Silverfish/proton-bridge
1
0
Fork 1
mirror of https://github.com/ProtonMail/proton-bridge.git synced 2025-12-17 23:56:56 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix(GODT-2387): Ensure vault can be unlocked after factory reset

Browse Source 
When performing a factory reset, we don't want to wipe all keychain
entries. The only keychain entry should be the vault's passphrase,
and we need this to be able to decrypt the vault at next startup
(to avoid it being reported as corrupt).
This commit is contained in:
James Houlahan
2023-02-22 13:39:59 +01:00
parent 8534da98ea
commit e9f20aee7a
7 changed files with 68 additions and 50 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
internal/vault/helper.go
View File

@ -18,13 +18,21 @@
package vault
import (
"encoding/base64"
"encoding/json"
"errors"
"fmt"
"io/fs"
"os"
"path/filepath"
"github.com/ProtonMail/gopenpgp/v2/crypto"
"github.com/ProtonMail/proton-bridge/v3/pkg/keychain"
"golang.org/x/exp/slices"
)
const vaultSecretName = "bridge-vault-key"
type Keychain struct {
Helper string
}
@ -60,3 +68,43 @@ func SetHelper(vaultDir, helper string) error {
return os.WriteFile(getKeychainPrefPath(vaultDir), b, 0o600)
}
func HasVaultKey(kc *keychain.Keychain) (bool, error) {
secrets, err := kc.List()
if err != nil {
return false, fmt.Errorf("could not list keychain: %w", err)
}
return slices.Contains(secrets, vaultSecretName), nil
}
func GetVaultKey(kc *keychain.Keychain) ([]byte, error) {
_, keyEnc, err := kc.Get(vaultSecretName)
if err != nil {
return nil, fmt.Errorf("could not get keychain item: %w", err)
}
keyDec, err := base64.StdEncoding.DecodeString(keyEnc)
if err != nil {
return nil, fmt.Errorf("could not decode keychain item: %w", err)
}
return keyDec, nil
}
func SetVaultKey(kc *keychain.Keychain, key []byte) error {
return kc.Put(vaultSecretName, base64.StdEncoding.EncodeToString(key))
}
func NewVaultKey(kc *keychain.Keychain) ([]byte, error) {
tok, err := crypto.RandomToken(32)
if err != nil {
return nil, fmt.Errorf("could not generate random token: %w", err)
}
if err := kc.Put(vaultSecretName, base64.StdEncoding.EncodeToString(tok)); err != nil {
return nil, fmt.Errorf("could not put keychain item: %w", err)
}
return tok, nil
}

4
internal/vault/vault.go
View File

@ -191,6 +191,10 @@ func (vault *Vault) Reset(gluonDir string) error {
})
}
func (vault *Vault) Path() string {
return vault.path
}
func (vault *Vault) Close() error {
vault.refLock.Lock()
defer vault.refLock.Unlock()