diff --git a/agent/actions/actions.go b/agent/actions/actions.go index 961e30c..7fa2ab8 100644 --- a/agent/actions/actions.go +++ b/agent/actions/actions.go @@ -56,7 +56,16 @@ func sync(ctx context.Context, vault *vault.Vault, cfg *config.Config) bool { if err != nil { return false } - protectedUserSymetricKey, err := crypto.SymmetricEncryptionKeyFromBytes(userSymmetricKey) + + var protectedUserSymetricKey crypto.SymmetricEncryptionKey + if vault.Keyring.IsMemguard { + protectedUserSymetricKey, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(userSymmetricKey) + } else { + protectedUserSymetricKey, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userSymmetricKey) + } + if err != nil { + return false + } err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, cfg, &protectedUserSymetricKey, true) if err != nil { diff --git a/agent/actions/login.go b/agent/actions/login.go index a751a15..4398036 100644 --- a/agent/actions/login.go +++ b/agent/actions/login.go @@ -92,7 +92,12 @@ func handleLogin(msg messages.IPCMessage, cfg *config.Config, vault *vault.Vault cfg.SetUserSymmetricKey(vault.Keyring.AccountKey.Bytes()) cfg.SetMasterPasswordHash([]byte(masterpasswordHash)) cfg.SetMasterKey([]byte(masterKey.GetBytes())) - protectedUserSymetricKey, err := crypto.SymmetricEncryptionKeyFromBytes(vault.Keyring.AccountKey.Bytes()) + var protectedUserSymetricKey crypto.SymmetricEncryptionKey + if vault.Keyring.IsMemguard { + protectedUserSymetricKey, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(vault.Keyring.AccountKey.Bytes()) + } else { + protectedUserSymetricKey, err = crypto.MemorySymmetricEncryptionKeyFromBytes(vault.Keyring.AccountKey.Bytes()) + } if err != nil { var payload = messages.ActionResponse{ Success: false, diff --git a/agent/actions/vault.go b/agent/actions/vault.go index a035f68..57bf923 100644 --- a/agent/actions/vault.go +++ b/agent/actions/vault.go @@ -64,10 +64,17 @@ func handleUnlockVault(request messages.IPCMessage, cfg *config.Config, vault *v if err != nil { fmt.Println(err) } - safeUserSymmkey, err := crypto.SymmetricEncryptionKeyFromBytes(userSymmkey) + + var safeUserSymmkey crypto.SymmetricEncryptionKey + if vault.Keyring.IsMemguard { + safeUserSymmkey, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(userSymmkey) + } else { + safeUserSymmkey, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userSymmkey) + } if err != nil { fmt.Println(err) } + err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, cfg, &safeUserSymmkey, true) if err != nil { fmt.Println(err) diff --git a/agent/bitwarden/auth.go b/agent/bitwarden/auth.go index 15f3617..d7ee9f5 100644 --- a/agent/bitwarden/auth.go +++ b/agent/bitwarden/auth.go @@ -127,7 +127,7 @@ func LoginWithDevice(ctx context.Context, email string, cfg *config.Config, vaul for i := 0; i < 25; i++ { accessCode += string(alphabet[rand.Intn(len(alphabet))]) } - publicKey, err := crypto.GenerateAsymmetric() + publicKey, err := crypto.GenerateAsymmetric(vault.Keyring.IsMemguard) if err != nil { return LoginResponseToken{}, crypto.MasterKey{}, "", err } diff --git a/agent/bitwarden/crypto/crypto.go b/agent/bitwarden/crypto/crypto.go index 42437e5..e1f37e6 100644 --- a/agent/bitwarden/crypto/crypto.go +++ b/agent/bitwarden/crypto/crypto.go @@ -18,24 +18,51 @@ import ( var b64enc = base64.StdEncoding.Strict() -type SymmetricEncryptionKey struct { +type SymmetricEncryptionKey interface { + Bytes() []byte + EncryptionKeyBytes() ([]byte, error) + MacKeyBytes() ([]byte, error) +} + +type MemorySymmetricEncryptionKey struct { + encKey []byte + macKey []byte +} + +type MemguardSymmetricEncryptionKey struct { encKey *memguard.Enclave macKey *memguard.Enclave } -type AsymmetricEncryptionKey struct { +type AsymmetricEncryptionKey interface { + PublicBytes() []byte + PrivateBytes() ([]byte, error) +} + +type MemoryAsymmetricEncryptionKey struct { + encKey []byte +} + +type MemguardAsymmetricEncryptionKey struct { encKey *memguard.Enclave } -func SymmetricEncryptionKeyFromBytes(key []byte) (SymmetricEncryptionKey, error) { +func MemguardSymmetricEncryptionKeyFromBytes(key []byte) (MemguardSymmetricEncryptionKey, error) { if len(key) != 64 { memguard.WipeBytes(key) - return SymmetricEncryptionKey{}, fmt.Errorf("invalid key length: %d", len(key)) + return MemguardSymmetricEncryptionKey{}, fmt.Errorf("invalid key length: %d", len(key)) } - return SymmetricEncryptionKey{memguard.NewEnclave(key[0:32]), memguard.NewEnclave(key[32:64])}, nil + return MemguardSymmetricEncryptionKey{memguard.NewEnclave(key[0:32]), memguard.NewEnclave(key[32:64])}, nil } -func (key SymmetricEncryptionKey) Bytes() []byte { +func MemorySymmetricEncryptionKeyFromBytes(key []byte) (MemorySymmetricEncryptionKey, error) { + if len(key) != 64 { + return MemorySymmetricEncryptionKey{}, fmt.Errorf("invalid key length: %d", len(key)) + } + return MemorySymmetricEncryptionKey{encKey: key[0:32], macKey: key[32:64]}, nil +} + +func (key MemguardSymmetricEncryptionKey) Bytes() []byte { k1, err := key.encKey.Open() if err != nil { panic(err) @@ -50,12 +77,61 @@ func (key SymmetricEncryptionKey) Bytes() []byte { return keyBytes } -func AssymmetricEncryptionKeyFromBytes(key []byte) (AsymmetricEncryptionKey, error) { - k := memguard.NewEnclave(key) - return AsymmetricEncryptionKey{k}, nil +func (key MemorySymmetricEncryptionKey) Bytes() []byte { + keyBytes := make([]byte, 64) + copy(keyBytes[0:32], key.encKey) + copy(keyBytes[32:64], key.macKey) + return keyBytes } -func (key AsymmetricEncryptionKey) PublicBytes() []byte { +func (key MemorySymmetricEncryptionKey) EncryptionKeyBytes() ([]byte, error) { + return key.encKey, nil +} + +func (key MemguardSymmetricEncryptionKey) EncryptionKeyBytes() ([]byte, error) { + k, err := key.encKey.Open() + if err != nil { + return nil, err + } + keyBytes := make([]byte, 32) + copy(keyBytes, k.Bytes()) + return keyBytes, nil +} + +func (key MemorySymmetricEncryptionKey) MacKeyBytes() ([]byte, error) { + return key.macKey, nil +} + +func (key MemguardSymmetricEncryptionKey) MacKeyBytes() ([]byte, error) { + k, err := key.macKey.Open() + if err != nil { + return nil, err + } + keyBytes := make([]byte, 32) + copy(keyBytes, k.Bytes()) + return keyBytes, nil +} + +func MemoryAssymmetricEncryptionKeyFromBytes(key []byte) (MemoryAsymmetricEncryptionKey, error) { + return MemoryAsymmetricEncryptionKey{key}, nil +} + +func MemguardAssymmetricEncryptionKeyFromBytes(key []byte) (MemguardAsymmetricEncryptionKey, error) { + k := memguard.NewEnclave(key) + return MemguardAsymmetricEncryptionKey{k}, nil +} + +func (key MemoryAsymmetricEncryptionKey) PublicBytes() []byte { + privateKey, err := x509.ParsePKCS8PrivateKey(key.encKey) + pub := (privateKey.