hatter/tiny-encrypt-rs
1
1
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

feat: v1.2.0, support macos secure enclave

Browse Source
This commit is contained in:
Hatter Jiang
2023-12-09 13:58:30 +08:00
parent a8b2fc62b8
commit 42bc09fe07
9 changed files with 79 additions and 71 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
src/cmd_decrypt.rs
View File

@@ -32,6 +32,8 @@ use crate::util::SecVec;
use crate::util_digest::DigestWrite;
#[cfg(feature = "macos")]
use crate::util_keychainstatic;
#[cfg(feature = "secure-enclave")]
use crate::util_keychainkey;
use crate::util_progress::Progress;
use crate::wrap_key::WrapKey;
@@ -435,6 +437,8 @@ pub fn try_decrypt_key(config: &Option<TinyEncryptConfig>,
#[cfg(feature = "macos")]
TinyEncryptEnvelopType::StaticX25519 => try_decrypt_key_ecdh_static_x25519(config, envelop),
TinyEncryptEnvelopType::Ecdh | TinyEncryptEnvelopType::EcdhP384 => try_decrypt_key_ecdh(config, envelop, pin, slot),
#[cfg(feature = "secure-enclave")]
TinyEncryptEnvelopType::KeyP256 => try_decrypt_se_key_ecdh(config, envelop),
unknown_type => simple_error!("Unknown or unsupported type: {}", unknown_type.get_name()),
}
}
@@ -479,6 +483,39 @@ fn try_decrypt_key_ecdh(config: &Option<TinyEncryptConfig>,
Ok(decrypted_key)
}
#[cfg(feature = "secure-enclave")]
fn try_decrypt_se_key_ecdh(config: &Option<TinyEncryptConfig>,
envelop: &TinyEncryptEnvelop) -> XResult<Vec<u8>> {
let wrap_key = WrapKey::parse(&envelop.encrypted_key)?;
let cryptor = match wrap_key.header.enc.as_str() {
ENC_AES256_GCM_P256 => Cryptor::Aes256Gcm,
ENC_CHACHA20_POLY1305_P256 => Cryptor::ChaCha20Poly1305,
_ => return simple_error!("Unsupported header enc: {}", &wrap_key.header.enc),
};
let e_pub_key_bytes = wrap_key.header.get_e_pub_key_bytes()?;
let config = opt_value_result!(config, "Tiny encrypt config is not found");
let config_envelop = opt_value_result!(
config.find_by_kid(&envelop.kid), "Cannot find config for: {}", &envelop.kid);
let config_envelop_args = opt_value_result!(&config_envelop.args, "No arguments found for: {}", &envelop.kid);
if config_envelop_args.is_empty() {
return simple_error!("Not enough arguments for: {}", &envelop.kid);
}
let private_key_base64 = &config_envelop_args[0];
let shared_secret = opt_result!(util_keychainkey::decrypt_data(
private_key_base64,
&e_pub_key_bytes
), "Decrypt via secure enclave failed: {}");
let key = util::simple_kdf(shared_secret.as_slice());
let key_nonce = KeyNonce { k: &key, n: &wrap_key.nonce };
let decrypted_key = crypto_simple::decrypt(
cryptor, &key_nonce, &wrap_key.encrypted_data)?;
util::zeroize(key);
util::zeroize(shared_secret);
Ok(decrypted_key)
}
fn try_decrypt_key_ecdh_pgp_x25519(envelop: &TinyEncryptEnvelop, pin: &Option<String>) -> XResult<Vec<u8>> {
let wrap_key = WrapKey::parse(&envelop.encrypted_key)?;
let cryptor = match wrap_key.header.enc.as_str() {

2
src/cmd_encrypt.rs
View File

@@ -271,7 +271,7 @@ fn encrypt_envelops(cryptor: Cryptor, key: &[u8], envelops: &[&TinyEncryptConfig
TinyEncryptEnvelopType::PgpX25519 | TinyEncryptEnvelopType::StaticX25519 => {
encrypted_envelops.push(encrypt_envelop_ecdh_x25519(cryptor, key, envelop)?);
}
TinyEncryptEnvelopType::Ecdh => {
TinyEncryptEnvelopType::Ecdh | TinyEncryptEnvelopType::KeyP256 => {
encrypted_envelops.push(encrypt_envelop_ecdh(cryptor, key, envelop)?);
}
TinyEncryptEnvelopType::EcdhP384 => {

