/workflows/win-exe.yml
@@ -65,7 +65,7 @@ jobs:
           --verbose
           --output runtime
           --module-path "${JAVA_HOME}/jmods"
-          --add-modules java.base,java.desktop,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,jdk.unsupported,jdk.crypto.ec,jdk.accessibility,jdk.management.jfr
+          --add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,jdk.unsupported,jdk.crypto.ec,jdk.accessibility,jdk.management.jfr
           --strip-native-commands
           --no-header-files
           --no-man-pages
@@ -92,6 +92,7 @@ jobs:
           --java-options "-Dcryptomator.logDir=\"~/AppData/Roaming/Cryptomator\""
           --java-options "-Dcryptomator.pluginDir=\"~/AppData/Roaming/Cryptomator/Plugins\""
           --java-options "-Dcryptomator.settingsPath=\"~/AppData/Roaming/Cryptomator/settings.json\""
+          --java-options "-Dcryptomator.p12Path=\"~/AppData/Roaming/Cryptomator/key.p12\""
           --java-options "-Dcryptomator.ipcSocketPath=\"~/AppData/Roaming/Cryptomator/ipc.socket\""
           --java-options "-Dcryptomator.keychainPath=\"~/AppData/Roaming/Cryptomator/keychain.json\""
           --java-options "-Dcryptomator.mountPointsDir=\"~/Cryptomator\""
diff --git a/dist/linux/appimage/build.sh b/dist/linux/appimage/build.sh
index 6dd670df2..c9fdb77f0 100755
--- a/dist/linux/appimage/build.sh
+++ b/dist/linux/appimage/build.sh
@@ -19,7 +19,7 @@ cp ../../../target/cryptomator-*.jar ../../../target/mods
 ${JAVA_HOME}/bin/jlink \
     --output runtime \
     --module-path "${JAVA_HOME}/jmods" \
-    --add-modules java.base,java.desktop,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,jdk.unsupported,jdk.crypto.ec,jdk.accessibility,jdk.management.jfr \
+    --add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,jdk.unsupported,jdk.crypto.ec,jdk.accessibility,jdk.management.jfr \
     --no-header-files \
     --no-man-pages \
     --strip-debug \
diff --git a/dist/linux/debian/rules b/dist/linux/debian/rules
index e4f824394..b6292ceef 100755
--- a/dist/linux/debian/rules
+++ b/dist/linux/debian/rules
@@ -18,7 +18,7 @@ override_dh_auto_build:
 	ln -s ../common/org.cryptomator.Cryptomator512.png resources/cryptomator.png
 	jlink \
 		--output runtime \
-		--add-modules java.base,java.desktop,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,jdk.unsupported,jdk.crypto.ec,jdk.accessibility,jdk.management.jfr \
+		--add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,jdk.unsupported,jdk.crypto.ec,jdk.accessibility,jdk.management.jfr \
 		--no-header-files \
 		--no-man-pages \
 		--strip-debug \
@@ -39,6 +39,7 @@ override_dh_auto_build:
 		--java-options "-Dcryptomator.logDir=\"~/.local/share/Cryptomator/logs\"" \
 		--java-options "-Dcryptomator.pluginDir=\"~/.local/share/Cryptomator/plugins\"" \
 		--java-options "-Dcryptomator.settingsPath=\"~/.config/Cryptomator/settings.json:~/.Cryptomator/settings.json\"" \
+		--java-options "-Dcryptomator.p12Path=\"~/.config/Cryptomator/key.p12\""
 		--java-options "-Dcryptomator.ipcSocketPath=\"~/.config/Cryptomator/ipc.socket\"" \
 		--java-options "-Dcryptomator.mountPointsDir=\"~/.local/share/Cryptomator/mnt\"" \
 		--java-options "-Dcryptomator.showTrayIcon=false" \
diff --git a/dist/mac/dmg/build.sh b/dist/mac/dmg/build.sh
index c90411acb..5c23804b7 100755
--- a/dist/mac/dmg/build.sh
+++ b/dist/mac/dmg/build.sh
@@ -37,7 +37,7 @@ cp ../../../target/cryptomator-*.jar ../../../target/mods
 ${JAVA_HOME}/bin/jlink \
     --output runtime \
     --module-path "${JAVA_HOME}/jmods" \
-    --add-modules java.base,java.desktop,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,jdk.unsupported,jdk.crypto.ec,jdk.accessibility,jdk.management.jfr \
+    --add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,jdk.unsupported,jdk.crypto.ec,jdk.accessibility,jdk.management.jfr \
     --no-header-files \
     --no-man-pages \
     --strip-debug \
@@ -64,6 +64,7 @@ ${JAVA_HOME}/bin/jpackage \
     --java-options "-Dcryptomator.logDir=\"~/Library/Logs/Cryptomator\"" \
     --java-options "-Dcryptomator.pluginDir=\"~/Library/Application Support/Cryptomator/Plugins\"" \
     --java-options "-Dcryptomator.settingsPath=\"~/Library/Application Support/Cryptomator/settings.json\"" \
+    --java-options "-Dcryptomator.p12Path=\"~/Library/Application Support/Cryptomator/key.p12\"" \
     --java-options "-Dcryptomator.ipcSocketPath=\"~/Library/Application Support/Cryptomator/ipc.socket\"" \
     --java-options "-Dcryptomator.showTrayIcon=true" \
     --java-options "-Dcryptomator.buildNumber=\"dmg-${REVISION_NO}\"" \
diff --git a/dist/win/build.ps1 b/dist/win/build.ps1
index e3ba36efd..aee2caa7b 100644
--- a/dist/win/build.ps1
+++ b/dist/win/build.ps1
@@ -41,7 +41,7 @@ if ($clean -and (Test-Path -Path $runtimeImagePath)) {
 	--verbose `
 	--output runtime `
 	--module-path "$Env:JAVA_HOME/jmods" `
-	--add-modules java.base,java.desktop,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,jdk.unsupported,jdk.crypto.ec,jdk.accessibility,jdk.management.jfr `
+	--add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,jdk.unsupported,jdk.crypto.ec,jdk.accessibility,jdk.management.jfr `
 	--no-header-files `
 	--no-man-pages `
 	--strip-debug `
@@ -72,6 +72,7 @@ if ($clean -and (Test-Path -Path $appPath)) {
 	--java-options "-Dcryptomator.logDir=`"~/AppData/Roaming/Cryptomator`"" `
 	--java-options "-Dcryptomator.pluginDir=`"~/AppData/Roaming/Cryptomator/Plugins`"" `
 	--java-options "-Dcryptomator.settingsPath=`"~/AppData/Roaming/Cryptomator/settings.json`"" `
+	--java-options "-Dcryptomator.p12Path=`"~/AppData/Roaming/Cryptomator/key.p12`"" `
 	--java-options "-Dcryptomator.ipcSocketPath=`"~/AppData/Roaming/Cryptomator/ipc.socket`"" `
 	--java-options "-Dcryptomator.keychainPath=`"~/AppData/Roaming/Cryptomator/keychain.json`"" `
 	--java-options "-Dcryptomator.mountPointsDir=`"~/Cryptomator`"" `

From 9d4f9c12b90a22a46bfca8c1fbe01b7dbfd77a81 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Mon, 25 Apr 2022 16:28:54 +0200
Subject: [PATCH 37/55] outsourced authorization flow to
 https://github.com/coffeelibs/tiny-oauth2-client

---
 pom.xml                                       |  20 +-
 src/main/java/module-info.java                |   4 +-
 .../ui/keyloading/hub/AuthFlow.java           | 186 ------------------
 .../ui/keyloading/hub/AuthFlowController.java |   7 +-
 .../ui/keyloading/hub/AuthFlowReceiver.java   | 101 ----------
 .../ui/keyloading/hub/AuthFlowTask.java       |  18 +-
 .../ui/keyloading/hub/HttpHelper.java         |   8 -
 .../keyloading/hub/ReceiveKeyController.java  |   3 +-
 .../hub/AuthFlowIntegrationTest.java          |  36 ----
 9 files changed, 23 insertions(+), 360 deletions(-)
 delete mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlow.java
 delete mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowReceiver.java
 delete mode 100644 src/test/java/org/cryptomator/ui/keyloading/hub/AuthFlowIntegrationTest.java

diff --git a/pom.xml b/pom.xml
index fa1470c96..518d17251 100644
--- a/pom.xml
+++ b/pom.xml
@@ -48,7 +48,6 @@
 		<zxcvbn.version>1.6.0</zxcvbn.version>
 		<slf4j.version>1.7.36</slf4j.version>
 		<logback.version>1.2.11</logback.version>
-		<jetty.version>10.0.6</jetty.version>
 
 		<!-- test dependencies -->
 		<junit.jupiter.version>5.8.1</junit.jupiter.version>
@@ -140,23 +139,12 @@
 			<version>${commons-lang3.version}</version>
 		</dependency>
 
+		<!-- OAuth/JWT -->
 		<dependency>
-			<groupId>org.eclipse.jetty</groupId>
-			<artifactId>jetty-server</artifactId>
-			<version>${jetty.version}</version>
+			<groupId>io.github.coffeelibs</groupId>
+			<artifactId>tiny-oauth2-client</artifactId>
+			<version>0.1.1</version>
 		</dependency>
-		<dependency>
-			<groupId>org.eclipse.jetty</groupId>
-			<artifactId>jetty-webapp</artifactId>
-			<version>${jetty.version}</version>
-		</dependency>
-		<dependency>
-			<groupId>org.eclipse.jetty</groupId>
-			<artifactId>jetty-servlets</artifactId>
-			<version>${jetty.version}</version>
-		</dependency>
-
-		<!-- JWT -->
 		<dependency>
 			<groupId>com.auth0</groupId>
 			<artifactId>java-jwt</artifactId>
diff --git a/src/main/java/module-info.java b/src/main/java/module-info.java
index ae2d4c320..7138bcf09 100644
--- a/src/main/java/module-info.java
+++ b/src/main/java/module-info.java
@@ -28,11 +28,9 @@ module org.cryptomator.desktop {
 	requires com.nulabinc.zxcvbn;
 	requires com.tobiasdiez.easybind;
 	requires dagger;
+	requires io.github.coffeelibs.tinyoauth2client;
 	requires org.slf4j;
 	requires org.apache.commons.lang3;
-	requires org.eclipse.jetty.server;
-	requires org.eclipse.jetty.webapp;
-	requires org.eclipse.jetty.servlets;
 
