mirror of
https://github.com/quexten/goldwarden.git
synced 2024-12-24 20:03:22 +03:00
Add no memguard mode
This commit is contained in:
parent
55b3383fb9
commit
be11f59ed8
@ -56,7 +56,16 @@ func sync(ctx context.Context, vault *vault.Vault, cfg *config.Config) bool {
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
protectedUserSymetricKey, err := crypto.SymmetricEncryptionKeyFromBytes(userSymmetricKey)
|
||||
|
||||
var protectedUserSymetricKey crypto.SymmetricEncryptionKey
|
||||
if vault.Keyring.IsMemguard {
|
||||
protectedUserSymetricKey, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(userSymmetricKey)
|
||||
} else {
|
||||
protectedUserSymetricKey, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userSymmetricKey)
|
||||
}
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
|
||||
err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, cfg, &protectedUserSymetricKey, true)
|
||||
if err != nil {
|
||||
|
@ -92,7 +92,12 @@ func handleLogin(msg messages.IPCMessage, cfg *config.Config, vault *vault.Vault
|
||||
cfg.SetUserSymmetricKey(vault.Keyring.AccountKey.Bytes())
|
||||
cfg.SetMasterPasswordHash([]byte(masterpasswordHash))
|
||||
cfg.SetMasterKey([]byte(masterKey.GetBytes()))
|
||||
protectedUserSymetricKey, err := crypto.SymmetricEncryptionKeyFromBytes(vault.Keyring.AccountKey.Bytes())
|
||||
var protectedUserSymetricKey crypto.SymmetricEncryptionKey
|
||||
if vault.Keyring.IsMemguard {
|
||||
protectedUserSymetricKey, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(vault.Keyring.AccountKey.Bytes())
|
||||
} else {
|
||||
protectedUserSymetricKey, err = crypto.MemorySymmetricEncryptionKeyFromBytes(vault.Keyring.AccountKey.Bytes())
|
||||
}
|
||||
if err != nil {
|
||||
var payload = messages.ActionResponse{
|
||||
Success: false,
|
||||
|
@ -64,10 +64,17 @@ func handleUnlockVault(request messages.IPCMessage, cfg *config.Config, vault *v
|
||||
if err != nil {
|
||||
fmt.Println(err)
|
||||
}
|
||||
safeUserSymmkey, err := crypto.SymmetricEncryptionKeyFromBytes(userSymmkey)
|
||||
|
||||
var safeUserSymmkey crypto.SymmetricEncryptionKey
|
||||
if vault.Keyring.IsMemguard {
|
||||
safeUserSymmkey, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(userSymmkey)
|
||||
} else {
|
||||
safeUserSymmkey, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userSymmkey)
|
||||
}
|
||||
if err != nil {
|
||||
fmt.Println(err)
|
||||
}
|
||||
|
||||
err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, cfg, &safeUserSymmkey, true)
|
||||
if err != nil {
|
||||
fmt.Println(err)
|
||||
|
@ -127,7 +127,7 @@ func LoginWithDevice(ctx context.Context, email string, cfg *config.Config, vaul
|
||||
for i := 0; i < 25; i++ {
|
||||
accessCode += string(alphabet[rand.Intn(len(alphabet))])
|
||||
}
|
||||
publicKey, err := crypto.GenerateAsymmetric()
|
||||
publicKey, err := crypto.GenerateAsymmetric(vault.Keyring.IsMemguard)
|
||||
if err != nil {
|
||||
return LoginResponseToken{}, crypto.MasterKey{}, "", err
|
||||
}
|
||||
|
@ -18,24 +18,51 @@ import (
|
||||
|
||||
var b64enc = base64.StdEncoding.Strict()