18
src/cmd_initkeychainkey.rs
View File

@@ -2,9 +2,11 @@ use clap::Args;
use rust_util::{debugging, information, opt_result, opt_value_result, simple_error, success, XResult};
use security_framework::os::macos::keychain::SecKeychain;
use crate::{util_keychainkey, util_keychainstatic};
use crate::config::TinyEncryptConfigEnvelop;
use crate::spec::TinyEncryptEnvelopType;
#[cfg(feature = "secure-enclave")]
use crate::util_keychainkey;
use crate::util_keychainstatic;
#[derive(Debug, Args)]
pub struct CmdKeychainKey {
@@ -27,22 +29,28 @@ const DEFAULT_SERVICE_NAME: &str = "tiny-encrypt";
pub fn keychain_key(cmd_keychain_key: CmdKeychainKey) -> XResult<()> {
if cmd_keychain_key.secure_enclave {
keychain_key_se(cmd_keychain_key)
#[cfg(feature = "secure-enclave")]
return keychain_key_se(cmd_keychain_key);
#[cfg(not(feature = "secure-enclave"))]
return simple_error!("Feature secure-enclave is not built");
} else {
keychain_key_static(cmd_keychain_key)
}
}
#[cfg(feature = "secure-enclave")]
pub fn keychain_key_se(cmd_keychain_key: CmdKeychainKey) -> XResult<()> {
if !util_keychainkey::is_support_se() {
return simple_error!("Secure enclave is not supported.");
}
let (public_key_hex, private_key_base64) = util_keychainkey::generate_se_p256_keypair()?;
let public_key_compressed_hex = public_key_hex.chars()
.skip(2).take(public_key_hex.len() / 2 - 1).collect::<String>();
let config_envelop = TinyEncryptConfigEnvelop {
r#type: TinyEncryptEnvelopType::KeyP256,
sid: cmd_keychain_key.key_name.clone(),
kid: format!("keychain:{}", &public_key_hex),
kid: format!("keychain:02{}", &public_key_compressed_hex),
desc: Some("Keychain Secure Enclave".to_string()),
args: Some(vec![
private_key_base64
@@ -59,13 +67,13 @@ pub fn keychain_key_static(cmd_keychain_key: CmdKeychainKey) -> XResult<()> {
let service_name = cmd_keychain_key.server_name.as_deref().unwrap_or(DEFAULT_SERVICE_NAME);
let sec_keychain = opt_result!(SecKeychain::default(), "Get keychain failed: {}");
let key_name = opt_value_result!(&cmd_keychain_key.key_name, "Key name is required.");
if sec_keychain.find_generic_password(service_name, &key_name).is_ok() {
if sec_keychain.find_generic_password(service_name, key_name).is_ok() {
return simple_error!("Static x25519 exists: {}.{}", service_name, &key_name);
}
let (keychain_key, public_key) = util_keychainstatic::generate_static_x25519_secret();
opt_result!(
sec_keychain.set_generic_password(service_name, &key_name, keychain_key.as_bytes()),
sec_keychain.set_generic_password(service_name, key_name, keychain_key.as_bytes()),
"Write static x25519 failed: {}"
);

21
src/util_keychainkey.rs
View File

@@ -12,6 +12,25 @@ pub fn is_support_se() -> bool {
unsafe { is_support_secure_enclave() }
}
pub fn decrypt_data(private_key_base64: &str, ephemeral_public_key_bytes: &[u8]) -> XResult<Vec<u8>> {
let ephemera_public_key_base64 = util::encode_base64(ephemeral_public_key_bytes);
let result = unsafe {
compute_secure_enclave_p256_ecdh(
SRString::from(private_key_base64), SRString::from(ephemera_public_key_base64.as_str()),
)
};
let result = result.as_str();
if !result.starts_with("ok:SharedSecret:") {
return simple_error!("ECDH P256 in secure enclave failed: {}", result);
}
let shared_secret_hex = result.chars().skip("ok:SharedSecret:".len()).collect::<String>();
let shared_secret_hex = shared_secret_hex.trim();
Ok(opt_result!(hex::decode(shared_secret_hex), "Decrypt shared secret hex: {}, failed: {}", shared_secret_hex))
}
pub fn generate_se_p256_keypair() -> XResult<(String, String)> {
if !is_support_se() {
return simple_error!("Secure enclave is not supported.");
@@ -22,7 +41,7 @@ pub fn generate_se_p256_keypair() -> XResult<(String, String)> {
return simple_error!("Generate P256 in secure enclave failed: {}", result);
}
let public_key_and_private_key = result.chars().skip(3).collect::<String>();
let public_key_and_private_keys = public_key_and_private_key.split(",").collect::<Vec<_>>();
let public_key_and_private_keys = public_key_and_private_key.split(',').collect::<Vec<_>>();
if public_key_and_private_keys.len() != 2 {
return simple_error!("Generate P256 in secure enclave result is bad: {}", public_key_and_private_key);
}