 	/* TODO: filename-based modules: */
 	requires static javax.inject; /* ugly dagger/guava crap */
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlow.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlow.java
deleted file mode 100644
index 80bad9c6e..000000000
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlow.java
+++ /dev/null
@@ -1,186 +0,0 @@
-package org.cryptomator.ui.keyloading.hub;
-
-import com.google.common.base.Splitter;
-import com.google.common.base.Strings;
-import com.google.common.collect.Streams;
-import com.google.common.escape.Escaper;
-import com.google.common.io.BaseEncoding;
-import com.google.common.net.PercentEscaper;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.net.URI;
-import java.net.URISyntaxException;
-import java.net.http.HttpClient;
-import java.net.http.HttpRequest;
-import java.net.http.HttpResponse;
-import java.nio.charset.StandardCharsets;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-import java.security.SecureRandom;
-import java.util.Map;
-import java.util.function.Consumer;
-import java.util.stream.Collectors;
-import java.util.stream.Stream;
-
-/**
- * Simple OAuth 2.0 Authentication Code Flow with {@link PKCE}.
- * <p>
- * @see <a href="https://datatracker.ietf.org/doc/html/rfc8252">RFC 8252</a>
- * @see <a href="https://datatracker.ietf.org/doc/html/rfc6749">RFC 6749</a>
- * @see <a href="https://datatracker.ietf.org/doc/html/rfc7636">RFC 7636</a>
- */
-class AuthFlow implements AutoCloseable {
-
-	private static final Logger LOG = LoggerFactory.getLogger(AuthFlow.class);
-	private static final SecureRandom CSPRNG = new SecureRandom();
-	private static final BaseEncoding BASE64URL = BaseEncoding.base64Url().omitPadding();
-	public static final Escaper QUERY_STRING_ESCAPER = new PercentEscaper("-_.!~*'()@:$,;/?", false);
-
-	private final AuthFlowReceiver receiver;
-	private final URI authEndpoint; // see https://datatracker.ietf.org/doc/html/rfc6749#section-3.1
-	private final URI tokenEndpoint; // see https://datatracker.ietf.org/doc/html/rfc6749#section-3.2
-	private final String clientId; // see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
-
-	private AuthFlow(AuthFlowReceiver receiver, HubConfig hubConfig) {
-		this.receiver = receiver;
-		this.authEndpoint = URI.create(hubConfig.authEndpoint);
-		this.tokenEndpoint = URI.create(hubConfig.tokenEndpoint);
-		this.clientId = hubConfig.clientId;
-	}
-
-	/**
-	 * Prepares an Authorization Code Flow with PKCE.
-	 * <p>
-	 * This will start a loopback server, so make sure to {@link #close()} this resource.
-	 *
-	 * @param hubConfig A hub config object containing parameters required for this auth flow
-	 * @return An authorization flow
-	 * @throws Exception In case of any problems starting the server
-	 */
-	public static AuthFlow init(HubConfig hubConfig, AuthFlowContext authFlowContext) throws Exception {
-		var receiver = AuthFlowReceiver.start(hubConfig, authFlowContext);
-		return new AuthFlow(receiver, hubConfig);
-	}
-
-	/**
-	 * Runs this Authorization Code Flow. This will take a long time and should be done in a background thread.
-	 *
-	 * @param browser A callback that will open the auth URI in a browser
-	 * @return The access token
-	 * @throws IOException In case of any errors, including failed authentication.
-	 * @throws InterruptedException If this method is interrupted while waiting for responses from the authorization server
-	 */
-	public String run(Consumer<URI> browser) throws IOException, InterruptedException {
-		var pkce = new PKCE();
-		var authCode = auth(pkce, browser);
-		return token(pkce, authCode);
-	}
-
-	private String auth(PKCE pkce, Consumer<URI> browser) throws IOException, InterruptedException {
-		var state = BASE64URL.encode(randomBytes(16));
-		var params = Map.of("response_type", "code", //
-				"client_id", clientId, //
-				"redirect_uri", receiver.getRedirectUri(), //
-				"state", state, //
-				"code_challenge", pkce.challenge, //
-				"code_challenge_method", PKCE.METHOD //
-		);
-		var uri = appendQueryParams(this.authEndpoint, params);
-
-		// open browser and wait for response
-		LOG.debug("waiting for user to log into {}", uri);
-		browser.accept(uri);
-		var callback = receiver.receive();
-
-		if (!state.equals(callback.state())) {
-			throw new IOException("Invalid CSRF Token");
-		} else if (callback.error() != null) {
-			throw new IOException("Authentication failed " + callback.error());
-		} else if (callback.code() == null) {
-			throw new IOException("Received neither authentication code nor error");
-		}
-		return callback.code();
-	}
-
-	private String token(PKCE pkce, String authCode) throws IOException, InterruptedException {
-		var params = Map.of("grant_type", "authorization_code", //
-				"client_id", clientId, //
-				"redirect_uri", receiver.getRedirectUri(), //
-				"code", authCode, //
-				"code_verifier", pkce.verifier //
-		);
-		var paramStr = paramString(params).collect(Collectors.joining("&"));
-		var request = HttpRequest.newBuilder(this.tokenEndpoint) //
-				.header("Content-Type", "application/x-www-form-urlencoded") //
-				.POST(HttpRequest.BodyPublishers.ofString(paramStr)) //
-				.build();
-		HttpResponse<InputStream> response = HttpClient.newHttpClient().send(request, HttpResponse.BodyHandlers.ofInputStream());
-		if (response.statusCode() == 200) {
-			var json = HttpHelper.parseBody(response);
-			return json.getAsJsonObject().get("access_token").getAsString();
-		} else {
-			LOG.error("Unexpected HTTP response {}: {}", response.statusCode(), HttpHelper.readBody(response));
-			throw new IOException("Unexpected HTTP response code " + response.statusCode());
-		}
-	}
-
-	private URI appendQueryParams(URI uri, Map<String, String> params) {
-		var oldParams = Splitter.on("&").omitEmptyStrings().splitToStream(Strings.nullToEmpty(uri.getQuery()));
-		var newParams = paramString(params);
-		var query = Streams.concat(oldParams, newParams).collect(Collectors.joining("&"));
-		try {
-			return new URI(uri.getScheme(), uri.getAuthority(), uri.getPath(), query, uri.getFragment());
-		} catch (URISyntaxException e) {
-			throw new IllegalArgumentException("Unable to create URI from given", e);
-		}
-	}
-
-	private Stream<String> paramString(Map<String, String> params) {
-		return params.entrySet().stream().map(param -> {
-			var key = QUERY_STRING_ESCAPER.escape(param.getKey());
-			var value = QUERY_STRING_ESCAPER.escape(param.getValue());
-			return key + "=" + value;
-		});
-	}
-
-	@Override
-	public void close() throws Exception {
-		receiver.close();
-	}
-
-	/**
-	 * @see <a href="https://datatracker.ietf.org/doc/html/rfc7636">RFC 7636</a>
-	 */
-	private static record PKCE(String challenge, String verifier) {
-
-		public static final String METHOD = "S256";
-
-		public PKCE(String verifier) {
-			this(BASE64URL.encode(sha256(verifier.getBytes(StandardCharsets.US_ASCII))), verifier);
-		}
-
-		public PKCE() {
-			this(BASE64URL.encode(randomBytes(32)));
-		}
-
-	}
-
-	private static byte[] randomBytes(int len) {
-		byte[] bytes = new byte[len];
-		CSPRNG.nextBytes(bytes);
-		return bytes;
-	}
-
-	private static byte[] sha256(byte[] input) {
-		try {
-			var digest = MessageDigest.getInstance("SHA-256");
-			return digest.digest(input);
-		} catch (NoSuchAlgorithmException e) {
-			throw new IllegalStateException("Every implementation of the Java platform is required to support SHA-256.");
-		}
-	}
-
-}
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowController.java
index 339030cf2..23ecfff91 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowController.java
@@ -11,6 +11,7 @@ import org.cryptomator.ui.keyloading.KeyLoadingScoped;
 import javax.inject.Inject;
 import javax.inject.Named;
 import javafx.application.Application;
+import javafx.application.Platform;
 import javafx.beans.binding.Bindings;
 import javafx.beans.binding.StringBinding;
 import javafx.beans.property.ObjectProperty;
@@ -75,8 +76,10 @@ public class AuthFlowController implements FxController {
 	}
 
 	private void setAuthUri(URI uri) {
-		authUri.set(uri);
-		browse();
+		Platform.runLater(() -> {
+			authUri.set(uri);
+			browse();
+		});
 	}
 
 	private void windowClosed(WindowEvent windowEvent) {
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowReceiver.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowReceiver.java
deleted file mode 100644
index dc84c450c..000000000
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowReceiver.java
+++ /dev/null
@@ -1,101 +0,0 @@
-package org.cryptomator.ui.keyloading.hub;
-
-import org.eclipse.jetty.server.Connector;
-import org.eclipse.jetty.server.Server;
-import org.eclipse.jetty.server.ServerConnector;
-import org.eclipse.jetty.servlet.ServletContextHandler;
-import org.eclipse.jetty.servlet.ServletHolder;
-
-import javax.servlet.http.HttpServlet;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-import java.util.concurrent.BlockingQueue;
-import java.util.concurrent.LinkedBlockingQueue;
-
-/**
- * A basic implementation for RFC 8252, Section 7.3:
- * <p>
- * We're spawning a local http server on a system-assigned high port and
- * use <code>http://127.0.0.1:{PORT}/callback</code> as a redirect URI.
- * <p>
- * Furthermore, we can deliver a html response to inform the user that the
- * auth workflow finished and she can close the browser tab.
- */
-class AuthFlowReceiver implements AutoCloseable {
-
-	private static final String LOOPBACK_ADDR = "127.0.0.1";
-	private static final String CALLBACK_PATH = "/callback";
-
-	private final Server server;
-	private final ServerConnector connector;
-	private final CallbackServlet servlet;
-
-	private AuthFlowReceiver(Server server, ServerConnector connector, CallbackServlet servlet) {
-		this.server = server;
-		this.connector = connector;
-		this.servlet = servlet;
-	}
-
-	public static AuthFlowReceiver start(HubConfig hubConfig, AuthFlowContext authFlowContext) throws Exception {
-		var server = new Server();
-		var context = new ServletContextHandler();
-
-		var servlet = new CallbackServlet(hubConfig, authFlowContext);
-		context.addServlet(new ServletHolder(servlet), CALLBACK_PATH);
-
-		var connector = new ServerConnector(server);
-		connector.setPort(0);
-		connector.setHost(LOOPBACK_ADDR);
-		server.setConnectors(new Connector[]{connector});
-		server.setHandler(context);
-		server.start();
-		return new AuthFlowReceiver(server, connector, servlet);
-	}
-
-	public String getRedirectUri() {
-		return "http://" + LOOPBACK_ADDR + ":" + connector.getLocalPort() + CALLBACK_PATH;
-	}
-
-	public Callback receive() throws InterruptedException {
-		return servlet.callback.take();
-	}
-
-	@Override
-	public void close() throws Exception {
-		server.stop();
-	}
-
-	public static record Callback(String error, String code, String state) {
-
-	}
-
-	private static class CallbackServlet extends HttpServlet {
-
-		private final BlockingQueue<Callback> callback = new LinkedBlockingQueue<>();
-		private final HubConfig hubConfig;
-		private final AuthFlowContext authFlowContext;
-
-		public CallbackServlet(HubConfig hubConfig, AuthFlowContext authFlowContext) {
-			this.hubConfig = hubConfig;
-			this.authFlowContext = authFlowContext;
-		}
-
-		@Override
-		protected void doGet(HttpServletRequest req, HttpServletResponse res) throws IOException {
-			var error = req.getParameter("error");
-			var code = req.getParameter("code");
-			var state = req.getParameter("state");
-
-			res.setStatus(HttpServletResponse.SC_MOVED_TEMPORARILY);
-			if (error == null && code != null) {
-				res.setHeader("Location", hubConfig.authSuccessUrl + "&device=" + authFlowContext.deviceId());
-			} else {
-				res.setHeader("Location", hubConfig.authErrorUrl + "&device=" + authFlowContext.deviceId());
-			}
-
-			callback.add(new Callback(error, code, state));
-		}
-	}
-
-}
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowTask.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowTask.java
index be41df2dd..b9b4fdf0b 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowTask.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowTask.java
@@ -1,12 +1,16 @@
 package org.cryptomator.ui.keyloading.hub;
 
-import javafx.application.Platform;
+import com.google.gson.JsonParser;
+import io.github.coffeelibs.tinyoauth2client.AuthFlow;
+
 import javafx.concurrent.Task;
+import java.io.IOException;
 import java.net.URI;
 import java.util.function.Consumer;
 
 class AuthFlowTask extends Task<String> {
 
+	private final HubConfig hubConfig;
 	private final AuthFlowContext authFlowContext;
 	private final Consumer<URI> redirectUriConsumer;
 
@@ -23,11 +27,13 @@ class AuthFlowTask extends Task<String> {
 	}
 
 	@Override
-	protected String call() throws Exception {
-		try (var authFlow = AuthFlow.init(hubConfig, authFlowContext)) {
-			return authFlow.run(uri -> Platform.runLater(() -> redirectUriConsumer.accept(uri)));
-		}
+	protected String call() throws IOException, InterruptedException {
+		// TODO configure redirectURIs with deviceId from authFlowContext
+		var response = AuthFlow.asClient(hubConfig.clientId) //
+				.authorize(URI.create(hubConfig.authEndpoint), redirectUriConsumer) //
+				.getAccessToken(URI.create(hubConfig.tokenEndpoint));
+		var json = JsonParser.parseString(response);
+		return json.getAsJsonObject().get("access_token").getAsString();
 	}
 
-	private final HubConfig hubConfig;
 }
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/HttpHelper.java b/src/main/java/org/cryptomator/ui/keyloading/hub/HttpHelper.java
index 7de2902be..51f3662a7 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/HttpHelper.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HttpHelper.java
@@ -20,12 +20,4 @@ class HttpHelper {
 		}
 	}
 
