mirror of
https://github.com/moonD4rk/HackBrowserData.git
synced 2026-06-06 19:53:53 +02:00
refactor: extract master-key code into masterkey package (#604)
This commit is contained in:
Roger
@@ -6,9 +6,9 @@ import (
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
"github.com/moond4rk/hackbrowserdata/crypto/keyretriever"
|
||||
"github.com/moond4rk/hackbrowserdata/filemanager"
|
||||
"github.com/moond4rk/hackbrowserdata/log"
|
||||
"github.com/moond4rk/hackbrowserdata/masterkey"
|
||||
"github.com/moond4rk/hackbrowserdata/types"
|
||||
"github.com/moond4rk/hackbrowserdata/utils/fileutil"
|
||||
)
|
||||
@@ -17,16 +17,15 @@ import (
|
||||
// that share a master key. The key is derived once and reused across profiles.
|
||||
type Browser struct {
|
||||
cfg types.BrowserConfig
|
||||
retrievers keyretriever.Retrievers
|
||||
retrievers masterkey.Retrievers
|
||||
profiles []*profile
|
||||
|
||||
keysOnce sync.Once
|
||||
keys keyretriever.MasterKeys
|
||||
keys masterkey.MasterKeys
|
||||
}
|
||||
|
||||
// NewBrowser discovers the Chromium profiles under cfg.UserDataDir and returns
|
||||
// the installation, or nil if no profile with resolvable sources exists. Call
|
||||
// SetKeyRetrievers before Extract to enable decryption of sensitive data.
|
||||
// NewBrowser discovers the profiles under cfg.UserDataDir, or returns nil if none resolve.
|
||||
// Call SetRetrievers before Extract to enable decryption.
|
||||
func NewBrowser(cfg types.BrowserConfig) (*Browser, error) {
|
||||
sources := sourcesForKind(cfg.Kind)
|
||||
extractors := extractorsForKind(cfg.Kind)
|
||||
@@ -51,9 +50,9 @@ func NewBrowser(cfg types.BrowserConfig) (*Browser, error) {
|
||||
return &Browser{cfg: cfg, profiles: profiles}, nil
|
||||
}
|
||||
|
||||
// SetKeyRetrievers wires the per-tier master-key retrievers (V10/V11/V20) used by
|
||||
// SetRetrievers wires the per-tier master-key retrievers (V10/V11/V20) used by
|
||||
// Extract; unused tiers stay nil.
|
||||
func (b *Browser) SetKeyRetrievers(r keyretriever.Retrievers) { b.retrievers = r }
|
||||
func (b *Browser) SetRetrievers(r masterkey.Retrievers) { b.retrievers = r }
|
||||
|
||||
func (b *Browser) BrowserName() string { return b.cfg.Name }
|
||||
func (b *Browser) UserDataDir() string { return b.cfg.UserDataDir }
|
||||
@@ -69,12 +68,12 @@ func (b *Browser) Profiles() []types.Profile {
|
||||
|
||||
// Extract derives the installation's master key once, then extracts every profile.
|
||||
func (b *Browser) Extract(categories []types.Category) ([]types.ExtractResult, error) {
|
||||
keys := b.masterKeys()
|
||||
masterKeys := b.masterKeys()
|
||||
results := make([]types.ExtractResult, 0, len(b.profiles))
|
||||
for _, p := range b.profiles {
|
||||
results = append(results, types.ExtractResult{
|
||||
Profile: types.Profile{Name: p.name(), Dir: p.profileDir},
|
||||
Data: p.extract(keys, categories),
|
||||
Data: p.extract(masterKeys, categories),
|
||||
})
|
||||
}
|
||||
return results, nil
|
||||
@@ -92,39 +91,34 @@ func (b *Browser) CountEntries(categories []types.Category) ([]types.CountResult
|
||||
return results, nil
|
||||
}
|
||||
|
||||
// ExportKeys derives the installation's master keys without extraction. Returns
|
||||
// whatever tiers succeeded plus a joined error describing any failed tiers;
|
||||
// callers preserve partial results because a Chrome 127+ installation mixes
|
||||
// v10 + v20 ciphertexts and a v20-only failure must not erase a usable v10 key.
|
||||
func (b *Browser) ExportKeys() (keyretriever.MasterKeys, error) {
|
||||
// ExportKeys derives the master keys without extracting. Returns the tiers that succeeded plus a
|
||||
// joined error for those that failed — partial results matter (a v20-only failure keeps the v10 key).
|
||||
func (b *Browser) ExportKeys() (masterkey.MasterKeys, error) {
|
||||
session, err := filemanager.NewSession()
|
||||
if err != nil {
|
||||
return keyretriever.MasterKeys{}, err
|
||||
return masterkey.MasterKeys{}, err
|
||||
}
|
||||
defer session.Cleanup()
|
||||
|
||||
return keyretriever.NewMasterKeys(b.retrievers, b.buildHints(session))
|
||||
return masterkey.NewMasterKeys(b.retrievers, b.buildHints(session))
|
||||
}
|
||||
|
||||
// masterKeys derives the installation's keys exactly once and caches them.