|
||||
|
||||
type SymmetricEncryptionKey struct {
|
||||
type SymmetricEncryptionKey interface {
|
||||
Bytes() []byte
|
||||
EncryptionKeyBytes() ([]byte, error)
|
||||
MacKeyBytes() ([]byte, error)
|
||||
}
|
||||
|
||||
type MemorySymmetricEncryptionKey struct {
|
||||
encKey []byte
|
||||
macKey []byte
|
||||
}
|
||||
|
||||
type MemguardSymmetricEncryptionKey struct {
|
||||
encKey *memguard.Enclave
|
||||
macKey *memguard.Enclave
|
||||
}
|
||||
|
||||
type AsymmetricEncryptionKey struct {
|
||||
type AsymmetricEncryptionKey interface {
|
||||
PublicBytes() []byte
|
||||
PrivateBytes() ([]byte, error)
|
||||
}
|
||||
|
||||
type MemoryAsymmetricEncryptionKey struct {
|
||||
encKey []byte
|
||||
}
|
||||
|
||||
type MemguardAsymmetricEncryptionKey struct {
|
||||
encKey *memguard.Enclave
|
||||
}
|
||||
|
||||
func SymmetricEncryptionKeyFromBytes(key []byte) (SymmetricEncryptionKey, error) {
|
||||
func MemguardSymmetricEncryptionKeyFromBytes(key []byte) (MemguardSymmetricEncryptionKey, error) {
|
||||
if len(key) != 64 {
|
||||
memguard.WipeBytes(key)
|
||||
return SymmetricEncryptionKey{}, fmt.Errorf("invalid key length: %d", len(key))
|
||||
return MemguardSymmetricEncryptionKey{}, fmt.Errorf("invalid key length: %d", len(key))
|
||||
}
|
||||
return SymmetricEncryptionKey{memguard.NewEnclave(key[0:32]), memguard.NewEnclave(key[32:64])}, nil
|
||||
return MemguardSymmetricEncryptionKey{memguard.NewEnclave(key[0:32]), memguard.NewEnclave(key[32:64])}, nil
|
||||
}
|
||||
|
||||
func (key SymmetricEncryptionKey) Bytes() []byte {
|
||||
func MemorySymmetricEncryptionKeyFromBytes(key []byte) (MemorySymmetricEncryptionKey, error) {
|
||||
if len(key) != 64 {
|
||||
return MemorySymmetricEncryptionKey{}, fmt.Errorf("invalid key length: %d", len(key))
|
||||
}
|
||||
return MemorySymmetricEncryptionKey{encKey: key[0:32], macKey: key[32:64]}, nil
|
||||
}
|
||||
|
||||
func (key MemguardSymmetricEncryptionKey) Bytes() []byte {
|
||||
k1, err := key.encKey.Open()
|
||||
if err != nil {
|
||||
panic(err)
|
||||
@ -50,12 +77,61 @@ func (key SymmetricEncryptionKey) Bytes() []byte {
|
||||
return keyBytes
|
||||
}
|
||||
|
||||
func AssymmetricEncryptionKeyFromBytes(key []byte) (AsymmetricEncryptionKey, error) {
|
||||
k := memguard.NewEnclave(key)
|
||||
return AsymmetricEncryptionKey{k}, nil
|
||||
func (key MemorySymmetricEncryptionKey) Bytes() []byte {
|
||||
keyBytes := make([]byte, 64)
|
||||
copy(keyBytes[0:32], key.encKey)
|
||||
copy(keyBytes[32:64], key.macKey)
|
||||
return keyBytes
|
||||
}
|
||||
|
||||
func (key AsymmetricEncryptionKey) PublicBytes() []byte {
|
||||
func (key MemorySymmetricEncryptionKey) EncryptionKeyBytes() ([]byte, error) {
|
||||
return key.encKey, nil
|
||||
}
|
||||
|
||||
func (key MemguardSymmetricEncryptionKey) EncryptionKeyBytes() ([]byte, error) {
|
||||
k, err := key.encKey.Open()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
keyBytes := make([]byte, 32)
|
||||
copy(keyBytes, k.Bytes())
|
||||
return keyBytes, nil
|
||||
}
|
||||
|
||||