-	public static JsonElement parseBody(HttpResponse<InputStream> response) throws IOException {
-		try (InputStream in = response.body(); Reader reader = new InputStreamReader(in, StandardCharsets.UTF_8)) {
-			return JsonParser.parseReader(reader);
-		} catch (JsonParseException e) {
-			throw new IOException("Failed to parse JSON", e);
-		}
-	}
-
 }
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
index be4c3b791..2bdb772a6 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
@@ -8,7 +8,6 @@ import org.cryptomator.ui.common.FxmlFile;
 import org.cryptomator.ui.common.FxmlScene;
 import org.cryptomator.ui.keyloading.KeyLoading;
 import org.cryptomator.ui.keyloading.KeyLoadingScoped;
-import org.eclipse.jetty.io.RuntimeIOException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -82,7 +81,7 @@ public class ReceiveKeyController implements FxController {
 				default -> throw new IOException("Unexpected response " + response.statusCode());
 			}
 		} catch (IOException e) {
-			throw new RuntimeIOException(e);
+			throw new UncheckedIOException(e);
 		}
 	}
 
diff --git a/src/test/java/org/cryptomator/ui/keyloading/hub/AuthFlowIntegrationTest.java b/src/test/java/org/cryptomator/ui/keyloading/hub/AuthFlowIntegrationTest.java
deleted file mode 100644
index f2b9e9cd5..000000000
--- a/src/test/java/org/cryptomator/ui/keyloading/hub/AuthFlowIntegrationTest.java
+++ /dev/null
@@ -1,36 +0,0 @@
-package org.cryptomator.ui.keyloading.hub;
-
-import org.junit.jupiter.api.Assertions;
-import org.junit.jupiter.api.Disabled;
-import org.junit.jupiter.api.Test;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-public class AuthFlowIntegrationTest {
-
-	static {
-		System.setProperty("LOGLEVEL", "INFO");
-	}
-
-	private static final Logger LOG = LoggerFactory.getLogger(AuthFlowIntegrationTest.class);
-
-	@Test
-	@Disabled // only to be run manually
-	public void testRetrieveToken() throws Exception {
-		var hubConfig = new HubConfig();
-		hubConfig.authEndpoint = "http://localhost:8080/auth/realms/cryptomator/protocol/openid-connect/auth";
-		hubConfig.tokenEndpoint = "http://localhost:8080/auth/realms/cryptomator/protocol/openid-connect/token";
-		hubConfig.clientId = "cryptomator-hub";
-		hubConfig.authSuccessUrl = "http://localhost:3000/#/unlock-success?vault=vaultId";
-		hubConfig.authErrorUrl = "http://localhost:3000/#/unlock-error?vault=vaultId";
-
-		try (var authFlow = AuthFlow.init(hubConfig, new AuthFlowContext("deviceId"))) {
-			var token = authFlow.run(uri -> {
-				LOG.info("Visit {} to authenticate", uri);
-			});
-			LOG.info("Received token {}", token);
-			Assertions.assertNotNull(token);
-		}
-	}
-
-}
\ No newline at end of file

From d4b3eff42f7ac93b7c47da28188da3b92942d249 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel <sebastian.stenzel@gmail.com>
Date: Thu, 28 Apr 2022 12:59:27 +0200
Subject: [PATCH 38/55] restored success/error redirects

---
 pom.xml                                                        | 2 +-
 .../java/org/cryptomator/ui/keyloading/hub/AuthFlowTask.java   | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/pom.xml b/pom.xml
index ce0324ada..23a97717d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -143,7 +143,7 @@
 		<dependency>
 			<groupId>io.github.coffeelibs</groupId>
 			<artifactId>tiny-oauth2-client</artifactId>
-			<version>0.1.1</version>
+			<version>0.2.0</version>
 		</dependency>
 		<dependency>
 			<groupId>com.auth0</groupId>
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowTask.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowTask.java
index b9b4fdf0b..180a51ef0 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowTask.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowTask.java
@@ -28,8 +28,9 @@ class AuthFlowTask extends Task<String> {
 
 	@Override
 	protected String call() throws IOException, InterruptedException {
-		// TODO configure redirectURIs with deviceId from authFlowContext
 		var response = AuthFlow.asClient(hubConfig.clientId) //
+				.withSuccessRedirect(URI.create(hubConfig.authSuccessUrl + "&device=" + authFlowContext.deviceId())) //
+				.withErrorRedirect(URI.create(hubConfig.authErrorUrl + "&device=" + authFlowContext.deviceId())) //
 				.authorize(URI.create(hubConfig.authEndpoint), redirectUriConsumer) //
 				.getAccessToken(URI.create(hubConfig.tokenEndpoint));
 		var json = JsonParser.parseString(response);

From d6f489ea98ef0d84a5699794390570b20bce5211 Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Wed, 22 Jun 2022 12:36:00 +0200
Subject: [PATCH 39/55] bump dependencies

---
 pom.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pom.xml b/pom.xml
index 2be9cc560..c22254d13 100644
--- a/pom.xml
+++ b/pom.xml
@@ -40,7 +40,7 @@
 		<!-- 3rd party dependencies -->
 		<javafx.version>18.0.1</javafx.version>
 		<commons-lang3.version>3.12.0</commons-lang3.version>
-		<jwt.version>3.19.1</jwt.version>
+		<jwt.version>3.19.2</jwt.version>
 		<easybind.version>2.2</easybind.version>
 		<guava.version>31.1-jre</guava.version>
 		<dagger.version>2.41</dagger.version>
@@ -153,7 +153,7 @@
 		<dependency>
 			<groupId>com.nimbusds</groupId>
 			<artifactId>nimbus-jose-jwt</artifactId>
-			<version>9.15.2</version>
+			<version>9.23</version>
 		</dependency>
 
 		<!-- EasyBind -->

From f96c52cdb1367da10c760353184583ad6d923598 Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Fri, 24 Jun 2022 10:26:34 +0200
Subject: [PATCH 40/55] Disable Password tab if vault.config.keyid.scheme is
 not masterkeyfile

---
 .../ui/vaultoptions/VaultOptionsController.java           | 8 +++++++-
 src/main/resources/fxml/vault_options.fxml                | 2 +-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/vaultoptions/VaultOptionsController.java b/src/main/java/org/cryptomator/ui/vaultoptions/VaultOptionsController.java
index 15879e316..c0023acb8 100644
--- a/src/main/java/org/cryptomator/ui/vaultoptions/VaultOptionsController.java
+++ b/src/main/java/org/cryptomator/ui/vaultoptions/VaultOptionsController.java
@@ -1,5 +1,6 @@
 package org.cryptomator.ui.vaultoptions;
 
+import org.cryptomator.common.vaults.Vault;
 import org.cryptomator.ui.common.FxController;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -18,6 +19,7 @@ public class VaultOptionsController implements FxController {
 	private static final Logger LOG = LoggerFactory.getLogger(VaultOptionsController.class);
 
 	private final Stage window;
+	private final Vault vault;
 	private final ObjectProperty<SelectedVaultOptionsTab> selectedTabProperty;
 	public TabPane tabPane;
 	public Tab generalTab;
@@ -25,8 +27,9 @@ public class VaultOptionsController implements FxController {
 	public Tab keyTab;
 
 	@Inject
-	VaultOptionsController(@VaultOptionsWindow Stage window, ObjectProperty<SelectedVaultOptionsTab> selectedTabProperty) {
+	VaultOptionsController(@VaultOptionsWindow Stage window, @VaultOptionsWindow Vault vault, ObjectProperty<SelectedVaultOptionsTab> selectedTabProperty) {
 		this.window = window;
+		this.vault = vault;
 		this.selectedTabProperty = selectedTabProperty;
 	}
 
@@ -35,6 +38,9 @@ public class VaultOptionsController implements FxController {
 		window.setOnShowing(this::windowWillAppear);
 		selectedTabProperty.addListener(observable -> this.selectChosenTab());
 		tabPane.getSelectionModel().selectedItemProperty().addListener(observable -> this.selectedTabChanged());
+		if(!vault.getVaultConfigCache().getUnchecked().getKeyId().getScheme().equals("masterkeyfile")){
+			tabPane.getTabs().remove(keyTab);
+		}
 	}
 
 	private void selectChosenTab() {
diff --git a/src/main/resources/fxml/vault_options.fxml b/src/main/resources/fxml/vault_options.fxml
index e387cd7d2..6ecc2af9b 100644
--- a/src/main/resources/fxml/vault_options.fxml
+++ b/src/main/resources/fxml/vault_options.fxml
@@ -28,7 +28,7 @@
 				<fx:include source="vault_options_mount.fxml"/>
 			</content>
 		</Tab>
-		<Tab fx:id="keyTab" id="KEY" text="%vaultOptions.masterkey">
+		<Tab fx:id="keyTab" id="KEY" text="%vaultOptions.masterkey"> <!-- is removed in controller, when config.keyid.scheme is not masterkeyfile -->
 			<graphic>
 				<FontAwesome5IconView glyph="KEY"/>
 			</graphic>

From 9386804216f39d3159e40af2f87ff509b517f159 Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Thu, 30 Jun 2022 13:13:17 +0200
Subject: [PATCH 41/55] redesign auth processing dialog: * adjust to new design
 * add translation keys

---
 .../ui/keyloading/hub/AuthFlowController.java | 17 ------
 src/main/resources/fxml/hub_auth_flow.fxml    | 53 +++++++++++++------
 src/main/resources/i18n/strings.properties    |  5 ++
 3 files changed, 42 insertions(+), 33 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowController.java
index 23ecfff91..5765f56e0 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowController.java
@@ -38,7 +38,6 @@ public class AuthFlowController implements FxController {
 	private final CompletableFuture<JWEObject> result;
 	private final Lazy<Scene> receiveKeyScene;
 	private final ObjectProperty<URI> authUri;
-	private final StringBinding authHost;
 	private AuthFlowTask task;
 
 	@Inject
@@ -52,7 +51,6 @@ public class AuthFlowController implements FxController {
 		this.result = result;
 		this.receiveKeyScene = receiveKeyScene;
 		this.authUri = new SimpleObjectProperty<>();
-		this.authHost = Bindings.createStringBinding(this::getAuthHost, authUri);
 		this.window.addEventHandler(WindowEvent.WINDOW_HIDING, this::windowClosed);
 	}
 
@@ -100,19 +98,4 @@ public class AuthFlowController implements FxController {
 		result.completeExceptionally(exception);
 	}
 
-	/* Getter/Setter */
-
-	public StringBinding authHostProperty() {
-		return authHost;
-	}
-
-	public String getAuthHost() {
-		var uri = authUri.get();
-		if (uri == null) {
-			return "";
-		} else {
-			return uri.getAuthority().toString();
-		}
-	}
-
 }
diff --git a/src/main/resources/fxml/hub_auth_flow.fxml b/src/main/resources/fxml/hub_auth_flow.fxml
index a6d086ea3..40bb9986a 100644
--- a/src/main/resources/fxml/hub_auth_flow.fxml
+++ b/src/main/resources/fxml/hub_auth_flow.fxml
@@ -1,37 +1,58 @@
 <?xml version="1.0" encoding="UTF-8"?>
 
+<?import org.cryptomator.ui.controls.FontAwesome5Spinner?>
 <?import javafx.geometry.Insets?>
 <?import javafx.scene.control.Button?>
 <?import javafx.scene.control.ButtonBar?>
 <?import javafx.scene.control.Hyperlink?>
-<?import javafx.scene.image.Image?>
-<?import javafx.scene.image.ImageView?>
+<?import javafx.scene.control.Label?>
+<?import javafx.scene.Group?>
 <?import javafx.scene.layout.HBox?>
+<?import javafx.scene.layout.Region?>
+<?import javafx.scene.layout.StackPane?>
 <?import javafx.scene.layout.VBox?>
-<?import javafx.scene.text.Text?>
+<?import javafx.scene.shape.Circle?>
 <?import javafx.scene.text.TextFlow?>
-<VBox xmlns:fx="http://javafx.com/fxml"
+<?import org.cryptomator.ui.controls.FontAwesome5IconView?>
+<HBox xmlns:fx="http://javafx.com/fxml"
 	  xmlns="http://javafx.com/javafx"
 	  fx:controller="org.cryptomator.ui.keyloading.hub.AuthFlowController"
 	  minWidth="400"
 	  maxWidth="400"
 	  minHeight="145"
-	  spacing="12">
+	  spacing="12"
+	  alignment="TOP_LEFT">
 	<padding>
 		<Insets topRightBottomLeft="12"/>
 	</padding>
 	<children>
-		<HBox spacing="12" VBox.vgrow="ALWAYS">
-			<ImageView VBox.vgrow="ALWAYS" fitWidth="64" preserveRatio="true" cache="true">
-				<Image url="@../img/bot/bot.png"/>
-			</ImageView>
-			<TextFlow visible="${!controller.authHost.empty}" managed="${!controller.authHost.empty}">
-				<Text text="TODO: please login via " />
-				<Hyperlink styleClass="hyperlink-underline" text="${controller.authHost}" onAction="#browse"/>
-			</TextFlow>
-		</HBox>
+		<Group>
+			<StackPane>
+				<padding>
+					<Insets topRightBottomLeft="6"/>
+				</padding>
+				<Circle styleClass="glyph-icon-primary" radius="24"/>
+				<FontAwesome5Spinner styleClass="glyph-icon-white" glyphSize="24"/>
+			</StackPane>
+		</Group>
 
