mirror of
https://github.com/quexten/goldwarden.git
synced 2024-12-25 20:33:29 +03:00
Add no memguard mode
This commit is contained in:
parent
55b3383fb9
commit
be11f59ed8
@ -56,7 +56,16 @@ func sync(ctx context.Context, vault *vault.Vault, cfg *config.Config) bool {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
protectedUserSymetricKey, err := crypto.SymmetricEncryptionKeyFromBytes(userSymmetricKey)
|
|
||||||
|
var protectedUserSymetricKey crypto.SymmetricEncryptionKey
|
||||||
|
if vault.Keyring.IsMemguard {
|
||||||
|
protectedUserSymetricKey, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(userSymmetricKey)
|
||||||
|
} else {
|
||||||
|
protectedUserSymetricKey, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userSymmetricKey)
|
||||||
|
}
|
||||||
|
if err != nil {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, cfg, &protectedUserSymetricKey, true)
|
err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, cfg, &protectedUserSymetricKey, true)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -92,7 +92,12 @@ func handleLogin(msg messages.IPCMessage, cfg *config.Config, vault *vault.Vault
|
|||||||
cfg.SetUserSymmetricKey(vault.Keyring.AccountKey.Bytes())
|
cfg.SetUserSymmetricKey(vault.Keyring.AccountKey.Bytes())
|
||||||
cfg.SetMasterPasswordHash([]byte(masterpasswordHash))
|
cfg.SetMasterPasswordHash([]byte(masterpasswordHash))
|
||||||
cfg.SetMasterKey([]byte(masterKey.GetBytes()))
|
cfg.SetMasterKey([]byte(masterKey.GetBytes()))
|
||||||
protectedUserSymetricKey, err := crypto.SymmetricEncryptionKeyFromBytes(vault.Keyring.AccountKey.Bytes())
|
var protectedUserSymetricKey crypto.SymmetricEncryptionKey
|
||||||
|
if vault.Keyring.IsMemguard {
|
||||||
|
protectedUserSymetricKey, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(vault.Keyring.AccountKey.Bytes())
|
||||||
|
} else {
|
||||||
|
protectedUserSymetricKey, err = crypto.MemorySymmetricEncryptionKeyFromBytes(vault.Keyring.AccountKey.Bytes())
|
||||||
|
}
|
||||||
if err != nil {
|
if err != nil {
|
||||||
var payload = messages.ActionResponse{
|
var payload = messages.ActionResponse{
|
||||||
Success: false,
|
Success: false,
|
||||||
|
@ -64,10 +64,17 @@ func handleUnlockVault(request messages.IPCMessage, cfg *config.Config, vault *v
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
fmt.Println(err)
|
fmt.Println(err)
|
||||||
}
|
}
|
||||||
safeUserSymmkey, err := crypto.SymmetricEncryptionKeyFromBytes(userSymmkey)
|
|
||||||
|
var safeUserSymmkey crypto.SymmetricEncryptionKey
|
||||||
|
if vault.Keyring.IsMemguard {
|
||||||
|
safeUserSymmkey, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(userSymmkey)
|
||||||
|
} else {
|
||||||
|
safeUserSymmkey, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userSymmkey)
|
||||||
|
}
|
||||||
if err != nil {
|
if err != nil {
|
||||||
fmt.Println(err)
|
fmt.Println(err)
|
||||||
}
|
}
|
||||||
|
|
||||||
err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, cfg, &safeUserSymmkey, true)
|
err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, cfg, &safeUserSymmkey, true)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
fmt.Println(err)
|
fmt.Println(err)
|
||||||
|
@ -127,7 +127,7 @@ func LoginWithDevice(ctx context.Context, email string, cfg *config.Config, vaul
|
|||||||
for i := 0; i < 25; i++ {
|
for i := 0; i < 25; i++ {
|
||||||
accessCode += string(alphabet[rand.Intn(len(alphabet))])
|
accessCode += string(alphabet[rand.Intn(len(alphabet))])
|
||||||
}
|
}
|
||||||
publicKey, err := crypto.GenerateAsymmetric()
|
publicKey, err := crypto.GenerateAsymmetric(vault.Keyring.IsMemguard)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return LoginResponseToken{}, crypto.MasterKey{}, "", err
|
return LoginResponseToken{}, crypto.MasterKey{}, "", err
|
||||||
}
|
}
|
||||||
|
@ -18,24 +18,51 @@ import (
|
|||||||
|
|
||||||
var b64enc = base64.StdEncoding.Strict()
|
var b64enc = base64.StdEncoding.Strict()
|
||||||
|
|
||||||
type SymmetricEncryptionKey struct {
|
type SymmetricEncryptionKey interface {
|
||||||
|
Bytes() []byte
|
||||||
|
EncryptionKeyBytes() ([]byte, error)
|
||||||
|
MacKeyBytes() ([]byte, error)
|
||||||
|
}
|
||||||
|
|
||||||
|
type MemorySymmetricEncryptionKey struct {
|
||||||
|
encKey []byte
|
||||||
|
macKey []byte
|
||||||
|
}
|
||||||
|
|
||||||
|
type MemguardSymmetricEncryptionKey struct {
|
||||||
encKey *memguard.Enclave
|
encKey *memguard.Enclave
|
||||||
macKey *memguard.Enclave
|
macKey *memguard.Enclave