func (key MemorySymmetricEncryptionKey) MacKeyBytes() ([]byte, error) {
|
||||
return key.macKey, nil
|
||||
}
|
||||
|
||||
func (key MemguardSymmetricEncryptionKey) MacKeyBytes() ([]byte, error) {
|
||||
k, err := key.macKey.Open()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
keyBytes := make([]byte, 32)
|
||||
copy(keyBytes, k.Bytes())
|
||||
return keyBytes, nil
|
||||
}
|
||||
|
||||
func MemoryAssymmetricEncryptionKeyFromBytes(key []byte) (MemoryAsymmetricEncryptionKey, error) {
|
||||
return MemoryAsymmetricEncryptionKey{key}, nil
|
||||
}
|
||||
|
||||
func MemguardAssymmetricEncryptionKeyFromBytes(key []byte) (MemguardAsymmetricEncryptionKey, error) {
|
||||
k := memguard.NewEnclave(key)
|
||||
return MemguardAsymmetricEncryptionKey{k}, nil
|
||||
}
|
||||
|
||||
func (key MemoryAsymmetricEncryptionKey) PublicBytes() []byte {
|
||||
privateKey, err := x509.ParsePKCS8PrivateKey(key.encKey)
|
||||
pub := (privateKey.(*rsa.PrivateKey)).Public()
|
||||
publicKeyBytes, err := x509.MarshalPKIXPublicKey(pub)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
return publicKeyBytes
|
||||
}
|
||||
|
||||
func (key MemguardAsymmetricEncryptionKey) PublicBytes() []byte {
|
||||
buffer, err := key.encKey.Open()
|
||||
if err != nil {
|
||||
panic(err)
|
||||
@ -69,6 +145,18 @@ func (key AsymmetricEncryptionKey) PublicBytes() []byte {
|
||||
return publicKeyBytes
|
||||
}
|
||||
|
||||
func (key MemoryAsymmetricEncryptionKey) PrivateBytes() ([]byte, error) {
|
||||
return key.encKey, nil
|
||||
}
|
||||
|
||||
func (key MemguardAsymmetricEncryptionKey) PrivateBytes() ([]byte, error) {
|
||||
buffer, err := key.encKey.Open()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return buffer.Bytes(), nil
|
||||
}
|
||||
|
||||
func isMacValid(message, messageMAC, key []byte) bool {
|
||||
mac := hmac.New(sha256.New, key)
|
||||
mac.Write(message)
|
||||
|
@ -15,6 +15,8 @@ import (
|
||||
"fmt"
|
||||
"io"
|
||||
"strconv"
|
||||
|
||||
"github.com/awnumar/memguard"
|
||||
)
|
||||
|
||||
type EncString struct {
|
||||
@ -121,16 +123,13 @@ func b64encode(src []byte) []byte {
|
||||
}
|
||||
|
||||
func DecryptWith(s EncString, key SymmetricEncryptionKey) ([]byte, error) {
|
||||
encKeyData, err := key.encKey.Open()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
macKeyData, err := key.macKey.Open()
|
||||
encKeyData, err := key.MacKeyBytes()
|
||||
macKeyData, err := key.MacKeyBytes()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
block, err := aes.NewCipher(encKeyData.Data())
|
||||
block, err := aes.NewCipher(encKeyData)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@ -143,13 +142,13 @@ func DecryptWith(s EncString, key SymmetricEncryptionKey) ([]byte, error) {
|
||||
}
|
||||
|
||||
if s.Type == AesCbc256_HmacSha256_B64 {
|
||||
if len(s.MAC) == 0 || len(macKeyData.Data()) == 0 {
|
||||
if len(s.MAC) == 0 || len(macKeyData) == 0 {
|
||||
return nil, fmt.Errorf("decrypt: cipher string type expects a MAC")
|
||||
}
|
||||
var msg []byte
|
||||
msg = append(msg, s.IV...)
|
||||
msg = append(msg, s.CT...)
