diff --git a/api/auth.go b/api/auth.go index 406f81a..19da61b 100644 --- a/api/auth.go +++ b/api/auth.go @@ -7,9 +7,6 @@ import ( "net/http" "net/url" "strings" - - "github.com/ProtonMail/gopenpgp/v2/crypto" - "github.com/ProtonMail/gopenpgp/v2/helper" ) // Login is used for login @@ -33,15 +30,7 @@ func (c *Client) CheckSession(ctx context.Context) bool { func (c *Client) Login(ctx context.Context) error { c.csrfToken = http.Cookie{} - if c.userPrivateKey == "" { - return fmt.Errorf("Client has no Private Key") - } - - privateKeyObj, err := crypto.NewKeyFromArmored(c.userPrivateKey) - if err != nil { - return fmt.Errorf("Parsing User Private Key: %w", err) - } - data := Login{&GPGAuth{KeyID: privateKeyObj.GetFingerprint()}} + data := Login{&GPGAuth{KeyID: c.userPrivateKey.GetFingerprint()}} res, _, err := c.DoCustomRequestAndReturnRawResponse(ctx, "POST", "/auth/login.json", "v2", data, nil) if err != nil && !strings.Contains(err.Error(), "Error API JSON Response Status: Message: The authentication failed.") { @@ -62,7 +51,7 @@ func (c *Client) Login(ctx context.Context) error { } encAuthToken = strings.ReplaceAll(encAuthToken, "\\ ", " ") - authToken, err := helper.DecryptMessageArmored(c.userPrivateKey, c.userPassword, encAuthToken) + authToken, err := c.DecryptMessage(encAuthToken) if err != nil { return fmt.Errorf("Decrypting User Auth Token: %w", err) } @@ -104,29 +93,13 @@ func (c *Client) Login(ctx context.Context) error { return fmt.Errorf("Getting CSRF Token: %w", err) } - // Get Users Own Public Key from Server + // Get Users ID from Server var user User err = json.Unmarshal(apiMsg.Body, &user) if err != nil { return fmt.Errorf("Parsing User 'Me' JSON from API Request: %w", err) } - // Validate that this Publickey that the Server gave us actually Matches our Privatekey - randomString := randStringBytesRmndr(50) - armor, err := helper.EncryptMessageArmored(user.GPGKey.ArmoredKey, randomString) - if err != nil { - return fmt.Errorf("Encryping PublicKey Validation Message: %w", err) - } - decrypted, err := helper.DecryptMessageArmored(c.userPrivateKey, c.userPassword, armor) - if err != nil { - return fmt.Errorf("Decrypting PublicKey Validation Message (you might be getting Hacked): %w", err) - } - if decrypted != randomString { - return fmt.Errorf("Decrypted PublicKey Validation Message does not Match Original (you might be getting Hacked): %w", err) - } - - // Insert PublicKey into Client after checking it to Prevent ignored errors leading to proceeding with a potentially Malicious PublicKey - c.userPublicKey = user.GPGKey.ArmoredKey c.userID = user.ID // after Login, fetch MetadataTypeSettings to finish the Client Setup diff --git a/api/client.go b/api/client.go index 001fce3..0ce0701 100644 --- a/api/client.go +++ b/api/client.go @@ -6,12 +6,11 @@ import ( "encoding/json" "fmt" "io" - "io/ioutil" "net/http" "net/url" "path" - "github.com/ProtonMail/gopenpgp/v2/crypto" + "github.com/ProtonMail/gopenpgp/v3/crypto" "github.com/google/go-querystring/query" ) @@ -25,10 +24,10 @@ type Client struct { csrfToken http.Cookie mfaToken http.Cookie - // for some reason []byte is used for Passwords in gopenpgp instead of string like they do for keys... - userPassword []byte - userPrivateKey string - userPublicKey string + // userPublicKey has been removed since it can be gotten from the private userPrivateKey + + // be sure to make a copy since using ClearPrivateParams on a handler also wipes the key... + userPrivateKey *crypto.Key userID string // Server Settings Determining which Resource Types we can use @@ -39,6 +38,9 @@ type Client struct { // You need to Return the Cookie that Passbolt expects to verify you MFA, usually it is called passbolt_mfa