-		<VBox alignment="BOTTOM_CENTER" VBox.vgrow="ALWAYS">
+		<VBox HBox.hgrow="ALWAYS">
+			<Label styleClass="label-large" text="%hub.auth.message" wrapText="true" textAlignment="LEFT">
+				<padding>
+					<Insets bottom="6" top="6"/>
+				</padding>
+			</Label>
+			<Label text="%hub.auth.description" wrapText="true"/>
+			<Hyperlink styleClass="hyperlink-underline" text="%hub.auth.loginLink" onAction="#browse">
+				<graphic>
+					<FontAwesome5IconView glyph="LINK" glyphSize="12"/>
+				</graphic>
+				<padding>
+					<Insets top="12"/>
+				</padding>
+			</Hyperlink>
+
+			<Region VBox.vgrow="ALWAYS" minHeight="18"/>
 			<ButtonBar buttonMinWidth="120" buttonOrder="+C">
 				<buttons>
 					<Button text="%generic.button.cancel" ButtonBar.buttonData="CANCEL_CLOSE" cancelButton="true" onAction="#cancel"/>
@@ -39,4 +60,4 @@
 			</ButtonBar>
 		</VBox>
 	</children>
-</VBox>
+</HBox>
diff --git a/src/main/resources/i18n/strings.properties b/src/main/resources/i18n/strings.properties
index 2c1c8b157..5ad138044 100644
--- a/src/main/resources/i18n/strings.properties
+++ b/src/main/resources/i18n/strings.properties
@@ -124,6 +124,11 @@ unlock.error.message=Unable to unlock vault
 unlock.error.invalidMountPoint.notExisting=Mount point "%s" is not a directory, not empty or does not exist.
 unlock.error.invalidMountPoint.existing=Mount point "%s" already exists or parent folder is missing.
 unlock.error.invalidMountPoint.driveLetterOccupied=Drive Letter "%s" is already in use.
+## Hub
+### Waiting
+hub.auth.message=Waiting for authentication…
+hub.auth.description=You should automatically be redirected to the login page.
+hub.auth.loginLink=Not redirected? Click here to open it.
 
 # Lock
 ## Force

From e011a98fa0d836eb010c10aefc2abc44bbc1acf3 Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Mon, 4 Jul 2022 10:36:15 +0200
Subject: [PATCH 42/55] add window title to hub keyloading

---
 .../ui/keyloading/hub/HubKeyLoadingModule.java            | 8 ++++++++
 .../ui/keyloading/hub/HubKeyLoadingStrategy.java          | 4 +++-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
index 4d4d810a3..eacdfc10b 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
@@ -43,6 +43,14 @@ public abstract class HubKeyLoadingModule {
 		}
 	}
 
+	@Provides
+	@KeyLoadingScoped
+	@Named("windowTitle")
+	static String provideWindowTitle(@KeyLoading Vault vault, ResourceBundle resourceBundle) {
+		return String.format(resourceBundle.getString("unlock.title"), vault.getDisplayName());
+	}
+
+
 	@Provides
 	@KeyLoadingScoped
 	@Named("deviceId")
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java
index 10d1399e2..dcb5722d2 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java
@@ -13,6 +13,7 @@ import org.cryptomator.ui.keyloading.KeyLoadingStrategy;
 import org.cryptomator.ui.unlock.UnlockCancelledException;
 
 import javax.inject.Inject;
+import javax.inject.Named;
 import javafx.application.Platform;
 import javafx.scene.Scene;
 import javafx.stage.Stage;
@@ -35,8 +36,9 @@ public class HubKeyLoadingStrategy implements KeyLoadingStrategy {
 	private final DeviceKey deviceKey;
 
 	@Inject
-	public HubKeyLoadingStrategy(@KeyLoading Stage window, @FxmlScene(FxmlFile.HUB_AUTH_FLOW) Lazy<Scene> authFlowScene, CompletableFuture<JWEObject> result, DeviceKey deviceKey) {
+	public HubKeyLoadingStrategy(@KeyLoading Stage window, @FxmlScene(FxmlFile.HUB_AUTH_FLOW) Lazy<Scene> authFlowScene, CompletableFuture<JWEObject> result, DeviceKey deviceKey, @Named("windowTitle") String windowTitle) {
 		this.window = window;
+		window.setTitle(windowTitle);
 		this.authFlowScene = authFlowScene;
 		this.result = result;
 		this.deviceKey = deviceKey;

From 3ce0270cdedb6b509f3b8d375b805213ec1a1fd7 Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Mon, 4 Jul 2022 11:37:49 +0200
Subject: [PATCH 43/55] Adjust hub register device to new design

---
 .../resources/fxml/hub_register_device.fxml   | 59 +++++++++++--------
 src/main/resources/i18n/strings.properties    |  5 ++
 2 files changed, 39 insertions(+), 25 deletions(-)

diff --git a/src/main/resources/fxml/hub_register_device.fxml b/src/main/resources/fxml/hub_register_device.fxml
index 2fd5ceaa5..ff361e60b 100644
--- a/src/main/resources/fxml/hub_register_device.fxml
+++ b/src/main/resources/fxml/hub_register_device.fxml
@@ -1,52 +1,61 @@
 <?xml version="1.0" encoding="UTF-8"?>
 
-<?import org.cryptomator.ui.controls.FormattedLabel?>
+<?import org.cryptomator.ui.controls.FontAwesome5IconView?>
 <?import javafx.geometry.Insets?>
 <?import javafx.scene.control.Button?>
 <?import javafx.scene.control.ButtonBar?>
 <?import javafx.scene.control.Label?>
 <?import javafx.scene.control.TextField?>
-<?import javafx.scene.image.Image?>
-<?import javafx.scene.image.ImageView?>
+<?import javafx.scene.Group?>
 <?import javafx.scene.layout.HBox?>
+<?import javafx.scene.layout.Region?>
+<?import javafx.scene.layout.StackPane?>
 <?import javafx.scene.layout.VBox?>
-<VBox xmlns:fx="http://javafx.com/fxml"
+<?import javafx.scene.shape.Circle?>
+<HBox xmlns:fx="http://javafx.com/fxml"
 	  xmlns="http://javafx.com/javafx"
 	  fx:controller="org.cryptomator.ui.keyloading.hub.RegisterDeviceController"
 	  minWidth="400"
 	  maxWidth="400"
 	  minHeight="145"
-	  spacing="12">
+	  spacing="12"
+	  alignment="TOP_LEFT">
 	<padding>
 		<Insets topRightBottomLeft="12"/>
 	</padding>
 	<children>
-		<HBox spacing="12" VBox.vgrow="ALWAYS">
-			<HBox alignment="CENTER">
-				<ImageView VBox.vgrow="ALWAYS" fitWidth="64" preserveRatio="true" cache="true">
-					<Image url="@../img/bot/bot.png"/>
-				</ImageView>
+		<Group>
+			<StackPane>
+				<padding>
+					<Insets topRightBottomLeft="6"/>
+				</padding>
+				<Circle styleClass="glyph-icon-primary" radius="24"/>
+				<FontAwesome5IconView styleClass="glyph-icon-white" glyph="INFO" glyphSize="24"/>
+			</StackPane>
+		</Group>
+
+		<VBox HBox.hgrow="ALWAYS">
+			<Label styleClass="label-large" text="%hub.register.message" wrapText="true" textAlignment="LEFT">
+				<padding>
+					<Insets bottom="6" top="6"/>
+				</padding>
+			</Label>
+			<Label text="%hub.register.description" wrapText="true"/>
+			<HBox spacing="6" alignment="CENTER_LEFT">
+				<padding>
+					<Insets top="12"/>
+				</padding>
+				<Label text="%hub.register.nameLabel" labelFor="$deviceNameField"/>
+				<TextField fx:id="deviceNameField" HBox.hgrow="ALWAYS"/>
 			</HBox>
 
-			<VBox spacing="6">
-				<Label text="TODO This device is not yet known to Cryptomator Hub. Please register this device first." wrapText="true"/>
-				<HBox spacing="6" alignment="CENTER_LEFT">
-					<FormattedLabel format="TODO User %s" arg1="${controller.userName}"/>
-				</HBox>
-				<HBox spacing="6" alignment="CENTER_LEFT">
-					<Label text="TODO Device Name" labelFor="$deviceNameField"/>
-					<TextField fx:id="deviceNameField"/>
-				</HBox>
-			</VBox>
-		</HBox>
-
-		<VBox alignment="BOTTOM_CENTER" VBox.vgrow="ALWAYS">
+			<Region VBox.vgrow="ALWAYS" minHeight="18"/>
 			<ButtonBar buttonMinWidth="120" buttonOrder="+CU">
 				<buttons>
 					<Button text="%generic.button.close" ButtonBar.buttonData="CANCEL_CLOSE" cancelButton="true" onAction="#close"/>
-					<Button text="TODO Register Device" ButtonBar.buttonData="OTHER" defaultButton="true" onAction="#register"/>
+					<Button text="%hub.register.registerBtn" ButtonBar.buttonData="OTHER" defaultButton="true" onAction="#register"/>
 				</buttons>
 			</ButtonBar>
 		</VBox>
 	</children>
-</VBox>
+</HBox>
diff --git a/src/main/resources/i18n/strings.properties b/src/main/resources/i18n/strings.properties
index 5ad138044..242681f2f 100644
--- a/src/main/resources/i18n/strings.properties
+++ b/src/main/resources/i18n/strings.properties
@@ -129,6 +129,11 @@ unlock.error.invalidMountPoint.driveLetterOccupied=Drive Letter "%s" is already
 hub.auth.message=Waiting for authentication…
 hub.auth.description=You should automatically be redirected to the login page.
 hub.auth.loginLink=Not redirected? Click here to open it.
+### Register Device
+hub.register.message=Device unknown
+hub.register.description=Cryptomator Hub does not recognize this device. Please register it.
+hub.register.nameLabel=Device Name
+hub.register.registerBtn=Register
 
 # Lock
 ## Force

From ae2c67a88b406dca1ece6234dd4aec2db59b98fc Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Mon, 4 Jul 2022 11:50:07 +0200
Subject: [PATCH 44/55] fit unauthorized device dialog to new design

---
 .../fxml/hub_unauthorized_device.fxml         | 43 ++++++++++++-------
 src/main/resources/i18n/strings.properties    |  4 ++
 2 files changed, 32 insertions(+), 15 deletions(-)

diff --git a/src/main/resources/fxml/hub_unauthorized_device.fxml b/src/main/resources/fxml/hub_unauthorized_device.fxml
index 9538d19ef..085798387 100644
--- a/src/main/resources/fxml/hub_unauthorized_device.fxml
+++ b/src/main/resources/fxml/hub_unauthorized_device.fxml
@@ -1,40 +1,53 @@
 <?xml version="1.0" encoding="UTF-8"?>
 
+<?import org.cryptomator.ui.controls.FontAwesome5IconView?>
 <?import javafx.geometry.Insets?>
 <?import javafx.scene.control.Button?>
 <?import javafx.scene.control.ButtonBar?>
 <?import javafx.scene.control.Label?>
-<?import javafx.scene.image.Image?>
-<?import javafx.scene.image.ImageView?>
+<?import javafx.scene.Group?>
 <?import javafx.scene.layout.HBox?>
+<?import javafx.scene.layout.Region?>
+<?import javafx.scene.layout.StackPane?>
 <?import javafx.scene.layout.VBox?>
-<VBox xmlns:fx="http://javafx.com/fxml"
+<?import javafx.scene.shape.Circle?>
+<HBox xmlns:fx="http://javafx.com/fxml"
 	  xmlns="http://javafx.com/javafx"
 	  fx:controller="org.cryptomator.ui.keyloading.hub.UnauthorizedDeviceController"
 	  minWidth="400"
 	  maxWidth="400"
 	  minHeight="145"
-	  spacing="12">
+	  spacing="12"
+	  alignment="TOP_LEFT">
 	<padding>
 		<Insets topRightBottomLeft="12"/>
 	</padding>
 	<children>
-		<HBox spacing="12" VBox.vgrow="ALWAYS">
-			<ImageView VBox.vgrow="ALWAYS" fitWidth="64" preserveRatio="true" cache="true">
-				<Image url="@../img/bot/bot.png"/>
-			</ImageView>
+		<Group>
+			<StackPane>
+				<padding>
+					<Insets topRightBottomLeft="6"/>
+				</padding>
+				<Circle styleClass="glyph-icon-primary" radius="24"/>
+				<FontAwesome5IconView styleClass="glyph-icon-white" glyph="BAN" glyphSize="24"/>
+			</StackPane>
+		</Group>
+		<VBox HBox.hgrow="ALWAYS">
+			<Label styleClass="label-large" text="%hub.unauthorized.message" wrapText="true" textAlignment="LEFT">
+				<padding>
+					<Insets bottom="6" top="6"/>
+				</padding>
+			</Label>
+			<Label text="%hub.unauthorized.description" wrapText="true"/>
 