|
||||||
}
|
}
|
||||||
|
|
||||||
type AsymmetricEncryptionKey struct {
|
type AsymmetricEncryptionKey interface {
|
||||||
|
PublicBytes() []byte
|
||||||
|
PrivateBytes() ([]byte, error)
|
||||||
|
}
|
||||||
|
|
||||||
|
type MemoryAsymmetricEncryptionKey struct {
|
||||||
|
encKey []byte
|
||||||
|
}
|
||||||
|
|
||||||
|
type MemguardAsymmetricEncryptionKey struct {
|
||||||
encKey *memguard.Enclave
|
encKey *memguard.Enclave
|
||||||
}
|
}
|
||||||
|
|
||||||
func SymmetricEncryptionKeyFromBytes(key []byte) (SymmetricEncryptionKey, error) {
|
func MemguardSymmetricEncryptionKeyFromBytes(key []byte) (MemguardSymmetricEncryptionKey, error) {
|
||||||
if len(key) != 64 {
|
if len(key) != 64 {
|
||||||
memguard.WipeBytes(key)
|
memguard.WipeBytes(key)
|
||||||
return SymmetricEncryptionKey{}, fmt.Errorf("invalid key length: %d", len(key))
|
return MemguardSymmetricEncryptionKey{}, fmt.Errorf("invalid key length: %d", len(key))
|
||||||
}
|
}
|
||||||
return SymmetricEncryptionKey{memguard.NewEnclave(key[0:32]), memguard.NewEnclave(key[32:64])}, nil
|
return MemguardSymmetricEncryptionKey{memguard.NewEnclave(key[0:32]), memguard.NewEnclave(key[32:64])}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (key SymmetricEncryptionKey) Bytes() []byte {
|
func MemorySymmetricEncryptionKeyFromBytes(key []byte) (MemorySymmetricEncryptionKey, error) {
|
||||||
|
if len(key) != 64 {
|
||||||
|
return MemorySymmetricEncryptionKey{}, fmt.Errorf("invalid key length: %d", len(key))
|
||||||
|
}
|
||||||
|
return MemorySymmetricEncryptionKey{encKey: key[0:32], macKey: key[32:64]}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (key MemguardSymmetricEncryptionKey) Bytes() []byte {
|
||||||
k1, err := key.encKey.Open()
|
k1, err := key.encKey.Open()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
panic(err)
|
panic(err)
|
||||||
@ -50,12 +77,61 @@ func (key SymmetricEncryptionKey) Bytes() []byte {
|
|||||||
return keyBytes
|
return keyBytes
|
||||||
}
|
}
|
||||||
|
|
||||||
func AssymmetricEncryptionKeyFromBytes(key []byte) (AsymmetricEncryptionKey, error) {
|
func (key MemorySymmetricEncryptionKey) Bytes() []byte {
|
||||||
k := memguard.NewEnclave(key)
|
keyBytes := make([]byte, 64)
|
||||||
return AsymmetricEncryptionKey{k}, nil
|
copy(keyBytes[0:32], key.encKey)
|
||||||
|
copy(keyBytes[32:64], key.macKey)
|
||||||
|
return keyBytes
|
||||||
}
|
}
|
||||||
|
|
||||||
func (key AsymmetricEncryptionKey) PublicBytes() []byte {
|
func (key MemorySymmetricEncryptionKey) EncryptionKeyBytes() ([]byte, error) {
|
||||||
|
return key.encKey, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (key MemguardSymmetricEncryptionKey) EncryptionKeyBytes() ([]byte, error) {
|
||||||
|
k, err := key.encKey.Open()
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
keyBytes := make([]byte, 32)
|
||||||
|
copy(keyBytes, k.Bytes())
|
||||||
|
return keyBytes, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (key MemorySymmetricEncryptionKey) MacKeyBytes() ([]byte, error) {
|
||||||
|
return key.macKey, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (key MemguardSymmetricEncryptionKey) MacKeyBytes() ([]byte, error) {
|
||||||
|
k, err := key.macKey.Open()
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
keyBytes := make([]byte, 32)
|
||||||
|
copy(keyBytes, k.Bytes())
|
||||||
|
return keyBytes, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func MemoryAssymmetricEncryptionKeyFromBytes(key []byte) (MemoryAsymmetricEncryptionKey, error) {
|
||||||
|
return MemoryAsymmetricEncryptionKey{key}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func MemguardAssymmetricEncryptionKeyFromBytes(key []byte) (MemguardAsymmetricEncryptionKey, error) {
|
||||||
|
k := memguard.NewEnclave(key)
|
||||||
|
return MemguardAsymmetricEncryptionKey{k}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (key MemoryAsymmetricEncryptionKey) PublicBytes() []byte {
|
||||||
|
privateKey, err := x509.ParsePKCS8PrivateKey(key.encKey)
|
||||||
|
pub := (privateKey.(*rsa.PrivateKey)).Public()
|
||||||
|
publicKeyBytes, err := x509.MarshalPKIXPublicKey(pub)
|
||||||
|
if err != nil {
|
||||||
|
panic(err)
|
||||||
|
}
|
||||||
|
return publicKeyBytes
|
||||||
|
}
|
||||||
|
|
||||||
|
func (key MemguardAsymmetricEncryptionKey) PublicBytes() []byte {
|
||||||
buffer, err := key.encKey.Open()
|
buffer, err := key.encKey.Open()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
panic(err)
|
panic(err)
|
||||||