(*rsa.PrivateKey)).Public() + publicKeyBytes, err := x509.MarshalPKIXPublicKey(pub) + if err != nil { + panic(err) + } + return publicKeyBytes +} + +func (key MemguardAsymmetricEncryptionKey) PublicBytes() []byte { buffer, err := key.encKey.Open() if err != nil { panic(err) @@ -69,6 +145,18 @@ func (key AsymmetricEncryptionKey) PublicBytes() []byte { return publicKeyBytes } +func (key MemoryAsymmetricEncryptionKey) PrivateBytes() ([]byte, error) { + return key.encKey, nil +} + +func (key MemguardAsymmetricEncryptionKey) PrivateBytes() ([]byte, error) { + buffer, err := key.encKey.Open() + if err != nil { + return nil, err + } + return buffer.Bytes(), nil +} + func isMacValid(message, messageMAC, key []byte) bool { mac := hmac.New(sha256.New, key) mac.Write(message) diff --git a/agent/bitwarden/crypto/encstring.go b/agent/bitwarden/crypto/encstring.go index b25cb1c..3c297a1 100644 --- a/agent/bitwarden/crypto/encstring.go +++ b/agent/bitwarden/crypto/encstring.go @@ -15,6 +15,8 @@ import ( "fmt" "io" "strconv" + + "github.com/awnumar/memguard" ) type EncString struct { @@ -121,16 +123,13 @@ func b64encode(src []byte) []byte { } func DecryptWith(s EncString, key SymmetricEncryptionKey) ([]byte, error) { - encKeyData, err := key.encKey.Open() - if err != nil { - return nil, err - } - macKeyData, err := key.macKey.Open() + encKeyData, err := key.MacKeyBytes() + macKeyData, err := key.MacKeyBytes() if err != nil { return nil, err } - block, err := aes.NewCipher(encKeyData.Data()) + block, err := aes.NewCipher(encKeyData) if err != nil { return nil, err } @@ -143,13 +142,13 @@ func DecryptWith(s EncString, key SymmetricEncryptionKey) ([]byte, error) { } if s.Type == AesCbc256_HmacSha256_B64 { - if len(s.MAC) == 0 || len(macKeyData.Data()) == 0 { + if len(s.MAC) == 0 || len(macKeyData) == 0 { return nil, fmt.Errorf("decrypt: cipher string type expects a MAC") } var msg []byte msg = append(msg, s.IV...) msg = append(msg, s.CT...) - if !isMacValid(msg, s.MAC, macKeyData.Data()) { + if !isMacValid(msg, s.MAC, macKeyData) { return nil, fmt.Errorf("decrypt: MAC mismatch") } } @@ -165,14 +164,8 @@ func DecryptWith(s EncString, key SymmetricEncryptionKey) ([]byte, error) { } func EncryptWith(data []byte, typ EncStringType, key SymmetricEncryptionKey) (EncString, error) { - encKeyData, err := key.encKey.Open() - if err != nil { - return EncString{}, err - } - macKeyData, err := key.macKey.Open() - if err != nil { - return EncString{}, err - } + encKeyData, err := key.EncryptionKeyBytes() + macKeyData, err := key.MacKeyBytes() s := EncString{} switch typ { @@ -183,7 +176,7 @@ func EncryptWith(data []byte, typ EncStringType, key SymmetricEncryptionKey) (En s.Type = typ data = padPKCS7(data, aes.BlockSize) - block, err := aes.NewCipher(encKeyData.Bytes()) + block, err := aes.NewCipher(encKeyData) if err != nil { return s, err } @@ -196,13 +189,13 @@ func EncryptWith(data []byte, typ EncStringType, key SymmetricEncryptionKey) (En mode.CryptBlocks(s.CT, data) if typ == AesCbc256_HmacSha256_B64 { - if len(macKeyData.Bytes()) == 0 { + if len(macKeyData) == 0 { return s, fmt.Errorf("encrypt: cipher string type expects a MAC") } var macMessage []byte macMessage = append(macMessage, s.IV...) macMessage = append(macMessage, s.CT...) - mac := hmac.New(sha256.New, macKeyData.Bytes()) + mac := hmac.New(sha256.New, macKeyData) mac.Write(macMessage) s.MAC = mac.Sum(nil) } @@ -210,27 +203,31 @@ func EncryptWith(data []byte, typ EncStringType, key SymmetricEncryptionKey) (En return s, nil } -func GenerateAsymmetric() (AsymmetricEncryptionKey, error) { +func GenerateAsymmetric(useMemguard bool) (AsymmetricEncryptionKey, error) { key, err := rsa.GenerateKey(rand.Reader, 2048) if err != nil { - return AsymmetricEncryptionKey{}, err + return MemoryAsymmetricEncryptionKey{}, err } encKey, err := x509.MarshalPKCS8PrivateKey(key) if err != nil { - return AsymmetricEncryptionKey{}, err + return MemoryAsymmetricEncryptionKey{}, err } - return AssymmetricEncryptionKeyFromBytes(encKey) + if useMemguard { + return MemguardAsymmetricEncryptionKey{memguard.NewEnclave(encKey)}, nil + } else { + return MemoryAsymmetricEncryptionKey{encKey}, nil + } } func DecryptWithAsymmetric(s []byte, asymmetrickey AsymmetricEncryptionKey) ([]byte, error) { - key, err := asymmetrickey.encKey.Open() + key, err := asymmetrickey.PrivateBytes() if err != nil { return nil, err } - parsedKey, err := x509.ParsePKCS8PrivateKey(key.Bytes()) + parsedKey, err := x509.ParsePKCS8PrivateKey(key) if err != nil { return nil, err } @@ -248,12 +245,12 @@ func DecryptWithAsymmetric(s []byte, asymmetrickey AsymmetricEncryptionKey) ([]b } func EncryptWithAsymmetric(s []byte, asymmbetrickey AsymmetricEncryptionKey) ([]byte, error) { - key, err := asymmbetrickey.encKey.Open() + key, err := asymmbetrickey.PrivateBytes() if err != nil { return nil, err } - parsedKey, err := x509.ParsePKIXPublicKey(key.Bytes()) + parsedKey, err := x509.ParsePKIXPublicKey(key) if err != nil { return nil, err } diff --git a/agent/bitwarden/crypto/keyhierarchy.go b/agent/bitwarden/crypto/keyhierarchy.go index 170fbcf..7deb82f 100644 --- a/agent/bitwarden/crypto/keyhierarchy.go +++ b/agent/bitwarden/crypto/keyhierarchy.go @@ -23,7 +23,7 @@ func InitKeyringFromMasterKey(keyring *Keyring, accountKey EncString, accountPri switch accountKey.Type { case AesCbc256_HmacSha256_B64: - stretchedMasterKey, err := stretchKey(masterKey) + stretchedMasterKey, err := stretchKey(masterKey, keyring.IsMemguard) if err != nil { return err } @@ -36,43 +36,56 @@ func InitKeyringFromMasterKey(keyring *Keyring, accountKey EncString, accountPri return fmt.Errorf("unsupported account key type: %d", accountKey.Type) } - accountSymmetricKey, err := SymmetricEncryptionKeyFromBytes(accountSymmetricKeyByteArray) + var accountSymmetricKey SymmetricEncryptionKey + var err error + if keyring.IsMemguard { + accountSymmetricKey, err = MemguardSymmetricEncryptionKeyFromBytes(accountSymmetricKeyByteArray) + } else { + accountSymmetricKey, err = MemorySymmetricEncryptionKeyFromBytes(accountSymmetricKeyByteArray) + } if err != nil { return err } - keyring.AccountKey = &accountSymmetricKey + keyring.AccountKey = accountSymmetricKey pkcs8PrivateKey, err := DecryptWith(accountPrivateKey, accountSymmetricKey) if err != nil { return err } - keyring.AsymmetricEncyryptionKey = AsymmetricEncryptionKey{memguard.NewEnclave(pkcs8PrivateKey)} + if keyring.IsMemguard { + keyring.AsymmetricEncyryptionKey = MemguardAsymmetricEncryptionKey{memguard.NewEnclave(pkcs8PrivateKey)} + } else { + keyring.AsymmetricEncyryptionKey = MemoryAsymmetricEncryptionKey{pkcs8PrivateKey} + } keyring.OrganizationKeys = orgKeys return nil } func InitKeyringFromUserSymmetricKey(keyring *Keyring, accountSymmetricKey SymmetricEncryptionKey, accountPrivateKey EncString, orgKeys map[string]string) error { - keyring.AccountKey = &accountSymmetricKey - + keyring.AccountKey = accountSymmetricKey pkcs8PrivateKey, err := DecryptWith(accountPrivateKey, accountSymmetricKey) if err != nil { return err } - keyring.AsymmetricEncyryptionKey = AsymmetricEncryptionKey{memguard.NewEnclave(pkcs8PrivateKey)} + if keyring.IsMemguard { + keyring.AsymmetricEncyryptionKey = MemguardAsymmetricEncryptionKey{memguard.NewEnclave(pkcs8PrivateKey)} + } else { + keyring.AsymmetricEncyryptionKey = MemoryAsymmetricEncryptionKey{pkcs8PrivateKey} + } keyring.OrganizationKeys = orgKeys return nil } -func stretchKey(masterKey MasterKey) (SymmetricEncryptionKey, error) { +func