MFACallback func(ctx context.Context, c *Client, res *APIResponse) (http.Cookie, error) + // gopengpg Handler, allow for custom settings in the future + pgp *crypto.PGPHandle + // Enable Debug Logging Debug bool } @@ -67,23 +69,15 @@ func NewClient(httpClient *http.Client, UserAgent, BaseURL, UserPrivateKey, User return nil, fmt.Errorf("Parsing Base URL: %w", err) } - // Verify that the Given Privatekey and Password are valid and work Together if we were provieded one - if UserPrivateKey != "" { - privateKeyObj, err := crypto.NewKeyFromArmored(UserPrivateKey) - if err != nil { - return nil, fmt.Errorf("Unable to Create Key From UserPrivateKey string: %w", err) - } - unlockedKeyObj, err := privateKeyObj.Unlock([]byte(UserPassword)) - if err != nil { - return nil, fmt.Errorf("Unable to Unlock UserPrivateKey using UserPassword: %w", err) - } - privateKeyRing, err := crypto.NewKeyRing(unlockedKeyObj) - if err != nil { - return nil, fmt.Errorf("Unable to Create a new Key Ring using the unlocked UserPrivateKey: %w", err) - } + pgp := crypto.PGP() - // Cleanup Secrets - privateKeyRing.ClearPrivateParams() + var unlockedKey *crypto.Key = nil + if UserPrivateKey != "" { + key, err := GetPrivateKeyFromArmor(UserPrivateKey, []byte(UserPassword)) + if err != nil { + return nil, fmt.Errorf("Get Private Key: %w", err) + } + unlockedKey = key } // Create Client Object @@ -91,8 +85,8 @@ func NewClient(httpClient *http.Client, UserAgent, BaseURL, UserPrivateKey, User httpClient: httpClient, baseURL: u, userAgent: UserAgent, - userPassword: []byte(UserPassword), - userPrivateKey: UserPrivateKey, + userPrivateKey: unlockedKey, + pgp: pgp, } return c, err } @@ -150,7 +144,7 @@ func (c *Client) do(ctx context.Context, req *http.Request, v *APIResponse) (*ht resp.Body.Close() }() - bodyBytes, err := ioutil.ReadAll(resp.Body) + bodyBytes, err := io.ReadAll(resp.Body) if err != nil { return resp, fmt.Errorf("Error Reading Resopnse Body: %w", err) } @@ -202,11 +196,11 @@ func (c *Client) GetPublicKey(ctx context.Context) (string, string, error) { } // Lets get the actual Fingerprint instead of trusting the Server - privateKeyObj, err := crypto.NewKeyFromArmored(c.userPrivateKey) + serverKey, err := crypto.NewKeyFromArmored(body.Keydata) if err != nil { return "", "", fmt.Errorf("Parsing Server Key: %w", err) } - return body.Keydata, privateKeyObj.GetFingerprint(), nil + return body.Keydata, serverKey.GetFingerprint(), nil } // setMetadataTypeSettings Gets and configures the Client to use the Types the Server wants us to use @@ -231,3 +225,8 @@ func (c *Client) setMetadataTypeSettings(ctx context.Context) error { } return nil } + +// GetPGPHandle Gets the Gopgenpgp Handler +func (c *Client) GetPGPHandle() *crypto.PGPHandle { + return c.pgp +} diff --git a/api/encryption.go b/api/encryption.go index e87537e..c39eee3 100644 --- a/api/encryption.go +++ b/api/encryption.go @@ -3,33 +3,133 @@ package api import ( "fmt" - "github.com/ProtonMail/gopenpgp/v2/helper" + "github.com/ProtonMail/gopenpgp/v3/crypto" ) // EncryptMessage encrypts a message using the users public key and then signes the message using the users private key func (c *Client) EncryptMessage(message string) (string, error) { - if c.userPrivateKey == "" { - return "", fmt.Errorf("Client has no Private Key") - } else if c.userPublicKey == "" { - return "", fmt.Errorf("Client has no Public Key") + key, err := c.userPrivateKey.Copy() + if err != nil { + return "", fmt.Errorf("Get Private Key Copy: %w", err) } - return helper.EncryptSignMessageArmored(c.userPublicKey, c.userPrivateKey, c.userPassword, message) + + encHandle, err := c.pgp.Encryption().SigningKey(key).Recipient(c.userPrivateKey).New() + if err != nil { + return "", fmt.Errorf("New Encryptor: %w", err) + } + + defer encHandle.ClearPrivateParams() + + encMessage, err := encHandle.Encrypt([]byte(message)) + if err != nil { + return "", fmt.Errorf("Encrypt Message: %w", err) + } + + encArmor, err := encMessage.Armor() + if err != nil { + return "", fmt.Errorf("Armor Message: %w", err) + } + return encArmor, nil } // EncryptMessageWithPublicKey encrypts a message using the provided public key and then signes the message using the users private key func (c *Client) EncryptMessageWithPublicKey(publickey, message string) (string, error) { - if c.userPrivateKey == "" { - return "", fmt.Errorf("Client has no Private Key") + publicKey, err := crypto.NewKeyFromArmored(publickey) + if err != nil { + return "", fmt.Errorf("Get Public Key: %w", err) } - return helper.EncryptSignMessageArmored(publickey, c.userPrivateKey, c.userPassword, message) + + key, err := c.userPrivateKey.Copy() + if err != nil { + return "", fmt.Errorf("Get Private Key Copy: %w", err) + } + + encHandle, err := c.pgp.Encryption().SigningKey(key).Recipient(publicKey).New() + if err != nil { + return "", fmt.Errorf("New Encryptor: %w", err) + } + + defer encHandle.ClearPrivateParams() + + encMessage, err := encHandle.Encrypt([]byte(message)) + if err != nil { + return "", fmt.Errorf("Encrypt Message: %w", err) + } + + encArmor, err := encMessage.Armor() + if err != nil { + return "", fmt.Errorf("Armor Message: %w", err) + } + return encArmor, nil } // DecryptMessage decrypts a message using the users Private Key -func (c *Client) DecryptMessage(message string) (string, error) { - if c.userPrivateKey == "" { - return "", fmt.Errorf("Client has no Private Key") +func (c *Client) DecryptMessage(armoredCiphertext string) (string, error) { + key, err := c.userPrivateKey.Copy() + if err != nil { + return "", fmt.Errorf("Get Private Key Copy: %w", err) } - // We cant Verify the signature as we don't store other users public keys locally and don't know which user did encrypt it - //return helper.DecryptVerifyMessageArmored(c.userPublicKey, c.userPrivateKey, c.userPassword, message) - return helper.DecryptMessageArmored(c.userPrivateKey, c.userPassword, message) + + message, _, err := c.DecryptMessageWithPrivateKeyAndReturnSessionKey(key, armoredCiphertext) + return message, err +} + +// DecryptMessageWithPrivateKey Decrypts a Message using the Provided Private Key +// Returns the Session key so that it can be saved in a cache +func (c *Client) DecryptMessageWithPrivateKeyAndReturnSessionKey(privateKey *crypto.Key, armoredCiphertext string) (string, *crypto.SessionKey, error) { + + decHandle, err := c.pgp.Decryption(). + DecryptionKey(privateKey). + RetrieveSessionKey(). + New() + if err != nil { + return "", nil, fmt.Errorf("New Decryptor: %w", err) + } + + defer decHandle.ClearPrivateParams() + + res, err := decHandle.Decrypt([]byte(armoredCiphertext), crypto.Armor) + if err != nil { + return "", nil, fmt.Errorf("Decrypt: %w", err) + } + + return res.String(), res.SessionKey(), nil +} + +func GetPrivateKeyFromArmor(privateKey string, passphrase []byte) (*crypto.Key, error) { + key, err := crypto.NewKeyFromArmored(privateKey) + if err != nil { + return nil, fmt.Errorf("Key From Armored: %w", err) + } + + locked, err := key.IsLocked() + if err != nil { + return nil, fmt.Errorf("Is Key Locked: %w", err) + } + + if locked { + unlocked, err := key.Unlock(passphrase) + if err != nil { + return nil, fmt.Errorf("Unlock Key: %w", err) + } + return unlocked, nil + } + return key, nil +} + +// DecryptMessageWithSessionKey Decrypts a Message using the Provided Session Key +func (c *Client) DecryptMessageWithSessionKey(sessionKey *crypto.SessionKey, ciphertextArmored