Merge pull request #22 from malnick/malnick/use-kms

Use KMS and AES256 with Cipher Block Chaining

Author: malnick

.gitignore

@@ -1 +1,3 @@
 cryptorious_*
+release
+**/*.test

Dockerfile

@@ -0,0 +1,4 @@
+FROM golang:1.10
+RUN mkdir -p /go/src/github.com/malnick/cryptorious
+WORKDIR /go/src/github.com/malnick/cryptorious
+COPY . .  

Makefile

@@ -1,22 +1,32 @@
-VERSION := $(shell git describe --tags)
-REVISION := $(shell git rev-parse --short HEAD)
+.PHONY: all build test clean
+THIS_FILE := $(lastword $(MAKEFILE_LIST))
 
-BINARY_NAME := cryptorious
+os?="darwin"
 
-LDFLAGS := -X github.com/malnick/cryptorious/config.VERSION=$(VERSION) -X github.com/malnick/cryptorious/config.REVISION=$(REVISION) 
+all: clean test build-all
 
-FILES := $(shell go list ./... | grep -v vendor)
+build-all:
+	@$(MAKE) -f $(THIS_FILE) build os=linux
+	@$(MAKE) -f $(THIS_FILE) build os=darwin
+	@$(MAKE) -f $(THIS_FILE) build os=freebsd
+	@$(MAKE) -f $(THIS_FILE) build os=windows
 
-all: test install
+build:
+	$(call i,building cryptorious for $(os))
+	@bash -c "scripts/build.sh $(os)"
 
 test:
-	@echo "+$@"
-	go test $(FILES)  -cover
+	bash -c "./scripts/test.sh libraries unit"
 
-build: 
-	@echo "+$@"
-	go build -v -o cryptorious_$(VERSION) -ldflags '$(LDFLAGS)' cryptorious.go
+docker-test:
+	bash -c "./scripts/docker-test.sh"
+
+clean:
+	rm -rf ./release
+
+# Helper Functions
+define i 
+	@tput setaf 6 && echo "[INFO] ==> $(1)"
+	@tput sgr0
+endef
 
-install:
-	@echo "+$@"
-	go install -v -ldflags '$(LDFLAGS)' $(FILES)

action/action_test.go

@@ -0,0 +1,29 @@
+package action
+
+import "github.com/malnick/cryptorious/vault"
+
+var (
+	expectedUsername   = "test-username"
+	expectedPassword   = "test-password"
+	expectedSecureNote = "test-secure-note"
+
+	testVaultSet = vault.Set{
+		Username: vault.EncryptedEntry{
+			Ciphertext: "AAAAAAAAAAAAAAAAAAAAALthIXEjHFp2BzZFaM2NzZI=",
+			Key:        "AQIBAHjjCeNKbXvpFm2HyIXoKqPvjyyCDoSbmOkO8uSNKqBm0wE/eSqj6B0NnrczvwcLSlzrAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMrzjLCH0Te9Egi1UsAgEQgDtiaSFOxBU3jpEU1+OBCg0fOMTCin1IO7uWMtPB5Rq+MArZiFDNNIl4V7P7WTGZk5p9nEVXZibi0evnKA==",
+			IV:         "4VvVxXdouSf+ANN+PJ5+tg==",
+		},
+
+		Password: vault.EncryptedEntry{
+			Ciphertext: "AAAAAAAAAAAAAAAAAAAAAGbAqmydcY5wALQOAz0/m28=",
+			IV:         "fbAcI8NkQbFYWHCtOkCm/Q==",
+			Key:        "AQIBAHjjCeNKbXvpFm2HyIXoKqPvjyyCDoSbmOkO8uSNKqBm0wFX/eO80576OpuMIJRk6ZvlAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMfYDlWalA7BKoXxJEAgEQgDvLKQigz+X1DDNGf0KAhWLcBXKh1DItzyZsPodwArUoU0wAj7tb3MWhQXJN4XcDFLfh4sln0ozr4vxtYA==",
+		},
+
+		SecureNote: vault.EncryptedEntry{
+			Ciphertext: "AAAAAAAAAAAAAAAAAAAAAD+/u65AUMH576+xZgGZexMmaWcbhxwSkHm0SMt1Xh4Z",
+			Key:        "AQIBAHjjCeNKbXvpFm2HyIXoKqPvjyyCDoSbmOkO8uSNKqBm0wG7UlVRaAOaTAbr9fqcochxAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMCupa+YgNV/EQizynAgEQgDuQ14WOf0gVBLYvjfXMAREMzygPGVfmNxRsx7SExpyHTRl0tQIE//7LztBvIFCjN7PNuDWACQuiHcW1Yw==`",
+			IV:         "DRE6jVdAjY/cIsVsl1/lug==",
+		},
+	}
+)

action/decrypt.go

@@ -1,13 +1,7 @@
 package action
 
 import (
-	"crypto/rand"
-	"crypto/rsa"
-	"crypto/x509"
-	"encoding/pem"
-	"errors"
 	"fmt"
-	"io/ioutil"
 
 	log "github.com/Sirupsen/logrus"
 	"github.com/atotto/clipboard"
@@ -16,34 +10,23 @@ import (
 	"github.com/skratchdot/open-golang/open"
 )
 