-			<VBox spacing="12">
-				<Label text="TODO: Your device has not yet been authorized to access this vault. Ask the vault owner to authorize it." wrapText="true"/>
-			</VBox>
-		</HBox>
-
-		<VBox alignment="BOTTOM_CENTER" VBox.vgrow="ALWAYS">
+			<Region VBox.vgrow="ALWAYS" minHeight="18"/>
 			<ButtonBar buttonMinWidth="120" buttonOrder="+C">
 				<buttons>
 					<Button text="%generic.button.close" ButtonBar.buttonData="CANCEL_CLOSE" defaultButton="true" onAction="#close"/>
+					<!-- TODO: add request access button -->
+					<!--Button text="%generic.button.close" ButtonBar.buttonData="CANCEL_CLOSE" defaultButton="true" onAction="#close"/-->
 				</buttons>
 			</ButtonBar>
 		</VBox>
 	</children>
-</VBox>
+</HBox>
diff --git a/src/main/resources/i18n/strings.properties b/src/main/resources/i18n/strings.properties
index 242681f2f..d405d66a8 100644
--- a/src/main/resources/i18n/strings.properties
+++ b/src/main/resources/i18n/strings.properties
@@ -134,6 +134,10 @@ hub.register.message=Device unknown
 hub.register.description=Cryptomator Hub does not recognize this device. Please register it.
 hub.register.nameLabel=Device Name
 hub.register.registerBtn=Register
+### Unauthorized
+hub.unauthorized.message=Access denied
+hub.unauthorized.description=Your device has not yet been authorized to access this vault. Ask the vault owner to authorize it.
+
 
 # Lock
 ## Force

From 381c1cd8d3f13f2273dd759c38f0545110351bac Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Mon, 4 Jul 2022 17:15:00 +0200
Subject: [PATCH 45/55] Bump tinyoauth2 dependecy and adjust to new api

---
 pom.xml                                       | 13 +++++-----
 .../ui/keyloading/hub/AuthFlowTask.java       | 25 ++++++++++++++-----
 2 files changed, 26 insertions(+), 12 deletions(-)

diff --git a/pom.xml b/pom.xml
index c22254d13..8382efff4 100644
--- a/pom.xml
+++ b/pom.xml
@@ -38,16 +38,17 @@
 		<cryptomator.webdav.version>1.2.7</cryptomator.webdav.version>
 
 		<!-- 3rd party dependencies -->
-		<javafx.version>18.0.1</javafx.version>
 		<commons-lang3.version>3.12.0</commons-lang3.version>
-		<jwt.version>3.19.2</jwt.version>
+		<dagger.version>2.41</dagger.version>
 		<easybind.version>2.2</easybind.version>
 		<guava.version>31.1-jre</guava.version>
-		<dagger.version>2.41</dagger.version>
 		<gson.version>2.9.0</gson.version>
-		<zxcvbn.version>1.7.0</zxcvbn.version>
-		<slf4j.version>1.7.36</slf4j.version>
+		<javafx.version>18.0.1</javafx.version>
+		<jwt.version>3.19.2</jwt.version>
 		<logback.version>1.2.11</logback.version>
+		<slf4j.version>1.7.36</slf4j.version>
+		<tinyoauth2.version>0.5.1</tinyoauth2.version>
+		<zxcvbn.version>1.7.0</zxcvbn.version>
 
 		<!-- test dependencies -->
 		<junit.jupiter.version>5.8.1</junit.jupiter.version>
@@ -143,7 +144,7 @@
 		<dependency>
 			<groupId>io.github.coffeelibs</groupId>
 			<artifactId>tiny-oauth2-client</artifactId>
-			<version>0.2.0</version>
+			<version>${tinyoauth2.version}</version>
 		</dependency>
 		<dependency>
 			<groupId>com.auth0</groupId>
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowTask.java b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowTask.java
index 180a51ef0..c65256007 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowTask.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowTask.java
@@ -2,6 +2,8 @@ package org.cryptomator.ui.keyloading.hub;
 
 import com.google.gson.JsonParser;
 import io.github.coffeelibs.tinyoauth2client.AuthFlow;
+import io.github.coffeelibs.tinyoauth2client.TinyOAuth2;
+import io.github.coffeelibs.tinyoauth2client.http.response.Response;
 
 import javafx.concurrent.Task;
 import java.io.IOException;
@@ -28,13 +30,24 @@ class AuthFlowTask extends Task<String> {
 
 	@Override
 	protected String call() throws IOException, InterruptedException {
-		var response = AuthFlow.asClient(hubConfig.clientId) //
-				.withSuccessRedirect(URI.create(hubConfig.authSuccessUrl + "&device=" + authFlowContext.deviceId())) //
-				.withErrorRedirect(URI.create(hubConfig.authErrorUrl + "&device=" + authFlowContext.deviceId())) //
-				.authorize(URI.create(hubConfig.authEndpoint), redirectUriConsumer) //
-				.getAccessToken(URI.create(hubConfig.tokenEndpoint));
-		var json = JsonParser.parseString(response);
+		var response = TinyOAuth2.client(hubConfig.clientId) //
+				.withTokenEndpoint(URI.create(hubConfig.tokenEndpoint)) //
+				.authFlow(URI.create(hubConfig.authEndpoint)) //
+				.setSuccessResponse(Response.redirect(URI.create(hubConfig.authSuccessUrl + "&device=" + authFlowContext.deviceId()))) //
+				.setErrorResponse(Response.redirect(URI.create(hubConfig.authErrorUrl + "&device=" + authFlowContext.deviceId()))) //
+				.authorize(redirectUriConsumer);
+		if (response.statusCode() != 200) {
+			throw new NotOkResponseException("Authorization returned status code " + response.statusCode());
+		}
+		var json = JsonParser.parseString(response.body());
 		return json.getAsJsonObject().get("access_token").getAsString();
 	}
 
+	public static class NotOkResponseException extends RuntimeException {
+
+		NotOkResponseException(String msg) {
+			super(msg);
+		}
+	}
+
 }

From 077825f98a9206e1775df1536ba135425c22a40c Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Tue, 5 Jul 2022 09:29:49 +0200
Subject: [PATCH 46/55] Add desgin to recieve key dialog

---
 .../keyloading/hub/ReceiveKeyController.java  |  1 -
 src/main/resources/fxml/hub_receive_key.fxml  | 38 +++++++++++++------
 src/main/resources/i18n/strings.properties    |  3 ++
 3 files changed, 29 insertions(+), 13 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
index 2bdb772a6..85af2c66d 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/ReceiveKeyController.java
@@ -35,7 +35,6 @@ import java.util.concurrent.atomic.AtomicReference;
 @KeyLoadingScoped
 public class ReceiveKeyController implements FxController {
 
-	private static final Logger LOG = LoggerFactory.getLogger(ReceiveKeyController.class);
 	private static final String SCHEME_PREFIX = "hub+";
 
 	private final Stage window;
diff --git a/src/main/resources/fxml/hub_receive_key.fxml b/src/main/resources/fxml/hub_receive_key.fxml
index 0ea9d012c..a180c997e 100644
--- a/src/main/resources/fxml/hub_receive_key.fxml
+++ b/src/main/resources/fxml/hub_receive_key.fxml
@@ -4,30 +4,44 @@
 <?import javafx.geometry.Insets?>
 <?import javafx.scene.control.Button?>
 <?import javafx.scene.control.ButtonBar?>
-<?import javafx.scene.image.Image?>
-<?import javafx.scene.image.ImageView?>
+<?import javafx.scene.control.Label?>
+<?import javafx.scene.Group?>
 <?import javafx.scene.layout.HBox?>
+<?import javafx.scene.layout.Region?>
+<?import javafx.scene.layout.StackPane?>
 <?import javafx.scene.layout.VBox?>
-<VBox xmlns:fx="http://javafx.com/fxml"
+<?import javafx.scene.shape.Circle?>
+<HBox xmlns:fx="http://javafx.com/fxml"
 	  xmlns="http://javafx.com/javafx"
 	  fx:controller="org.cryptomator.ui.keyloading.hub.ReceiveKeyController"
 	  minWidth="400"
 	  maxWidth="400"
 	  minHeight="145"
-	  spacing="12">
+	  spacing="12"
+	  alignment="TOP_LEFT">
 	<padding>
 		<Insets topRightBottomLeft="12"/>
 	</padding>
 	<children>
-		<HBox spacing="12" VBox.vgrow="ALWAYS">
-			<ImageView VBox.vgrow="ALWAYS" fitWidth="64" preserveRatio="true" cache="true">
-				<Image url="@../img/bot/bot.png"/>
-			</ImageView>
+		<Group>
+			<StackPane>
+				<padding>
+					<Insets topRightBottomLeft="6"/>
+				</padding>
+				<Circle styleClass="glyph-icon-primary" radius="24"/>
+				<FontAwesome5Spinner styleClass="glyph-icon-white" glyphSize="24"/>
+			</StackPane>
+		</Group>
 
-			<FontAwesome5Spinner glyphSize="12"/>
-		</HBox>
+		<VBox HBox.hgrow="ALWAYS">
+			<Label styleClass="label-large" text="%hub.receive.message" wrapText="true" textAlignment="LEFT">
+				<padding>
+					<Insets bottom="6" top="6"/>
+				</padding>
+			</Label>
+			<Label text="%hub.receive.description" wrapText="true"/>
 
-		<VBox alignment="BOTTOM_CENTER" VBox.vgrow="ALWAYS">
+			<Region VBox.vgrow="ALWAYS" minHeight="18"/>
 			<ButtonBar buttonMinWidth="120" buttonOrder="+C">
 				<buttons>
 					<Button text="%generic.button.cancel" ButtonBar.buttonData="CANCEL_CLOSE" cancelButton="true" onAction="#cancel"/>
@@ -35,4 +49,4 @@
 			</ButtonBar>
 		</VBox>
 	</children>
-</VBox>
+</HBox>
diff --git a/src/main/resources/i18n/strings.properties b/src/main/resources/i18n/strings.properties
index d405d66a8..8fe27bc0b 100644
--- a/src/main/resources/i18n/strings.properties
+++ b/src/main/resources/i18n/strings.properties
@@ -129,6 +129,9 @@ unlock.error.invalidMountPoint.driveLetterOccupied=Drive Letter "%s" is already
 hub.auth.message=Waiting for authentication…
 hub.auth.description=You should automatically be redirected to the login page.
 hub.auth.loginLink=Not redirected? Click here to open it.
+### Receive Key
+hub.receive.message=Processing response…
+hub.receive.description=Cryptomator is receiving and processing the response from Hub. Please wait.
 ### Register Device
 hub.register.message=Device unknown
 hub.register.description=Cryptomator Hub does not recognize this device. Please register it.