@ -69,6 +145,18 @@ func (key AsymmetricEncryptionKey) PublicBytes() []byte {
|
|||||||
return publicKeyBytes
|
return publicKeyBytes
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (key MemoryAsymmetricEncryptionKey) PrivateBytes() ([]byte, error) {
|
||||||
|
return key.encKey, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (key MemguardAsymmetricEncryptionKey) PrivateBytes() ([]byte, error) {
|
||||||
|
buffer, err := key.encKey.Open()
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return buffer.Bytes(), nil
|
||||||
|
}
|
||||||
|
|
||||||
func isMacValid(message, messageMAC, key []byte) bool {
|
func isMacValid(message, messageMAC, key []byte) bool {
|
||||||
mac := hmac.New(sha256.New, key)
|
mac := hmac.New(sha256.New, key)
|
||||||
mac.Write(message)
|
mac.Write(message)
|
||||||
|
@ -15,6 +15,8 @@ import (
|
|||||||
"fmt"
|
"fmt"
|
||||||
"io"
|
"io"
|
||||||
"strconv"
|
"strconv"
|
||||||
|
|
||||||
|
"github.com/awnumar/memguard"
|
||||||
)
|
)
|
||||||
|
|
||||||
type EncString struct {
|
type EncString struct {
|
||||||
@ -121,16 +123,13 @@ func b64encode(src []byte) []byte {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func DecryptWith(s EncString, key SymmetricEncryptionKey) ([]byte, error) {
|
func DecryptWith(s EncString, key SymmetricEncryptionKey) ([]byte, error) {
|
||||||
encKeyData, err := key.encKey.Open()
|
encKeyData, err := key.MacKeyBytes()
|
||||||
if err != nil {
|
macKeyData, err := key.MacKeyBytes()
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
macKeyData, err := key.macKey.Open()
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
block, err := aes.NewCipher(encKeyData.Data())
|
block, err := aes.NewCipher(encKeyData)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
@ -143,13 +142,13 @@ func DecryptWith(s EncString, key SymmetricEncryptionKey) ([]byte, error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if s.Type == AesCbc256_HmacSha256_B64 {
|
if s.Type == AesCbc256_HmacSha256_B64 {
|
||||||
if len(s.MAC) == 0 || len(macKeyData.Data()) == 0 {
|
if len(s.MAC) == 0 || len(macKeyData) == 0 {
|
||||||
return nil, fmt.Errorf("decrypt: cipher string type expects a MAC")
|
return nil, fmt.Errorf("decrypt: cipher string type expects a MAC")
|
||||||
}
|
}
|
||||||
var msg []byte
|
var msg []byte
|
||||||
msg = append(msg, s.IV...)
|
msg = append(msg, s.IV...)
|
||||||
msg = append(msg, s.CT...)
|
msg = append(msg, s.CT...)
|
||||||
if !isMacValid(msg, s.MAC, macKeyData.Data()) {
|
if !isMacValid(msg, s.MAC, macKeyData) {
|
||||||
return nil, fmt.Errorf("decrypt: MAC mismatch")
|
return nil, fmt.Errorf("decrypt: MAC mismatch")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -165,14 +164,8 @@ func DecryptWith(s EncString, key SymmetricEncryptionKey) ([]byte, error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func EncryptWith(data []byte, typ EncStringType, key SymmetricEncryptionKey) (EncString, error) {
|
func EncryptWith(data []byte, typ EncStringType, key SymmetricEncryptionKey) (EncString, error) {
|
||||||
encKeyData, err := key.encKey.Open()
|
encKeyData, err := key.EncryptionKeyBytes()
|
||||||
if err != nil {
|
macKeyData, err := key.MacKeyBytes()
|
||||||
return EncString{}, err
|
|
||||||
}
|
|
||||||
macKeyData, err := key.macKey.Open()
|
|
||||||
if err != nil {
|
|
||||||
return EncString{}, err
|
|
||||||
}
|
|
||||||
|
|
||||||
s := EncString{}
|
s := EncString{}
|
||||||
switch typ {
|
switch typ {
|
||||||
@ -183,7 +176,7 @@ func EncryptWith(data []byte, typ EncStringType, key SymmetricEncryptionKey) (En
|
|||||||
s.Type = typ
|
s.Type = typ
|
||||||
data = padPKCS7(data, aes.BlockSize)
|
data = padPKCS7(data, aes.BlockSize)
|
||||||
|
|
||||||
block, err := aes.NewCipher(encKeyData.Bytes())
|
block, err := aes.NewCipher(encKeyData)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return s, err
|
return s, err
|
||||||
}
|
}
|
||||||
@ -196,13 +189,13 @@ func EncryptWith(data []byte, typ EncStringType, key SymmetricEncryptionKey) (En
|
|||||||
mode.CryptBlocks(s.CT, data)
|
mode.CryptBlocks(s.CT, data)
|
||||||
|
|
||||||
if typ == AesCbc256_HmacSha256_B64 {
|
if typ == AesCbc256_HmacSha256_B64 {
|
||||||
if len(macKeyData.Bytes()) == 0 {
|
if len(macKeyData) == 0 {
|
||||||
return s, fmt.Errorf("encrypt: cipher string type expects a MAC")
|
return s, fmt.Errorf("encrypt: cipher string type expects a MAC")
|
||||||
}
|
}
|
||||||
var macMessage []byte
|
var macMessage []byte
|
||||||
macMessage = append(macMessage, s.IV...)