stretchKey(masterKey MasterKey, useMemguard bool) (SymmetricEncryptionKey, error) { key := make([]byte, 32) macKey := make([]byte, 32) buffer, err := masterKey.encKey.Open() if err != nil { - return SymmetricEncryptionKey{}, err + return MemorySymmetricEncryptionKey{}, err } var r io.Reader @@ -80,5 +93,10 @@ func stretchKey(masterKey MasterKey) (SymmetricEncryptionKey, error) { r.Read(key) r = hkdf.Expand(sha256.New, buffer.Data(), []byte("mac")) r.Read(macKey) - return SymmetricEncryptionKey{memguard.NewEnclave(key), memguard.NewEnclave(macKey)}, nil + + if useMemguard { + return MemguardSymmetricEncryptionKey{memguard.NewEnclave(key), memguard.NewEnclave(macKey)}, nil + } else { + return MemorySymmetricEncryptionKey{encKey: key, macKey: macKey}, nil + } } diff --git a/agent/bitwarden/crypto/keyring.go b/agent/bitwarden/crypto/keyring.go index 34aae83..73d8d6d 100644 --- a/agent/bitwarden/crypto/keyring.go +++ b/agent/bitwarden/crypto/keyring.go @@ -5,12 +5,19 @@ import ( ) type Keyring struct { - AccountKey *SymmetricEncryptionKey + AccountKey SymmetricEncryptionKey AsymmetricEncyryptionKey AsymmetricEncryptionKey + IsMemguard bool OrganizationKeys map[string]string } -func NewKeyring(accountKey *SymmetricEncryptionKey) Keyring { +func NewMemoryKeyring(accountKey *MemorySymmetricEncryptionKey) Keyring { + return Keyring{ + AccountKey: accountKey, + } +} + +func NewMemguardKeyring(accountKey *MemguardSymmetricEncryptionKey) Keyring { return Keyring{ AccountKey: accountKey, } @@ -22,7 +29,7 @@ func (keyring Keyring) IsLocked() bool { func (keyring *Keyring) Lock() { keyring.AccountKey = nil - keyring.AsymmetricEncyryptionKey = AsymmetricEncryptionKey{} + keyring.AsymmetricEncyryptionKey = MemoryAsymmetricEncryptionKey{} keyring.OrganizationKeys = nil } @@ -30,10 +37,10 @@ func (keyring *Keyring) GetSymmetricKeyForOrganization(uuid string) (SymmetricEn if key, ok := keyring.OrganizationKeys[uuid]; ok { decryptedOrgKey, err := DecryptWithAsymmetric([]byte(key), keyring.AsymmetricEncyryptionKey) if err != nil { - return SymmetricEncryptionKey{}, err + return MemorySymmetricEncryptionKey{}, err } - return SymmetricEncryptionKeyFromBytes(decryptedOrgKey) + return MemorySymmetricEncryptionKeyFromBytes(decryptedOrgKey) } - return SymmetricEncryptionKey{}, errors.New("no key found for organization") + return MemorySymmetricEncryptionKey{}, errors.New("no key found for organization") } diff --git a/agent/bitwarden/models/models.go b/agent/bitwarden/models/models.go index 231d23e..6bcc327 100644 --- a/agent/bitwarden/models/models.go +++ b/agent/bitwarden/models/models.go @@ -150,5 +150,5 @@ func (cipher Cipher) GetKeyForCipher(keyring crypto.Keyring) (crypto.SymmetricEn if cipher.OrganizationID != nil { return keyring.GetSymmetricKeyForOrganization(cipher.OrganizationID.String()) } - return *keyring.AccountKey, nil + return keyring.AccountKey, nil } diff --git a/agent/bitwarden/passwordless.go b/agent/bitwarden/passwordless.go index 40c7062..5029211 100644 --- a/agent/bitwarden/passwordless.go +++ b/agent/bitwarden/passwordless.go @@ -69,7 +69,7 @@ func CreateAuthResponse(ctx context.Context, authRequest AuthRequestData, keyrin //} publicKey, err := base64.StdEncoding.DecodeString(authRequest.PublicKey) - requesterKey, err := crypto.AssymmetricEncryptionKeyFromBytes(publicKey) + requesterKey, err := crypto.MemoryAssymmetricEncryptionKeyFromBytes(publicKey) encryptedUserSymmetricKey, err := crypto.EncryptWithAsymmetric(userSymmetricKey, requesterKey) if err != nil { diff --git a/agent/config/config.go