diff --git a/.golangci.yml b/.golangci.yml index 18039e4..e807e45 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -79,15 +79,21 @@ linters: funlen: lines: -1 statements: 50 + # goconst kept deliberately lenient (above the default min-occurrences: 3) — short, repeated + # literals like test fixtures and scheme strings aren't worth extracting into named constants. goconst: - min-len: 2 - min-occurrences: 3 + min-len: 5 + min-occurrences: 5 ignore-string-values: - "all" - "csv" - "json" - "https" - "http" + # browser registry keys/names — declarative table, not worth constants + - "chrome" + - "Chrome" + - "firefox" gocritic: enabled-tags: - diagnostic @@ -174,7 +180,7 @@ linters: - path: "cmd/hack-browser-data/main.go" linters: - lll - - path: "keys/gcoredump_darwin.go" + - path: "masterkey/gcoredump_darwin.go" linters: - gocognit diff --git a/CLAUDE.md b/CLAUDE.md index 84cd2b0..21c9ee4 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -63,7 +63,7 @@ make payload-clean # rm crypto/*.bin - **Error handling**: `fmt.Errorf("context: %w", err)` for wrapping, never `_ =` to ignore errors - **Logging**: `log.Debugf` for record-level diagnostics, `log.Infof` for user-facing progress/status, `log.Warnf` for unexpected conditions. Extract methods should return errors, not log them. - **Naming**: follow Go conventions — `Config` not `BrowserConfig`, `Extract` not `BrowsingData` -- **Comment width**: wrap comments at 120 columns (matches `.golangci.yml` `lll.line-length`) +- **Comment width**: wrap comments at 140 columns (matches `.golangci.yml` `lll.line-length`) - **Tests**: use `t.TempDir()` for filesystem tests, `go-sqlmock` for database tests - **Architecture**: see `rfcs/` for design documents diff --git a/browser/browser.go b/browser/browser.go index 62cd666..a3b689e 100644 --- a/browser/browser.go +++ b/browser/browser.go @@ -9,14 +9,12 @@ import ( "github.com/moond4rk/hackbrowserdata/browser/chromium" "github.com/moond4rk/hackbrowserdata/browser/firefox" "github.com/moond4rk/hackbrowserdata/browser/safari" - "github.com/moond4rk/hackbrowserdata/keys" "github.com/moond4rk/hackbrowserdata/log" + "github.com/moond4rk/hackbrowserdata/masterkey" "github.com/moond4rk/hackbrowserdata/types" ) -// Browser is one installation: a single resolved UserDataDir that holds its -// profiles and, for Chromium, owns the master key shared across them. It is -// implemented by chromium.Browser, firefox.Browser, and safari.Browser. +// Browser is one installation: a UserDataDir holding profiles that (for Chromium) share one master key. type Browser interface { BrowserName() string UserDataDir() string @@ -25,31 +23,18 @@ type Browser interface { CountEntries(categories []types.Category) ([]types.CountResult, error) } -// PickOptions configures which browsers to pick. -type PickOptions struct { - Name string // browser name filter: "all"|"chrome"|"firefox"|... - ProfilePath string // custom profile directory override +type DiscoverOptions struct { + Name string // "all"|"chrome"|"firefox"|... + ProfilePath string // custom profile dir override KeychainPassword string // macOS only — see browser_darwin.go } -// browserInjector wires decryption credentials (key retrievers and, on macOS, -// the Keychain password) into a discovered Browser. Its construction is -// platform-specific; see newCredentialInjector in browser_{darwin,linux,windows}.go. +// browserInjector injects decryption credentials into a Browser; built per-platform by newCredentialInjector. type browserInjector func(Browser) -// DiscoverBrowsersWithKeys returns installations that are fully wired up for Extract: the -// key retriever chain and (on macOS) the Keychain password are already -// injected, so the caller can call b.Extract directly. This is the entry -// point for extraction workflows like `dump`. -// -// On macOS this may trigger an interactive prompt for the login password -// when the target set includes a Chromium variant or Safari. Commands that -// only need metadata (name, profile path, per-category counts) should use -// DiscoverBrowsers instead to skip injection — and thereby the prompt. -// -// When Name is "all", all known browsers are tried. ProfilePath overrides -// the default user data directory (only when targeting a specific browser). -func DiscoverBrowsersWithKeys(opts PickOptions) ([]Browser, error) { +// DiscoverBrowsersWithKeys is DiscoverBrowsers plus credential injection, so the returned installations are ready for Extract. +// On macOS it may prompt for the login password — metadata-only callers should use DiscoverBrowsers to avoid the prompt. +func DiscoverBrowsersWithKeys(opts DiscoverOptions) ([]Browser, error) { browsers, err := DiscoverBrowsers(opts) if err != nil { return nil, err @@ -61,24 +46,14 @@ func DiscoverBrowsersWithKeys(opts PickOptions) ([]Browser, error) { return browsers, nil } -// DiscoverBrowsers returns installations for metadata-only workflows — listing, -// profile paths, per-category counts. Decryption dependencies are NOT -// injected, so calling b.Extract on the returned browsers will not -// successfully decrypt protected data (passwords, cookies, credit cards). -// CountEntries, BrowserName, and Profiles all work correctly without injection. -// -// Unlike DiscoverBrowsersWithKeys, DiscoverBrowsers never prompts for the macOS -// Keychain password, making it the correct choice for `list`-style -// commands that have no use for the credential. -func DiscoverBrowsers(opts PickOptions) ([]Browser, error) { - return pickFromConfigs(platformBrowsers(), opts) +// DiscoverBrowsers skips credential injection: metadata (Profiles, CountEntries) works, Extract won't decrypt protected data, +// and macOS never prompts. Use it for list-style commands. +func DiscoverBrowsers(opts DiscoverOptions) ([]Browser, error) { + return discoverFromConfigs(platformBrowsers(), opts) } -// pickFromConfigs is the testable core of DiscoverBrowsers: it filters the -// platform browser list and discovers each matching installation (one Browser -// per UserDataDir, holding its profiles). Dependency injection (key retrievers, -// keychain credentials) is intentionally NOT done here. -func pickFromConfigs(configs []types.BrowserConfig, opts PickOptions) ([]Browser, error) { +// discoverFromConfigs is the testable core of DiscoverBrowsers; it deliberately does no credential injection. +func discoverFromConfigs(configs []types.BrowserConfig, opts DiscoverOptions) ([]Browser, error) { name := strings.ToLower(opts.Name) if name == "" { name = "all" @@ -92,7 +67,6 @@ func pickFromConfigs(configs []types.BrowserConfig, opts PickOptions) ([]Browser continue } - // Override profile directory when targeting a specific browser. if opts.ProfilePath != "" && name != "all" { if cfg.Kind == types.Firefox { cfg.UserDataDir = filepath.Dir(filepath.Clean(opts.ProfilePath)) @@ -116,10 +90,10 @@ func pickFromConfigs(configs []types.BrowserConfig, opts PickOptions) ([]Browser return browsers, nil } -// KeyManager is implemented by installations that accept externally-provided master-key retrievers (Chromium family only). +// KeyManager is implemented by installations accepting external master-key retrievers (Chromium only). type KeyManager interface { - SetRetrievers(keys.Retrievers) - ExportKeys() (keys.MasterKeys, error) + SetRetrievers(masterkey.Retrievers) + ExportKeys() (masterkey.MasterKeys, error) } // KeychainPasswordReceiver is implemented by installations that need the macOS login password (Safari only). @@ -127,17 +101,8 @@ type KeychainPasswordReceiver interface { SetKeychainPassword(string) } -// resolveGlobs expands glob patterns in browser configs' UserDataDir. -// This supports MSIX/UWP browsers on Windows whose package directories -// contain a dynamic publisher hash suffix (e.g., "TheBrowserCompany.Arc_*"). -// -// For literal paths (no glob metacharacters), Glob returns the path itself -// when it exists, so the config passes through unchanged. When a path does -// not exist and contains no metacharacters, Glob returns nil and the -// original config is preserved — the main loop handles "not found" as usual. -// -// When a glob matches multiple directories, the config is duplicated so -// each resolved path is treated as a separate browser data directory. +// resolveGlobs expands UserDataDir glob patterns for Windows MSIX/UWP browsers whose package dirs carry a dynamic +// publisher-hash suffix (e.g. "TheBrowserCompany.Arc_*"). A glob matching N dirs yields N configs. func resolveGlobs(configs []types.BrowserConfig) []types.BrowserConfig { var out []types.BrowserConfig for _, cfg := range configs { @@ -155,8 +120,7 @@ func resolveGlobs(configs []types.BrowserConfig) []types.BrowserConfig { return out } -// newBrowser dispatches to the correct engine based on BrowserKind and returns -// one installation, or a nil Browser when no profile was found. +// newBrowser dispatches on BrowserKind, returning a nil Browser when no profile is found. func newBrowser(cfg types.BrowserConfig) (Browser, error) { switch cfg.Kind { case types.Chromium, types.ChromiumYandex, types.ChromiumOpera: diff --git a/browser/browser_darwin.go b/browser/browser_darwin.go index 6d73da5..1f258ba 100644 --- a/browser/browser_darwin.go +++ b/browser/browser_darwin.go @@ -9,8 +9,8 @@ import ( "github.com/moond4rk/keychainbreaker" "golang.org/x/term" - "github.com/moond4rk/hackbrowserdata/keys" "github.com/moond4rk/hackbrowserdata/log" + "github.com/moond4rk/hackbrowserdata/masterkey" "github.com/moond4rk/hackbrowserdata/types" ) @@ -108,13 +108,8 @@ func platformBrowsers() []types.BrowserConfig { } } -// resolveKeychainPassword returns the keychain password for macOS. -// If not provided via CLI flag, it prompts interactively when stdin is a TTY. -// After obtaining the password, it verifies against keychainbreaker; on any -// failure it returns "" so downstream code enters "no password" mode rather -// than propagating a known-bad credential. Safari then exports -// keychain-protected entries as metadata-only via keychainbreaker's partial -// extraction mode; Chromium falls back to SecurityCmdRetriever. +// resolveKeychainPassword resolves the macOS login password (CLI flag, else TTY prompt) and verifies it against +// keychainbreaker. On any failure it returns "" so callers fall back to no-password mode rather than a known-bad credential. func resolveKeychainPassword(flagPassword string) string { password := flagPassword if password == "" { @@ -137,10 +132,6 @@ func resolveKeychainPassword(flagPassword string) string { return "" } - // Verify early: try to unlock keychain with keychainbreaker. On failure - // return "" so KeychainPasswordRetriever and Safari both skip the credential - // and rely on their respective fallback paths (SecurityCmdRetriever for - // Chromium, metadata-only export for Safari). kc, err := keychainbreaker.Open() if err != nil { log.Warnf("keychain open failed: %v; keychain-protected data will be exported as metadata only", err) @@ -157,10 +148,10 @@ func resolveKeychainPassword(flagPassword string) string { // newCredentialInjector lazily wires retrievers (and the macOS keychain password) into each Browser; // `-b firefox` never triggers a keychain prompt because lazy resolution skips browsers that need neither. -func newCredentialInjector(opts PickOptions) browserInjector { +func newCredentialInjector(opts DiscoverOptions) browserInjector { var ( password string - retrievers keys.Retrievers + retrievers masterkey.Retrievers resolved bool ) return func(b Browser) { @@ -171,7 +162,7 @@ func newCredentialInjector(opts PickOptions) browserInjector { } if !resolved { password = resolveKeychainPassword(opts.KeychainPassword) - retrievers = keys.DefaultRetrievers(password) + retrievers = masterkey.DefaultRetrievers(password) resolved = true } if needsRetrievers { diff --git a/browser/browser_linux.go b/browser/browser_linux.go index 68745de..f7a5df9 100644 --- a/browser/browser_linux.go +++ b/browser/browser_linux.go @@ -3,7 +3,7 @@ package browser import ( - "github.com/moond4rk/hackbrowserdata/keys" + "github.com/moond4rk/hackbrowserdata/masterkey" "github.com/moond4rk/hackbrowserdata/types" ) @@ -67,13 +67,10 @@ func platformBrowsers() []types.BrowserConfig { } } -// newCredentialInjector returns a closure that wires the Linux Chromium master-key retrievers into -// each Browser. Linux has two tiers: V10 uses the "peanuts" hardcoded password (kV10Key); V11 -// uses the D-Bus Secret Service keyring (kV11Key). V20 is nil — App-Bound Encryption is Windows- -// only. Both V10 and V11 run independently so a profile carrying mixed cipher prefixes decrypts -// both tiers. -func newCredentialInjector(_ PickOptions) browserInjector { - retrievers := keys.DefaultRetrievers() +// newCredentialInjector wires the Linux Chromium retrievers: V10 ("peanuts" hardcoded) and V11 (D-Bus Secret Service), +// run independently for mixed-cipher profiles. V20 is nil — App-Bound Encryption is Windows-only. +func newCredentialInjector(_ DiscoverOptions) browserInjector { + retrievers := masterkey.DefaultRetrievers() return func(b Browser) { if km, ok := b.(KeyManager); ok { km.SetRetrievers(retrievers) diff --git a/browser/browser_test.go b/browser/browser_test.go index 35be7a0..8049a86 100644 --- a/browser/browser_test.go +++ b/browser/browser_test.go @@ -28,7 +28,7 @@ func TestListBrowsers(t *testing.T) { type pickTest struct { name string configs []types.BrowserConfig - opts PickOptions + opts DiscoverOptions wantNames []string wantProfiles []string } @@ -37,7 +37,7 @@ func runPickTests(t *testing.T, tests []pickTest) { t.Helper() for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - browsers, err := pickFromConfigs(tt.configs, tt.opts) + browsers, err := discoverFromConfigs(tt.configs, tt.opts) require.NoError(t, err) assertBrowsers(t, browsers, tt.wantNames, tt.wantProfiles) }) @@ -90,28 +90,28 @@ func TestPickFromConfigs(t *testing.T) { { name: "exact match", configs: nameFilterConfigs, - opts: PickOptions{Name: "chrome"}, + opts: DiscoverOptions{Name: "chrome"}, wantNames: []string{"Chrome"}, wantProfiles: []string{"Default"}, }, { name: "case insensitive", configs: nameFilterConfigs, - opts: PickOptions{Name: "Chrome"}, + opts: DiscoverOptions{Name: "Chrome"}, wantNames: []string{"Chrome"}, wantProfiles: []string{"Default"}, }, { name: "all returns both", configs: nameFilterConfigs, - opts: PickOptions{Name: "all"}, + opts: DiscoverOptions{Name: "all"}, wantNames: []string{"Chrome", "Edge"}, wantProfiles: []string{"Default", "Default"}, }, { name: "unknown returns empty", configs: nameFilterConfigs, - opts: PickOptions{Name: "safari"}, + opts: DiscoverOptions{Name: "safari"}, }, }) }) @@ -123,7 +123,7 @@ func TestPickFromConfigs(t *testing.T) { configs: []types.BrowserConfig{ {Key: "chrome", Name: "Chrome", Kind: types.Chromium, UserDataDir: chromeDir}, }, - opts: PickOptions{Name: "all"}, + opts: DiscoverOptions{Name: "all"}, wantNames: []string{"Chrome", "Chrome"}, wantProfiles: []string{"Default", "Profile 1"}, }, @@ -132,7 +132,7 @@ func TestPickFromConfigs(t *testing.T) { configs: []types.BrowserConfig{ {Key: "firefox", Name: "Firefox", Kind: types.Firefox, UserDataDir: firefoxDir}, }, - opts: PickOptions{Name: "all"}, + opts: DiscoverOptions{Name: "all"}, wantNames: []string{"Firefox"}, wantProfiles: []string{"abc123.default-release"}, }, @@ -141,7 +141,7 @@ func TestPickFromConfigs(t *testing.T) { configs: []types.BrowserConfig{ {Key: "yandex", Name: "Yandex", Kind: types.ChromiumYandex, UserDataDir: yandexDir}, }, - opts: PickOptions{Name: "all"}, + opts: DiscoverOptions{Name: "all"}, wantNames: []string{"Yandex"}, wantProfiles: []string{"Default"}, }, @@ -150,7 +150,7 @@ func TestPickFromConfigs(t *testing.T) { configs: []types.BrowserConfig{ {Key: "chrome", Name: "Chrome", Kind: types.Chromium, UserDataDir: "/nonexistent"}, }, - opts: PickOptions{Name: "all"}, + opts: DiscoverOptions{Name: "all"}, }, }) }) @@ -162,7 +162,7 @@ func TestPickFromConfigs(t *testing.T) { configs: []types.BrowserConfig{ {Key: "chrome", Name: "Chrome", Kind: types.Chromium, UserDataDir: "/wrong"}, }, - opts: PickOptions{Name: "chrome", ProfilePath: filepath.Join(chromeDir, "Default")}, + opts: DiscoverOptions{Name: "chrome", ProfilePath: filepath.Join(chromeDir, "Default")}, wantNames: []string{"Chrome"}, wantProfiles: []string{"Default"}, }, @@ -171,7 +171,7 @@ func TestPickFromConfigs(t *testing.T) { configs: []types.BrowserConfig{ {Key: "firefox", Name: "Firefox", Kind: types.Firefox, UserDataDir: "/wrong"}, }, - opts: PickOptions{Name: "firefox", ProfilePath: filepath.Join(firefoxDir, "abc123.default-release")}, + opts: DiscoverOptions{Name: "firefox", ProfilePath: filepath.Join(firefoxDir, "abc123.default-release")}, wantNames: []string{"Firefox"}, wantProfiles: []string{"abc123.default-release"}, }, @@ -180,7 +180,7 @@ func TestPickFromConfigs(t *testing.T) { configs: []types.BrowserConfig{ {Key: "chrome", Name: "Chrome", Kind: types.Chromium, UserDataDir: chromeDir}, }, - opts: PickOptions{Name: "all", ProfilePath: "/some/override"}, + opts: DiscoverOptions{Name: "all", ProfilePath: "/some/override"}, wantNames: []string{"Chrome", "Chrome"}, wantProfiles: []string{"Default", "Profile 1"}, }, @@ -194,7 +194,7 @@ func TestPickFromConfigs(t *testing.T) { configs: []types.BrowserConfig{ {Key: "solo", Name: "Solo", Kind: types.Chromium, UserDataDir: filepath.Join(globBase, "Solo.Browser_*", "UserData")}, }, - opts: PickOptions{Name: "all"}, + opts: DiscoverOptions{Name: "all"}, wantNames: []string{"Solo"}, wantProfiles: []string{"Default"}, }, @@ -203,7 +203,7 @@ func