|
||||
// Because derivation happens a single time per installation, a failure is warned
|
||||
// exactly once — no cross-profile dedup state is needed.
|
||||
func (b *Browser) masterKeys() keyretriever.MasterKeys {
|
||||
// masterKeys derives and caches the installation's keys exactly once (sync.Once), so a failure is
|
||||
// warned once — no cross-profile dedup state needed.
|
||||
func (b *Browser) masterKeys() masterkey.MasterKeys {
|
||||
b.keysOnce.Do(func() {
|
||||
keys, err := b.ExportKeys()
|
||||
masterKeys, err := b.ExportKeys()
|
||||
if err != nil {
|
||||
log.Warnf("%s: master key retrieval: %v", b.BrowserName(), err)
|
||||
}
|
||||
b.keys = keys
|
||||
b.keys = masterKeys
|
||||
})
|
||||
return b.keys
|
||||
}
|
||||
|
||||
// buildHints acquires Local State (into session.TempDir so Windows DPAPI/ABE
|
||||
// retrievers can read it from a path the process owns) and assembles per-tier
|
||||
// retriever hints. Local State lives at the installation root (cfg.UserDataDir)
|
||||
// in both the multi-profile and flat (Opera) layouts.
|
||||
func (b *Browser) buildHints(session *filemanager.Session) keyretriever.Hints {
|
||||
// buildHints copies Local State into the session temp dir (so Windows DPAPI/ABE retrievers read it
|
||||
// from a process-owned path) and assembles the Hints. Local State sits at the installation root.
|
||||
func (b *Browser) buildHints(session *filemanager.Session) masterkey.Hints {
|
||||
var localStateDst string
|
||||
candidate := filepath.Join(b.cfg.UserDataDir, "Local State")
|
||||
if fileutil.FileExists(candidate) {
|
||||
@@ -140,7 +134,7 @@ func (b *Browser) buildHints(session *filemanager.Session) keyretriever.Hints {
|
||||
if b.cfg.WindowsABE {
|
||||
abeKey = b.cfg.Key
|
||||
}
|
||||
return keyretriever.Hints{
|
||||
return masterkey.Hints{
|
||||
KeychainLabel: b.cfg.KeychainLabel,
|
||||
WindowsABEKey: abeKey,
|
||||
LocalStatePath: localStateDst,
|
||||
|
||||
@@ -9,7 +9,7 @@ import (
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
|
||||
"github.com/moond4rk/hackbrowserdata/crypto/keyretriever"
|
||||
"github.com/moond4rk/hackbrowserdata/masterkey"
|
||||
"github.com/moond4rk/hackbrowserdata/types"
|
||||
)
|
||||
|
||||
@@ -380,21 +380,21 @@ func TestLocalStatePath(t *testing.T) {
|
||||
|
||||
// mockRetriever records the arguments passed to RetrieveKey.
|
||||
type mockRetriever struct {
|
||||
hints keyretriever.Hints
|
||||
hints masterkey.Hints
|
||||
key []byte
|
||||
err error
|
||||
called bool
|
||||
}
|
||||
|
||||
func (m *mockRetriever) RetrieveKey(hints keyretriever.Hints) ([]byte, error) {
|
||||
func (m *mockRetriever) RetrieveKey(hints masterkey.Hints) ([]byte, error) {
|
||||
m.called = true
|
||||
m.hints = hints
|
||||
return m.key, m.err
|
||||
}
|
||||
|
||||
func TestGetMasterKeys(t *testing.T) {
|
||||
// getMasterKeys routes through keyretriever.NewMasterKeys on every platform — the V10 mock
|
||||
// wired via SetKeyRetrievers(Retrievers{V10: mock}) is consulted cross-platform.
|
||||
// getMasterKeys routes through masterkey.NewMasterKeys on every platform — the V10 mock
|
||||
// wired via SetRetrievers(Retrievers{V10: mock}) is consulted cross-platform.
|
||||
|
||||
// Profile directory without Local State file.