b/agent/config/config.go index c3e0400..a1c5064 100644 --- a/agent/config/config.go +++ b/agent/config/config.go @@ -43,6 +43,7 @@ type RuntimeConfig struct { User string Password string Pin string + UseMemguard bool } type ConfigFile struct { @@ -419,11 +420,17 @@ func (cfg *Config) TryUnlock(vault *vault.Vault) error { if cfg.IsLoggedIn() { userKey, err := cfg.GetUserSymmetricKey() if err == nil { - key, err := crypto.SymmetricEncryptionKeyFromBytes(userKey) + var key crypto.SymmetricEncryptionKey + var err error + if vault.Keyring.IsMemguard { + key, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(userKey) + } else { + key, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userKey) + } if err != nil { return err } - vault.Keyring.AccountKey = &key + vault.Keyring.AccountKey = key } else { cfg.Lock() return err diff --git a/agent/defaultmainloop.go b/agent/defaultmainloop.go index c90ef4e..ace84b0 100644 --- a/agent/defaultmainloop.go +++ b/agent/defaultmainloop.go @@ -1,4 +1,4 @@ -//go:build !windows && !darwin && !linux +//go:build (!windows && !darwin && !linux) || noautofill package agent diff --git a/agent/giouimainloop.go b/agent/giouimainloop.go index ee802bc..678e024 100644 --- a/agent/giouimainloop.go +++ b/agent/giouimainloop.go @@ -1,4 +1,4 @@ -//go:build windows || darwin || linux +//go:build (windows || darwin || linux) && !noautofill package agent diff --git a/agent/ssh/keys.go b/agent/ssh/keys.go index f1f1c33..ead979c 100644 --- a/agent/ssh/keys.go +++ b/agent/ssh/keys.go @@ -30,13 +30,13 @@ func NewSSHKeyCipher(name string, keyring *crypto.Keyring) (models.Cipher, strin privatePEM := pem.EncodeToMemory(&privBlock) publicKey, err := ssh.NewPublicKey(pub) - encryptedName, _ := crypto.EncryptWith([]byte(name), crypto.AesCbc256_HmacSha256_B64, *keyring.AccountKey) - encryptedPublicKeyKey, _ := crypto.EncryptWith([]byte("public-key"), crypto.AesCbc256_HmacSha256_B64, *keyring.AccountKey) - encryptedPublicKeyValue, _ := crypto.EncryptWith([]byte(string(ssh.MarshalAuthorizedKey(publicKey))), crypto.AesCbc256_HmacSha256_B64, *keyring.AccountKey) - encryptedCustomTypeKey, _ := crypto.EncryptWith([]byte("custom-type"), crypto.AesCbc256_HmacSha256_B64, *keyring.AccountKey) - encryptedCustomTypeValue, _ := crypto.EncryptWith([]byte("ssh-key"), crypto.AesCbc256_HmacSha256_B64, *keyring.AccountKey) - encryptedPrivateKeyKey, _ := crypto.EncryptWith([]byte("private-key"), crypto.AesCbc256_HmacSha256_B64, *keyring.AccountKey) - encryptedPrivateKeyValue, _ := crypto.EncryptWith(privatePEM, crypto.AesCbc256_HmacSha256_B64, *keyring.AccountKey) + encryptedName, _ := crypto.EncryptWith([]byte(name), crypto.AesCbc256_HmacSha256_B64, keyring.AccountKey) + encryptedPublicKeyKey, _ := crypto.EncryptWith([]byte("public-key"), crypto.AesCbc256_HmacSha256_B64, keyring.AccountKey) + encryptedPublicKeyValue, _ := crypto.EncryptWith([]byte(string(ssh.MarshalAuthorizedKey(publicKey))), crypto.AesCbc256_HmacSha256_B64, keyring.AccountKey) + encryptedCustomTypeKey, _ := crypto.EncryptWith([]byte("custom-type"), crypto.AesCbc256_HmacSha256_B64, keyring.AccountKey) + encryptedCustomTypeValue, _ := crypto.EncryptWith([]byte("ssh-key"), crypto.AesCbc256_HmacSha256_B64, keyring.AccountKey) + encryptedPrivateKeyKey, _ := crypto.EncryptWith([]byte("private-key"), crypto.AesCbc256_HmacSha256_B64, keyring.AccountKey) + encryptedPrivateKeyValue, _ := crypto.EncryptWith(privatePEM, crypto.AesCbc256_HmacSha256_B64, keyring.AccountKey) cipher := models.Cipher{ Type: models.CipherNote, diff --git