|
||||
if !isMacValid(msg, s.MAC, macKeyData.Data()) {
|
||||
if !isMacValid(msg, s.MAC, macKeyData) {
|
||||
return nil, fmt.Errorf("decrypt: MAC mismatch")
|
||||
}
|
||||
}
|
||||
@ -165,14 +164,8 @@ func DecryptWith(s EncString, key SymmetricEncryptionKey) ([]byte, error) {
|
||||
}
|
||||
|
||||
func EncryptWith(data []byte, typ EncStringType, key SymmetricEncryptionKey) (EncString, error) {
|
||||
encKeyData, err := key.encKey.Open()
|
||||
if err != nil {
|
||||
return EncString{}, err
|
||||
}
|
||||
macKeyData, err := key.macKey.Open()
|
||||
if err != nil {
|
||||
return EncString{}, err
|
||||
}
|
||||
encKeyData, err := key.EncryptionKeyBytes()
|
||||
macKeyData, err := key.MacKeyBytes()
|
||||
|
||||
s := EncString{}
|
||||
switch typ {
|
||||
@ -183,7 +176,7 @@ func EncryptWith(data []byte, typ EncStringType, key SymmetricEncryptionKey) (En
|
||||
s.Type = typ
|
||||
data = padPKCS7(data, aes.BlockSize)
|
||||
|
||||
block, err := aes.NewCipher(encKeyData.Bytes())
|
||||
block, err := aes.NewCipher(encKeyData)
|
||||
if err != nil {
|
||||
return s, err
|
||||
}
|
||||
@ -196,13 +189,13 @@ func EncryptWith(data []byte, typ EncStringType, key SymmetricEncryptionKey) (En
|
||||
mode.CryptBlocks(s.CT, data)
|
||||
|
||||
if typ == AesCbc256_HmacSha256_B64 {
|
||||
if len(macKeyData.Bytes()) == 0 {
|
||||
if len(macKeyData) == 0 {
|
||||
return s, fmt.Errorf("encrypt: cipher string type expects a MAC")
|
||||
}
|
||||
var macMessage []byte
|
||||
macMessage = append(macMessage, s.IV...)
|
||||
macMessage = append(macMessage, s.CT...)
|
||||
mac := hmac.New(sha256.New, macKeyData.Bytes())
|
||||
mac := hmac.New(sha256.New, macKeyData)
|
||||
mac.Write(macMessage)
|
||||
s.MAC = mac.Sum(nil)
|
||||
}
|
||||
@ -210,27 +203,31 @@ func EncryptWith(data []byte, typ EncStringType, key SymmetricEncryptionKey) (En
|
||||
return s, nil
|
||||
}
|
||||
|
||||
func GenerateAsymmetric() (AsymmetricEncryptionKey, error) {
|
||||
func GenerateAsymmetric(useMemguard bool) (AsymmetricEncryptionKey, error) {
|
||||
key, err := rsa.GenerateKey(rand.Reader, 2048)
|
||||
if err != nil {
|
||||
return AsymmetricEncryptionKey{}, err
|
||||
return MemoryAsymmetricEncryptionKey{}, err
|
||||
}
|
||||
|
||||
encKey, err := x509.MarshalPKCS8PrivateKey(key)
|
||||
if err != nil {
|
||||
return AsymmetricEncryptionKey{}, err
|
||||
return MemoryAsymmetricEncryptionKey{}, err
|
||||
}
|
||||
|
||||
return AssymmetricEncryptionKeyFromBytes(encKey)
|
||||
if useMemguard {
|
||||
return MemguardAsymmetricEncryptionKey{memguard.NewEnclave(encKey)}, nil
|
||||
} else {
|
||||
return MemoryAsymmetricEncryptionKey{encKey}, nil
|
||||
}
|
||||
}
|
||||
|
||||
func DecryptWithAsymmetric(s []byte, asymmetrickey AsymmetricEncryptionKey) ([]byte, error) {
|
||||
key, err := asymmetrickey.encKey.Open()
|
||||
key, err := asymmetrickey.PrivateBytes()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
parsedKey, err := x509.ParsePKCS8PrivateKey(key.Bytes())
|
||||
parsedKey, err := x509.ParsePKCS8PrivateKey(key)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@ -248,12 +245,12 @@ func DecryptWithAsymmetric(s []byte, asymmetrickey AsymmetricEncryptionKey) ([]b
|
||||
}
|
||||
|
||||
func EncryptWithAsymmetric(s []byte, asymmbetrickey AsymmetricEncryptionKey) ([]byte, error) {
|