|
macMessage = append(macMessage, s.IV...)
|
||||||
macMessage = append(macMessage, s.CT...)
|
macMessage = append(macMessage, s.CT...)
|
||||||
mac := hmac.New(sha256.New, macKeyData.Bytes())
|
mac := hmac.New(sha256.New, macKeyData)
|
||||||
mac.Write(macMessage)
|
mac.Write(macMessage)
|
||||||
s.MAC = mac.Sum(nil)
|
s.MAC = mac.Sum(nil)
|
||||||
}
|
}
|
||||||
@ -210,27 +203,31 @@ func EncryptWith(data []byte, typ EncStringType, key SymmetricEncryptionKey) (En
|
|||||||
return s, nil
|
return s, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func GenerateAsymmetric() (AsymmetricEncryptionKey, error) {
|
func GenerateAsymmetric(useMemguard bool) (AsymmetricEncryptionKey, error) {
|
||||||
key, err := rsa.GenerateKey(rand.Reader, 2048)
|
key, err := rsa.GenerateKey(rand.Reader, 2048)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return AsymmetricEncryptionKey{}, err
|
return MemoryAsymmetricEncryptionKey{}, err
|
||||||
}
|
}
|
||||||
|
|
||||||
encKey, err := x509.MarshalPKCS8PrivateKey(key)
|
encKey, err := x509.MarshalPKCS8PrivateKey(key)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return AsymmetricEncryptionKey{}, err
|
return MemoryAsymmetricEncryptionKey{}, err
|
||||||
}
|
}
|
||||||
|
|
||||||
return AssymmetricEncryptionKeyFromBytes(encKey)
|
if useMemguard {
|
||||||
|
return MemguardAsymmetricEncryptionKey{memguard.NewEnclave(encKey)}, nil
|
||||||
|
} else {
|
||||||
|
return MemoryAsymmetricEncryptionKey{encKey}, nil
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func DecryptWithAsymmetric(s []byte, asymmetrickey AsymmetricEncryptionKey) ([]byte, error) {
|
func DecryptWithAsymmetric(s []byte, asymmetrickey AsymmetricEncryptionKey) ([]byte, error) {
|
||||||
key, err := asymmetrickey.encKey.Open()
|
key, err := asymmetrickey.PrivateBytes()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
parsedKey, err := x509.ParsePKCS8PrivateKey(key.Bytes())
|
parsedKey, err := x509.ParsePKCS8PrivateKey(key)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
@ -248,12 +245,12 @@ func DecryptWithAsymmetric(s []byte, asymmetrickey AsymmetricEncryptionKey) ([]b
|
|||||||
}
|
}
|
||||||
|
|
||||||
func EncryptWithAsymmetric(s []byte, asymmbetrickey AsymmetricEncryptionKey) ([]byte, error) {
|
func EncryptWithAsymmetric(s []byte, asymmbetrickey AsymmetricEncryptionKey) ([]byte, error) {
|
||||||
key, err := asymmbetrickey.encKey.Open()
|
key, err := asymmbetrickey.PrivateBytes()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
parsedKey, err := x509.ParsePKIXPublicKey(key.Bytes())
|
parsedKey, err := x509.ParsePKIXPublicKey(key)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
@ -23,7 +23,7 @@ func InitKeyringFromMasterKey(keyring *Keyring, accountKey EncString, accountPri
|
|||||||
|
|
||||||
switch accountKey.Type {
|
switch accountKey.Type {
|
||||||
case AesCbc256_HmacSha256_B64:
|
case AesCbc256_HmacSha256_B64:
|
||||||
stretchedMasterKey, err := stretchKey(masterKey)
|
stretchedMasterKey, err := stretchKey(masterKey, keyring.IsMemguard)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -36,43 +36,56 @@ func InitKeyringFromMasterKey(keyring *Keyring, accountKey EncString, accountPri
|
|||||||
return fmt.Errorf("unsupported account key type: %d", accountKey.Type)
|
return fmt.Errorf("unsupported account key type: %d", accountKey.Type)
|
||||||
}
|
}
|
||||||
|
|
||||||
accountSymmetricKey, err := SymmetricEncryptionKeyFromBytes(accountSymmetricKeyByteArray)
|
var accountSymmetricKey SymmetricEncryptionKey
|
||||||
|
var err error
|
||||||
|
if keyring.IsMemguard {
|
||||||
|
accountSymmetricKey, err = MemguardSymmetricEncryptionKeyFromBytes(accountSymmetricKeyByteArray)
|
||||||
|
} else {
|
||||||
|
accountSymmetricKey, err = MemorySymmetricEncryptionKeyFromBytes(accountSymmetricKeyByteArray)
|
||||||
|
}
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