a/agent/unixsocketagent.go b/agent/unixsocketagent.go index b4e48e1..1ee9232 100644 --- a/agent/unixsocketagent.go +++ b/agent/unixsocketagent.go @@ -99,8 +99,13 @@ type AgentState struct { func StartUnixAgent(path string, runtimeConfig config.RuntimeConfig) error { ctx := context.Background() - // check if exists - keyring := crypto.NewKeyring(nil) + var keyring crypto.Keyring + if runtimeConfig.UseMemguard { + keyring = crypto.NewMemguardKeyring(nil) + } else { + keyring = crypto.NewMemoryKeyring(nil) + } + var vault = vault.NewVault(&keyring) cfg, err := config.ReadConfig(runtimeConfig) if err != nil { @@ -137,7 +142,12 @@ func StartUnixAgent(path string, runtimeConfig config.RuntimeConfig) error { time.Sleep(60 * time.Second) continue } - protectedUserSymetricKey, err := crypto.SymmetricEncryptionKeyFromBytes(userSymmetricKey) + var protectedUserSymetricKey crypto.SymmetricEncryptionKey + if vault.Keyring.IsMemguard { + protectedUserSymetricKey, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(userSymmetricKey) + } else { + protectedUserSymetricKey, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userSymmetricKey) + } err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, &cfg, &protectedUserSymetricKey, true) if err != nil { @@ -170,7 +180,12 @@ func StartUnixAgent(path string, runtimeConfig config.RuntimeConfig) error { if err != nil { fmt.Println(err) } - protectedUserSymetricKey, err := crypto.SymmetricEncryptionKeyFromBytes(userSymmetricKey) + var protectedUserSymetricKey crypto.SymmetricEncryptionKey + if vault.Keyring.IsMemguard { + protectedUserSymetricKey, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(userSymmetricKey) + } else { + protectedUserSymetricKey, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userSymmetricKey) + } err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, &cfg, &protectedUserSymetricKey, true) if err != nil { diff --git a/agent/virtualagent.go b/agent/virtualagent.go index f8b3e33..642a457 100644 --- a/agent/virtualagent.go +++ b/agent/virtualagent.go @@ -74,8 +74,13 @@ func serveVirtualAgent(recv chan []byte, send chan []byte, ctx context.Context, func StartVirtualAgent(runtimeConfig config.RuntimeConfig) (chan []byte, chan []byte) { ctx := context.Background() - // check if exists - keyring := crypto.NewKeyring(nil) + var keyring crypto.Keyring + if runtimeConfig.UseMemguard { + keyring = crypto.NewMemguardKeyring(nil) + } else { + keyring = crypto.NewMemoryKeyring(nil) + } + var vault = vault.NewVault(&keyring) cfg, err := config.ReadConfig(runtimeConfig) if err != nil { @@ -106,7 +111,12 @@ func StartVirtualAgent(runtimeConfig config.RuntimeConfig) (chan []byte, chan [] if err != nil { fmt.Println(err) } - protectedUserSymetricKey, err := crypto.SymmetricEncryptionKeyFromBytes(userSymmetricKey) + var protectedUserSymetricKey crypto.SymmetricEncryptionKey + if keyring.IsMemguard { + protectedUserSymetricKey, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(userSymmetricKey) + } else { + protectedUserSymetricKey, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userSymmetricKey) + } err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, &cfg, &protectedUserSymetricKey, true) if err != nil { diff --git a/main.go b/main.go index e65aa5f..495c347 100644 --- a/main.go +++ b/main.go @@ -38,6 +38,7 @@ func main() { User: os.Getenv("GOLDWARDEN_AUTH_USER"), Password: os.Getenv("GOLDWARDEN_AUTH_PASSWORD"), Pin: os.Getenv("GOLDWARDEN_PIN"), + UseMemguard: os.Getenv("GOLDWARDEN_NO_MEMGUARD") != "true", ConfigDirectory: configPath, }