||||
key, err := asymmbetrickey.encKey.Open()
|
||||
key, err := asymmbetrickey.PrivateBytes()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
parsedKey, err := x509.ParsePKIXPublicKey(key.Bytes())
|
||||
parsedKey, err := x509.ParsePKIXPublicKey(key)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -23,7 +23,7 @@ func InitKeyringFromMasterKey(keyring *Keyring, accountKey EncString, accountPri
|
||||
|
||||
switch accountKey.Type {
|
||||
case AesCbc256_HmacSha256_B64:
|
||||
stretchedMasterKey, err := stretchKey(masterKey)
|
||||
stretchedMasterKey, err := stretchKey(masterKey, keyring.IsMemguard)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@ -36,43 +36,56 @@ func InitKeyringFromMasterKey(keyring *Keyring, accountKey EncString, accountPri
|
||||
return fmt.Errorf("unsupported account key type: %d", accountKey.Type)
|
||||
}
|
||||
|
||||
accountSymmetricKey, err := SymmetricEncryptionKeyFromBytes(accountSymmetricKeyByteArray)
|
||||
var accountSymmetricKey SymmetricEncryptionKey
|
||||
var err error
|
||||
if keyring.IsMemguard {
|
||||
accountSymmetricKey, err = MemguardSymmetricEncryptionKeyFromBytes(accountSymmetricKeyByteArray)
|
||||
} else {
|
||||
accountSymmetricKey, err = MemorySymmetricEncryptionKeyFromBytes(accountSymmetricKeyByteArray)
|
||||
}
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
keyring.AccountKey = &accountSymmetricKey
|
||||
keyring.AccountKey = accountSymmetricKey
|
||||
|
||||
pkcs8PrivateKey, err := DecryptWith(accountPrivateKey, accountSymmetricKey)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
keyring.AsymmetricEncyryptionKey = AsymmetricEncryptionKey{memguard.NewEnclave(pkcs8PrivateKey)}
|
||||
if keyring.IsMemguard {
|
||||
keyring.AsymmetricEncyryptionKey = MemguardAsymmetricEncryptionKey{memguard.NewEnclave(pkcs8PrivateKey)}
|
||||
} else {
|
||||
keyring.AsymmetricEncyryptionKey = MemoryAsymmetricEncryptionKey{pkcs8PrivateKey}
|
||||
}
|
||||
keyring.OrganizationKeys = orgKeys
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func InitKeyringFromUserSymmetricKey(keyring *Keyring, accountSymmetricKey SymmetricEncryptionKey, accountPrivateKey EncString, orgKeys map[string]string) error {
|
||||
keyring.AccountKey = &accountSymmetricKey
|
||||
|
||||
keyring.AccountKey = accountSymmetricKey
|
||||
pkcs8PrivateKey, err := DecryptWith(accountPrivateKey, accountSymmetricKey)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
keyring.AsymmetricEncyryptionKey = AsymmetricEncryptionKey{memguard.NewEnclave(pkcs8PrivateKey)}
|
||||
if keyring.IsMemguard {
|
||||
keyring.AsymmetricEncyryptionKey = MemguardAsymmetricEncryptionKey{memguard.NewEnclave(pkcs8PrivateKey)}
|
||||
} else {
|
||||
keyring.AsymmetricEncyryptionKey = MemoryAsymmetricEncryptionKey{pkcs8PrivateKey}
|
||||
}
|
||||
keyring.OrganizationKeys = orgKeys
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func stretchKey(masterKey MasterKey) (SymmetricEncryptionKey, error) {
|
||||
func stretchKey(masterKey MasterKey, useMemguard bool) (SymmetricEncryptionKey, error) {
|
||||
key := make([]byte, 32)
|
||||
macKey := make([]byte, 32)
|
||||
|
||||
buffer, err := masterKey.encKey.Open()
|
||||
if err != nil {
|
||||
return SymmetricEncryptionKey{}, err
|
||||
return MemorySymmetricEncryptionKey{}, err
|
||||
}
|
||||
|
||||