TestPickFromConfigs(t *testing.T) { configs: []types.BrowserConfig{ {Key: "arc", Name: "Arc", Kind: types.Chromium, UserDataDir: filepath.Join(globBase, "App.Browser_*", "UserData")}, }, - opts: PickOptions{Name: "all"}, + opts: DiscoverOptions{Name: "all"}, wantNames: []string{"Arc", "Arc"}, wantProfiles: []string{"Default", "Default"}, }, @@ -212,7 +212,7 @@ func TestPickFromConfigs(t *testing.T) { configs: []types.BrowserConfig{ {Key: "missing", Name: "Missing", Kind: types.Chromium, UserDataDir: filepath.Join(globBase, "NoSuch_*", "UserData")}, }, - opts: PickOptions{Name: "all"}, + opts: DiscoverOptions{Name: "all"}, }, { name: "mixed with literal", @@ -220,7 +220,7 @@ func TestPickFromConfigs(t *testing.T) { {Key: "chrome", Name: "Chrome", Kind: types.Chromium, UserDataDir: singleDir}, {Key: "arc", Name: "Arc", Kind: types.Chromium, UserDataDir: filepath.Join(globBase, "Solo.Browser_*", "UserData")}, }, - opts: PickOptions{Name: "all"}, + opts: DiscoverOptions{Name: "all"}, wantNames: []string{"Arc", "Chrome"}, wantProfiles: []string{"Default", "Default"}, }, @@ -230,7 +230,7 @@ func TestPickFromConfigs(t *testing.T) { {Key: "chrome", Name: "Chrome", Kind: types.Chromium, UserDataDir: singleDir}, {Key: "arc", Name: "Arc", Kind: types.Chromium, UserDataDir: filepath.Join(globBase, "App.Browser_*", "UserData")}, }, - opts: PickOptions{Name: "arc"}, + opts: DiscoverOptions{Name: "arc"}, wantNames: []string{"Arc", "Arc"}, wantProfiles: []string{"Default", "Default"}, }, diff --git a/browser/browser_windows.go b/browser/browser_windows.go index 0316ee3..7b2cd88 100644 --- a/browser/browser_windows.go +++ b/browser/browser_windows.go @@ -3,7 +3,7 @@ package browser import ( - "github.com/moond4rk/hackbrowserdata/keys" + "github.com/moond4rk/hackbrowserdata/masterkey" "github.com/moond4rk/hackbrowserdata/types" ) @@ -125,12 +125,10 @@ func platformBrowsers() []types.BrowserConfig { } } -// newCredentialInjector returns a closure that wires the Windows v10 (DPAPI) and v20 (ABE) Chromium -// master-key retrievers into each Browser. Per issue #578 the two tiers are orthogonal — a single -// Chrome profile upgraded from pre-127 carries v20 cookies alongside v10 passwords — so both -// retrievers run independently rather than as a first-success chain. -func newCredentialInjector(_ PickOptions) browserInjector { - retrievers := keys.DefaultRetrievers() +// newCredentialInjector wires the Windows Chromium retrievers: v10 (DPAPI) and v20 (ABE). The two tiers are orthogonal +// — a pre-127-upgraded profile carries v20 cookies alongside v10 passwords — so both run independently, not as a chain. +func newCredentialInjector(_ DiscoverOptions) browserInjector { + retrievers := masterkey.DefaultRetrievers() return func(b Browser) { if km, ok := b.(KeyManager); ok { km.SetRetrievers(retrievers) diff --git a/browser/chromium/chromium.go b/browser/chromium/chromium.go index 0c66837..2848915 100644 --- a/browser/chromium/chromium.go +++ b/browser/chromium/chromium.go @@ -7,8 +7,8 @@ import ( "time" "github.com/moond4rk/hackbrowserdata/filemanager" - "github.com/moond4rk/hackbrowserdata/keys" "github.com/moond4rk/hackbrowserdata/log" + "github.com/moond4rk/hackbrowserdata/masterkey" "github.com/moond4rk/hackbrowserdata/types" "github.com/moond4rk/hackbrowserdata/utils/fileutil" ) @@ -17,11 +17,11 @@ import ( // that share a master key. The key is derived once and reused across profiles. type Browser struct { cfg types.BrowserConfig - retrievers keys.Retrievers + retrievers masterkey.Retrievers profiles []*profile keysOnce sync.Once - keys keys.MasterKeys + keys masterkey.MasterKeys } // NewBrowser discovers the profiles under cfg.UserDataDir, or returns nil if none resolve. @@ -52,7 +52,7 @@ func NewBrowser(cfg types.BrowserConfig) (*Browser, error) { // SetRetrievers wires the per-tier master-key retrievers (V10/V11/V20) used by // Extract; unused tiers stay nil. -func (b *Browser) SetRetrievers(r keys.Retrievers) { b.retrievers = r } +func (b *Browser) SetRetrievers(r masterkey.Retrievers) { b.retrievers = r } func (b *Browser) BrowserName() string { return b.cfg.Name } func (b *Browser) UserDataDir() string { return b.cfg.UserDataDir } @@ -93,19 +93,19 @@ func (b *Browser) CountEntries(categories []types.Category) ([]types.CountResult // ExportKeys derives the master keys without extracting. Returns the tiers that succeeded plus a // joined error for those that failed — partial results matter (a v20-only failure keeps the v10 key). -func (b *Browser) ExportKeys() (keys.MasterKeys, error) { +func (b *Browser) ExportKeys() (masterkey.MasterKeys, error) { session, err := filemanager.NewSession() if err != nil { - return keys.MasterKeys{}, err + return masterkey.MasterKeys{}, err } defer session.Cleanup() - return keys.NewMasterKeys(b.retrievers, b.buildHints(session)) + return masterkey.NewMasterKeys(b.retrievers, b.buildHints(session)) } // masterKeys derives and caches the installation's keys exactly once (sync.Once), so a failure is // warned once — no cross-profile dedup state needed. -func (b *Browser) masterKeys() keys.MasterKeys { +func (b *Browser) masterKeys() masterkey.MasterKeys { b.keysOnce.Do(func() { masterKeys, err := b.ExportKeys() if err != nil { @@ -118,7 +118,7 @@ func (b *Browser) masterKeys() keys.MasterKeys { // buildHints copies Local State into the session temp dir (so Windows DPAPI/ABE retrievers read it // from a process-owned path) and assembles the Hints. Local State sits at the installation root. -func (b *Browser) buildHints(session *filemanager.Session) keys.Hints { +func (b *Browser) buildHints(session *filemanager.Session) masterkey.Hints { var localStateDst string candidate := filepath.Join(b.cfg.UserDataDir, "Local State") if fileutil.FileExists(candidate) { @@ -134,7 +134,7 @@ func (b *Browser) buildHints(session *filemanager.Session) keys.Hints { if b.cfg.WindowsABE { abeKey = b.cfg.Key } - return keys.Hints{ + return masterkey.Hints{ KeychainLabel: b.cfg.KeychainLabel, WindowsABEKey: abeKey, LocalStatePath: localStateDst, diff --git a/browser/chromium/chromium_test.go b/browser/chromium/chromium_test.go index 51d2936..1a4fff8 100644 --- a/browser/chromium/chromium_test.go +++ b/browser/chromium/chromium_test.go @@ -9,7 +9,7 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/moond4rk/hackbrowserdata/keys" + "github.com/moond4rk/hackbrowserdata/masterkey" "github.com/moond4rk/hackbrowserdata/types" ) @@ -380,20 +380,20 @@ func TestLocalStatePath(t *testing.T) { // mockRetriever records the arguments passed to RetrieveKey. type mockRetriever struct { - hints keys.Hints + hints masterkey.Hints key []byte err error called bool } -func (m *mockRetriever) RetrieveKey(hints keys.Hints) ([]byte, error) { +func (m *mockRetriever) RetrieveKey(hints masterkey.Hints) ([]byte, error) { m.called = true m.hints = hints return m.key, m.err } func TestGetMasterKeys(t *testing.T) { - // getMasterKeys routes through keys.NewMasterKeys on every platform — the V10 mock + // getMasterKeys routes through masterkey.NewMasterKeys on every platform — the V10 mock // wired via SetRetrievers(Retrievers{V10: mock}) is consulted cross-platform. // Profile directory without Local State file. @@ -405,7 +405,7 @@ func TestGetMasterKeys(t *testing.T) { name string dir string keychainLabel string - retriever keys.Retriever // nil → don't call SetRetrievers + retriever masterkey.Retriever // nil → don't call SetRetrievers wantV10 []byte wantKeychainLabel string wantLocalState bool // whether localStatePath passed to retriever is non-empty @@ -442,7 +442,7 @@ func TestGetMasterKeys(t *testing.T) { require.NotNil(t, b) if tt.retriever != nil { - b.SetRetrievers(keys.Retrievers{V10: tt.retriever}) + b.SetRetrievers(masterkey.Retrievers{V10: tt.retriever}) } mk := b.masterKeys() @@ -470,7 +470,7 @@ func TestGetMasterKeys(t *testing.T) { // Before the refactor a Windows-only bypass meant only one tier's retriever was consulted, so a // profile mixing prefixes silently lost the un-retrieved tier. After the refactor every // configured tier must be called exactly once and its key must land in the matching MasterKeys -// slot. This catches any future "bypass the keys package for a faster path" regression and covers the +// slot. This catches any future "bypass the masterkey package for a faster path" regression and covers the // analogous Linux v10/v11 case — no platform silently drops a tier any more. func TestGetMasterKeys_AllTiersInvoked(t *testing.T) { v10mock := &mockRetriever{key: []byte("fake-v10-key")} @@ -483,7 +483,7 @@ func TestGetMasterKeys_AllTiersInvoked(t *testing.T) { require.NoError(t, err) require.NotNil(t, b) - b.SetRetrievers(keys.Retrievers{V10: v10mock, V11: v11mock, V20: v20mock}) + b.SetRetrievers(masterkey.Retrievers{V10: v10mock, V11: v11mock, V20: v20mock}) mk := b.masterKeys() assert.Equal(t, []byte("fake-v10-key"), mk.V10, "V10 slot must be populated") @@ -521,7 +521,7 @@ func TestGetMasterKeys_WindowsABEThreading(t *testing.T) { require.NoError(t, err) require.NotNil(t, b) - b.SetRetrievers(keys.Retrievers{V20: mock}) + b.SetRetrievers(masterkey.Retrievers{V20: mock}) b.masterKeys() assert.Equal(t, tt.wantABEKey, mock.hints.WindowsABEKey) @@ -540,8 +540,8 @@ func TestExtract(t *testing.T) { tests := []struct { name string - retriever keys.Retriever // nil → don't call SetRetriever - wantRetriever bool // whether retriever should be called + retriever masterkey.Retriever // nil → don't call SetRetriever + wantRetriever bool // whether retriever should be called }{ { name: "without retriever extracts unencrypted data", @@ -562,7 +562,7 @@ func TestExtract(t *testing.T) { require.NotNil(t, b) if tt.retriever != nil { - b.SetRetrievers(keys.Retrievers{V10: tt.retriever}) + b.SetRetrievers(masterkey.Retrievers{V10: tt.retriever}) } results, err := b.Extract([]types.Category{types.History}) @@ -630,12 +630,12 @@ func TestCountEntries_NoRetrieverNeeded(t *testing.T) { // --------------------------------------------------------------------------- // SetRetrievers: verify *Browser satisfies the interface used by -// browser.pickFromConfigs for post-construction retriever injection. +// browser.discoverFromConfigs for post-construction retriever injection. // --------------------------------------------------------------------------- func TestSetRetrievers_SatisfiesInterface(t *testing.T) { var _ interface { - SetRetrievers(keys.Retrievers) + SetRetrievers(masterkey.Retrievers) } = (*Browser)(nil) } diff --git a/browser/chromium/decrypt.go b/browser/chromium/decrypt.go index 8d48d6e..b03bfc8 100644 --- a/browser/chromium/decrypt.go +++ b/browser/chromium/decrypt.go @@ -4,7 +4,7 @@ import ( "fmt" "github.com/moond4rk/hackbrowserdata/crypto" - "github.com/moond4rk/hackbrowserdata/keys" + "github.com/moond4rk/hackbrowserdata/masterkey" ) // decryptValue decrypts a Chromium-encrypted value by dispatching on the ciphertext's version @@ -18,7 +18,7 @@ import ( // changes), so every applicable key must be populated upstream for lossless extraction. Missing // tier keys surface as decrypt errors at the ciphertext level; the extract layer treats those as // empty plaintexts rather than fatal errors. -func decryptValue(masterKeys keys.MasterKeys, ciphertext []byte) ([]byte, error) { +func decryptValue(masterKeys masterkey.MasterKeys, ciphertext []byte) ([]byte, error) { if len(ciphertext) == 0 { return nil, nil } diff --git a/browser/chromium/decrypt_mixed_test.go b/browser/chromium/decrypt_mixed_test.go index aa9e582..23885af 100644 --- a/browser/chromium/decrypt_mixed_test.go +++ b/browser/chromium/decrypt_mixed_test.go @@ -8,7 +8,7 @@ import ( "github.com/stretchr/testify/require" "github.com/moond4rk/hackbrowserdata/crypto" - "github.com/moond4rk/hackbrowserdata/keys" + "github.com/moond4rk/hackbrowserdata/masterkey" ) // TestDecryptValue_MixedTier is the regression test for mixed-cipher profiles (issue #578 on @@ -33,7 +33,7 @@ func TestDecryptValue_MixedTier(t *testing.T) { v20Ciphertext := append([]byte("v20"), append(nonce, gcmEnc...)...) t.Run("all tiers populated: v20 picks V20, decrypts", func(t *testing.T) { - got, err := decryptValue(keys.MasterKeys{V10: k10, V11: k11, V20: k20}, v20Ciphertext) + got, err := decryptValue(masterkey.MasterKeys{V10: k10, V11: k11, V20: k20}, v20Ciphertext) require.NoError(t, err) assert.Equal(t, plaintext, got) }) @@ -41,20 +41,20 @@ func TestDecryptValue_MixedTier(t *testing.T) { t.Run("V20 holds wrong key: v20 still picks V20 slot (not V10/V11), errors", func(t *testing.T) { // If the dispatcher incorrectly fell back to V10 or V11 when V20 had a wrong key, this // would succeed. Proves the router uses prefix-based selection, not first-usable-key. - _, err := decryptValue(keys.MasterKeys{V10: k20, V11: k20, V20: k10}, v20Ciphertext) + _, err := decryptValue(masterkey.MasterKeys{V10: k20, V11: k20, V20: k10}, v20Ciphertext) require.Error(t, err) }) t.Run("only V20 populated: v20 still decrypts", func(t *testing.T) { // The pre-#578 symmetric regression: when DPAPI/keyring failed and only V20 was retrieved, // v20 cookies had to still decrypt. This asserts V10 and V11 being nil doesn't block v20. - got, err := decryptValue(keys.MasterKeys{V20: k20}, v20Ciphertext) + got, err := decryptValue(masterkey.MasterKeys{V20: k20}, v20Ciphertext) require.NoError(t, err) assert.Equal(t, plaintext, got) }) t.Run("V20 slot unpopulated: v20 errors (no key to use)", func(t *testing.T) { - _, err := decryptValue(keys.MasterKeys{V10: k10, V11: k11}, v20Ciphertext) + _, err := decryptValue(masterkey.MasterKeys{V10: k10, V11: k11}, v20Ciphertext) require.Error(t, err) }) } diff --git a/browser/chromium/decrypt_test.go b/browser/chromium/decrypt_test.go index 57fde96..03eb0e9 100644 --- a/browser/chromium/decrypt_test.go +++ b/browser/chromium/decrypt_test.go @@ -10,7 +10,7 @@ import ( "github.com/stretchr/testify/require" "github.com/moond4rk/hackbrowserdata/crypto" - "github.com/moond4rk/hackbrowserdata/keys" + "github.com/moond4rk/hackbrowserdata/masterkey" ) func TestDecryptValue_V10(t *testing.T) { @@ -40,7 +40,7 @@ func TestDecryptValue_V10(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - got, err := decryptValue(keys.MasterKeys{V10: tt.key}, v10Ciphertext) + got, err := decryptValue(masterkey.MasterKeys{V10: tt.key}, v10Ciphertext) if tt.wantErrMsg != "" { require.Error(t, err) assert.Contains(t, err.Error(), tt.wantErrMsg) @@ -61,7 +61,7 @@ func TestDecryptValue_V11(t *testing.T) { v11Ciphertext := append([]byte("v11"), cbcEncrypted...) // v11 ciphertexts route to the V11 slot (Linux's keyring-derived kV11Key) — not V10 (peanuts). - got, err := decryptValue(keys.MasterKeys{V11: testAESKey}, v11Ciphertext) + got, err := decryptValue(masterkey.MasterKeys{V11: testAESKey}, v11Ciphertext) require.NoError(t, err) assert.Equal(t, plaintext, got) } @@ -87,7 +87,7 @@ func TestDecryptValue_V10_V11_SlotSeparation(t *testing.T) { require.NoError(t, err) v11Ciphertext := append([]byte("v11"), v11Enc...) - mk := keys.MasterKeys{V10: k10, V11: k11} + mk := masterkey.MasterKeys{V10: k10, V11: k11} t.Run("v10 ciphertext decrypts via V10 slot", func(t *testing.T) { got, err := decryptValue(mk, v10Ciphertext) @@ -102,7 +102,7 @@ func TestDecryptValue_V10_V11_SlotSeparation(t *testing.T) { }) t.Run("swapped keys fail both directions", func(t *testing.T) { - swapped := keys.MasterKeys{V10: k11, V11: k10} + swapped := masterkey.MasterKeys{V10: k11, V11: k10} _, err := decryptValue(swapped, v10Ciphertext) require.Error(t, err, "v10 with V11's key must fail") _, err = decryptValue(swapped, v11Ciphertext) diff --git a/browser/chromium/decrypt_v20_test.go b/browser/chromium/decrypt_v20_test.go index 9fa07d3..546ff10 100644 --- a/browser/chromium/decrypt_v20_test.go +++ b/browser/chromium/decrypt_v20_test.go @@ -7,7 +7,7 @@ import ( "github.com/stretchr/testify/require" "github.com/moond4rk/hackbrowserdata/crypto" - "github.com/moond4rk/hackbrowserdata/keys" + "github.com/moond4rk/hackbrowserdata/masterkey" ) // TestDecryptValue_V20 is cross-platform because v20's ciphertext format @@ -24,13 +24,13 @@ func TestDecryptValue_V20(t *testing.T) { // v20 layout: "v20" (3B) + nonce (12B) + ciphertext+tag ciphertext := append([]byte("v20"), append(nonce, gcm...)...) - got, err := decryptValue(keys.MasterKeys{V20: testAESKey}, ciphertext) + got, err := decryptValue(masterkey.MasterKeys{V20: testAESKey}, ciphertext) require.NoError(t, err) assert.Equal(t, plaintext, got) } func TestDecryptValue_V20_ShortCiphertext(t *testing.T) { // Missing nonce (prefix only) must error, not panic. - _, err := decryptValue(keys.MasterKeys{V20: testAESKey}, []byte("v20")) + _, err := decryptValue(masterkey.MasterKeys{V20: testAESKey}, []byte("v20")) require.Error(t, err) } diff --git a/browser/chromium/decrypt_windows_test.go b/browser/chromium/decrypt_windows_test.go index 54157de..f2a4d5f 100644 --- a/browser/chromium/decrypt_windows_test.go +++ b/browser/chromium/decrypt_windows_test.go @@ -12,7 +12,7 @@ import ( "github.com/stretchr/testify/require" "github.com/moond4rk/hackbrowserdata/crypto" - "github.com/moond4rk/hackbrowserdata/keys" + "github.com/moond4rk/hackbrowserdata/masterkey" ) // encryptWithDPAPI encrypts data using Windows DPAPI (CryptProtectData). @@ -64,7 +64,7 @@ func TestDecryptValue_V10_Windows(t *testing.T) { // v10 format on Windows: "v10" + nonce(12) + encrypted ciphertext := append([]byte("v10"), append(nonce, gcmEncrypted...)