From a2d6db0415e548a82fbc5134378d5e7d5d6c4f27 Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Tue, 5 Jul 2022 11:09:29 +0200
Subject: [PATCH 47/55] Add device registrations success screen

---
 .../org/cryptomator/ui/common/FxmlFile.java   |  1 +
 .../keyloading/hub/HubKeyLoadingModule.java   | 12 +++++
 .../hub/RegisterDeviceController.java         | 12 +++--
 .../hub/RegisterSuccessController.java        | 24 +++++++++
 .../resources/fxml/hub_register_success.fxml  | 52 +++++++++++++++++++
 src/main/resources/i18n/strings.properties    |  3 ++
 6 files changed, 101 insertions(+), 3 deletions(-)
 create mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/RegisterSuccessController.java
 create mode 100644 src/main/resources/fxml/hub_register_success.fxml

diff --git a/src/main/java/org/cryptomator/ui/common/FxmlFile.java b/src/main/java/org/cryptomator/ui/common/FxmlFile.java
index b9e6a990e..f842a0798 100644
--- a/src/main/java/org/cryptomator/ui/common/FxmlFile.java
+++ b/src/main/java/org/cryptomator/ui/common/FxmlFile.java
@@ -16,6 +16,7 @@ public enum FxmlFile {
 	HUB_AUTH_FLOW("/fxml/hub_auth_flow.fxml"), //
 	HUB_RECEIVE_KEY("/fxml/hub_receive_key.fxml"), //
 	HUB_REGISTER_DEVICE("/fxml/hub_register_device.fxml"), //
+	HUB_REGISTER_SUCCESS("/fxml/hub_register_success.fxml"), //
 	HUB_UNAUTHORIZED_DEVICE("/fxml/hub_unauthorized_device.fxml"), //
 	LOCK_FORCED("/fxml/lock_forced.fxml"), //
 	LOCK_FAILED("/fxml/lock_failed.fxml"), //
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
index eacdfc10b..f5516fcc9 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
@@ -106,6 +106,13 @@ public abstract class HubKeyLoadingModule {
 		return fxmlLoaders.createScene(FxmlFile.HUB_REGISTER_DEVICE);
 	}
 
+	@Provides
+	@FxmlScene(FxmlFile.HUB_REGISTER_SUCCESS)
+	@KeyLoadingScoped
+	static Scene provideHubRegisterSuccessScene(@KeyLoading FxmlLoaderFactory fxmlLoaders) {
+		return fxmlLoaders.createScene(FxmlFile.HUB_REGISTER_SUCCESS);
+	}
+
 	@Provides
 	@FxmlScene(FxmlFile.HUB_UNAUTHORIZED_DEVICE)
 	@KeyLoadingScoped
@@ -135,6 +142,11 @@ public abstract class HubKeyLoadingModule {
 	@FxControllerKey(RegisterDeviceController.class)
 	abstract FxController bindRegisterDeviceController(RegisterDeviceController controller);
 
+	@Binds
+	@IntoMap
+	@FxControllerKey(RegisterSuccessController.class)
+	abstract FxController bindRegisterSuccessController(RegisterSuccessController controller);
+
 	@Binds
 	@IntoMap
 	@FxControllerKey(UnauthorizedDeviceController.class)
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
index 2c346d977..5719e6f23 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
@@ -6,9 +6,12 @@ import com.google.common.io.BaseEncoding;
 import com.google.gson.Gson;
 import com.google.gson.GsonBuilder;
 import com.nimbusds.jose.JWEObject;
+import dagger.Lazy;
 import org.cryptomator.common.settings.DeviceKey;
 import org.cryptomator.cryptolib.common.P384KeyPair;
 import org.cryptomator.ui.common.FxController;
+import org.cryptomator.ui.common.FxmlFile;
+import org.cryptomator.ui.common.FxmlScene;
 import org.cryptomator.ui.keyloading.KeyLoading;
 import org.cryptomator.ui.keyloading.KeyLoadingScoped;
 import org.slf4j.Logger;
@@ -18,6 +21,7 @@ import javax.inject.Inject;
 import javax.inject.Named;
 import javafx.application.Platform;
 import javafx.fxml.FXML;
+import javafx.scene.Scene;
 import javafx.scene.control.TextField;
 import javafx.stage.Stage;
 import javafx.stage.WindowEvent;
@@ -40,6 +44,7 @@ public class RegisterDeviceController implements FxController {
 	private final Stage window;
 	private final HubConfig hubConfig;
 	private final String bearerToken;
+	private final Lazy<Scene> registerSuccessScene;
 	private final String deviceId;
 	private final P384KeyPair keyPair;
 	private final CompletableFuture<JWEObject> result;
@@ -49,13 +54,14 @@ public class RegisterDeviceController implements FxController {
 	public TextField deviceNameField;
 
 	@Inject
-	public RegisterDeviceController(@KeyLoading Stage window, ExecutorService executor, HubConfig hubConfig, @Named("deviceId") String deviceId, DeviceKey deviceKey, CompletableFuture<JWEObject> result, @Named("bearerToken") AtomicReference<String> bearerToken) {
+	public RegisterDeviceController(@KeyLoading Stage window, ExecutorService executor, HubConfig hubConfig, @Named("deviceId") String deviceId, DeviceKey deviceKey, CompletableFuture<JWEObject> result, @Named("bearerToken") AtomicReference<String> bearerToken, @FxmlScene(FxmlFile.HUB_REGISTER_SUCCESS) Lazy<Scene> registerSuccessScene) {
 		this.window = window;
 		this.hubConfig = hubConfig;
 		this.deviceId = deviceId;
 		this.keyPair = Objects.requireNonNull(deviceKey.get());
 		this.result = result;
 		this.bearerToken = Objects.requireNonNull(bearerToken.get());
+		this.registerSuccessScene = registerSuccessScene;
 		this.jwt = JWT.decode(this.bearerToken);
 		this.window.addEventHandler(WindowEvent.WINDOW_HIDING, this::windowClosed);
 		this.httpClient = HttpClient.newBuilder().executor(executor).build();
@@ -80,8 +86,8 @@ public class RegisterDeviceController implements FxController {
 	}
 
 	private void registrationSucceeded(HttpResponse<Void> voidHttpResponse) {
-		LOG.info("Registered!");
-		window.close(); // TODO: show visual feedback "please wait for device authorization"
+		LOG.debug("Device registration for hub instance {} successful.", hubConfig.authSuccessUrl);
+		window.setScene(registerSuccessScene.get());
 	}
 
 	private Void registrationFailed(Throwable cause) {
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterSuccessController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterSuccessController.java
new file mode 100644
index 000000000..bba13516c
--- /dev/null
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterSuccessController.java
@@ -0,0 +1,24 @@
+package org.cryptomator.ui.keyloading.hub;
+
+import org.cryptomator.ui.common.FxController;
+import org.cryptomator.ui.keyloading.KeyLoading;
+
+import javax.inject.Inject;
+import javafx.fxml.FXML;
+import javafx.stage.Stage;
+
+public class RegisterSuccessController implements FxController {
+
+	private final Stage window;
+
+	@Inject
+	public RegisterSuccessController(@KeyLoading Stage window) {
+		this.window = window;
+	}
+
+	@FXML
+	public void close() {
+		window.close();
+	}
+
+}
diff --git a/src/main/resources/fxml/hub_register_success.fxml b/src/main/resources/fxml/hub_register_success.fxml
new file mode 100644
index 000000000..822a4489e
--- /dev/null
+++ b/src/main/resources/fxml/hub_register_success.fxml
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<?import org.cryptomator.ui.controls.FontAwesome5IconView?>
+<?import javafx.geometry.Insets?>
+<?import javafx.scene.control.Button?>
+<?import javafx.scene.control.ButtonBar?>
+<?import javafx.scene.control.Label?>
+<?import javafx.scene.Group?>
+<?import javafx.scene.layout.HBox?>
+<?import javafx.scene.layout.Region?>
+<?import javafx.scene.layout.StackPane?>
+<?import javafx.scene.layout.VBox?>
+<?import javafx.scene.shape.Circle?>
+<HBox xmlns:fx="http://javafx.com/fxml"
+	  xmlns="http://javafx.com/javafx"
+	  fx:controller="org.cryptomator.ui.keyloading.hub.RegisterSuccessController"
+	  minWidth="400"
+	  maxWidth="400"
+	  minHeight="145"
+	  spacing="12"
+	  alignment="TOP_LEFT">
+	<padding>
+		<Insets topRightBottomLeft="12"/>
+	</padding>
+	<children>
+		<Group>
+			<StackPane>
+				<padding>
+					<Insets topRightBottomLeft="6"/>
+				</padding>
+				<Circle styleClass="glyph-icon-primary" radius="24"/>
+				<FontAwesome5IconView styleClass="glyph-icon-white" glyph="CHECK" glyphSize="24"/>
+			</StackPane>
+		</Group>
+		<VBox HBox.hgrow="ALWAYS">
+			<Label styleClass="label-large" text="%hub.registerSuccess.message" wrapText="true" textAlignment="LEFT">
+				<padding>
+					<Insets bottom="6" top="6"/>
+				</padding>
+			</Label>
+			<Label text="%hub.registerSuccess.description" wrapText="true"/>
+
+			<Region VBox.vgrow="ALWAYS" minHeight="18"/>
+			<ButtonBar buttonMinWidth="120" buttonOrder="+C">
+				<buttons>
+					<Button text="%generic.button.close" ButtonBar.buttonData="CANCEL_CLOSE" defaultButton="true" onAction="#close"/>
+					<!-- TODO: add request access button -->
+				</buttons>
+			</ButtonBar>
+		</VBox>
+	</children>
+</HBox>
diff --git a/src/main/resources/i18n/strings.properties b/src/main/resources/i18n/strings.properties
index 8fe27bc0b..069918e5d 100644
--- a/src/main/resources/i18n/strings.properties
+++ b/src/main/resources/i18n/strings.properties
@@ -137,6 +137,9 @@ hub.register.message=Device unknown
 hub.register.description=Cryptomator Hub does not recognize this device. Please register it.
 hub.register.nameLabel=Device Name
 hub.register.registerBtn=Register
+### Registration Success
+hub.registerSuccess.message=Device registered
+hub.registerSuccess.description=To access the vault, your device needs to be authorized by the vault owner.
 ### Unauthorized
 hub.unauthorized.message=Access denied
 hub.unauthorized.description=Your device has not yet been authorized to access this vault. Ask the vault owner to authorize it.

From c191df9ee3aae96aa404b544bae0dbb817720f1c Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Tue, 5 Jul 2022 11:20:52 +0200
Subject: [PATCH 48/55] add device registration failed controller

---
 .../org/cryptomator/ui/common/FxmlFile.java   |  1 +
 .../keyloading/hub/HubKeyLoadingModule.java   | 12 +++++
 .../hub/RegisterDeviceController.java         | 19 +++++--
 .../hub/RegisterFailedController.java         | 29 +++++++++++
 .../resources/fxml/hub_register_failed.fxml   | 51 +++++++++++++++++++
 src/main/resources/i18n/strings.properties    |  3 ++
 6 files changed, 110 insertions(+), 5 deletions(-)
 create mode 100644 src/main/java/org/cryptomator/ui/keyloading/hub/RegisterFailedController.java
 create mode 100644 src/main/resources/fxml/hub_register_failed.fxml

diff --git a/src/main/java/org/cryptomator/ui/common/FxmlFile.java b/src/main/java/org/cryptomator/ui/common/FxmlFile.java
index f842a0798..0ab7375d7 100644
--- a/src/main/java/org/cryptomator/ui/common/FxmlFile.java
+++ b/src/main/java/org/cryptomator/ui/common/FxmlFile.java
@@ -17,6 +17,7 @@ public enum FxmlFile {
 	HUB_RECEIVE_KEY("/fxml/hub_receive_key.fxml"), //
 	HUB_REGISTER_DEVICE("/fxml/hub_register_device.fxml"), //
 	HUB_REGISTER_SUCCESS("/fxml/hub_register_success.fxml"), //
+	HUB_REGISTER_FAILED("/fxml/hub_register_failed.fxml"),
 	HUB_UNAUTHORIZED_DEVICE("/fxml/hub_unauthorized_device.fxml"), //
 	LOCK_FORCED("/fxml/lock_forced.fxml"), //
 	LOCK_FAILED("/fxml/lock_failed.fxml"), //
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
index f5516fcc9..587810021 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
@@ -113,6 +113,13 @@ public abstract class HubKeyLoadingModule {
 		return fxmlLoaders.createScene(FxmlFile.HUB_REGISTER_SUCCESS);
 	}
 
+	@Provides
+	@FxmlScene(FxmlFile.HUB_REGISTER_FAILED)
+	@KeyLoadingScoped
+	static Scene provideHubRegisterFailedScene(@KeyLoading FxmlLoaderFactory fxmlLoaders) {
+		return fxmlLoaders.createScene(FxmlFile.HUB_REGISTER_FAILED);
+	}
+
 	@Provides
 	@FxmlScene(FxmlFile.HUB_UNAUTHORIZED_DEVICE)
 	@KeyLoadingScoped
@@ -147,6 +154,11 @@ public abstract class HubKeyLoadingModule {
 	@FxControllerKey(RegisterSuccessController.class)
 	abstract FxController bindRegisterSuccessController(RegisterSuccessController controller);
 
+	@Binds
+	@IntoMap
+	@FxControllerKey(RegisterFailedController.class)
+	abstract FxController bindRegisterFailedController(RegisterFailedController controller);
+
 	@Binds
 	@IntoMap
 	@FxControllerKey(UnauthorizedDeviceController.class)
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
index 5719e6f23..a8cbe4148 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
@@ -45,6 +45,7 @@ public class RegisterDeviceController implements FxController {
 	private final HubConfig hubConfig;
 	private final String bearerToken;
 	private final Lazy<Scene> registerSuccessScene;
+	private final Lazy<Scene> registerFailedScene;
 	private final String deviceId;
 	private final P384KeyPair keyPair;
 	private final CompletableFuture<JWEObject> result;
@@ -54,7 +55,7 @@ public class RegisterDeviceController implements FxController {
 	public TextField deviceNameField;
 