var r io.Reader
|
||||
@ -80,5 +93,10 @@ func stretchKey(masterKey MasterKey) (SymmetricEncryptionKey, error) {
|
||||
r.Read(key)
|
||||
r = hkdf.Expand(sha256.New, buffer.Data(), []byte("mac"))
|
||||
r.Read(macKey)
|
||||
return SymmetricEncryptionKey{memguard.NewEnclave(key), memguard.NewEnclave(macKey)}, nil
|
||||
|
||||
if useMemguard {
|
||||
return MemguardSymmetricEncryptionKey{memguard.NewEnclave(key), memguard.NewEnclave(macKey)}, nil
|
||||
} else {
|
||||
return MemorySymmetricEncryptionKey{encKey: key, macKey: macKey}, nil
|
||||
}
|
||||
}
|
||||
|
@ -5,12 +5,19 @@ import (
|
||||
)
|
||||
|
||||
type Keyring struct {
|
||||
AccountKey *SymmetricEncryptionKey
|
||||
AccountKey SymmetricEncryptionKey
|
||||
AsymmetricEncyryptionKey AsymmetricEncryptionKey
|
||||
IsMemguard bool
|
||||
OrganizationKeys map[string]string
|
||||
}
|
||||
|
||||
func NewKeyring(accountKey *SymmetricEncryptionKey) Keyring {
|
||||
func NewMemoryKeyring(accountKey *MemorySymmetricEncryptionKey) Keyring {
|
||||
return Keyring{
|
||||
AccountKey: accountKey,
|
||||
}
|
||||
}
|
||||
|
||||
func NewMemguardKeyring(accountKey *MemguardSymmetricEncryptionKey) Keyring {
|
||||
return Keyring{
|
||||
AccountKey: accountKey,
|
||||
}
|
||||
@ -22,7 +29,7 @@ func (keyring Keyring) IsLocked() bool {
|
||||
|
||||
func (keyring *Keyring) Lock() {
|
||||
keyring.AccountKey = nil
|
||||
keyring.AsymmetricEncyryptionKey = AsymmetricEncryptionKey{}
|
||||
keyring.AsymmetricEncyryptionKey = MemoryAsymmetricEncryptionKey{}
|
||||
keyring.OrganizationKeys = nil
|
||||
}
|
||||
|
||||
@ -30,10 +37,10 @@ func (keyring *Keyring) GetSymmetricKeyForOrganization(uuid string) (SymmetricEn
|
||||
if key, ok := keyring.OrganizationKeys[uuid]; ok {
|
||||
decryptedOrgKey, err := DecryptWithAsymmetric([]byte(key), keyring.AsymmetricEncyryptionKey)
|
||||
if err != nil {
|
||||
return SymmetricEncryptionKey{}, err
|
||||
return MemorySymmetricEncryptionKey{}, err
|
||||
}
|
||||
|
||||
return SymmetricEncryptionKeyFromBytes(decryptedOrgKey)
|
||||
return MemorySymmetricEncryptionKeyFromBytes(decryptedOrgKey)
|
||||
}
|
||||
return SymmetricEncryptionKey{}, errors.New("no key found for organization")
|
||||
return MemorySymmetricEncryptionKey{}, errors.New("no key found for organization")
|
||||
}
|
||||
|
@ -150,5 +150,5 @@ func (cipher Cipher) GetKeyForCipher(keyring crypto.Keyring) (crypto.SymmetricEn
|
||||
if cipher.OrganizationID != nil {
|
||||
return keyring.GetSymmetricKeyForOrganization(cipher.OrganizationID.String())
|
||||
}
|
||||
return *keyring.AccountKey, nil
|
||||
return keyring.AccountKey, nil
|
||||
}
|
||||
|
@ -69,7 +69,7 @@ func CreateAuthResponse(ctx context.Context, authRequest AuthRequestData, keyrin
|
||||
//}
|
||||
|
||||
publicKey, err := base64.StdEncoding.DecodeString(authRequest.PublicKey)
|
||||
requesterKey, err := crypto.AssymmetricEncryptionKeyFromBytes(publicKey)
|
||||
requesterKey, err := crypto.MemoryAssymmetricEncryptionKeyFromBytes(publicKey)
|
||||
|
||||
encryptedUserSymmetricKey, err := crypto.EncryptWithAsymmetric(userSymmetricKey, requesterKey)
|
||||
if err != nil {
|
||||
|
@ -43,6 +43,7 @@ type RuntimeConfig struct {
|
||||
User string
|
||||
Password string
|
||||
Pin string
|
||||
UseMemguard bool
|
||||
}
|
||||
|
||||
type ConfigFile struct {