...) - got, err := decryptValue(keys.MasterKeys{V10: testAESKey}, ciphertext) + got, err := decryptValue(masterkey.MasterKeys{V10: testAESKey}, ciphertext) require.NoError(t, err) assert.Equal(t, plaintext, got) } @@ -78,7 +78,7 @@ func TestDecryptValue_DPAPI_Windows(t *testing.T) { require.NotEmpty(t, encrypted) // No v10/v20 prefix → decryptValue routes to DPAPI path; no per-tier key needed. - got, err := decryptValue(keys.MasterKeys{}, encrypted) + got, err := decryptValue(masterkey.MasterKeys{}, encrypted) require.NoError(t, err) assert.Equal(t, plaintext, got) } diff --git a/browser/chromium/extract_cookie.go b/browser/chromium/extract_cookie.go index 19d723b..4f2c04e 100644 --- a/browser/chromium/extract_cookie.go +++ b/browser/chromium/extract_cookie.go @@ -6,7 +6,7 @@ import ( "database/sql" "sort" - "github.com/moond4rk/hackbrowserdata/keys" + "github.com/moond4rk/hackbrowserdata/masterkey" "github.com/moond4rk/hackbrowserdata/types" "github.com/moond4rk/hackbrowserdata/utils/sqliteutil" ) @@ -18,7 +18,7 @@ const ( countCookieQuery = `SELECT COUNT(*) FROM cookies` ) -func extractCookies(masterKeys keys.MasterKeys, path string) ([]types.CookieEntry, error) { +func extractCookies(masterKeys masterkey.MasterKeys, path string) ([]types.CookieEntry, error) { cookies, err := sqliteutil.QueryRows(path, false, defaultCookieQuery, func(rows *sql.Rows) (types.CookieEntry, error) { var ( diff --git a/browser/chromium/extract_cookie_test.go b/browser/chromium/extract_cookie_test.go index 4e76c7c..a179166 100644 --- a/browser/chromium/extract_cookie_test.go +++ b/browser/chromium/extract_cookie_test.go @@ -7,7 +7,7 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/moond4rk/hackbrowserdata/keys" + "github.com/moond4rk/hackbrowserdata/masterkey" ) func setupCookieDB(t *testing.T) string { @@ -21,7 +21,7 @@ func setupCookieDB(t *testing.T) string { func TestExtractCookies(t *testing.T) { path := setupCookieDB(t) - got, err := extractCookies(keys.MasterKeys{}, path) + got, err := extractCookies(masterkey.MasterKeys{}, path) require.NoError(t, err) require.Len(t, got, 2) diff --git a/browser/chromium/extract_creditcard.go b/browser/chromium/extract_creditcard.go index cbd061d..62bb1ea 100644 --- a/browser/chromium/extract_creditcard.go +++ b/browser/chromium/extract_creditcard.go @@ -6,8 +6,8 @@ import ( "errors" "github.com/moond4rk/hackbrowserdata/crypto" - "github.com/moond4rk/hackbrowserdata/keys" "github.com/moond4rk/hackbrowserdata/log" + "github.com/moond4rk/hackbrowserdata/masterkey" "github.com/moond4rk/hackbrowserdata/types" "github.com/moond4rk/hackbrowserdata/utils/sqliteutil" ) @@ -36,7 +36,7 @@ type yandexPrivateData struct { SecretComment string `json:"secret_comment"` } -func extractCreditCards(masterKeys keys.MasterKeys, path string) ([]types.CreditCardEntry, error) { +func extractCreditCards(masterKeys masterkey.MasterKeys, path string) ([]types.CreditCardEntry, error) { cards, err := sqliteutil.QueryRows(path, false, defaultCreditCardQuery, func(rows *sql.Rows) (types.CreditCardEntry, error) { var guid, name, month, year, nickname, address string @@ -62,7 +62,7 @@ func extractCreditCards(masterKeys keys.MasterKeys, path string) ([]types.Credit } // extractYandexCreditCards reads the records table (not Chromium's credit_cards). AAD = guid. See RFC-012 §4. -func extractYandexCreditCards(masterKeys keys.MasterKeys, path string) ([]types.CreditCardEntry, error) { +func extractYandexCreditCards(masterKeys masterkey.MasterKeys, path string) ([]types.CreditCardEntry, error) { dataKey, err := loadYandexDataKey(path, masterKeys.V10) if err != nil { if errors.Is(err, errYandexMasterPasswordSet) { diff --git a/browser/chromium/extract_creditcard_test.go b/browser/chromium/extract_creditcard_test.go index 6014cc6..0dff488 100644 --- a/browser/chromium/extract_creditcard_test.go +++ b/browser/chromium/extract_creditcard_test.go @@ -7,7 +7,7 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/moond4rk/hackbrowserdata/keys" + "github.com/moond4rk/hackbrowserdata/masterkey" ) func setupCreditCardDB(t *testing.T) string { @@ -21,7 +21,7 @@ func setupCreditCardDB(t *testing.T) string { func TestExtractCreditCards(t *testing.T) { path := setupCreditCardDB(t) - got, err := extractCreditCards(keys.MasterKeys{}, path) + got, err := extractCreditCards(masterkey.MasterKeys{}, path) require.NoError(t, err) require.Len(t, got, 2) @@ -80,7 +80,7 @@ func TestExtractYandexCreditCards(t *testing.T) { }, ) - got, err := extractYandexCreditCards(keys.MasterKeys{V10: masterKey}, path) + got, err := extractYandexCreditCards(masterkey.MasterKeys{V10: masterKey}, path) require.NoError(t, err) require.Len(t, got, 2) @@ -128,7 +128,7 @@ func TestExtractYandexCreditCards_WrongMasterKey(t *testing.T) { yandexCreditCard{GUID: "g1", FullCardNumber: "4111"}, ) - _, err := extractYandexCreditCards(keys.MasterKeys{V10: wrongKey}, path) + _, err := extractYandexCreditCards(masterkey.MasterKeys{V10: wrongKey}, path) require.Error(t, err) } diff --git a/browser/chromium/extract_password.go b/browser/chromium/extract_password.go index 57d1b6e..4e40658 100644 --- a/browser/chromium/extract_password.go +++ b/browser/chromium/extract_password.go @@ -6,8 +6,8 @@ import ( "sort" "github.com/moond4rk/hackbrowserdata/crypto" - "github.com/moond4rk/hackbrowserdata/keys" "github.com/moond4rk/hackbrowserdata/log" + "github.com/moond4rk/hackbrowserdata/masterkey" "github.com/moond4rk/hackbrowserdata/types" "github.com/moond4rk/hackbrowserdata/utils/sqliteutil" ) @@ -20,11 +20,11 @@ const ( password_element, password_value, signon_realm, date_created FROM logins` ) -func extractPasswords(masterKeys keys.MasterKeys, path string) ([]types.LoginEntry, error) { +func extractPasswords(masterKeys masterkey.MasterKeys, path string) ([]types.LoginEntry, error) { return extractPasswordsWithQuery(masterKeys, path, defaultLoginQuery) } -func extractPasswordsWithQuery(masterKeys keys.MasterKeys, path, query string) ([]types.LoginEntry, error) { +func extractPasswordsWithQuery(masterKeys masterkey.MasterKeys, path, query string) ([]types.LoginEntry, error) { logins, err := sqliteutil.QueryRows(path, false, query, func(rows *sql.Rows) (types.LoginEntry, error) { var url, username string @@ -53,7 +53,7 @@ func extractPasswordsWithQuery(masterKeys keys.MasterKeys, path, query string) ( // extractYandexPasswords walks Ya Passman Data; protocol in RFC-012 §4. // Note: URL column is origin_url — it's what the per-row AAD is computed over (not action_url). -func extractYandexPasswords(masterKeys keys.MasterKeys, path string) ([]types.LoginEntry, error) { +func extractYandexPasswords(masterKeys masterkey.MasterKeys, path string) ([]types.LoginEntry, error) { dataKey, err := loadYandexDataKey(path, masterKeys.V10) if err != nil { if errors.Is(err, errYandexMasterPasswordSet) { diff --git a/browser/chromium/extract_password_test.go b/browser/chromium/extract_password_test.go index 51ea9e3..8d62711 100644 --- a/browser/chromium/extract_password_test.go +++ b/browser/chromium/extract_password_test.go @@ -8,7 +8,7 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/moond4rk/hackbrowserdata/keys" + "github.com/moond4rk/hackbrowserdata/masterkey" ) func setupLoginDB(t *testing.T) string { @@ -22,7 +22,7 @@ func setupLoginDB(t *testing.T) string { func TestExtractPasswords(t *testing.T) { path := setupLoginDB(t) - got, err := extractPasswords(keys.MasterKeys{}, path) + got, err := extractPasswords(masterkey.MasterKeys{}, path) require.NoError(t, err) require.Len(t, got, 2) @@ -70,7 +70,7 @@ func TestExtractYandexPasswords(t *testing.T) { }, ) - got, err := extractYandexPasswords(keys.MasterKeys{V10: masterKey}, path) + got, err := extractYandexPasswords(masterkey.MasterKeys{V10: masterKey}, path) require.NoError(t, err) require.Len(t, got, 2) @@ -93,7 +93,7 @@ func TestExtractYandexPasswords_MasterPasswordSkipped(t *testing.T) { }, ) - got, err := extractYandexPasswords(keys.MasterKeys{V10: masterKey}, path) + got, err := extractYandexPasswords(masterkey.MasterKeys{V10: masterKey}, path) require.NoError(t, err) assert.Empty(t, got, "master-password profiles should be skipped in v1") } @@ -112,7 +112,7 @@ func TestExtractYandexPasswords_WrongMasterKey(t *testing.T) { // A wrong master key fails at the intermediate step, surfacing as an error // from the extractor. - _, err := extractYandexPasswords(keys.MasterKeys{V10: wrongKey}, path) + _, err := extractYandexPasswords(masterkey.MasterKeys{V10: wrongKey}, path) require.Error(t, err) } diff --git a/browser/chromium/profile.go b/browser/chromium/profile.go index bc77a61..8f3d67b 100644 --- a/browser/chromium/profile.go +++ b/browser/chromium/profile.go @@ -4,8 +4,8 @@ import ( "path/filepath" "github.com/moond4rk/hackbrowserdata/filemanager" - "github.com/moond4rk/hackbrowserdata/keys" "github.com/moond4rk/hackbrowserdata/log" + "github.com/moond4rk/hackbrowserdata/masterkey" "github.com/moond4rk/hackbrowserdata/types" ) @@ -30,7 +30,7 @@ func (p *profile) label() string { return