keyring.AccountKey = &accountSymmetricKey
|
keyring.AccountKey = accountSymmetricKey
|
||||||
|
|
||||||
pkcs8PrivateKey, err := DecryptWith(accountPrivateKey, accountSymmetricKey)
|
pkcs8PrivateKey, err := DecryptWith(accountPrivateKey, accountSymmetricKey)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
keyring.AsymmetricEncyryptionKey = AsymmetricEncryptionKey{memguard.NewEnclave(pkcs8PrivateKey)}
|
if keyring.IsMemguard {
|
||||||
|
keyring.AsymmetricEncyryptionKey = MemguardAsymmetricEncryptionKey{memguard.NewEnclave(pkcs8PrivateKey)}
|
||||||
|
} else {
|
||||||
|
keyring.AsymmetricEncyryptionKey = MemoryAsymmetricEncryptionKey{pkcs8PrivateKey}
|
||||||
|
}
|
||||||
keyring.OrganizationKeys = orgKeys
|
keyring.OrganizationKeys = orgKeys
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func InitKeyringFromUserSymmetricKey(keyring *Keyring, accountSymmetricKey SymmetricEncryptionKey, accountPrivateKey EncString, orgKeys map[string]string) error {
|
func InitKeyringFromUserSymmetricKey(keyring *Keyring, accountSymmetricKey SymmetricEncryptionKey, accountPrivateKey EncString, orgKeys map[string]string) error {
|
||||||
keyring.AccountKey = &accountSymmetricKey
|
keyring.AccountKey = accountSymmetricKey
|
||||||
|
|
||||||
pkcs8PrivateKey, err := DecryptWith(accountPrivateKey, accountSymmetricKey)
|
pkcs8PrivateKey, err := DecryptWith(accountPrivateKey, accountSymmetricKey)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
keyring.AsymmetricEncyryptionKey = AsymmetricEncryptionKey{memguard.NewEnclave(pkcs8PrivateKey)}
|
if keyring.IsMemguard {
|
||||||
|
keyring.AsymmetricEncyryptionKey = MemguardAsymmetricEncryptionKey{memguard.NewEnclave(pkcs8PrivateKey)}
|
||||||
|
} else {
|
||||||
|
keyring.AsymmetricEncyryptionKey = MemoryAsymmetricEncryptionKey{pkcs8PrivateKey}
|
||||||
|
}
|
||||||
keyring.OrganizationKeys = orgKeys
|
keyring.OrganizationKeys = orgKeys
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func stretchKey(masterKey MasterKey) (SymmetricEncryptionKey, error) {
|
func stretchKey(masterKey MasterKey, useMemguard bool) (SymmetricEncryptionKey, error) {
|
||||||
key := make([]byte, 32)
|
key := make([]byte, 32)
|
||||||
macKey := make([]byte, 32)
|
macKey := make([]byte, 32)
|
||||||
|
|
||||||
buffer, err := masterKey.encKey.Open()
|
buffer, err := masterKey.encKey.Open()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return SymmetricEncryptionKey{}, err
|
return MemorySymmetricEncryptionKey{}, err
|
||||||
}
|
}
|
||||||
|
|
||||||
var r io.Reader
|
var r io.Reader
|
||||||
@ -80,5 +93,10 @@ func stretchKey(masterKey MasterKey) (SymmetricEncryptionKey, error) {
|
|||||||
r.Read(key)
|
r.Read(key)
|
||||||
r = hkdf.Expand(sha256.New, buffer.Data(), []byte("mac"))
|
r = hkdf.Expand(sha256.New, buffer.Data(), []byte("mac"))
|
||||||
r.Read(macKey)
|
r.Read(macKey)
|
||||||
return SymmetricEncryptionKey{memguard.NewEnclave(key), memguard.NewEnclave(macKey)}, nil
|
|
||||||
|
if useMemguard {
|
||||||
|
return MemguardSymmetricEncryptionKey{memguard.NewEnclave(key), memguard.NewEnclave(macKey)}, nil
|
||||||
|
} else {
|
||||||
|
return MemorySymmetricEncryptionKey{encKey: key, macKey: macKey}, nil
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
@ -5,12 +5,19 @@ import (
|
|||||||
)
|
)
|
||||||
|
|
||||||
type Keyring struct {
|
type Keyring struct {
|
||||||
AccountKey *SymmetricEncryptionKey
|
AccountKey SymmetricEncryptionKey
|
||||||
AsymmetricEncyryptionKey AsymmetricEncryptionKey
|
AsymmetricEncyryptionKey AsymmetricEncryptionKey
|
||||||
|
IsMemguard bool
|
||||||
OrganizationKeys map[string]string
|
OrganizationKeys map[string]string
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewKeyring(accountKey *SymmetricEncryptionKey) Keyring {
|
func NewMemoryKeyring(accountKey *MemorySymmetricEncryptionKey) Keyring {
|
||||||
|
return Keyring{
|
||||||
|