|
||||
@ -419,11 +420,17 @@ func (cfg *Config) TryUnlock(vault *vault.Vault) error {
|
||||
if cfg.IsLoggedIn() {
|
||||
userKey, err := cfg.GetUserSymmetricKey()
|
||||
if err == nil {
|
||||
key, err := crypto.SymmetricEncryptionKeyFromBytes(userKey)
|
||||
var key crypto.SymmetricEncryptionKey
|
||||
var err error
|
||||
if vault.Keyring.IsMemguard {
|
||||
key, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(userKey)
|
||||
} else {
|
||||
key, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userKey)
|
||||
}
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
vault.Keyring.AccountKey = &key
|
||||
vault.Keyring.AccountKey = key
|
||||
} else {
|
||||
cfg.Lock()
|
||||
return err
|
||||
|
@ -1,4 +1,4 @@
|
||||
//go:build !windows && !darwin && !linux
|
||||
//go:build (!windows && !darwin && !linux) || noautofill
|
||||
|
||||
package agent
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
//go:build windows || darwin || linux
|
||||
//go:build (windows || darwin || linux) && !noautofill
|
||||
|
||||
package agent
|
||||
|
||||
|
@ -30,13 +30,13 @@ func NewSSHKeyCipher(name string, keyring *crypto.Keyring) (models.Cipher, strin
|
||||
privatePEM := pem.EncodeToMemory(&privBlock)
|
||||
publicKey, err := ssh.NewPublicKey(pub)
|
||||
|
||||
encryptedName, _ := crypto.EncryptWith([]byte(name), crypto.AesCbc256_HmacSha256_B64, *keyring.AccountKey)
|
||||
encryptedPublicKeyKey, _ := crypto.EncryptWith([]byte("public-key"), crypto.AesCbc256_HmacSha256_B64, *keyring.AccountKey)
|
||||
encryptedPublicKeyValue, _ := crypto.EncryptWith([]byte(string(ssh.MarshalAuthorizedKey(publicKey))), crypto.AesCbc256_HmacSha256_B64, *keyring.AccountKey)
|
||||
encryptedCustomTypeKey, _ := crypto.EncryptWith([]byte("custom-type"), crypto.AesCbc256_HmacSha256_B64, *keyring.AccountKey)
|
||||
encryptedCustomTypeValue, _ := crypto.EncryptWith([]byte("ssh-key"), crypto.AesCbc256_HmacSha256_B64, *keyring.AccountKey)
|
||||
encryptedPrivateKeyKey, _ := crypto.EncryptWith([]byte("private-key"), crypto.AesCbc256_HmacSha256_B64, *keyring.AccountKey)
|
||||
encryptedPrivateKeyValue, _ := crypto.EncryptWith(privatePEM, crypto.AesCbc256_HmacSha256_B64, *keyring.AccountKey)
|
||||
encryptedName, _ := crypto.EncryptWith([]byte(name), crypto.AesCbc256_HmacSha256_B64, keyring.AccountKey)
|
||||
encryptedPublicKeyKey, _ := crypto.EncryptWith([]byte("public-key"), crypto.AesCbc256_HmacSha256_B64, keyring.AccountKey)
|
||||
encryptedPublicKeyValue, _ := crypto.EncryptWith([]byte(string(ssh.MarshalAuthorizedKey(publicKey))), crypto.AesCbc256_HmacSha256_B64, keyring.AccountKey)
|
||||
encryptedCustomTypeKey, _ := crypto.EncryptWith([]byte("custom-type"), crypto.AesCbc256_HmacSha256_B64, keyring.AccountKey)
|
||||
encryptedCustomTypeValue, _ := crypto.EncryptWith([]byte("ssh-key"), crypto.AesCbc256_HmacSha256_B64, keyring.AccountKey)
|
||||
encryptedPrivateKeyKey, _ := crypto.EncryptWith([]byte("private-key"), crypto.AesCbc256_HmacSha256_B64, keyring.AccountKey)
|
||||
encryptedPrivateKeyValue, _ := crypto.EncryptWith(privatePEM, crypto.AesCbc256_HmacSha256_B64, keyring.AccountKey)
|
||||
|
||||
cipher := models.Cipher{
|
||||
Type: models.CipherNote,
|
||||
|
@ -99,8 +99,13 @@ type AgentState struct {
|
||||
func StartUnixAgent(path string, runtimeConfig config.RuntimeConfig) error {