p.browserName + "/" + p.name() } // extract copies the profile's source files to a temp directory and extracts the // requested categories, decrypting with the installation's master keys. -func (p *profile) extract(masterKeys keys.MasterKeys, categories []types.Category) *types.BrowserData { +func (p *profile) extract(masterKeys masterkey.MasterKeys, categories []types.Category) *types.BrowserData { session, err := filemanager.NewSession() if err != nil { log.Debugf("new session for %s: %v", p.label(), err) @@ -91,7 +91,7 @@ func (p *profile) acquireFiles(session *filemanager.Session, categories []types. // extractCategory calls the appropriate extract function for a category. A custom // extractor (registered via extractorsForKind) takes precedence over the switch. -func (p *profile) extractCategory(data *types.BrowserData, cat types.Category, masterKeys keys.MasterKeys, path string) { +func (p *profile) extractCategory(data *types.BrowserData, cat types.Category, masterKeys masterkey.MasterKeys, path string) { if ext, ok := p.extractors[cat]; ok { if err := ext.extract(masterKeys, path, data); err != nil { log.Debugf("extract %s for %s: %v", cat, p.label(), err) diff --git a/browser/chromium/profile_test.go b/browser/chromium/profile_test.go index 990fc4c..fdfdab1 100644 --- a/browser/chromium/profile_test.go +++ b/browser/chromium/profile_test.go @@ -9,7 +9,7 @@ import ( "github.com/stretchr/testify/require" "github.com/moond4rk/hackbrowserdata/filemanager" - "github.com/moond4rk/hackbrowserdata/keys" + "github.com/moond4rk/hackbrowserdata/masterkey" "github.com/moond4rk/hackbrowserdata/types" ) @@ -32,7 +32,7 @@ func TestExtractCategory_CustomExtractor(t *testing.T) { } data := &types.BrowserData{} - p.extractCategory(data, types.Extension, keys.MasterKeys{}, "unused-path") + p.extractCategory(data, types.Extension, masterkey.MasterKeys{}, "unused-path") assert.True(t, called, "custom extractor should be called") require.Len(t, data.Extensions, 1) @@ -51,7 +51,7 @@ func TestExtractCategory_DefaultFallback(t *testing.T) { } data := &types.BrowserData{} - p.extractCategory(data, types.History, keys.MasterKeys{}, path) + p.extractCategory(data, types.History, masterkey.MasterKeys{}, path) require.Len(t, data.Histories, 1) assert.Equal(t, "Example", data.Histories[0].Title) diff --git a/browser/chromium/source.go b/browser/chromium/source.go index 0431fda..5c5baff 100644 --- a/browser/chromium/source.go +++ b/browser/chromium/source.go @@ -3,7 +3,7 @@ package chromium import ( "path/filepath" - "github.com/moond4rk/hackbrowserdata/keys" + "github.com/moond4rk/hackbrowserdata/masterkey" "github.com/moond4rk/hackbrowserdata/types" ) @@ -51,15 +51,15 @@ func sourcesForKind(kind types.BrowserKind) map[types.Category][]sourcePath { // switch logic, enabling browser-specific parsing (e.g. Opera's opsettings // for extensions, Yandex's credit card table, QBCI-encrypted bookmarks). type categoryExtractor interface { - extract(masterKeys keys.MasterKeys, path string, data *types.BrowserData) error + extract(masterKeys masterkey.MasterKeys, path string, data *types.BrowserData) error } // passwordExtractor wraps a custom password extract function. type passwordExtractor struct { - fn func(masterKeys keys.MasterKeys, path string) ([]types.LoginEntry, error) + fn func(masterKeys masterkey.MasterKeys, path string) ([]types.LoginEntry, error) } -func (e passwordExtractor) extract(masterKeys keys.MasterKeys, path string, data *types.BrowserData) error { +func (e passwordExtractor) extract(masterKeys masterkey.MasterKeys, path string, data *types.BrowserData) error { var err error data.Passwords, err = e.fn(masterKeys, path) return err @@ -70,7 +70,7 @@ type extensionExtractor struct { fn func(path string) ([]types.ExtensionEntry, error) } -func (e extensionExtractor) extract(_ keys.MasterKeys, path string, data *types.BrowserData) error { +func (e extensionExtractor) extract(_ masterkey.MasterKeys, path string, data *types.BrowserData) error { var err error data.Extensions, err = e.fn(path) return err @@ -79,10 +79,10 @@ func (e extensionExtractor) extract(_ keys.MasterKeys, path string, data *types. // creditCardExtractor wraps a custom credit-card extract function, used by Yandex whose Ya Credit Cards DB stores // rows as records(guid, public_data, private_data) with JSON blobs rather than Chromium's flat credit_cards table. type creditCardExtractor struct { - fn func(masterKeys keys.MasterKeys, path string) ([]types.CreditCardEntry, error) + fn func(masterKeys masterkey.MasterKeys, path string) ([]types.CreditCardEntry, error) } -func (e creditCardExtractor) extract(masterKeys keys.MasterKeys, path string, data *types.BrowserData) error { +func (e creditCardExtractor) extract(masterKeys masterkey.MasterKeys, path string, data *types.BrowserData) error { var err error data.CreditCards, err = e.fn(masterKeys, path) return err diff --git a/browser/keydump.go b/browser/keydump.go index c26a07e..3e9c136 100644 --- a/browser/keydump.go +++ b/browser/keydump.go @@ -3,15 +3,15 @@ package browser import ( "runtime" - "github.com/moond4rk/hackbrowserdata/keys" "github.com/moond4rk/hackbrowserdata/log" + "github.com/moond4rk/hackbrowserdata/masterkey" ) // BuildDump exports one Vault per installation (Firefox/Safari, lacking KeyManager, are skipped). // Partial results are kept — a Chrome 127+ profile mixes v10+v20, so a v20-only failure must not // discard a usable v10 key. -func BuildDump(browsers []Browser) keys.Dump { - dump := keys.NewDump() +func BuildDump(browsers []Browser) masterkey.Dump { + dump := masterkey.NewDump() for _, b := range browsers { km, ok := b.(KeyManager) if !ok { @@ -28,7 +28,7 @@ func BuildDump(browsers []Browser) keys.Dump { if !mk.HasAny() { continue } - dump.Vaults = append(dump.Vaults, keys.Vault{ + dump.Vaults = append(dump.Vaults, masterkey.Vault{ Browser: b.BrowserName(), UserDataDir: b.UserDataDir(), Profiles: profileNames(b), @@ -51,13 +51,13 @@ func profileNames(b Browser) []string { // Match is by (BrowserName, UserDataDir); on miss — commonly a cross-host path mismatch (Windows vs // POSIX, or a relocated dir via -p) — it falls back to the sole vault for that browser name. No match // → warn and leave the platform retrievers in place. -func ApplyDump(browsers []Browser, dump keys.Dump) { +func ApplyDump(browsers []Browser, dump masterkey.Dump) { if dump.Host.OS != "" && dump.Host.OS != runtime.GOOS { log.Infof("apply-keys: dump created on %s/%s; current host is %s/%s", dump.Host.OS, dump.Host.Arch, runtime.GOOS, runtime.GOARCH) } - vaultIndex := make(map[string]*keys.Vault, len(dump.Vaults)) - vaultsByBrowser := make(map[string][]*keys.Vault) + vaultIndex := make(map[string]*masterkey.Vault, len(dump.Vaults)) + vaultsByBrowser := make(map[string][]*masterkey.Vault) for i := range dump.Vaults { v := &dump.Vaults[i] vaultIndex[v.Browser+"|"+v.UserDataDir] = v @@ -81,7 +81,7 @@ func ApplyDump(browsers []Browser, dump keys.Dump) { log.Warnf("apply-keys: %s no matching vault in dump", b.BrowserName()) continue } - km.SetRetrievers(keys.Retrievers{ + km.SetRetrievers(masterkey.Retrievers{ V10: maybeStaticRetriever(v.Keys.V10), V11: maybeStaticRetriever(v.Keys.V11), V20: maybeStaticRetriever(v.Keys.V20), @@ -91,9 +91,9 @@ func ApplyDump(browsers []Browser, dump keys.Dump) { // maybeStaticRetriever wraps non-empty key bytes as a StaticRetriever; an empty/nil key returns nil // to preserve the "tier not applicable" signal NewMasterKeys expects. -func maybeStaticRetriever(key []byte) keys.Retriever { +func maybeStaticRetriever(key []byte) masterkey.Retriever { if len(key) == 0 { return nil } - return keys.NewStaticRetriever(key) + return masterkey.NewStaticRetriever(key) } diff --git a/browser/keydump_test.go b/browser/keydump_test.go index c8da357..14d4971 100644 --- a/browser/keydump_test.go +++ b/browser/keydump_test.go @@ -6,7 +6,7 @@ import ( "runtime" "testing" - "github.com/moond4rk/hackbrowserdata/keys" + "github.com/moond4rk/hackbrowserdata/masterkey" "github.com/moond4rk/hackbrowserdata/types" ) @@ -44,25 +44,25 @@ func (m *mockBrowser) CountEntries(_ []types.Category) ([]types.CountResult, err type mockChromiumBrowser struct { mockBrowser - keys keys.MasterKeys + keys masterkey.MasterKeys exportErr error calls int - receivedRetrievers keys.Retrievers + receivedRetrievers masterkey.Retrievers } -func (m *mockChromiumBrowser) SetRetrievers(r keys.Retrievers) { +func (m *mockChromiumBrowser) SetRetrievers(r masterkey.Retrievers) { m.receivedRetrievers = r } -func (m *mockChromiumBrowser) ExportKeys() (keys.MasterKeys, error) { +func (m *mockChromiumBrowser) ExportKeys() (masterkey.MasterKeys, error) { m.calls++ return m.keys, m.exportErr } func TestBuildDump_Empty(t *testing.T) { dump := BuildDump(nil) - if dump.Version != keys.DumpVersion { - t.Errorf("Version = %q, want %q", dump.Version, keys.DumpVersion) + if dump.Version != masterkey.DumpVersion { + t.Errorf("Version = %q, want %q", dump.Version, masterkey.DumpVersion) } if dump.Host.OS != runtime.GOOS { t.Errorf("Host.OS = %q, want %q", dump.Host.OS, runtime.GOOS) @@ -75,7 +75,7 @@ func TestBuildDump_Empty(t *testing.T) { func TestBuildDump_SingleChromium(t *testing.T) { b := &mockChromiumBrowser{ mockBrowser: mockBrowser{name: chromeName, userDataDir: testUDD, profiles: []string{testProfileDefault}}, - keys: keys.MasterKeys{V10: []byte("v10-key")}, + keys: masterkey.MasterKeys{V10: []byte("v10-key")}, } dump := BuildDump([]Browser{b}) @@ -101,7 +101,7 @@ func TestBuildDump_SingleChromium(t *testing.T) { func TestBuildDump_MultipleProfilesOneVault(t *testing.T) { b := &mockChromiumBrowser{ mockBrowser: mockBrowser{name: chromeName, userDataDir: testUDD, profiles: []string{testProfileDefault, testProfile1}}, - keys: keys.MasterKeys{V10: []byte("v10")}, + keys: masterkey.MasterKeys{V10: []byte("v10")}, } dump := BuildDump([]Browser{b}) @@ -120,7 +120,7 @@ func TestBuildDump_MultipleProfilesOneVault(t *testing.T) { func TestBuildDump_SkipsNonKeyManager(t *testing.T) { chrome := &mockChromiumBrowser{ mockBrowser: mockBrowser{name: chromeName, userDataDir: "/chrome", profiles: []string{testProfileDefault}}, - keys: keys.MasterKeys{V10: []byte("v10")}, + keys: masterkey.MasterKeys{V10: []byte("v10")}, } firefox := &mockBrowser{name: firefoxName, userDataDir: "/ff", profiles: []string{"default-release"}} @@ -137,7 +137,7 @@ func TestBuildDump_SkipsNonKeyManager(t *testing.T) { func TestBuildDump_SkipsExportError(t *testing.T) { good := &mockChromiumBrowser{ mockBrowser: mockBrowser{name: chromeName, userDataDir: "/chrome", profiles: []string{testProfileDefault}}, - keys: keys.MasterKeys{V10: []byte("v10")}, + keys: masterkey.MasterKeys{V10: []byte("v10")}, } failing := &mockChromiumBrowser{ mockBrowser: mockBrowser{name: testEdgeName, userDataDir: "/edge", profiles: []string{testProfileDefault}}, @@ -157,7 +157,7 @@ func TestBuildDump_SkipsExportError(t *testing.T) { func TestBuildDump_JSONRoundTrip(t *testing.T) { b := &mockChromiumBrowser{ mockBrowser: mockBrowser{name: chromeName, userDataDir: testUDD, profiles: []string{testProfileDefault}}, - keys: keys.MasterKeys{V10: []byte{0x01, 0x02, 0x03}, V20: []byte{0xff, 0xee}}, + keys: masterkey.MasterKeys{V10: []byte{0x01, 0x02, 0x03}, V20: []byte{0xff, 0xee}}, } dump := BuildDump([]Browser{b}) @@ -167,7 +167,7 @@ func TestBuildDump_JSONRoundTrip(t *testing.T) { t.Fatalf("WriteJSON: %v", err) } - parsed, err := keys.ReadJSON(&buf) + parsed, err := masterkey.ReadJSON(&buf) if err != nil { t.Fatalf("ReadJSON: %v", err) } @@ -192,7 +192,7 @@ func TestBuildDump_JSONRoundTrip(t *testing.T) { func TestBuildDump_PartialKeys(t *testing.T) { b := &mockChromiumBrowser{ mockBrowser: mockBrowser{name: chromeName, userDataDir: testUDD, profiles: []string{testProfileDefault}}, - keys: keys.MasterKeys{V10: []byte("v10")}, + keys: masterkey.MasterKeys{V10: []byte("v10")}, exportErr: errors.New("v20: ABE failed"), } @@ -213,9 +213,9 @@ func TestApplyDump_Match(t *testing.T) { b := &mockChromiumBrowser{ mockBrowser: mockBrowser{name: chromeName, userDataDir: testUDD, profiles: []string{testProfileDefault}}, } - dump := keys.Dump{ - Vaults: []keys.Vault{ - {Browser: chromeName, UserDataDir: testUDD, Keys: keys.MasterKeys{V10: []byte("v10-from-dump")}}, + dump := masterkey.Dump{ + Vaults: []masterkey.Vault{ + {Browser: chromeName, UserDataDir: testUDD, Keys: masterkey.MasterKeys{V10: []byte("v10-from-dump")}}, }, } ApplyDump([]Browser{b}, dump) @@ -223,7 +223,7 @@ func TestApplyDump_Match(t *testing.T) { if b.receivedRetrievers.V10 == nil { t.Fatal("V10 retriever should be set from matching vault") } - got, err := b.receivedRetrievers.V10.RetrieveKey(keys.Hints{}) + got, err := b.receivedRetrievers.V10.RetrieveKey(masterkey.Hints{}) if err != nil || string(got) != "v10-from-dump" { t.Errorf("V10.RetrieveKey() = %q, err = %v, want %q", got, err, "v10-from-dump") } @@ -236,9 +236,9 @@ func TestApplyDump_MissingVault(t *testing.T) { b := &mockChromiumBrowser{ mockBrowser: mockBrowser{name: chromeName, userDataDir: testUDD, profiles: []string{testProfileDefault}}, } - dump := keys.Dump{ - Vaults: []keys.Vault{ - {Browser: testEdgeName, UserDataDir: "/edge", Keys: keys.MasterKeys{V10: []byte("v10")}}, + dump := masterkey.Dump{ + Vaults: []masterkey.Vault{ + {Browser: testEdgeName, UserDataDir: "/edge", Keys: masterkey.MasterKeys{V10: []byte("v10")}}, }, } ApplyDump([]Browser{b}, dump) @@ -250,9 +250,9 @@ func TestApplyDump_MissingVault(t *testing.T) { func TestApplyDump_NonKeyManagerSkipped(t *testing.T) { firefox := &mockBrowser{name: firefoxName, userDataDir: "/ff", profiles: []string{"default-release"}} - dump := keys.Dump{ - Vaults: []keys.Vault{ - {Browser: firefoxName, UserDataDir: "/ff", Keys: keys.MasterKeys{V10: []byte("v10")}}, + dump := masterkey.Dump{ + Vaults: []masterkey.Vault{ + {Browser: firefoxName, UserDataDir: "/ff", Keys: masterkey.MasterKeys{V10: []byte("v10")}}, }, } // firefox does not implement KeyManager; ApplyDump must not panic and must not attempt injection. @@ -262,7 +262,7 @@ func TestApplyDump_NonKeyManagerSkipped(t *testing.T) { func TestApplyDump_RoundTrip(t *testing.T) { src := &mockChromiumBrowser{ mockBrowser: mockBrowser{name: chromeName, userDataDir: testUDD, profiles: []string{testProfileDefault}}, - keys: keys.MasterKeys{V10: []byte("v10-rt"), V20: []byte("v20-rt")}, + keys: masterkey.MasterKeys{V10: []byte("v10-rt"), V20: []byte("v20-rt")}, } dump := BuildDump([]Browser{src}) @@ -271,11 +271,11 @@ func TestApplyDump_RoundTrip(t *testing.T) { } ApplyDump([]Browser{dst}, dump) - v10, _ := dst.receivedRetrievers.V10.RetrieveKey(keys.Hints{}) + v10, _ := dst.receivedRetrievers.V10.RetrieveKey(masterkey.Hints{}) if string(v10) != "v10-rt" { t.Errorf("V10 round-trip: got %q, want v10-rt", v10) } - v20, _ := dst.receivedRetrievers.V20.RetrieveKey(keys.Hints{}) + v20, _ := dst.receivedRetrievers.V20.RetrieveKey(masterkey.Hints{}) if string(v20) != "v20-rt" { t.Errorf("V20 round-trip: got %q, want v20-rt", v20) } @@ -291,12 +291,12 @@ func TestApplyDump_FallbackOnPathMismatch(t *testing.T) { b := &mockChromiumBrowser{ mockBrowser: mockBrowser{name: chromeName, userDataDir: "/local/chrome", profiles: []string{testProfileDefault}}, } - dump := keys.Dump{ - Vaults: []keys.Vault{ + dump := masterkey.Dump{ + Vaults: []masterkey.Vault{ { Browser: chromeName, UserDataDir: `C:\Users\foo\AppData\Local\Google\Chrome\User Data`, - Keys: keys.MasterKeys{V10: []byte("v10-fallback")}, + Keys: masterkey.MasterKeys{V10: []byte("v10-fallback")}, }, }, } @@ -305,7 +305,7 @@ func TestApplyDump_FallbackOnPathMismatch(t *testing.T) { if b.receivedRetrievers.V10 == nil { t.Fatal("V10 retriever should be set via single-vault fallback") } - got, err := b.receivedRetrievers.V10.RetrieveKey(keys.Hints{}) + got, err := b.receivedRetrievers.V10.RetrieveKey(masterkey.Hints{}) if err != nil || string(got) != "v10-fallback" { t.Errorf("V10.RetrieveKey() = %q, err = %v, want %q", got, err, "v10-fallback") } @@ -317,10 +317,10 @@ func TestApplyDump_NoFallbackWhenAmbiguous(t *testing.T) { b := &mockChromiumBrowser{ mockBrowser: mockBrowser{name: chromeName, userDataDir: "/local/chrome", profiles: []string{testProfileDefault}}, } - dump := keys.Dump{ - Vaults: []keys.Vault{ - {Browser: chromeName, UserDataDir: "/path/a", Keys: keys.MasterKeys{V10: []byte("a")}}, - {Browser: chromeName, UserDataDir: "/path/b", Keys: keys.MasterKeys{V10: []byte("b")}}, + dump := masterkey.Dump{ + Vaults: []masterkey.Vault{ + {Browser: chromeName, UserDataDir: "/path/a", Keys: masterkey.MasterKeys{V10: []byte("a")}}, + {Browser: chromeName, UserDataDir: "/path/b", Keys: masterkey.MasterKeys{V10: []byte("b")}}, }, } ApplyDump([]Browser{b}, dump) diff --git a/browser/safari/extract_password.go b/browser/safari/extract_password.go index b36afb4..aa791c2 100644 --- a/browser/safari/extract_password.go +++ b/browser/safari/extract_password.go @@ -45,16 +45,9 @@ func countPasswords(keychainPassword string) (int, error) { return len(passwords), nil } -// getInternetPasswords reads InternetPassword records directly from the -// macOS login keychain. See rfcs/006-key-retrieval-mechanisms.md §7 for why -// Safari owns this path instead of routing through the keys package. -// -// TryUnlock is always invoked — with the user-supplied password when one is -// available, otherwise with no options — to enable keychainbreaker's partial -// extraction mode. With a valid password we get fully decrypted entries; with -// empty or wrong password we still get metadata records (URL, account, -// timestamps) and PlainPassword left blank, which Safari can export as -// metadata-only output instead of failing with ErrLocked. +// getInternetPasswords reads InternetPassword records straight from the macOS login keychain (Safari owns its own key +// path, separate from the masterkey package). TryUnlock always runs — even without a password — so a locked keychain +// still yields metadata-only records (URL, account, blank password) instead of failing with ErrLocked. func getInternetPasswords(keychainPassword string) ([]keychainbreaker.InternetPassword, error) { kc, err := keychainbreaker.Open() if err != nil { @@ -82,8 +75,7 @@ func buildURL(protocol, server string, port uint32, path string) string { return "" } - // Convert macOS Keychain FourCC protocol code to URL scheme. - // Only "htps" needs special mapping; others just need space trimming. + // macOS Keychain stores the protocol as a FourCC code; only "htps" needs remapping, others just trim padding. scheme := strings.TrimRight(protocol, " ") if scheme == "" || scheme == "htps" { scheme = "https" diff --git a/cmd/hack-browser-data/dump.go b/cmd/hack-browser-data/dump.go index daf24ad..ee30220 100644 --- a/cmd/hack-browser-data/dump.go +++ b/cmd/hack-browser-data/dump.go @@ -31,7 +31,7 @@ func dumpCmd() *cobra.Command { hack-browser-data dump -f cookie-editor hack-browser-data dump --zip`, RunE: func(cmd *cobra.Command, args []string) error { - browsers, err := browser.DiscoverBrowsersWithKeys(browser.PickOptions{ + browsers, err := browser.DiscoverBrowsersWithKeys(browser.DiscoverOptions{ Name: browserName, ProfilePath: profilePath, KeychainPassword: keychainPw, diff --git a/cmd/hack-browser-data/keys.go b/cmd/hack-browser-data/keys.go index c65d6fd..8e346e2 100644 --- a/cmd/hack-browser-data/keys.go +++ b/cmd/hack-browser-data/keys.go @@ -9,8 +9,8 @@ import ( "github.com/spf13/cobra" "github.com/moond4rk/hackbrowserdata/browser" - "github.com/moond4rk/hackbrowserdata/keys" "github.com/moond4rk/hackbrowserdata/log" + "github.com/moond4rk/hackbrowserdata/masterkey" ) func keysCmd() *cobra.Command { @@ -35,7 +35,7 @@ func keysExportCmd() *cobra.Command { Example: ` hack-browser-data keys export -o dump.json hack-browser-data keys export -b chrome`, RunE: func(cmd *cobra.Command, args []string) error { - browsers, err := browser.DiscoverBrowsersWithKeys(browser.PickOptions{ + browsers, err := browser.DiscoverBrowsersWithKeys(browser.DiscoverOptions{ Name: browserName, KeychainPassword: keychainPw, }) @@ -135,12 +135,12 @@ func loadAndApplyKeys(browserName, profilePath, keysPath string) ([]browser.Brow defer f.Close() r = f } - dump, err := keys.ReadJSON(r) + dump, err := masterkey.ReadJSON(r) if err != nil { return nil, fmt.Errorf("read keys file %q: %w", keysPath, err) } - browsers, err := browser.DiscoverBrowsers(browser.PickOptions{ + browsers, err := browser.DiscoverBrowsers(browser.DiscoverOptions{ Name: browserName, ProfilePath: profilePath, }) diff --git a/cmd/hack-browser-data/list.go b/cmd/hack-browser-data/list.go index 5a20070..c4b6f53 100644 --- a/cmd/hack-browser-data/list.go +++ b/cmd/hack-browser-data/list.go @@ -20,7 +20,7 @@ func listCmd() *cobra.Command { Example: ` hack-browser-data list hack-browser-data list --detail`, RunE: func(cmd *cobra.Command, args []string) error { - browsers, err := browser.DiscoverBrowsers(browser.PickOptions{Name: "all"}) + browsers, err := browser.DiscoverBrowsers(browser.DiscoverOptions{Name: "all"}) if err != nil { return err } diff --git a/keys/abe_windows.go b/masterkey/abe_windows.go similarity index 99% rename from keys/abe_windows.go rename to masterkey/abe_windows.go index 65371c5..e095267 100644 --- a/keys/abe_windows.go +++ b/masterkey/abe_windows.go @@ -1,6 +1,6 @@ //go:build windows -package keys +package masterkey import ( "encoding/base64" diff --git a/keys/dump.go b/masterkey/dump.go similarity index 99% rename from keys/dump.go rename to masterkey/dump.go index a230fb8..13fa924 100644 --- a/keys/dump.go +++ b/masterkey/dump.go @@ -1,4 +1,4 @@ -package keys +package masterkey import ( "encoding/json" diff --git a/keys/dump_test.go b/masterkey/dump_test.go similarity index 98% rename from keys/dump_test.go rename to masterkey/dump_test.go index f92ab78..c442184 100644 --- a/keys/dump_test.go +++ b/masterkey/dump_test.go @@ -1,4 +1,4 @@ -package keys +package masterkey import ( "bytes" diff --git a/keys/gcoredump_darwin.go b/masterkey/gcoredump_darwin.go similarity index 99% rename from keys/gcoredump_darwin.go rename to masterkey/gcoredump_darwin.go index 8fe26b5..ef7e2f3 100644 --- a/keys/gcoredump_darwin.go +++ b/masterkey/gcoredump_darwin.go @@ -1,6 +1,6 @@ //go:build darwin -package keys +package masterkey // CVE-2025-24204: gcore holds the com.apple.system-task-ports.read entitlement, so a root process can // dump securityd memory without a TCC prompt; we scan the dump for the 24-byte keychain master key. diff --git a/keys/masterkeys.go b/masterkey/masterkeys.go similarity index 98% rename from keys/masterkeys.go rename to masterkey/masterkeys.go index 3f4870a..4fc4e30 100644 --- a/keys/masterkeys.go +++ b/masterkey/masterkeys.go @@ -1,4 +1,4 @@ -package keys +package masterkey import ( "errors" diff --git a/keys/masterkeys_test.go b/masterkey/masterkeys_test.go similarity index 99% rename from keys/masterkeys_test.go rename to masterkey/masterkeys_test.go index 5c465c5..069aac6 100644 --- a/keys/masterkeys_test.go +++ b/masterkey/masterkeys_test.go @@ -1,4 +1,4 @@ -package keys +package masterkey import ( "bytes" diff --git a/keys/params.go b/masterkey/params.go similarity index 96% rename from keys/params.go rename to masterkey/params.go index 35641c2..c1077d3 100644 --- a/keys/params.go +++ b/masterkey/params.go @@ -1,6 +1,6 @@ //go:build darwin || linux -package keys +package masterkey import ( "hash" diff --git a/keys/retriever.go b/masterkey/retriever.go similarity index 98% rename from keys/retriever.go rename to masterkey/retriever.go index c099f5d..910435b 100644 --- a/keys/retriever.go +++ b/masterkey/retriever.go @@ -1,6 +1,6 @@ // Package keys retrieves Chromium master keys (per-platform retrievers + a cross-host Dump format). // Firefox and Safari own their own key paths and don't route through here. -package keys +package masterkey import ( "errors" diff --git a/keys/retriever_darwin.go b/masterkey/retriever_darwin.go similarity index 99% rename from keys/retriever_darwin.go rename to masterkey/retriever_darwin.go index b6e1cec..8f7711f 100644 --- a/keys/retriever_darwin.go +++ b/masterkey/retriever_darwin.go @@ -1,6 +1,6 @@ //go:build darwin -package keys +package masterkey import ( "bytes" diff --git a/keys/retriever_darwin_test.go b/masterkey/retriever_darwin_test.go similarity index 98% rename from keys/retriever_darwin_test.go rename to masterkey/retriever_darwin_test.go index 79d88ac..2982108 100644 --- a/keys/retriever_darwin_test.go +++ b/masterkey/retriever_darwin_test.go @@ -1,6 +1,6 @@ //go:build darwin -package keys +package masterkey import ( "testing" diff --git a/keys/retriever_linux.go b/masterkey/retriever_linux.go similarity index 99% rename from keys/retriever_linux.go rename to masterkey/retriever_linux.go index ebf12df..407b0ec 100644 --- a/keys/retriever_linux.go +++ b/masterkey/retriever_linux.go @@ -1,6 +1,6 @@ //go:build linux -package keys +package masterkey import ( "crypto/sha1" diff --git a/keys/retriever_linux_test.go b/masterkey/retriever_linux_test.go similarity index 99% rename from keys/retriever_linux_test.go rename to masterkey/retriever_linux_test.go index 22bbfe3..402767f 100644 --- a/keys/retriever_linux_test.go +++ b/masterkey/retriever_linux_test.go @@ -1,6 +1,6 @@ //go:build linux -package keys +package masterkey import ( "testing" diff --git a/keys/retriever_test.go b/masterkey/retriever_test.go similarity index 99% rename from keys/retriever_test.go rename to masterkey/retriever_test.go index b63e80c..c9c2a41 100644 --- a/keys/retriever_test.go +++ b/masterkey/retriever_test.go @@ -1,4 +1,4 @@ -package keys +package masterkey import ( "errors" diff --git a/keys/retriever_windows.go b/masterkey/retriever_windows.go similarity index 98% rename from keys/retriever_windows.go rename to masterkey/retriever_windows.go index ff65124..5a7c50a 100644 --- a/keys/retriever_windows.go +++ b/masterkey/retriever_windows.go @@ -1,6 +1,6 @@ //go:build windows -package keys +package masterkey import ( "encoding/base64" diff --git a/keys/static.go b/masterkey/static.go similarity index 97% rename from keys/static.go rename to masterkey/static.go index d1b6dfa..315f001 100644 --- a/keys/static.go +++ b/masterkey/static.go @@ -1,4 +1,4 @@ -package keys +package masterkey // StaticRetriever returns pre-supplied key bytes (from a Dump) instead of platform retrieval, ignoring // Hints. An empty key returns (nil, nil) — the "tier not applicable" signal NewMasterKeys expects.