feat: Refactor crypto decryption functions for consistency and error handling (#302)

* feat: Refactor crypto decryption functions for consistency and error handling - Close #301 - Refactored and renamed decryption functions across multiple files for consistency - Updated cookie sorting method to sort in descending order - Added new encryption functions for AES in CBC and GCM modes and DES in CBC mode - Added error handling to decryption functions and created new error variables for invalid ciphertext length and decode failures - Test cases added for encryption and decryption functions - Removed unused code and imports. * chore: Add new words to .typos.toml dictionary - Add new terms to `.typos.toml` dictionary - Improve code formatting and readability - Refactor functions for better performance - Update comments and documentation - Resolve minor bugs and errors * refactor: Refactor crypto package for better structure and readability - Refactored and cleaned up crypto package code for better readability - Renamed `ToByteArray` method to `bytes` for consistency - Modified `DecryptWithDPAPI` method to use `outBlob.bytes()` for efficiency - Added comments and removed unused methods in `loginPBE` - Refactored `nssPBE` and `metaPBE` Decrypt methods to use `deriveKeyAndIV` helper method - Improved overall maintainability and organization of codebase * refactor: Refactor firefox password encryption and decryption. - Implement ASN1PBE interface with various PBE struct types and encryption/decryption methods - Fix naming and remove unused variables in browsingdata and crypto files - Add tests for ASN1PBE implementation using external assertion package - Refactor and improve error handling in firefox file functions related to master key retrieval - Add input validation and AES-GCM encryption function to crypto file
2026-05-19 18:58:03 +02:00 · 2024-01-27 22:30:28 +08:00
parent c150b22c1b
commit 591b97ce6d
13 changed files with 771 additions and 299 deletions
@@ -33,7 +33,7 @@ func (c *Chromium) GetMasterKey() ([]byte, error) {
 	if err != nil {
 		return nil, errDecodeMasterKeyFailed
 	}
-	c.masterKey, err = crypto.DPAPI(key[5:])
+	c.masterKey, err = crypto.DecryptWithDPAPI(key[5:])
 	if err != nil {
 		slog.Error("decrypt master key failed", "err", err)
 		return nil, err
@@ -86,7 +86,7 @@ func (f *Firefox) GetMasterKey() ([]byte, error) {
 	defer os.Remove(tempFilename)
 	defer keyDB.Close()

-	globalSalt, metaBytes, err := queryMetaData(keyDB)
+	metaItem1, metaItem2, err := queryMetaData(keyDB)
 	if err != nil {
 		return nil, fmt.Errorf("query metadata error: %w", err)
 	}
@@ -96,16 +96,16 @@ func (f *Firefox) GetMasterKey() ([]byte, error) {
 		return nil, fmt.Errorf("query NSS private error: %w", err)
 	}

-	return processMasterKey(globalSalt, metaBytes, nssA11, nssA102)
+	return processMasterKey(metaItem1, metaItem2, nssA11, nssA102)
 }

 func queryMetaData(db *sql.DB) ([]byte, []byte, error) {
 	const query = `SELECT item1, item2 FROM metaData WHERE id = 'password'`
-	var globalSalt, metaBytes []byte
-	if err := db.QueryRow(query).Scan(&globalSalt, &metaBytes); err != nil {
+	var metaItem1, metaItem2 []byte
+	if err := db.QueryRow(query).Scan(&metaItem1, &metaItem2); err != nil {
 		return nil, nil, err
 	}
-	return globalSalt, metaBytes, nil
+	return metaItem1, metaItem2, nil
 }

 func queryNssPrivate(db *sql.DB) ([]byte, []byte, error) {
@@ -119,37 +119,40 @@ func queryNssPrivate(db *sql.DB) ([]byte, []byte, error) {

 // processMasterKey process master key of Firefox.
 // Process the metaBytes and nssA11 with the corresponding cryptographic operations.
-func processMasterKey(globalSalt, metaBytes, nssA11, nssA102 []byte) ([]byte, error) {
-	metaPBE, err := crypto.NewASN1PBE(metaBytes)
+func processMasterKey(metaItem1, metaItem2, nssA11, nssA102 []byte) ([]byte, error) {
+	metaPBE, err := crypto.NewASN1PBE(metaItem2)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("error creating ASN1PBE from metaItem2: %w", err)
 	}

-	k, err := metaPBE.Decrypt(globalSalt)
+	flag, err := metaPBE.Decrypt(metaItem1)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("error decrypting master key: %w", err)
+	}
+	const passwordCheck = "password-check"
+
+	if !bytes.Contains(flag, []byte(passwordCheck)) {
+		return nil, errors.New("flag verification failed: password-check not found")
 	}

-	if !bytes.Contains(k, []byte("password-check")) {
-		return nil, errors.New("password-check not found")
-	}
-	keyLin := []byte{248, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1}
+	var keyLin = []byte{248, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1}
 	if !bytes.Equal(nssA102, keyLin) {
-		return nil, errors.New("nssA102 not equal keyLin")
+		return nil, errors.New("master key verification failed: nssA102 not equal to expected value")
 	}
-	nssPBE, err := crypto.NewASN1PBE(nssA11)
+
+	nssA11PBE, err := crypto.NewASN1PBE(nssA11)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("error creating ASN1PBE from nssA11: %w", err)
 	}
-	finallyKey, err := nssPBE.Decrypt(globalSalt)
+
+	finallyKey, err := nssA11PBE.Decrypt(metaItem1)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("error decrypting final key: %w", err)
 	}
 	if len(finallyKey) < 24 {
-		return nil, errors.New("finallyKey length less than 24")
+		return nil, errors.New("length of final key is less than 24 bytes")
 	}
-	finallyKey = finallyKey[:24]
-	return finallyKey, nil
+	return finallyKey[:24], nil
 }

 func (f *Firefox) Name() string {