 	@Inject
-	public RegisterDeviceController(@KeyLoading Stage window, ExecutorService executor, HubConfig hubConfig, @Named("deviceId") String deviceId, DeviceKey deviceKey, CompletableFuture<JWEObject> result, @Named("bearerToken") AtomicReference<String> bearerToken, @FxmlScene(FxmlFile.HUB_REGISTER_SUCCESS) Lazy<Scene> registerSuccessScene) {
+	public RegisterDeviceController(@KeyLoading Stage window, ExecutorService executor, HubConfig hubConfig, @Named("deviceId") String deviceId, DeviceKey deviceKey, CompletableFuture<JWEObject> result, @Named("bearerToken") AtomicReference<String> bearerToken, @FxmlScene(FxmlFile.HUB_REGISTER_SUCCESS) Lazy<Scene> registerSuccessScene, @FxmlScene(FxmlFile.HUB_REGISTER_FAILED) Lazy<Scene> registerFailedScene) {
 		this.window = window;
 		this.hubConfig = hubConfig;
 		this.deviceId = deviceId;
@@ -62,6 +63,7 @@ public class RegisterDeviceController implements FxController {
 		this.result = result;
 		this.bearerToken = Objects.requireNonNull(bearerToken.get());
 		this.registerSuccessScene = registerSuccessScene;
+		this.registerFailedScene = registerFailedScene;
 		this.jwt = JWT.decode(this.bearerToken);
 		this.window.addEventHandler(WindowEvent.WINDOW_HIDING, this::windowClosed);
 		this.httpClient = HttpClient.newBuilder().executor(executor).build();
@@ -81,8 +83,14 @@ public class RegisterDeviceController implements FxController {
 				.header("Content-Type", "application/json").PUT(HttpRequest.BodyPublishers.ofString(json, StandardCharsets.UTF_8)) //
 				.build();
 		httpClient.sendAsync(request, HttpResponse.BodyHandlers.discarding()) //
-				.thenAcceptAsync(this::registrationSucceeded, Platform::runLater) //
-				.exceptionally(this::registrationFailed);
+				.handleAsync((response, throwable) -> {
+					if( response != null) {
+						this.registrationSucceeded(response);
+					} else {
+						this.registrationFailed(throwable);
+					}
+					return null;
+				}, Platform::runLater);
 	}
 
 	private void registrationSucceeded(HttpResponse<Void> voidHttpResponse) {
@@ -90,9 +98,10 @@ public class RegisterDeviceController implements FxController {
 		window.setScene(registerSuccessScene.get());
 	}
 
-	private Void registrationFailed(Throwable cause) {
+	private void registrationFailed(Throwable cause) {
+		LOG.warn("Device registration failed.", cause);
+		window.setScene(registerFailedScene.get());
 		result.completeExceptionally(cause);
-		return null;
 	}
 
 	@FXML
diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterFailedController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterFailedController.java
new file mode 100644
index 000000000..8a4278d72
--- /dev/null
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterFailedController.java
@@ -0,0 +1,29 @@
+package org.cryptomator.ui.keyloading.hub;
+
+import com.nimbusds.jose.JWEObject;
+import org.cryptomator.ui.common.FxController;
+import org.cryptomator.ui.keyloading.KeyLoading;
+
+import javax.inject.Inject;
+import javafx.fxml.FXML;
+import javafx.stage.Stage;
+import java.util.concurrent.CompletableFuture;
+
+public class RegisterFailedController implements FxController {
+
+	private final Stage window;
+	private final CompletableFuture<JWEObject> result;
+
+	@Inject
+	public RegisterFailedController(@KeyLoading Stage window, CompletableFuture<JWEObject> result) {
+		this.window = window;
+		this.result = result;
+	}
+
+	@FXML
+	public void close() {
+		window.close();
+	}
+
+
+}
diff --git a/src/main/resources/fxml/hub_register_failed.fxml b/src/main/resources/fxml/hub_register_failed.fxml
new file mode 100644
index 000000000..7ebf59279
--- /dev/null
+++ b/src/main/resources/fxml/hub_register_failed.fxml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<?import org.cryptomator.ui.controls.FontAwesome5IconView?>
+<?import javafx.geometry.Insets?>
+<?import javafx.scene.control.Button?>
+<?import javafx.scene.control.ButtonBar?>
+<?import javafx.scene.control.Label?>
+<?import javafx.scene.Group?>
+<?import javafx.scene.layout.HBox?>
+<?import javafx.scene.layout.Region?>
+<?import javafx.scene.layout.StackPane?>
+<?import javafx.scene.layout.VBox?>
+<?import javafx.scene.shape.Circle?>
+<HBox xmlns:fx="http://javafx.com/fxml"
+	  xmlns="http://javafx.com/javafx"
+	  fx:controller="org.cryptomator.ui.keyloading.hub.RegisterFailedController"
+	  minWidth="400"
+	  maxWidth="400"
+	  minHeight="145"
+	  spacing="12"
+	  alignment="TOP_LEFT">
+	<padding>
+		<Insets topRightBottomLeft="12"/>
+	</padding>
+	<children>
+		<Group>
+			<StackPane>
+				<padding>
+					<Insets topRightBottomLeft="6"/>
+				</padding>
+				<Circle styleClass="glyph-icon-primary" radius="24"/>
+				<FontAwesome5IconView styleClass="glyph-icon-white" glyph="EXCLAMATION" glyphSize="24"/>
+			</StackPane>
+		</Group>
+		<VBox HBox.hgrow="ALWAYS">
+			<Label styleClass="label-large" text="%hub.registerFailed.message" wrapText="true" textAlignment="LEFT">
+				<padding>
+					<Insets bottom="6" top="6"/>
+				</padding>
+			</Label>
+			<Label text="%hub.registerFailed.description" wrapText="true"/>
+
+			<Region VBox.vgrow="ALWAYS" minHeight="18"/>
+			<ButtonBar buttonMinWidth="120" buttonOrder="+C">
+				<buttons>
+					<Button text="%generic.button.close" ButtonBar.buttonData="CANCEL_CLOSE" defaultButton="true" onAction="#close"/>
+				</buttons>
+			</ButtonBar>
+		</VBox>
+	</children>
+</HBox>
diff --git a/src/main/resources/i18n/strings.properties b/src/main/resources/i18n/strings.properties
index 069918e5d..8e0bbfabb 100644
--- a/src/main/resources/i18n/strings.properties
+++ b/src/main/resources/i18n/strings.properties
@@ -140,6 +140,9 @@ hub.register.registerBtn=Register
 ### Registration Success
 hub.registerSuccess.message=Device registered
 hub.registerSuccess.description=To access the vault, your device needs to be authorized by the vault owner.
+### Registration Failed
+hub.registerFailed.message=Device registration failed
+hub.registerFailed.description=An error was thrown in the registration process. For more details, look into the application log.
 ### Unauthorized
 hub.unauthorized.message=Access denied
 hub.unauthorized.description=Your device has not yet been authorized to access this vault. Ask the vault owner to authorize it.

From 73442cddc8cc2c529c66fa07898a671b75a08a7d Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Wed, 6 Jul 2022 10:41:13 +0200
Subject: [PATCH 49/55] Change register device dialog text to make intent clear

---
 src/main/resources/i18n/strings.properties | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/main/resources/i18n/strings.properties b/src/main/resources/i18n/strings.properties
index 8e0bbfabb..a908b8370 100644
--- a/src/main/resources/i18n/strings.properties
+++ b/src/main/resources/i18n/strings.properties
@@ -133,8 +133,8 @@ hub.auth.loginLink=Not redirected? Click here to open it.
 hub.receive.message=Processing response…
 hub.receive.description=Cryptomator is receiving and processing the response from Hub. Please wait.
 ### Register Device
-hub.register.message=Device unknown
-hub.register.description=Cryptomator Hub does not recognize this device. Please register it.
+hub.register.message=Register device?
+hub.register.description=This seems to be the first access from this device to Cryptomator Hub. In order to unlock any vault, you need to choose a name and register it.
 hub.register.nameLabel=Device Name
 hub.register.registerBtn=Register
 ### Registration Success

From cf38a10284467c69af871ca1e832a598c6ae92c0 Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Thu, 7 Jul 2022 12:01:34 +0200
Subject: [PATCH 50/55] Change text from registration to "naming" and prefill
 device name

---
 .../hub/RegisterDeviceController.java          | 18 +++++++++++++++++-
 src/main/resources/i18n/strings.properties     | 12 ++++++------
 2 files changed, 23 insertions(+), 7 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
index a8cbe4148..7fdbf4b95 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
@@ -25,6 +25,9 @@ import javafx.scene.Scene;
 import javafx.scene.control.TextField;
 import javafx.stage.Stage;
 import javafx.stage.WindowEvent;
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStreamReader;
 import java.net.URI;
 import java.net.http.HttpClient;
 import java.net.http.HttpRequest;
@@ -33,6 +36,7 @@ import java.nio.charset.StandardCharsets;
 import java.util.Objects;
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.ExecutorService;
+import java.util.concurrent.ThreadLocalRandom;
 import java.util.concurrent.atomic.AtomicReference;
 
 @KeyLoadingScoped
@@ -69,6 +73,18 @@ public class RegisterDeviceController implements FxController {
 		this.httpClient = HttpClient.newBuilder().executor(executor).build();
 	}
 
+	public void initialize() {
+		deviceNameField.setText(System.getProperty("user.name") + "-" + determineHostname());
+	}
+
+	private String determineHostname() {
+		try {
+			return new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec("hostname").getInputStream())).readLine();
+		} catch (IOException e) {
+			return String.valueOf(ThreadLocalRandom.current().nextInt());
+		}
+	}
+
 	@FXML
 	public void register() {
 		var keyUri = URI.create(hubConfig.devicesResourceUrl + deviceId);
@@ -84,7 +100,7 @@ public class RegisterDeviceController implements FxController {
 				.build();
 		httpClient.sendAsync(request, HttpResponse.BodyHandlers.discarding()) //
 				.handleAsync((response, throwable) -> {
-					if( response != null) {
+					if (response != null) {
 						this.registrationSucceeded(response);
 					} else {
 						this.registrationFailed(throwable);
diff --git a/src/main/resources/i18n/strings.properties b/src/main/resources/i18n/strings.properties
index a908b8370..a7f59b63d 100644
--- a/src/main/resources/i18n/strings.properties
+++ b/src/main/resources/i18n/strings.properties
@@ -133,16 +133,16 @@ hub.auth.loginLink=Not redirected? Click here to open it.
 hub.receive.message=Processing response…
 hub.receive.description=Cryptomator is receiving and processing the response from Hub. Please wait.
 ### Register Device
-hub.register.message=Register device?
-hub.register.description=This seems to be the first access from this device to Cryptomator Hub. In order to unlock any vault, you need to choose a name and register it.
+hub.register.message=Device name required
+hub.register.description=This seems to be the first Hub access from this device. In order to identify it for access authorization, you need to name this device.
 hub.register.nameLabel=Device Name
-hub.register.registerBtn=Register
+hub.register.registerBtn=Confirm
 ### Registration Success
-hub.registerSuccess.message=Device registered
+hub.registerSuccess.message=Device named
 hub.registerSuccess.description=To access the vault, your device needs to be authorized by the vault owner.
 ### Registration Failed
-hub.registerFailed.message=Device registration failed
-hub.registerFailed.description=An error was thrown in the registration process. For more details, look into the application log.
+hub.registerFailed.message=Device naming failed
+hub.registerFailed.description=An error was thrown in the naming process. For more details, look into the application log.
 ### Unauthorized
 hub.unauthorized.message=Access denied
 hub.unauthorized.description=Your device has not yet been authorized to access this vault. Ask the vault owner to authorize it.