AccountKey: accountKey,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func NewMemguardKeyring(accountKey *MemguardSymmetricEncryptionKey) Keyring {
|
||||||
return Keyring{
|
return Keyring{
|
||||||
AccountKey: accountKey,
|
AccountKey: accountKey,
|
||||||
}
|
}
|
||||||
@ -22,7 +29,7 @@ func (keyring Keyring) IsLocked() bool {
|
|||||||
|
|
||||||
func (keyring *Keyring) Lock() {
|
func (keyring *Keyring) Lock() {
|
||||||
keyring.AccountKey = nil
|
keyring.AccountKey = nil
|
||||||
keyring.AsymmetricEncyryptionKey = AsymmetricEncryptionKey{}
|
keyring.AsymmetricEncyryptionKey = MemoryAsymmetricEncryptionKey{}
|
||||||
keyring.OrganizationKeys = nil
|
keyring.OrganizationKeys = nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -30,10 +37,10 @@ func (keyring *Keyring) GetSymmetricKeyForOrganization(uuid string) (SymmetricEn
|
|||||||
if key, ok := keyring.OrganizationKeys[uuid]; ok {
|
if key, ok := keyring.OrganizationKeys[uuid]; ok {
|
||||||
decryptedOrgKey, err := DecryptWithAsymmetric([]byte(key), keyring.AsymmetricEncyryptionKey)
|
decryptedOrgKey, err := DecryptWithAsymmetric([]byte(key), keyring.AsymmetricEncyryptionKey)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return SymmetricEncryptionKey{}, err
|
return MemorySymmetricEncryptionKey{}, err
|
||||||
}
|
}
|
||||||
|
|
||||||
return SymmetricEncryptionKeyFromBytes(decryptedOrgKey)
|
return MemorySymmetricEncryptionKeyFromBytes(decryptedOrgKey)
|
||||||
}
|
}
|
||||||
return SymmetricEncryptionKey{}, errors.New("no key found for organization")
|
return MemorySymmetricEncryptionKey{}, errors.New("no key found for organization")
|
||||||
}
|
}
|
||||||
|
@ -150,5 +150,5 @@ func (cipher Cipher) GetKeyForCipher(keyring crypto.Keyring) (crypto.SymmetricEn
|
|||||||
if cipher.OrganizationID != nil {
|
if cipher.OrganizationID != nil {
|
||||||
return keyring.GetSymmetricKeyForOrganization(cipher.OrganizationID.String())
|
return keyring.GetSymmetricKeyForOrganization(cipher.OrganizationID.String())
|
||||||
}
|
}
|
||||||
return *keyring.AccountKey, nil
|
return keyring.AccountKey, nil
|
||||||
}
|
}
|
||||||
|
@ -69,7 +69,7 @@ func CreateAuthResponse(ctx context.Context, authRequest AuthRequestData, keyrin
|
|||||||
//}
|
//}
|
||||||
|
|
||||||
publicKey, err := base64.StdEncoding.DecodeString(authRequest.PublicKey)
|
publicKey, err := base64.StdEncoding.DecodeString(authRequest.PublicKey)
|
||||||
requesterKey, err := crypto.AssymmetricEncryptionKeyFromBytes(publicKey)
|
requesterKey, err := crypto.MemoryAssymmetricEncryptionKeyFromBytes(publicKey)
|
||||||
|
|
||||||
encryptedUserSymmetricKey, err := crypto.EncryptWithAsymmetric(userSymmetricKey, requesterKey)
|
encryptedUserSymmetricKey, err := crypto.EncryptWithAsymmetric(userSymmetricKey, requesterKey)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -43,6 +43,7 @@ type RuntimeConfig struct {
|
|||||||
User string
|
User string
|
||||||
Password string
|
Password string
|
||||||
Pin string
|
Pin string
|
||||||
|
UseMemguard bool
|
||||||
}
|
}
|
||||||
|
|
||||||
type ConfigFile struct {
|
type ConfigFile struct {
|
||||||
@ -419,11 +420,17 @@ func (cfg *Config) TryUnlock(vault *vault.Vault) error {
|
|||||||
if cfg.IsLoggedIn() {
|
if cfg.IsLoggedIn() {
|
||||||
userKey, err := cfg.GetUserSymmetricKey()
|
userKey, err := cfg.GetUserSymmetricKey()
|
||||||
if err == nil {
|
if err == nil {
|
||||||
key, err := crypto.SymmetricEncryptionKeyFromBytes(userKey)
|
var key crypto.SymmetricEncryptionKey
|
||||||
|
var err error
|
||||||
|
if vault.Keyring.IsMemguard {
|
||||||
|
key, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(userKey)
|
||||||
|
} else {
|
||||||
|
key, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userKey)
|
||||||
|
}
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
vault.Keyring.AccountKey = &key
|
vault.Keyring.AccountKey = key
|
||||||
} else {
|
} else {