+// Decrypt accepts a key and cryptorioius config and returns an error if found
+// during the decryption process
 func Decrypt(key string, c config.Config) error {
-	priv, err := createPrivateKey(c.PrivateKeyPath)
-	if err != nil {
-		return err
-	}
-
 	log.Debug("Retreiving encrypted values from vault...")
-	username, encryptedPassword, encryptedNote, err := lookUpVault(key, c)
-	if err != nil {
-		return err
-	}
-
-	log.Debug("Decrypting password...")
-	decryptedPassword, err := decryptValue(priv, encryptedPassword)
+	vs, err := lookUpVaultSet(key, c)
 	if err != nil {
-		log.Error(err.Error())
 		return err
 	}
 
-	log.Debug("Decrypting notes...")
-	decryptedNote, err := decryptValue(priv, encryptedNote)
+	clr, err := vs.Decrypt(c.KMSClient)
 	if err != nil {
 		return err
 	}
 
 	if c.Clipboard {
 		log.Info("Copying decrypted password to clipboard!")
-		if err := clipboard.WriteAll(string(decryptedPassword)); err != nil {
+		if err := clipboard.WriteAll(clr.Password); err != nil {
 			return err
 		}
 	}
@@ -55,52 +38,17 @@ func Decrypt(key string, c config.Config) error {
 		}
 	}
 
-	printDecrypted(key, username, string(decryptedPassword), string(decryptedNote), c.DecryptSessionTimeout)
+	printDecrypted(key, clr.Username, clr.Password, clr.SecureNote, c.DecryptSessionTimeout)
 
 	return nil
 }
 
-func createPrivateKey(path string) (*rsa.PrivateKey, error) {
-	privData, err := ioutil.ReadFile(path)
-	if err != nil {
-		log.Errorf("%s was not found. Try `generate` first.", path)
-		return nil, err
-	}
-	log.Debug("Private key file: ", path)
-
-	// Extract the PEM-encoded data block
-	block, _ := pem.Decode(privData)
-	if block == nil {
-		log.Error("bad key data: %s", "not PEM-encoded")
-		return nil, err
-	}
-	if got, want := block.Type, "RSA PRIVATE KEY"; got != want {
-		log.Error("unknown key type %q, want %q", got, want)
-		return nil, err
-	}
-	// Decode the RSA private key
-	priv, err := x509.ParsePKCS1PrivateKey(block.Bytes)
-	if err != nil {
-		log.Error("bad private key: %s", err)
-		return nil, err
-	}
-	return priv, nil
-}
-
-func decryptValue(privkey *rsa.PrivateKey, encryptedValue string) ([]byte, error) {
-	if encryptedValue == "" {
-		log.Warn("Encrypted value empty, skipping.")
-		return []byte(""), nil
-	}
-	return rsa.DecryptPKCS1v15(rand.Reader, privkey, []byte(encryptedValue))
-}
-
-func lookUpVault(key string, c config.Config) (string, string, string, error) {
+func lookUpVaultSet(key string, c config.Config) (*vault.Set, error) {
 	var vault = vault.Vault{}
 	vault.Path = c.VaultPath
 	vault.Load()
 	if _, ok := vault.Data[key]; !ok {
-		return "", "", "", errors.New(fmt.Sprintf("%s not found in %s", key, vault.Path))
+		return nil, fmt.Errorf("%s not found in %s", key, vault.Path)
 	}
-	return vault.Data[key].Username, vault.Data[key].Password, vault.Data[key].SecureNote, nil
+	return vault.Data[key], nil
 }

action/delete.go

@@ -5,6 +5,7 @@ import (
 	"github.com/malnick/cryptorious/vault"
 )
 
+// DeleteVaultEntry remove a key and its values from the vault
 func DeleteVaultEntry(key string, vaultPath string) error {
 	vault, err := vault.New(vaultPath)
 	if err != nil {

action/delete_test.go

@@ -9,11 +9,6 @@ import (
 	"github.com/malnick/cryptorious/vault"
 )
 
-var testVaultSet = &vault.VaultSet{
-	Username: "test",
-	Password: "notsafe",
-}
-
 func TestDeleteVaultEntry(t *testing.T) {
 	tmpfile, err := ioutil.TempFile("", "testVault")
 	if err != nil {
@@ -27,7 +22,7 @@ func TestDeleteVaultEntry(t *testing.T) {
 		t.Error(err)
 	}
 
