goldwarden-vaultwarden-bitw.../agent/bitwarden/crypto/keyhierarchy.go

109 lines
3.1 KiB
Go
Raw Normal View History

2023-07-17 03:23:26 +02:00
package crypto
import (
"crypto/sha256"
"fmt"
"io"
"github.com/awnumar/memguard"
"golang.org/x/crypto/hkdf"
)
2023-12-22 12:01:21 +01:00
func InitKeyringFromMasterPassword(keyring *Keyring, accountKey EncString, accountPrivateKey EncString, orgKeys map[string]string, password []byte, email string, kdfConfig KDFConfig) error {
2023-07-17 03:23:26 +02:00
masterKey, err := DeriveMasterKey(password, email, kdfConfig)
if err != nil {
return err
}
return InitKeyringFromMasterKey(keyring, accountKey, accountPrivateKey, orgKeys, masterKey)
}
func InitKeyringFromMasterKey(keyring *Keyring, accountKey EncString, accountPrivateKey EncString, orgKeys map[string]string, masterKey MasterKey) error {
var accountSymmetricKeyByteArray []byte
switch accountKey.Type {
case AesCbc256_HmacSha256_B64:
2023-12-22 08:02:23 +01:00
stretchedMasterKey, err := stretchKey(masterKey, keyring.IsMemguard)
2023-07-17 03:23:26 +02:00
if err != nil {
return err
}
accountSymmetricKeyByteArray, err = DecryptWith(accountKey, stretchedMasterKey)
if err != nil {
return err
}
default:
return fmt.Errorf("unsupported account key type: %d", accountKey.Type)
}
2023-12-22 08:02:23 +01:00
var accountSymmetricKey SymmetricEncryptionKey
var err error
if keyring.IsMemguard {
accountSymmetricKey, err = MemguardSymmetricEncryptionKeyFromBytes(accountSymmetricKeyByteArray)
} else {
accountSymmetricKey, err = MemorySymmetricEncryptionKeyFromBytes(accountSymmetricKeyByteArray)
}
2023-07-17 03:23:26 +02:00
if err != nil {
return err
}
2023-12-22 12:43:38 +01:00
keyring.UnlockWithAccountKey(accountSymmetricKey)
2023-07-17 03:23:26 +02:00
pkcs8PrivateKey, err := DecryptWith(accountPrivateKey, accountSymmetricKey)
if err != nil {
return err
}
2023-12-22 08:02:23 +01:00
if keyring.IsMemguard {
keyring.AsymmetricEncyryptionKey = MemguardAsymmetricEncryptionKey{memguard.NewEnclave(pkcs8PrivateKey)}
} else {
keyring.AsymmetricEncyryptionKey = MemoryAsymmetricEncryptionKey{pkcs8PrivateKey}
}
2023-07-17 03:23:26 +02:00
keyring.OrganizationKeys = orgKeys
return nil
}
func InitKeyringFromUserSymmetricKey(keyring *Keyring, accountSymmetricKey SymmetricEncryptionKey, accountPrivateKey EncString, orgKeys map[string]string) error {
2023-12-22 12:43:38 +01:00
keyring.UnlockWithAccountKey(accountSymmetricKey)
2023-07-17 03:23:26 +02:00
pkcs8PrivateKey, err := DecryptWith(accountPrivateKey, accountSymmetricKey)
if err != nil {
return err
}
2023-12-22 08:02:23 +01:00
if keyring.IsMemguard {
keyring.AsymmetricEncyryptionKey = MemguardAsymmetricEncryptionKey{memguard.NewEnclave(pkcs8PrivateKey)}
} else {
keyring.AsymmetricEncyryptionKey = MemoryAsymmetricEncryptionKey{pkcs8PrivateKey}
}
2023-07-17 03:23:26 +02:00
keyring.OrganizationKeys = orgKeys
return nil
}
2023-12-22 08:02:23 +01:00
func stretchKey(masterKey MasterKey, useMemguard bool) (SymmetricEncryptionKey, error) {
2023-07-17 03:23:26 +02:00
key := make([]byte, 32)
macKey := make([]byte, 32)
buffer, err := masterKey.encKey.Open()
if err != nil {
2023-12-22 08:02:23 +01:00
return MemorySymmetricEncryptionKey{}, err
2023-07-17 03:23:26 +02:00
}
var r io.Reader
r = hkdf.Expand(sha256.New, buffer.Data(), []byte("enc"))
2024-03-03 01:38:11 +01:00
_, err = r.Read(key)
if err != nil {
return nil, err
}
2023-07-17 03:23:26 +02:00
r = hkdf.Expand(sha256.New, buffer.Data(), []byte("mac"))
2024-03-03 01:38:11 +01:00
_, err = r.Read(macKey)
if err != nil {
return nil, err
}
2023-12-22 08:02:23 +01:00
if useMemguard {
return MemguardSymmetricEncryptionKey{memguard.NewEnclave(key), memguard.NewEnclave(macKey)}, nil
} else {
return MemorySymmetricEncryptionKey{encKey: key, macKey: macKey}, nil
}
2023-07-17 03:23:26 +02:00
}