aboutsummaryrefslogtreecommitdiff
path: root/gocryptfs-xray
diff options
context:
space:
mode:
authorPavol Rusnak2020-09-05 22:42:15 +0200
committerJakob Unterwurzacher2020-09-12 18:06:54 +0200
commit1e624a4cc3aafa57b5fa213c88bcd3689cefd1c3 (patch)
treea6e4f51ecb2dc0bac4276b2f65b39a3b426bc4ee /gocryptfs-xray
parent6a9c49e9cf23c85622dd4b181cdc615abc72d6bb (diff)
Add support for FIDO2 tokens
Diffstat (limited to 'gocryptfs-xray')
-rw-r--r--gocryptfs-xray/xray_main.go21
1 files changed, 17 insertions, 4 deletions
diff --git a/gocryptfs-xray/xray_main.go b/gocryptfs-xray/xray_main.go
index 7e928e7..dec803b 100644
--- a/gocryptfs-xray/xray_main.go
+++ b/gocryptfs-xray/xray_main.go
@@ -11,6 +11,7 @@ import (
"github.com/rfjakob/gocryptfs/internal/contentenc"
"github.com/rfjakob/gocryptfs/internal/cryptocore"
"github.com/rfjakob/gocryptfs/internal/exitcodes"
+ "github.com/rfjakob/gocryptfs/internal/fido2"
"github.com/rfjakob/gocryptfs/internal/readpassword"
"github.com/rfjakob/gocryptfs/internal/tlog"
)
@@ -67,12 +68,14 @@ func main() {
encryptPaths *bool
aessiv *bool
sep0 *bool
+ fido2 *string
}
args.dumpmasterkey = flag.Bool("dumpmasterkey", false, "Decrypt and dump the master key")
args.decryptPaths = flag.Bool("decrypt-paths", false, "Decrypt file paths using gocryptfs control socket")
args.encryptPaths = flag.Bool("encrypt-paths", false, "Encrypt file paths using gocryptfs control socket")
args.sep0 = flag.Bool("0", false, "Use \\0 instead of \\n as separator")
args.aessiv = flag.Bool("aessiv", false, "Assume AES-SIV mode instead of AES-GCM")
+ args.fido2 = flag.String("fido2", "", "Protect the masterkey using a FIDO2 token instead of a password")
flag.Usage = usage
flag.Parse()
s := sum(args.dumpmasterkey, args.decryptPaths, args.encryptPaths)
@@ -97,20 +100,30 @@ func main() {
}
defer fd.Close()
if *args.dumpmasterkey {
- dumpMasterKey(fn)
+ dumpMasterKey(fn, *args.fido2)
} else {
inspectCiphertext(fd, *args.aessiv)
}
}
-func dumpMasterKey(fn string) {
+func dumpMasterKey(fn string, fido2Path string) {
tlog.Info.Enabled = false
- pw := readpassword.Once(nil, nil, "")
- masterkey, _, err := configfile.LoadAndDecrypt(fn, pw)
+ cf, err := configfile.Load(fn)
if err != nil {
fmt.Fprintln(os.Stderr, err)
exitcodes.Exit(err)
}
+ var pw []byte
+ if cf.IsFeatureFlagSet(configfile.FlagFIDO2) {
+ if fido2Path == "" {
+ tlog.Fatal.Printf("Masterkey encrypted using FIDO2 token; need to use the --fido2 option.")
+ os.Exit(exitcodes.Usage)
+ }
+ pw = fido2.Secret(fido2Path, cf.FIDO2.CredentialID, cf.FIDO2.HMACSalt)
+ } else {
+ pw = readpassword.Once(nil, nil, "")
+ }
+ masterkey, err := cf.DecryptMasterKey(pw)
fmt.Println(hex.EncodeToString(masterkey))
for i := range pw {
pw[i] = 0