|
||||||
cfg.Lock()
|
cfg.Lock()
|
||||||
return err
|
return err
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
//go:build !windows && !darwin && !linux
|
//go:build (!windows && !darwin && !linux) || noautofill
|
||||||
|
|
||||||
package agent
|
package agent
|
||||||
|
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
//go:build windows || darwin || linux
|
//go:build (windows || darwin || linux) && !noautofill
|
||||||
|
|
||||||
package agent
|
package agent
|
||||||
|
|
||||||
|
@ -30,13 +30,13 @@ func NewSSHKeyCipher(name string, keyring *crypto.Keyring) (models.Cipher, strin
|
|||||||
privatePEM := pem.EncodeToMemory(&privBlock)
|
privatePEM := pem.EncodeToMemory(&privBlock)
|
||||||
publicKey, err := ssh.NewPublicKey(pub)
|
publicKey, err := ssh.NewPublicKey(pub)
|
||||||
|
|
||||||
encryptedName, _ := crypto.EncryptWith([]byte(name), crypto.AesCbc256_HmacSha256_B64, *keyring.AccountKey)
|
encryptedName, _ := crypto.EncryptWith([]byte(name), crypto.AesCbc256_HmacSha256_B64, keyring.AccountKey)
|
||||||
encryptedPublicKeyKey, _ := crypto.EncryptWith([]byte("public-key"), crypto.AesCbc256_HmacSha256_B64, *keyring.AccountKey)
|
encryptedPublicKeyKey, _ := crypto.EncryptWith([]byte("public-key"), crypto.AesCbc256_HmacSha256_B64, keyring.AccountKey)
|
||||||
encryptedPublicKeyValue, _ := crypto.EncryptWith([]byte(string(ssh.MarshalAuthorizedKey(publicKey))), crypto.AesCbc256_HmacSha256_B64, *keyring.AccountKey)
|
encryptedPublicKeyValue, _ := crypto.EncryptWith([]byte(string(ssh.MarshalAuthorizedKey(publicKey))), crypto.AesCbc256_HmacSha256_B64, keyring.AccountKey)
|
||||||
encryptedCustomTypeKey, _ := crypto.EncryptWith([]byte("custom-type"), crypto.AesCbc256_HmacSha256_B64, *keyring.AccountKey)
|
encryptedCustomTypeKey, _ := crypto.EncryptWith([]byte("custom-type"), crypto.AesCbc256_HmacSha256_B64, keyring.AccountKey)
|
||||||
encryptedCustomTypeValue, _ := crypto.EncryptWith([]byte("ssh-key"), crypto.AesCbc256_HmacSha256_B64, *keyring.AccountKey)
|
encryptedCustomTypeValue, _ := crypto.EncryptWith([]byte("ssh-key"), crypto.AesCbc256_HmacSha256_B64, keyring.AccountKey)
|
||||||
encryptedPrivateKeyKey, _ := crypto.EncryptWith([]byte("private-key"), crypto.AesCbc256_HmacSha256_B64, *keyring.AccountKey)
|
encryptedPrivateKeyKey, _ := crypto.EncryptWith([]byte("private-key"), crypto.AesCbc256_HmacSha256_B64, keyring.AccountKey)
|
||||||
encryptedPrivateKeyValue, _ := crypto.EncryptWith(privatePEM, crypto.AesCbc256_HmacSha256_B64, *keyring.AccountKey)
|
encryptedPrivateKeyValue, _ := crypto.EncryptWith(privatePEM, crypto.AesCbc256_HmacSha256_B64, keyring.AccountKey)
|
||||||
|
|
||||||
cipher := models.Cipher{
|
cipher := models.Cipher{
|
||||||
Type: models.CipherNote,
|
Type: models.CipherNote,
|
||||||
|
@ -99,8 +99,13 @@ type AgentState struct {
|
|||||||
func StartUnixAgent(path string, runtimeConfig config.RuntimeConfig) error {
|
func StartUnixAgent(path string, runtimeConfig config.RuntimeConfig) error {
|
||||||
ctx := context.Background()
|
ctx := context.Background()
|
||||||
|
|
||||||
// check if exists
|
var keyring crypto.Keyring
|
||||||
keyring := crypto.NewKeyring(nil)
|
if runtimeConfig.UseMemguard {
|
||||||
|
keyring = crypto.NewMemguardKeyring(nil)
|
||||||
|
} else {
|
||||||
|
keyring = crypto.NewMemoryKeyring(nil)
|
||||||
|
}
|
||||||
|
|
||||||
var vault = vault.NewVault(&keyring)
|
var vault = vault.NewVault(&keyring)
|
||||||
cfg, err := config.ReadConfig(runtimeConfig)
|
cfg, err := config.ReadConfig(runtimeConfig)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -137,7 +142,12 @@ func StartUnixAgent(path string, runtimeConfig config.RuntimeConfig) error {
|
|||||||
time.Sleep(60 * time.Second)
|
time.Sleep(60 * time.Second)
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
protectedUserSymetricKey, err := crypto.SymmetricEncryptionKeyFromBytes(userSymmetricKey)