|
||||
ctx := context.Background()
|
||||
|
||||
// check if exists
|
||||
keyring := crypto.NewKeyring(nil)
|
||||
var keyring crypto.Keyring
|
||||
if runtimeConfig.UseMemguard {
|
||||
keyring = crypto.NewMemguardKeyring(nil)
|
||||
} else {
|
||||
keyring = crypto.NewMemoryKeyring(nil)
|
||||
}
|
||||
|
||||
var vault = vault.NewVault(&keyring)
|
||||
cfg, err := config.ReadConfig(runtimeConfig)
|
||||
if err != nil {
|
||||
@ -137,7 +142,12 @@ func StartUnixAgent(path string, runtimeConfig config.RuntimeConfig) error {
|
||||
time.Sleep(60 * time.Second)
|
||||
continue
|
||||
}
|
||||
protectedUserSymetricKey, err := crypto.SymmetricEncryptionKeyFromBytes(userSymmetricKey)
|
||||
var protectedUserSymetricKey crypto.SymmetricEncryptionKey
|
||||
if vault.Keyring.IsMemguard {
|
||||
protectedUserSymetricKey, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(userSymmetricKey)
|
||||
} else {
|
||||
protectedUserSymetricKey, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userSymmetricKey)
|
||||
}
|
||||
|
||||
err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, &cfg, &protectedUserSymetricKey, true)
|
||||
if err != nil {
|
||||
@ -170,7 +180,12 @@ func StartUnixAgent(path string, runtimeConfig config.RuntimeConfig) error {
|
||||
if err != nil {
|
||||
fmt.Println(err)
|
||||
}
|
||||
protectedUserSymetricKey, err := crypto.SymmetricEncryptionKeyFromBytes(userSymmetricKey)
|
||||
var protectedUserSymetricKey crypto.SymmetricEncryptionKey
|
||||
if vault.Keyring.IsMemguard {
|
||||
protectedUserSymetricKey, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(userSymmetricKey)
|
||||
} else {
|
||||
protectedUserSymetricKey, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userSymmetricKey)
|
||||
}
|
||||
|
||||
err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, &cfg, &protectedUserSymetricKey, true)
|
||||
if err != nil {
|
||||
|
@ -74,8 +74,13 @@ func serveVirtualAgent(recv chan []byte, send chan []byte, ctx context.Context,
|
||||
func StartVirtualAgent(runtimeConfig config.RuntimeConfig) (chan []byte, chan []byte) {
|
||||
ctx := context.Background()
|
||||
|
||||
// check if exists
|
||||
keyring := crypto.NewKeyring(nil)
|
||||
var keyring crypto.Keyring
|
||||
if runtimeConfig.UseMemguard {
|
||||
keyring = crypto.NewMemguardKeyring(nil)
|
||||
} else {
|
||||
keyring = crypto.NewMemoryKeyring(nil)
|
||||
}
|
||||
|
||||
var vault = vault.NewVault(&keyring)
|
||||
cfg, err := config.ReadConfig(runtimeConfig)
|
||||
if err != nil {
|
||||
@ -106,7 +111,12 @@ func StartVirtualAgent(runtimeConfig config.RuntimeConfig) (chan []byte, chan []
|
||||
if err != nil {
|
||||
fmt.Println(err)
|
||||
}
|
||||
protectedUserSymetricKey, err := crypto.SymmetricEncryptionKeyFromBytes(userSymmetricKey)
|
||||
var protectedUserSymetricKey crypto.SymmetricEncryptionKey
|
||||
if keyring.IsMemguard {
|
||||
protectedUserSymetricKey, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(userSymmetricKey)
|
||||
} else {
|
||||
protectedUserSymetricKey, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userSymmetricKey)
|
||||
}
|
||||
|
||||
err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, &cfg, &protectedUserSymetricKey, true)
|
||||
if err != nil {
|
||||
|
Loading…
Reference in New Issue
Block a user