string) (string, error) { + decHandle, err := c.pgp.Decryption().SessionKey(sessionKey).New() + if err != nil { + return "", fmt.Errorf("New Decryptor: %w", err) + } + + defer decHandle.ClearPrivateParams() + + res, err := decHandle.Decrypt([]byte(ciphertextArmored), crypto.Armor) + if err != nil { + return "", fmt.Errorf("Decrypt: %w", err) + } + + return res.String(), nil } diff --git a/api/verify.go b/api/verify.go index 89a15b8..8ed16e2 100644 --- a/api/verify.go +++ b/api/verify.go @@ -5,7 +5,6 @@ import ( "fmt" "strings" - "github.com/ProtonMail/gopenpgp/v2/crypto" "github.com/google/uuid" ) @@ -44,15 +43,10 @@ func (c *Client) SetupServerVerification(ctx context.Context) (string, string, e // VerifyServer verifys that the Server is still the same one as during the Setup, Only works before login func (c *Client) VerifyServer(ctx context.Context, token, encToken string) error { - privateKeyObj, err := crypto.NewKeyFromArmored(c.userPrivateKey) - if err != nil { - return fmt.Errorf("Parsing User Private Key: %w", err) - } - data := GPGVerifyContainer{ Req: GPGVerify{ Token: encToken, - KeyID: privateKeyObj.GetFingerprint(), + KeyID: c.userPrivateKey.GetFingerprint(), }, } raw, _, err := c.DoCustomRequestAndReturnRawResponse(ctx, "POST", "/auth/verify.json", "v2", data, nil) diff --git a/go.mod b/go.mod index 64273dd..464635a 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module github.com/passbolt/go-passbolt go 1.23.0 require ( - github.com/ProtonMail/gopenpgp/v2 v2.8.3 + github.com/ProtonMail/gopenpgp/v3 v3.1.3 github.com/google/go-querystring v1.1.0 github.com/google/uuid v1.6.0 github.com/santhosh-tekuri/jsonschema v1.2.4 @@ -11,10 +11,8 @@ require ( require ( github.com/ProtonMail/go-crypto v1.1.6 // indirect - github.com/ProtonMail/go-mime v0.0.0-20230322103455-7d82a3887f2f // indirect github.com/cloudflare/circl v1.6.0 // indirect github.com/pkg/errors v0.9.1 // indirect golang.org/x/crypto v0.35.0 // indirect golang.org/x/sys v0.30.0 // indirect - golang.org/x/text v0.22.0 // indirect ) diff --git a/go.sum b/go.sum index 24212a3..be3dc48 100644 --- a/go.sum +++ b/go.sum @@ -1,24 +1,11 @@ -github.com/ProtonMail/go-crypto v0.0.0-20230717121422-5aa5874ade95/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0= -github.com/ProtonMail/go-crypto v1.0.0 h1:LRuvITjQWX+WIfr930YHG2HNfjR1uOfyf5vE0kC2U78= -github.com/ProtonMail/go-crypto v1.0.0/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0= github.com/ProtonMail/go-crypto v1.1.6 h1:ZcV+Ropw6Qn0AX9brlQLAUXfqLBc7Bl+f/DmNxpLfdw= github.com/ProtonMail/go-crypto v1.1.6/go.mod h1:rA3QumHc/FZ8pAHreoekgiAbzpNsfQAosU5td4SnOrE= -github.com/ProtonMail/go-mime v0.0.0-20230322103455-7d82a3887f2f h1:tCbYj7/299ekTTXpdwKYF8eBlsYsDVoggDAuAjoK66k= -github.com/ProtonMail/go-mime v0.0.0-20230322103455-7d82a3887f2f/go.mod h1:gcr0kNtGBqin9zDW9GOHcVntrwnjrK+qdJ06mWYBybw= -github.com/ProtonMail/gopenpgp/v2 v2.7.5 h1:STOY3vgES59gNgoOt2w0nyHBjKViB/qSg7NjbQWPJkA= -github.com/ProtonMail/gopenpgp/v2 v2.7.5/go.mod h1:IhkNEDaxec6NyzSI0PlxapinnwPVIESk8/76da3Ct3g= -github.com/ProtonMail/gopenpgp/v2 v2.8.3 h1:1jHlELwCR00qovx2B50DkL/FjYwt/P91RnlsqeOp2Hs= -github.com/ProtonMail/gopenpgp/v2 v2.8.3/go.mod h1:LiuOTbnJit8w9ZzOoLscj0kmdALY7hfoCVh5Qlb0bcg= -github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0= -github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA= -github.com/cloudflare/circl v1.3.9 h1:QFrlgFYf2Qpi8bSpVPK1HBvWpx16v/1TZivyo7pGuBE= -github.com/cloudflare/circl v1.3.9/go.mod h1:PDRU+oXvdD7KCtgKxW95M5Z8BpSCJXQORiZFnBQS5QU= +github.com/ProtonMail/gopenpgp/v3 v3.1.3 h1:nxUd0Na4MeElx0sA1t6U8/IxmjmCv3MKnTJGhEUK+qY= +github.com/ProtonMail/gopenpgp/v3 v3.1.3/go.mod