diff --git a/agent/actions/login.go b/agent/actions/login.go index 4398036..dbe50de 100644 --- a/agent/actions/login.go +++ b/agent/actions/login.go @@ -89,14 +89,14 @@ func handleLogin(msg messages.IPCMessage, cfg *config.Config, vault *vault.Vault return } - cfg.SetUserSymmetricKey(vault.Keyring.AccountKey.Bytes()) + cfg.SetUserSymmetricKey(vault.Keyring.GetAccountKey().Bytes()) cfg.SetMasterPasswordHash([]byte(masterpasswordHash)) cfg.SetMasterKey([]byte(masterKey.GetBytes())) var protectedUserSymetricKey crypto.SymmetricEncryptionKey if vault.Keyring.IsMemguard { - protectedUserSymetricKey, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(vault.Keyring.AccountKey.Bytes()) + protectedUserSymetricKey, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(vault.Keyring.GetAccountKey().Bytes()) } else { - protectedUserSymetricKey, err = crypto.MemorySymmetricEncryptionKeyFromBytes(vault.Keyring.AccountKey.Bytes()) + protectedUserSymetricKey, err = crypto.MemorySymmetricEncryptionKeyFromBytes(vault.Keyring.GetAccountKey().Bytes()) } if err != nil { var payload = messages.ActionResponse{ diff --git a/agent/bitwarden/crypto/keyhierarchy.go b/agent/bitwarden/crypto/keyhierarchy.go index 8ae472a..d0dc398 100644 --- a/agent/bitwarden/crypto/keyhierarchy.go +++ b/agent/bitwarden/crypto/keyhierarchy.go @@ -47,7 +47,7 @@ func InitKeyringFromMasterKey(keyring *Keyring, accountKey EncString, accountPri return err } - keyring.AccountKey = accountSymmetricKey + keyring.UnlockWithAccountKey(accountSymmetricKey) pkcs8PrivateKey, err := DecryptWith(accountPrivateKey, accountSymmetricKey) if err != nil { 
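Review bot: `vault.Keyring.GetAccountKey()` is called three times in this hunk and each result is immediately dereferenced with `.Bytes()` with no nil check; after `Lock()` the accessor returns a nil interface and the call panics, and the `return` at the top of the hunk only suggests a guard exists somewhere above, which is not visible here. Fetch the key once and fail the login response when it is missing: `accountKey := vault.Keyring.GetAccountKey()` followed by `if accountKey == nil { /* send an ActionResponse error and return */ }`, then pass `accountKey.Bytes()` to the three calls instead of re-reading the keyring each time. handleLogin starts before this hunk and its error payload continues after it.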
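Review bot: `keyring.UnlockWithAccountKey(accountSymmetricKey)` flips the keyring to unlocked before `DecryptWith(accountPrivateKey, accountSymmetricKey)` has succeeded, so on the error path the keyring now reports `IsLocked() == false` while holding no asymmetric key and no organization keys; the old field assignment sat in the same place, so this is inherited rather than introduced, but the explicit flag makes it more visible. Either move the unlock below the private-key decryption or lock again on failure: `if err != nil { keyring.Lock(); return err }`. InitKeyringFromMasterKey begins before this hunk and its error branch continues past it.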
@@ -64,7 +64,7 @@ func InitKeyringFromMasterKey(keyring *Keyring, accountKey EncString, accountPri } func InitKeyringFromUserSymmetricKey(keyring *Keyring, accountSymmetricKey SymmetricEncryptionKey, accountPrivateKey EncString, orgKeys map[string]string) error { - keyring.AccountKey = accountSymmetricKey + keyring.UnlockWithAccountKey(accountSymmetricKey) pkcs8PrivateKey, err := DecryptWith(accountPrivateKey, accountSymmetricKey) if err != nil { return err diff --git a/agent/bitwarden/crypto/keyring.go b/agent/bitwarden/crypto/keyring.go index f00b25f..58acd33 100644 --- a/agent/bitwarden/crypto/keyring.go +++ b/agent/bitwarden/crypto/keyring.go @@ -9,7 +9,8 @@ import ( var keyringLog = logging.GetLogger("Goldwarden", "Keyring") type Keyring struct { - AccountKey SymmetricEncryptionKey + isLocked bool + accountKey SymmetricEncryptionKey AsymmetricEncyryptionKey AsymmetricEncryptionKey IsMemguard bool OrganizationKeys map[string]string 
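Review bot: as in InitKeyringFromMasterKey, `keyring.UnlockWithAccountKey(accountSymmetricKey)` runs before `DecryptWith(accountPrivateKey, accountSymmetricKey)` is checked, so the `return err` in this hunk leaves a keyring that reports unlocked but has only the account key populated. Lock it on the failure path, `if err != nil { keyring.Lock(); return err }`, or defer the unlock until the private key and organization keys have been installed. The body of InitKeyringFromUserSymmetricKey continues past the end of this hunk.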
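Review bot: `isLocked` and `accountKey` are two fields that must agree, but nothing on the struct says so, and since `accountKey` is now unexported the invariant is enforced only by the methods in keyring.go. A doc comment on the field would keep later writers honest: `// isLocked is what IsLocked reports; it must be true whenever accountKey is nil. Only the constructors, Lock and UnlockWithAccountKey should write either field.` The struct definition is cut off at the bottom of the hunk.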
@@ -18,28 +19,41 @@ type Keyring struct { func NewMemoryKeyring(accountKey *MemorySymmetricEncryptionKey) Keyring { keyringLog.Info("Creating new memory keyring") return Keyring{ - AccountKey: accountKey, + isLocked: accountKey == nil, + accountKey: accountKey, } } func NewMemguardKeyring(accountKey *MemguardSymmetricEncryptionKey) Keyring { keyringLog.Info("Creating new memguard keyring") return Keyring{ - AccountKey: accountKey, + isLocked: accountKey == nil, + accountKey: accountKey, } } func (keyring Keyring) IsLocked() bool { - return keyring.AccountKey == nil + return keyring.isLocked } func (keyring *Keyring) Lock() { keyringLog.Info("Locking keyring") - keyring.AccountKey = nil + keyring.isLocked = true + keyring.accountKey = nil keyring.AsymmetricEncyryptionKey = MemoryAsymmetricEncryptionKey{} keyring.OrganizationKeys = nil } +func (keyring *Keyring) UnlockWithAccountKey(accountKey SymmetricEncryptionKey) { + keyringLog.Info("Unlocking keyring with account key") + keyring.isLocked = false + keyring.accountKey = accountKey +} + +func (keyring *Keyring) GetAccountKey() SymmetricEncryptionKey { + return keyring.accountKey +} + func (keyring *Keyring) GetSymmetricKeyForOrganization(uuid string) (SymmetricEncryptionKey, error) { if key, ok := keyring.OrganizationKeys[uuid]; ok { decryptedOrgKey, err := DecryptWithAsymmetric([]byte(key), keyring.AsymmetricEncyryptionKey) diff --git a/agent/bitwarden/models/models.go b/agent/bitwarden/models/models.go index 6bcc327..5e7075e 100644 --- a/agent/bitwarden/models/models.go +++ b/agent/bitwarden/models/models.go @@ -150,5 +150,5 @@ func (cipher Cipher) GetKeyForCipher(keyring crypto.Keyring) (crypto.SymmetricEn if cipher.OrganizationID != nil { return keyring.GetSymmetricKeyForOrganization(cipher.OrganizationID.String()) } - return keyring.AccountKey, nil + return keyring.GetAccountKey(), nil } diff --git a/agent/config/config.go b/agent/config/config.go index fe15453..d70dc14 100644 --- a/agent/config/config.go 
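Review bot: `UnlockWithAccountKey` sets `isLocked = false` unconditionally, so a nil key (including a typed-nil pointer stored in the `SymmetricEncryptionKey` interface) leaves `IsLocked()` false while `GetAccountKey()` returns nil, whereas the two constructors derive the flag from `accountKey == nil`. Mirror the constructors with `keyring.isLocked = accountKey == nil`, noting that this interface comparison still does not catch a typed-nil pointer, so callers holding a concrete pointer should check it before wrapping. `GetAccountKey` also deserves a doc comment such as `// GetAccountKey returns the account key, or nil after Lock(); callers must check IsLocked first.`, since the callers in models.go and ssh/keys.go use the result without checking. GetSymmetricKeyForOrganization continues past the end of the hunk.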
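Review bot: `keyring.GetAccountKey()` is returned with a nil error even when the keyring is locked, so a caller of GetKeyForCipher gets a nil key and no signal, while the organization branch at least surfaces the error from GetSymmetricKeyForOrganization. Guard it first: `if keyring.IsLocked() { return nil, errors.New("keyring is locked") }` (models.go needs `errors` imported if it is not already). The result list in the function signature is cut off in the hunk header, so the nil return assumes the first result is the interface type.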
+++ b/agent/config/config.go @@ -441,7 +441,7 @@ func (cfg *Config) TryUnlock(vault *vault.Vault) error { if err != nil { return err } - vault.Keyring.AccountKey = key + vault.Keyring.UnlockWithAccountKey(key) } else { cfg.Lock() return err diff --git a/agent/ssh/keys.go b/agent/ssh/keys.go index ead979c..235a3f0 100644 --- a/agent/ssh/keys.go +++ b/agent/ssh/keys.go 
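Review bot: `vault.Keyring.UnlockWithAccountKey(key)` restores only the account key, while `Lock()` in keyring.go also clears `AsymmetricEncyryptionKey` and `OrganizationKeys`; unless the part of TryUnlock outside this hunk rebuilds them, organization ciphers will fail to decrypt after an unlock even though `IsLocked()` reports false. If that is not done elsewhere, call `crypto.InitKeyringFromUserSymmetricKey` with the stored encrypted private key and organization keys instead of the bare unlock, so the unlock path and the login path produce the same keyring state. TryUnlock starts before this hunk and its remaining branches continue after it.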
@@ -30,13 +30,13 @@ func NewSSHKeyCipher(name string, keyring *crypto.Keyring) (models.Cipher, strin privatePEM := pem.EncodeToMemory(&privBlock) publicKey, err := ssh.NewPublicKey(pub) - encryptedName, _ := crypto.EncryptWith([]byte(name), crypto.AesCbc256_HmacSha256_B64, keyring.AccountKey) - encryptedPublicKeyKey, _ := crypto.EncryptWith([]byte("public-key"), crypto.AesCbc256_HmacSha256_B64, keyring.AccountKey) - encryptedPublicKeyValue, _ := crypto.EncryptWith([]byte(string(ssh.MarshalAuthorizedKey(publicKey))), crypto.AesCbc256_HmacSha256_B64, keyring.AccountKey) - encryptedCustomTypeKey, _ := crypto.EncryptWith([]byte("custom-type"), crypto.AesCbc256_HmacSha256_B64, keyring.AccountKey) - encryptedCustomTypeValue, _ := crypto.EncryptWith([]byte("ssh-key"), crypto.AesCbc256_HmacSha256_B64, keyring.AccountKey) - encryptedPrivateKeyKey, _ := crypto.EncryptWith([]byte("private-key"), crypto.AesCbc256_HmacSha256_B64, keyring.AccountKey) - encryptedPrivateKeyValue, _ := crypto.EncryptWith(privatePEM, crypto.AesCbc256_HmacSha256_B64, keyring.AccountKey) + encryptedName, _ := crypto.EncryptWith([]byte(name), crypto.AesCbc256_HmacSha256_B64, keyring.GetAccountKey()) + encryptedPublicKeyKey, _ := crypto.EncryptWith([]byte("public-key"), crypto.AesCbc256_HmacSha256_B64, keyring.GetAccountKey()) + encryptedPublicKeyValue, _ := crypto.EncryptWith([]byte(string(ssh.MarshalAuthorizedKey(publicKey))), crypto.AesCbc256_HmacSha256_B64, keyring.GetAccountKey()) + encryptedCustomTypeKey, _ := crypto.EncryptWith([]byte("custom-type"), crypto.AesCbc256_HmacSha256_B64, keyring.GetAccountKey()) + encryptedCustomTypeValue, _ := crypto.EncryptWith([]byte("ssh-key"), crypto.AesCbc256_HmacSha256_B64, keyring.GetAccountKey()) + encryptedPrivateKeyKey, _ := crypto.EncryptWith([]byte("private-key"), crypto.AesCbc256_HmacSha256_B64, keyring.GetAccountKey()) + encryptedPrivateKeyValue, _ := crypto.EncryptWith(privatePEM, crypto.AesCbc256_HmacSha256_B64, keyring.GetAccountKey()) cipher := 
models.Cipher{ Type: models.CipherNote,
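Review bot: all seven `crypto.EncryptWith` results discard their error with `_`, so if `keyring.GetAccountKey()` returns nil (locked keyring) or encryption otherwise fails, a cipher with empty fields — including the private key — is returned as if it were valid; the `err` from `ssh.NewPublicKey(pub)` is likewise not checked before `ssh.MarshalAuthorizedKey(publicKey)` in the visible lines. Fetch the key once, guard it, and propagate every error. The function's result list is cut off in the hunk header, so the early returns below assume it ends in `error` (and `errors` must be imported); the cipher literal continues past the hunk.
```go
publicKey, err := ssh.NewPublicKey(pub)
if err != nil {
	return models.Cipher{}, "", err // adjust to the real result list
}
accountKey := keyring.GetAccountKey()
if accountKey == nil {
	return models.Cipher{}, "", errors.New("keyring is locked")
}
encryptedName, err := crypto.EncryptWith([]byte(name), crypto.AesCbc256_HmacSha256_B64, accountKey)
if err != nil {
	return models.Cipher{}, "", err
}
// … same check for the other six EncryptWith calls (public-key, custom-type and private-key pairs) …
// … unchanged: cipher := models.Cipher{ … } …
```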