|
var protectedUserSymetricKey crypto.SymmetricEncryptionKey
|
||||||
|
if vault.Keyring.IsMemguard {
|
||||||
|
protectedUserSymetricKey, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(userSymmetricKey)
|
||||||
|
} else {
|
||||||
|
protectedUserSymetricKey, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userSymmetricKey)
|
||||||
|
}
|
||||||
|
|
||||||
err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, &cfg, &protectedUserSymetricKey, true)
|
err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, &cfg, &protectedUserSymetricKey, true)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -170,7 +180,12 @@ func StartUnixAgent(path string, runtimeConfig config.RuntimeConfig) error {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
fmt.Println(err)
|
fmt.Println(err)
|
||||||
}
|
}
|
||||||
protectedUserSymetricKey, err := crypto.SymmetricEncryptionKeyFromBytes(userSymmetricKey)
|
var protectedUserSymetricKey crypto.SymmetricEncryptionKey
|
||||||
|
if vault.Keyring.IsMemguard {
|
||||||
|
protectedUserSymetricKey, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(userSymmetricKey)
|
||||||
|
} else {
|
||||||
|
protectedUserSymetricKey, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userSymmetricKey)
|
||||||
|
}
|
||||||
|
|
||||||
err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, &cfg, &protectedUserSymetricKey, true)
|
err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, &cfg, &protectedUserSymetricKey, true)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -74,8 +74,13 @@ func serveVirtualAgent(recv chan []byte, send chan []byte, ctx context.Context,
|
|||||||
func StartVirtualAgent(runtimeConfig config.RuntimeConfig) (chan []byte, chan []byte) {
|
func StartVirtualAgent(runtimeConfig config.RuntimeConfig) (chan []byte, chan []byte) {
|
||||||
ctx := context.Background()
|
ctx := context.Background()
|
||||||
|
|
||||||
// check if exists
|
var keyring crypto.Keyring
|
||||||
keyring := crypto.NewKeyring(nil)
|
if runtimeConfig.UseMemguard {
|
||||||
|
keyring = crypto.NewMemguardKeyring(nil)
|
||||||
|
} else {
|
||||||
|
keyring = crypto.NewMemoryKeyring(nil)
|
||||||
|
}
|
||||||
|
|
||||||
var vault = vault.NewVault(&keyring)
|
var vault = vault.NewVault(&keyring)
|
||||||
cfg, err := config.ReadConfig(runtimeConfig)
|
cfg, err := config.ReadConfig(runtimeConfig)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -106,7 +111,12 @@ func StartVirtualAgent(runtimeConfig config.RuntimeConfig) (chan []byte, chan []
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
fmt.Println(err)
|
fmt.Println(err)
|
||||||
}
|
}
|
||||||
protectedUserSymetricKey, err := crypto.SymmetricEncryptionKeyFromBytes(userSymmetricKey)
|
var protectedUserSymetricKey crypto.SymmetricEncryptionKey
|
||||||
|
if keyring.IsMemguard {
|
||||||
|
protectedUserSymetricKey, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(userSymmetricKey)
|
||||||
|
} else {
|
||||||
|
protectedUserSymetricKey, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userSymmetricKey)
|
||||||
|
}
|
||||||
|
|
||||||
err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, &cfg, &protectedUserSymetricKey, true)
|
err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, &cfg, &protectedUserSymetricKey, true)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
1
main.go
1
main.go
@ -38,6 +38,7 @@ func main() {
|
|||||||
User: os.Getenv("GOLDWARDEN_AUTH_USER"),
|
User: os.Getenv("GOLDWARDEN_AUTH_USER"),
|
||||||
Password: os.Getenv("GOLDWARDEN_AUTH_PASSWORD"),
|
Password: os.Getenv("GOLDWARDEN_AUTH_PASSWORD"),
|
||||||
Pin: os.Getenv("GOLDWARDEN_PIN"),
|
Pin: os.Getenv("GOLDWARDEN_PIN"),
|
||||||
|
UseMemguard: os.Getenv("GOLDWARDEN_NO_MEMGUARD") != "true",
|
||||||
|
|
||||||
ConfigDirectory: configPath,
|
ConfigDirectory: configPath,
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user