From 93500a4efd3d5d00fa675939856c4c71063ebe74 Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Thu, 7 Jul 2022 12:27:20 +0200
Subject: [PATCH 51/55] use try-with-resource

---
 .../ui/keyloading/hub/RegisterDeviceController.java         | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
index 7fdbf4b95..911eb741f 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
@@ -78,8 +78,10 @@ public class RegisterDeviceController implements FxController {
 	}
 
 	private String determineHostname() {
-		try {
-			return new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec("hostname").getInputStream())).readLine();
+		try (var inputStream = Runtime.getRuntime().exec("hostname").getInputStream(); //
+			 var streamReader = new InputStreamReader(inputStream); //
+			 var bufferedReader = new BufferedReader(streamReader)) {
+			return bufferedReader.readLine();
 		} catch (IOException e) {
 			return String.valueOf(ThreadLocalRandom.current().nextInt());
 		}

From 0e853b25f7a8927c5a0e17ecd299422e395d64d5 Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Thu, 7 Jul 2022 17:54:53 +0200
Subject: [PATCH 52/55] simplify the prefill of device registration name
 textbox

---
 .../keyloading/hub/RegisterDeviceController.java  | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
index 911eb741f..b63a8676a 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
@@ -25,9 +25,8 @@ import javafx.scene.Scene;
 import javafx.scene.control.TextField;
 import javafx.stage.Stage;
 import javafx.stage.WindowEvent;
-import java.io.BufferedReader;
 import java.io.IOException;
-import java.io.InputStreamReader;
+import java.net.InetAddress;
 import java.net.URI;
 import java.net.http.HttpClient;
 import java.net.http.HttpRequest;
@@ -36,7 +35,6 @@ import java.nio.charset.StandardCharsets;
 import java.util.Objects;
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.ExecutorService;
-import java.util.concurrent.ThreadLocalRandom;
 import java.util.concurrent.atomic.AtomicReference;
 
 @KeyLoadingScoped
@@ -74,16 +72,15 @@ public class RegisterDeviceController implements FxController {
 	}
 
 	public void initialize() {
-		deviceNameField.setText(System.getProperty("user.name") + "-" + determineHostname());
+		deviceNameField.setText(determineHostname());
 	}
 
 	private String determineHostname() {
-		try (var inputStream = Runtime.getRuntime().exec("hostname").getInputStream(); //
-			 var streamReader = new InputStreamReader(inputStream); //
-			 var bufferedReader = new BufferedReader(streamReader)) {
-			return bufferedReader.readLine();
+		try {
+			var hostName = InetAddress.getLocalHost().getHostName();
+			return Objects.requireNonNullElse(hostName, "");
 		} catch (IOException e) {
-			return String.valueOf(ThreadLocalRandom.current().nextInt());
+			return "";
 		}
 	}
 

From 5c31a34d5f30dec6c920bec164400461f2856821 Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Fri, 8 Jul 2022 11:33:59 +0200
Subject: [PATCH 53/55] Show message in register dialog if device name is
 already in use

---
 .../hub/RegisterDeviceController.java         | 47 +++++++++++++++++--
 .../resources/fxml/hub_register_device.fxml   | 19 +++++++-
 src/main/resources/i18n/strings.properties    |  1 +
 3 files changed, 60 insertions(+), 7 deletions(-)

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
index b63a8676a..3f45c89e8 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
@@ -20,8 +20,12 @@ import org.slf4j.LoggerFactory;
 import javax.inject.Inject;
 import javax.inject.Named;
 import javafx.application.Platform;
+import javafx.beans.property.BooleanProperty;
+import javafx.beans.property.SimpleBooleanProperty;
 import javafx.fxml.FXML;
 import javafx.scene.Scene;
+import javafx.scene.control.Button;
+import javafx.scene.control.ContentDisplay;
 import javafx.scene.control.TextField;
 import javafx.stage.Stage;
 import javafx.stage.WindowEvent;
@@ -32,6 +36,7 @@ import java.net.http.HttpClient;
 import java.net.http.HttpRequest;
 import java.net.http.HttpResponse;
 import java.nio.charset.StandardCharsets;
+import java.util.List;
 import java.util.Objects;
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.ExecutorService;
@@ -42,6 +47,7 @@ public class RegisterDeviceController implements FxController {
 
 	private static final Logger LOG = LoggerFactory.getLogger(RegisterDeviceController.class);
 	private static final Gson GSON = new GsonBuilder().setLenient().create();
+	private static final List<Integer> EXPECTED_RESPONSE_CODES = List.of(201, 409);
 
 	private final Stage window;
 	private final HubConfig hubConfig;
@@ -53,8 +59,10 @@ public class RegisterDeviceController implements FxController {
 	private final CompletableFuture<JWEObject> result;
 	private final DecodedJWT jwt;
 	private final HttpClient httpClient;
+	private final BooleanProperty deviceNameAlreadyExists = new SimpleBooleanProperty(false);
 
 	public TextField deviceNameField;
+	public Button registerBtn;
 
 	@Inject
 	public RegisterDeviceController(@KeyLoading Stage window, ExecutorService executor, HubConfig hubConfig, @Named("deviceId") String deviceId, DeviceKey deviceKey, CompletableFuture<JWEObject> result, @Named("bearerToken") AtomicReference<String> bearerToken, @FxmlScene(FxmlFile.HUB_REGISTER_SUCCESS) Lazy<Scene> registerSuccessScene, @FxmlScene(FxmlFile.HUB_REGISTER_FAILED) Lazy<Scene> registerFailedScene) {
@@ -86,6 +94,10 @@ public class RegisterDeviceController implements FxController {
 
 	@FXML
 	public void register() {
+		deviceNameAlreadyExists.set(false);
+		registerBtn.setContentDisplay(ContentDisplay.LEFT);
+		registerBtn.setDisable(true);
+
 		var keyUri = URI.create(hubConfig.devicesResourceUrl + deviceId);
 		var deviceKey = keyPair.getPublic().getEncoded();
 		var dto = new CreateDeviceDto();
@@ -98,9 +110,15 @@ public class RegisterDeviceController implements FxController {
 				.header("Content-Type", "application/json").PUT(HttpRequest.BodyPublishers.ofString(json, StandardCharsets.UTF_8)) //
 				.build();
 		httpClient.sendAsync(request, HttpResponse.BodyHandlers.discarding()) //
-				.handleAsync((response, throwable) -> {
+				.thenApply(response -> {
+					if (EXPECTED_RESPONSE_CODES.contains(response.statusCode())) {
+						return response;
+					} else {
+						throw new RuntimeException("Server answered with unexpected status code " + response.statusCode());
+					}
+				}).handleAsync((response, throwable) -> {
 					if (response != null) {
-						this.registrationSucceeded(response);
+						this.handleResponse(response);
 					} else {
 						this.registrationFailed(throwable);
 					}
@@ -108,9 +126,17 @@ public class RegisterDeviceController implements FxController {
 				}, Platform::runLater);
 	}
 
-	private void registrationSucceeded(HttpResponse<Void> voidHttpResponse) {
-		LOG.debug("Device registration for hub instance {} successful.", hubConfig.authSuccessUrl);
-		window.setScene(registerSuccessScene.get());
+	private void handleResponse(HttpResponse<Void> voidHttpResponse) {
+		assert EXPECTED_RESPONSE_CODES.contains(voidHttpResponse.statusCode());
+
+		if (voidHttpResponse.statusCode() == 409) {
+			deviceNameAlreadyExists.set(true);
+			registerBtn.setContentDisplay(ContentDisplay.TEXT_ONLY);
+			registerBtn.setDisable(false);
+		} else {
+			LOG.debug("Device registration for hub instance {} successful.", hubConfig.authSuccessUrl);
+			window.setScene(registerSuccessScene.get());
+		}
 	}
 
 	private void registrationFailed(Throwable cause) {
@@ -135,4 +161,15 @@ public class RegisterDeviceController implements FxController {
 	}
 
 
+	//--- Getters & Setters
+
+	public BooleanProperty deviceNameAlreadyExistsProperty() {
+		return deviceNameAlreadyExists;
+	}
+
+	public boolean getDeviceNameAlreadyExists() {
+		return deviceNameAlreadyExists.get();
+	}
+
+
 }
diff --git a/src/main/resources/fxml/hub_register_device.fxml b/src/main/resources/fxml/hub_register_device.fxml
index ff361e60b..8db67c272 100644
--- a/src/main/resources/fxml/hub_register_device.fxml
+++ b/src/main/resources/fxml/hub_register_device.fxml
@@ -12,6 +12,7 @@
 <?import javafx.scene.layout.StackPane?>
 <?import javafx.scene.layout.VBox?>
 <?import javafx.scene.shape.Circle?>
+<?import org.cryptomator.ui.controls.FontAwesome5Spinner?>
 <HBox xmlns:fx="http://javafx.com/fxml"
 	  xmlns="http://javafx.com/javafx"
 	  fx:controller="org.cryptomator.ui.keyloading.hub.RegisterDeviceController"
@@ -48,12 +49,26 @@
 				<Label text="%hub.register.nameLabel" labelFor="$deviceNameField"/>
 				<TextField fx:id="deviceNameField" HBox.hgrow="ALWAYS"/>
 			</HBox>
+			<HBox alignment="TOP_RIGHT">
+				<Label text="%hub.register.occupiedMsg" textAlignment="RIGHT" alignment="CENTER_RIGHT" visible="${controller.deviceNameAlreadyExists}" graphicTextGap="6">
+					<padding>
+						<Insets top="6"/>
+					</padding>
+					<graphic>
+						<FontAwesome5IconView glyph="TIMES" styleClass="glyph-icon-red"/>
+					</graphic>
+				</Label>
+			</HBox>
 
 			<Region VBox.vgrow="ALWAYS" minHeight="18"/>
 			<ButtonBar buttonMinWidth="120" buttonOrder="+CU">
 				<buttons>
-					<Button text="%generic.button.close" ButtonBar.buttonData="CANCEL_CLOSE" cancelButton="true" onAction="#close"/>
-					<Button text="%hub.register.registerBtn" ButtonBar.buttonData="OTHER" defaultButton="true" onAction="#register"/>
+					<Button text="%generic.button.cancel" ButtonBar.buttonData="CANCEL_CLOSE" cancelButton="true" onAction="#close"/>
+					<Button fx:id="registerBtn" text="%hub.register.registerBtn" ButtonBar.buttonData="OTHER" defaultButton="true" onAction="#register" contentDisplay="TEXT_ONLY" >
+						<graphic>
+							<FontAwesome5Spinner glyphSize="12" />
+						</graphic>
+					</Button>
 				</buttons>
 			</ButtonBar>
 		</VBox>
diff --git a/src/main/resources/i18n/strings.properties b/src/main/resources/i18n/strings.properties
index a7f59b63d..4b8db7eda 100644
--- a/src/main/resources/i18n/strings.properties
+++ b/src/main/resources/i18n/strings.properties
@@ -136,6 +136,7 @@ hub.receive.description=Cryptomator is receiving and processing the response fro
 hub.register.message=Device name required
 hub.register.description=This seems to be the first Hub access from this device. In order to identify it for access authorization, you need to name this device.
 hub.register.nameLabel=Device Name
+hub.register.occupiedMsg=Name already in use
 hub.register.registerBtn=Confirm
 ### Registration Success
 hub.registerSuccess.message=Device named

From a7fc8d6fc4e695833d69dbfb553469c56ebfdcee Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Fri, 8 Jul 2022 12:03:38 +0200
Subject: [PATCH 54/55] hide alreadyExistingLabel when deviceName changed by
 user

---
 .../cryptomator/ui/keyloading/hub/RegisterDeviceController.java  | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
index 3f45c89e8..bd997d994 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/RegisterDeviceController.java
@@ -81,6 +81,7 @@ public class RegisterDeviceController implements FxController {
 
 	public void initialize() {
 		deviceNameField.setText(determineHostname());
+		deviceNameField.textProperty().addListener(observable -> deviceNameAlreadyExists.set(false));
 	}
 
 	private String determineHostname() {

From 422077ac08cc289bf347289bdaa8f930cf835912 Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Wed, 20 Jul 2022 17:01:29 +0200
Subject: [PATCH 55/55] adjust pom

---
 pom.xml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 43db1ff55..1aee92cdd 100644
--- a/pom.xml
+++ b/pom.xml
@@ -45,6 +45,7 @@
 		<gson.version>2.9.0</gson.version>
 		<javafx.version>18.0.1</javafx.version>
 		<jwt.version>4.0.0</jwt.version>
+		<nimbus-jose.version>9.23</nimbus-jose.version>
 		<logback.version>1.2.11</logback.version>
 		<slf4j.version>1.7.36</slf4j.version>
 		<tinyoauth2.version>0.5.1</tinyoauth2.version>
@@ -154,7 +155,7 @@
 		<dependency>
 			<groupId>com.nimbusds</groupId>
 			<artifactId>nimbus-jose-jwt</artifactId>
-			<version>9.23</version>
+			<version>${nimbus-jose.version}</version>
 		</dependency>
 
 		<!-- EasyBind -->