// encryptRSARecord takes an RSA private key and encrypts it with // a password key func encryptRSARecord(newRec *PasswordRecord, rsaPriv *rsa.PrivateKey, passKey []byte) (err error) { if newRec.RSAKey.RSAExpIV, err = symcrypt.MakeRandom(16); err != nil { return } paddedExponent := padding.AddPadding(rsaPriv.D.Bytes()) if newRec.RSAKey.RSAExp, err = symcrypt.EncryptCBC(paddedExponent, newRec.RSAKey.RSAExpIV, passKey); err != nil { return } if newRec.RSAKey.RSAPrimePIV, err = symcrypt.MakeRandom(16); err != nil { return } paddedPrimeP := padding.AddPadding(rsaPriv.Primes[0].Bytes()) if newRec.RSAKey.RSAPrimeP, err = symcrypt.EncryptCBC(paddedPrimeP, newRec.RSAKey.RSAPrimePIV, passKey); err != nil { return } if newRec.RSAKey.RSAPrimeQIV, err = symcrypt.MakeRandom(16); err != nil { return } paddedPrimeQ := padding.AddPadding(rsaPriv.Primes[1].Bytes()) newRec.RSAKey.RSAPrimeQ, err = symcrypt.EncryptCBC(paddedPrimeQ, newRec.RSAKey.RSAPrimeQIV, passKey) return }
// Encrypt secures and authenticates its input using the public key // using ECDHE with AES-128-CBC-HMAC-SHA1. func Encrypt(pub *ecdsa.PublicKey, in []byte) (out []byte, err error) { ephemeral, err := ecdsa.GenerateKey(Curve(), rand.Reader) if err != nil { return } x, _ := pub.Curve.ScalarMult(pub.X, pub.Y, ephemeral.D.Bytes()) if x == nil { return nil, errors.New("Failed to generate encryption key") } shared := sha256.Sum256(x.Bytes()) iv, err := symcrypt.MakeRandom(16) if err != nil { return } paddedIn := padding.AddPadding(in) ct, err := symcrypt.EncryptCBC(paddedIn, iv, shared[:16]) if err != nil { return } ephPub := elliptic.Marshal(pub.Curve, ephemeral.PublicKey.X, ephemeral.PublicKey.Y) out = make([]byte, 1+len(ephPub)+16) out[0] = byte(len(ephPub)) copy(out[1:], ephPub) copy(out[1+len(ephPub):], iv) out = append(out, ct...) h := hmac.New(sha1.New, shared[16:]) h.Write(iv) h.Write(ct) out = h.Sum(out) return }
// encryptECCRecord takes an ECDSA private key and encrypts it with // a password key. func encryptECCRecord(newRec *PasswordRecord, ecPriv *ecdsa.PrivateKey, passKey []byte) (err error) { ecX509, err := x509.MarshalECPrivateKey(ecPriv) if err != nil { return } if newRec.ECKey.ECPrivIV, err = symcrypt.MakeRandom(16); err != nil { return } paddedX509 := padding.AddPadding(ecX509) newRec.ECKey.ECPriv, err = symcrypt.EncryptCBC(paddedX509, newRec.ECKey.ECPrivIV, passKey) return }
func TestUsesFlush(t *testing.T) { // Initialize passvault with one dummy user. records, err := passvault.InitFrom("memory") if err != nil { t.Fatalf("%v", err) } pr, err := records.AddNewRecord("user", "weakpassword", true, passvault.DefaultRecordType) if err != nil { t.Fatalf("%v", err) } // Initialize keycache and delegate the user's key to it. cache := NewCache() err = cache.AddKeyFromRecord(pr, "user", "weakpassword", nil, nil, 2, "", "1h") if err != nil { t.Fatalf("%v", err) } cache.Refresh() if len(cache.UserKeys) != 1 { t.Fatalf("Error in number of live keys") } // Generate a random symmetric key, encrypt a blank block with it, and encrypt // the key itself with the user's public key. dummy := make([]byte, 16) key, err := symcrypt.MakeRandom(16) if err != nil { t.Fatalf("%v", err) } encKey, err := symcrypt.EncryptCBC(dummy, dummy, key) if err != nil { t.Fatalf("%v", err) } pubEncryptedKey, err := pr.EncryptKey(key) if err != nil { t.Fatalf("%v", err) } key2, err := cache.DecryptKey(encKey, "user", "anybody", []string{}, pubEncryptedKey) if err != nil { t.Fatalf("%v", err) } if bytes.Equal(key, key2) { t.Fatalf("cache.DecryptKey didnt decrypt the right key!") } // Second decryption allowed. _, err = cache.DecryptKey(encKey, "user", "anybody else", []string{}, pubEncryptedKey) if err != nil { t.Fatalf("%v", err) } if len(cache.UserKeys) != 0 { t.Fatalf("Error in number of live keys %v", cache.UserKeys) } }