feat: v1.9.12, supports ext keys(p256, p384)

2025-09-13 23:17:00 +08:00
parent 813b8b1b24
commit b18a5ec3e2
6 changed files with 74 additions and 5 deletions


@@ -38,6 +38,7 @@ use crate::crypto_cryptor::{Cryptor, KeyNonce};
use crate::spec::{EncEncryptedMeta, TinyEncryptEnvelop, TinyEncryptEnvelopType, TinyEncryptMeta};
use crate::util::SecVec;
use crate::util_digest::DigestWrite;
use crate::util_env::TINY_ENCRYPT_ENV_EXTERNAL_COMMAND;
use crate::util_keychainkey;
#[cfg(feature = "macos")]
use crate::util_keychainstatic;
@@ -467,6 +468,7 @@ pub fn try_decrypt_key(config: &Option<TinyEncryptConfig>,
TinyEncryptEnvelopType::StaticX25519 => try_decrypt_key_ecdh_static_x25519(config, envelop),
TinyEncryptEnvelopType::PivP256 | TinyEncryptEnvelopType::PivP384 => try_decrypt_piv_key_ecdh(config, envelop, pin, slot, silent),
TinyEncryptEnvelopType::KeyP256 => try_decrypt_se_key_ecdh(config, envelop),
TinyEncryptEnvelopType::ExtP256 | TinyEncryptEnvelopType::ExtP384 => try_decrypt_ext_key_ecdh(config, envelop),
TinyEncryptEnvelopType::PivRsa => try_decrypt_piv_key_rsa(config, envelop, pin, slot, silent),
#[cfg(feature = "macos")]
TinyEncryptEnvelopType::StaticKyber1024 => try_decrypt_key_ecdh_static_kyber1204(config, envelop),
@@ -597,6 +599,45 @@ fn try_decrypt_se_key_ecdh(config: &Option<TinyEncryptConfig>,
Ok(decrypted_key)
}
fn try_decrypt_ext_key_ecdh(config: &Option<TinyEncryptConfig>,
envelop: &TinyEncryptEnvelop) -> XResult<Vec<u8>> {
let wrap_key = WrapKey::parse(&envelop.encrypted_key)?;
let cryptor = match wrap_key.header.enc.as_str() {
ENC_AES256_GCM_P256 | ENC_AES256_GCM_P384 => Cryptor::Aes256Gcm,
ENC_CHACHA20_POLY1305_P256 | ENC_CHACHA20_POLY1305_P384 => Cryptor::ChaCha20Poly1305,
_ => return simple_error!("Unsupported header enc: {}", &wrap_key.header.enc),
};
let e_pub_key_bytes = wrap_key.header.get_e_pub_key_bytes()?;
let config = opt_value_result!(config, "Tiny encrypt config is not found");
let config_envelop = opt_value_result!(
config.find_by_kid(&envelop.kid), "Cannot find config for: {}", &envelop.kid);
let config_envelop_args = opt_value_result!(&config_envelop.args, "No arguments found for: {}", &envelop.kid);
if config_envelop_args.len() < 2 {
return simple_error!("Not enough arguments for: {}", &envelop.kid);
}
let external_command = if config_envelop_args[0].is_empty() {
std::env::var(TINY_ENCRYPT_ENV_EXTERNAL_COMMAND).unwrap_or_else(|_| "card-cli".to_string())
} else {
config_envelop_args[0].clone()
};
let external_parameter = &config_envelop_args[1];
let shared_secret = opt_result!(external_command_rs::external_ecdh(
&external_command,
external_parameter,
&e_pub_key_bytes
), "Decrypt via secure enclave failed: {}");
let key = util::simple_kdf(shared_secret.as_slice());
let key_nonce = KeyNonce { k: &key, n: &wrap_key.nonce };
let decrypted_key = crypto_simple::decrypt(
cryptor, &key_nonce, &wrap_key.encrypted_data)?;
util::zeroize(key);
util::zeroize(shared_secret);
Ok(decrypted_key)
}
fn try_decrypt_key_ecdh_pgp_x25519(envelop: &TinyEncryptEnvelop, pin: &Option<String>) -> XResult<Vec<u8>> {
let wrap_key = WrapKey::parse(&envelop.encrypted_key)?;
let cryptor = match wrap_key.header.enc.as_str() {
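Review bot: In `try_decrypt_ext_key_ecdh`, the `?` on `crypto_simple::decrypt(...)` returns before `util::zeroize(key)` and `util::zeroize(shared_secret)` run, so any decrypt error leaves the derived key and the ECDH shared secret un-wiped. Bind the result without `?`, as in `let decrypted_key = crypto_simple::decrypt(cryptor, &key_nonce, &wrap_key.encrypted_data);`, keep the two zeroize calls, and end with `decrypted_key` (assuming `decrypt` already returns `XResult<Vec<u8>>`; otherwise `Ok(decrypted_key?)`). The `opt_result!` message `"Decrypt via secure enclave failed: {}"` looks carried over from the secure-enclave path and would mislead anyone triaging a failure here; `"Decrypt via external command failed: {}"` matches what the code does. The function also deserves a doc comment on its trust boundary: the program comes from `config_envelop_args[0]`, else `TINY_ENCRYPT_ENV_EXTERNAL_COMMAND`, else the bare name `card-cli`, so whoever controls the config or the environment chooses the binary that computes the shared secret. How `external_command_rs` resolves a bare name is not visible here, so the comment should state whether an absolute path is expected.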