-	err = tv.Update("testKey", testVaultSet)
+	err = tv.Add("testKey", &testVaultSet)
 	if err != nil {
 		t.Error(err)
 	}

action/encrypt.go

@@ -1,95 +1,79 @@
 package action
 
 import (
-	"crypto/rand"
-	"crypto/rsa"
-	"crypto/x509"
-	"encoding/pem"
-	"errors"
 	"fmt"
-	"io/ioutil"
 
-	log "github.com/Sirupsen/logrus"
 	"github.com/malnick/cryptorious/config"
 	"github.com/malnick/cryptorious/vault"
+	gc "github.com/rthornton128/goncurses"
 )
 
-func Encrypt(key string, vs *vault.VaultSet, c config.Config) error {
-	pubkey, err := createPublicKey(c.PublicKeyPath)
+// Encrypt accepts a key and cryptorious config and returns an error
+// if found during the encryption process
+func Encrypt(key string, c config.Config) error {
+	thisVault, err := vault.New(c.VaultPath)
 	if err != nil {
 		return err
 	}
 
-	thisVault, err := vault.New(c.VaultPath)
+	clr, err := cleartextFromCurses()
 	if err != nil {
 		return err
 	}
 
-	if len(vs.Password) > 0 {
-		if encoded, err := encryptValue(pubkey, vs.Password); err == nil {
-			vs.Password = string(encoded)
-		} else {
-			return err
-		}
-	}
-
-	if len(vs.SecureNote) > 0 {
-		if encoded, err := encryptValue(pubkey, vs.SecureNote); err == nil {
-			vs.SecureNote = string(encoded)
-		} else {
-			return err
-		}
-	}
-
-	if len(vs.Username) > 0 {
-		vs.Username = vs.Username
-	}
-
-	if err := thisVault.Update(key, vs); err != nil {
+	vs, err := clr.Encrypt(c.KMSClient, c.KMSKeyARN)
+	if err != nil {
 		return err
 	}
 
-	return nil
+	return thisVault.Add(key, vs)
 }
 
-func encryptValue(pubkey interface{}, value string) ([]byte, error) {
-	// Encode the passed in value
-	log.Debugf("Encoding value: %s", value)
-	encodedValue, err := rsa.EncryptPKCS1v15(rand.Reader, pubkey.(*rsa.PublicKey), []byte(value))
-	return encodedValue, err
-}
+func cleartextFromCurses() (*vault.CleartextEntry, error) {
+	clr := &vault.CleartextEntry{}
 
-func createPublicKey(path string) (*rsa.PublicKey, error) {
-	pubData, err := ioutil.ReadFile(path)
+	username, err := getValuesFor("Username")
 	if err != nil {
-		return nil, err
+		return clr, err
 	}
-	log.Debug("using public key file: ", path)
-	log.Debug(string(pubData))
+	clr.Username = username
 
-	pubkey, err := createPublicKeyBlockCipher(pubData)
+	password, err := getValuesFor("Password")
 	if err != nil {
-		return nil, err
+		return clr, err
 	}
+	clr.Password = password
 
-	return pubkey.(*rsa.PublicKey), nil
+	note, err := getValuesFor("Secure Note")
+	if err != nil {
+		return clr, err
+	}
+	clr.SecureNote = note
+
+	return clr, nil
 }
 
-func createPublicKeyBlockCipher(pubData []byte) (interface{}, error) {
-	// Create block cipher from RSA key
-	block, _ := pem.Decode(pubData)
-	// Ensure key is PEM encoded
-	if block == nil {
-		return nil, errors.New(fmt.Sprintf("Bad key data: %s, not PEM encoded", string(pubData)))
-	}
-	// Ensure this is actually a RSA pub key
-	if got, want := block.Type, "RSA PUBLIC KEY"; got != want {
-		return nil, errors.New(fmt.Sprintf("Unknown key type %q, want %q", got, want))
-	}
-	// Lastly, create the public key using the new block
-	pubkey, err := x509.ParsePKIXPublicKey(block.Bytes)
+func getValuesFor(key string) (string, error) {
+	stdscr, _ := gc.Init()
+	defer gc.End()
+
+	prompt := fmt.Sprintf("Enter %s: ", key)
+	row, col := stdscr.MaxYX()
+	row, col = (row/2)-1, (col-len(prompt))/2
+	stdscr.MovePrint(row, col, prompt)
+
+	/* GetString will only retieve the specified number of characters. Any
+	attempts by the user to enter more characters will elicit an audiable
+		beep */
+	var value string
+	value, err := stdscr.GetString(10000)
 	if err != nil {
-		return nil, err
+		return value, err
 	}
-	return pubkey, nil
+
+	//	stdscr.Refresh()
+	stdscr.GetChar()
+	stdscr.Erase()
+
+	return value, nil
 }