refactor(windows): split Windows code into winapi (#575)

utils/winapi/dpapi_windows.go

@@ -0,0 +1,49 @@
+//go:build windows
+
+package winapi
+
+import (
+	"fmt"
+	"unsafe"
+)
+
+var (
+	procCryptUnprotectData = Crypt32.NewProc("CryptUnprotectData")
+	procLocalFree          = Kernel32.NewProc("LocalFree")
+)
+
+// dataBlob mirrors the DPAPI DATA_BLOB struct.
+type dataBlob struct {
+	cbData uint32
+	pbData *byte
+}
+
+func newBlob(d []byte) *dataBlob {
+	if len(d) == 0 {
+		return &dataBlob{}
+	}
+	return &dataBlob{pbData: &d[0], cbData: uint32(len(d))}
+}
+
+func (b *dataBlob) bytes() []byte {
+	d := make([]byte, b.cbData)
+	copy(d, (*[1 << 30]byte)(unsafe.Pointer(b.pbData))[:])
+	return d
+}
+
+// DecryptDPAPI decrypts a DPAPI-protected blob using the current user's
+// master key. It is the Windows counterpart to macOS/Linux os_crypt
+// fallbacks and is called by crypto.DecryptDPAPI.
+func DecryptDPAPI(ciphertext []byte) ([]byte, error) {
+	var out dataBlob
+	r, _, err := procCryptUnprotectData.Call(
+		uintptr(unsafe.Pointer(newBlob(ciphertext))),
+		0, 0, 0, 0, 0,
+		uintptr(unsafe.Pointer(&out)),
+	)
+	if r == 0 {
+		return nil, fmt.Errorf("CryptUnprotectData: %w", err)
+	}
+	defer procLocalFree.Call(uintptr(unsafe.Pointer(out.pbData)))
+	return out.bytes(), nil
+}