|
||||
dirNoLocalState := t.TempDir()
|
||||
@@ -405,7 +405,7 @@ func TestGetMasterKeys(t *testing.T) {
|
||||
name string
|
||||
dir string
|
||||
keychainLabel string
|
||||
retriever keyretriever.KeyRetriever // nil → don't call SetKeyRetrievers
|
||||
retriever masterkey.Retriever // nil → don't call SetRetrievers
|
||||
wantV10 []byte
|
||||
wantKeychainLabel string
|
||||
wantLocalState bool // whether localStatePath passed to retriever is non-empty
|
||||
@@ -442,13 +442,13 @@ func TestGetMasterKeys(t *testing.T) {
|
||||
require.NotNil(t, b)
|
||||
|
||||
if tt.retriever != nil {
|
||||
b.SetKeyRetrievers(keyretriever.Retrievers{V10: tt.retriever})
|
||||
b.SetRetrievers(masterkey.Retrievers{V10: tt.retriever})
|
||||
}
|
||||
|
||||
keys := b.masterKeys()
|
||||
assert.Equal(t, tt.wantV10, keys.V10)
|
||||
assert.Nil(t, keys.V11, "V11 stays nil when no v11 retriever is wired")
|
||||
assert.Nil(t, keys.V20, "V20 stays nil when no v20 retriever is wired")
|
||||
mk := b.masterKeys()
|
||||
assert.Equal(t, tt.wantV10, mk.V10)
|
||||
assert.Nil(t, mk.V11, "V11 stays nil when no v11 retriever is wired")
|
||||
assert.Nil(t, mk.V20, "V20 stays nil when no v20 retriever is wired")
|
||||
|
||||
if tt.retriever == nil {
|
||||
return
|
||||
@@ -470,7 +470,7 @@ func TestGetMasterKeys(t *testing.T) {
|
||||
// Before the refactor a Windows-only bypass meant only one tier's retriever was consulted, so a
|
||||
// profile mixing prefixes silently lost the un-retrieved tier. After the refactor every
|
||||
// configured tier must be called exactly once and its key must land in the matching MasterKeys
|
||||
// slot. This catches any future "bypass keyretriever for a faster path" regression and covers the
|
||||
// slot. This catches any future "bypass the masterkey package for a faster path" regression and covers the
|
||||
// analogous Linux v10/v11 case — no platform silently drops a tier any more.
|
||||
func TestGetMasterKeys_AllTiersInvoked(t *testing.T) {
|
||||
v10mock := &mockRetriever{key: []byte("fake-v10-key")}
|
||||
@@ -483,12 +483,12 @@ func TestGetMasterKeys_AllTiersInvoked(t *testing.T) {
|
||||
require.NoError(t, err)
|
||||
require.NotNil(t, b)
|
||||
|
||||
b.SetKeyRetrievers(keyretriever.Retrievers{V10: v10mock, V11: v11mock, V20: v20mock})
|
||||
b.SetRetrievers(masterkey.Retrievers{V10: v10mock, V11: v11mock, V20: v20mock})
|
||||
|
||||
keys := b.masterKeys()
|
||||
assert.Equal(t, []byte("fake-v10-key"), keys.V10, "V10 slot must be populated")
|
||||
assert.Equal(t, []byte("fake-v11-key"), keys.V11, "V11 slot must be populated")
|
||||
assert.Equal(t, []byte("fake-v20-key"), keys.V20, "V20 slot must be populated")
|
||||
mk := b.masterKeys()
|
||||
assert.Equal(t, []byte("fake-v10-key"), mk.V10, "V10 slot must be populated")
|
||||
assert.Equal(t, []byte("fake-v11-key"), mk.V11, "V11 slot must be populated")
|
||||
assert.Equal(t, []byte("fake-v20-key"), mk.V20, "V20 slot must be populated")
|
||||
assert.True(t, v10mock.called, "V10 retriever must be called — no silent bypass")
|
||||
assert.True(t, v11mock.called, "V11 retriever must be called — no silent bypass")
|
||||
assert.True(t, v20mock.called, "V20 retriever must be called — no silent bypass")
|
||||
@@ -521,7 +521,7 @@ func TestGetMasterKeys_WindowsABEThreading(t *testing.T) {
|
||||
require.NoError(t, err)
|
||||
require.NotNil(t, b)
|
||||
|
||||
b.SetKeyRetrievers(keyretriever.Retrievers{V20: mock})
|
||||
b.SetRetrievers(masterkey.Retrievers{V20: mock})
|
||||
|
||||
b.masterKeys()
|
||||
assert.Equal(t, tt.wantABEKey, mock.hints.WindowsABEKey)
|
||||
@@ -540,8 +540,8 @@ func TestExtract(t *testing.T) {
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
retriever keyretriever.KeyRetriever // nil → don't call SetRetriever
|
||||
wantRetriever bool // whether retriever should be called
|
||||
retriever masterkey.Retriever // nil → don't call SetRetriever
|
||||
wantRetriever bool // whether retriever should be called
|
||||
}{
|
||||
{
|
||||
name: "without retriever extracts unencrypted data",
|
||||
@@ -562,7 +562,7 @@ func TestExtract(t *testing.T) {
|
||||
require.NotNil(t, b)
|
||||
|
||||
if tt.retriever != nil {
|
||||
b.SetKeyRetrievers(keyretriever.Retrievers{V10: tt.retriever})
|
||||
b.SetRetrievers(masterkey.Retrievers{V10: tt.retriever})
|
||||
}
|
||||
|
||||
results, err := b.Extract([]types.Category{types.History})
|
||||
@@ -629,13 +629,13 @@ func TestCountEntries_NoRetrieverNeeded(t *testing.T) {
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// SetKeyRetrievers: verify *Browser satisfies the interface used by
|
||||
// browser.pickFromConfigs for post-construction retriever injection.
|
||||
// SetRetrievers: verify *Browser satisfies the interface used by
|
||||
// browser.discoverFromConfigs for post-construction retriever injection.