h1:Ve9JYzwGau9DT0F9C9gsuEBU/T3Zbk0j1/+mPpWBogc= github.com/cloudflare/circl v1.6.0 h1:cr5JKic4HI+LkINy2lg3W2jF8sHCVTBncJr5gIIq7qk= github.com/cloudflare/circl v1.6.0/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs= github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= -github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/google/go-cmp v0.5.2 h1:X2ev0eStA3AbceY54o37/0PQ/UWqKEiiO2dKL5OPaFM= github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8= @@ -31,63 +18,12 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/santhosh-tekuri/jsonschema v1.2.4 h1:hNhW8e7t+H1vgY+1QeEQpveR6D4+OwKPXCfD2aieJis= github.com/santhosh-tekuri/jsonschema v1.2.4/go.mod h1:TEAUOeZSmIxTTuHatJzrvARHiuO9LYd+cIxzgEHCQI4= -github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= -golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= -golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= -golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw= -golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54= golang.org/x/crypto v0.35.0 h1:b15kiHdrGCHrP6LvwaQ3c03kgNhhiMgvlhxHQhmg2Xs= golang.org/x/crypto v0.35.0/go.mod h1:dy7dXNW32cAb/6/PRuTNsix8T+vJAqvuIy5Bli/x0YQ= -golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= -golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= -golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= -golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= -golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg= -golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc= golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= -golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= -golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= -golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= -golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc= -golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= -golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM= -golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY= -golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= -golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= -golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/helper/setup.go b/helper/setup.go index 7fdc006..37e202c 100644 --- a/helper/setup.go +++ b/helper/setup.go @@ -6,9 +6,6 @@ import ( "strings" "github.com/passbolt/go-passbolt/api" - - "github.com/ProtonMail/gopenpgp/v2/crypto" - "github.com/ProtonMail/gopenpgp/v2/helper" ) // ParseInviteUrl Parses a Passbolt Invite URL into a user id and token @@ -31,21 +28,34 @@ func SetupAccount(ctx context.Context, c *api.Client, userID, token, password st keyName := install.Profile.FirstName + " " + install.Profile.LastName + " " + install.Username - privateKey, err := helper.GenerateKey(keyName, install.Username, []byte(password), "rsa", 4096) + pgp := c.GetPGPHandle() + + keyHandler := pgp.KeyGeneration().AddUserId(keyName, install.Username).New() + + key, err := keyHandler.GenerateKey() if err != nil { return "", fmt.Errorf("Generating Private Key: %w", err) } - key, err := crypto.NewKeyFromArmoredReader(strings.NewReader(privateKey)) - if err != nil { - return "", fmt.Errorf("Reading Private Key: %w", err) - } + defer key.ClearPrivateParams() publicKey, err := key.GetArmoredPublicKey() if err != nil { return "", fmt.Errorf("Get Public Key: %w", err) } + lockedKey, err := pgp.LockKey(key, []byte(password)) + if err != nil { + return "", fmt.Errorf("Locking Private Key: %w", err) + } + + defer lockedKey.ClearPrivateParams() + + privateKey, err := lockedKey.Armor() + if err != nil { + return "", fmt.Errorf("Get Private Key: %w", err) + } + request := api.SetupCompleteRequest{ AuthenticationToken: api.AuthenticationToken{ Token: token,