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
func TestSetKeyRetrievers_SatisfiesInterface(t *testing.T) {
|
||||
func TestSetRetrievers_SatisfiesInterface(t *testing.T) {
|
||||
var _ interface {
|
||||
SetKeyRetrievers(keyretriever.Retrievers)
|
||||
SetRetrievers(masterkey.Retrievers)
|
||||
} = (*Browser)(nil)
|
||||
}
|
||||
|
||||
|
||||
@@ -4,21 +4,21 @@ import (
|
||||
"fmt"
|
||||
|
||||
"github.com/moond4rk/hackbrowserdata/crypto"
|
||||
"github.com/moond4rk/hackbrowserdata/crypto/keyretriever"
|
||||
"github.com/moond4rk/hackbrowserdata/masterkey"
|
||||
)
|
||||
|
||||
// decryptValue decrypts a Chromium-encrypted value by dispatching on the ciphertext's version
|
||||
// prefix to the matching tier in keys:
|
||||
// prefix to the matching tier in masterKeys:
|
||||
//
|
||||
// - v10 → keys.V10 (Windows DPAPI / macOS Keychain / Linux peanuts kV10Key)
|
||||
// - v11 → keys.V11 (Linux keyring kV11Key; nil on Windows/macOS — Chromium doesn't emit v11 there)
|
||||
// - v20 → keys.V20 (Windows ABE; nil on non-Windows — Chromium doesn't emit v20 there)
|
||||
// - v10 → masterKeys.V10 (Windows DPAPI / macOS Keychain / Linux peanuts kV10Key)
|
||||
// - v11 → masterKeys.V11 (Linux keyring kV11Key; nil on Windows/macOS — Chromium doesn't emit v11 there)
|
||||
// - v20 → masterKeys.V20 (Windows ABE; nil on non-Windows — Chromium doesn't emit v20 there)
|
||||
//
|
||||
// A single profile can carry mixed prefixes (Chrome 127+ upgrades on Windows; Linux session-mode
|
||||
// changes), so every applicable key must be populated upstream for lossless extraction. Missing
|
||||
// tier keys surface as decrypt errors at the ciphertext level; the extract layer treats those as
|
||||
// empty plaintexts rather than fatal errors.
|
||||
func decryptValue(keys keyretriever.MasterKeys, ciphertext []byte) ([]byte, error) {
|
||||
func decryptValue(masterKeys masterkey.MasterKeys, ciphertext []byte) ([]byte, error) {
|
||||
if len(ciphertext) == 0 {
|
||||
return nil, nil
|
||||
}
|
||||
@@ -26,16 +26,16 @@ func decryptValue(keys keyretriever.MasterKeys, ciphertext []byte) ([]byte, erro
|
||||
version := crypto.DetectVersion(ciphertext)
|
||||
switch version {
|
||||
case crypto.CipherV10:
|
||||
return crypto.DecryptChromium(keys.V10, ciphertext)
|
||||
return crypto.DecryptChromium(masterKeys.V10, ciphertext)
|
||||
case crypto.CipherV11:
|
||||
// v11 is Linux-only and shares v10's AES-CBC path, but uses the keyring-derived kV11Key
|
||||
// rather than the peanuts-derived kV10Key — so a Linux profile with both prefixes needs
|
||||
// distinct per-tier keys to decrypt everything.
|
||||
return crypto.DecryptChromium(keys.V11, ciphertext)
|
||||
return crypto.DecryptChromium(masterKeys.V11, ciphertext)
|
||||
case crypto.CipherV20:
|
||||
// v20 is cross-platform AES-GCM; routed through a dedicated function so Linux/macOS CI can
|
||||
// exercise the same decryption path as Windows.
|
||||
return crypto.DecryptChromiumV20(keys.V20, ciphertext)
|
||||
return crypto.DecryptChromiumV20(masterKeys.V20, ciphertext)
|
||||
case crypto.CipherV12:
|
||||
// Chromium's SecretPortalKeyProvider (Flatpak / xdg-desktop-portal) — HKDF-SHA256 +
|
||||
// AES-256-GCM with a secret retrieved via org.freedesktop.portal.Desktop. Recognized here
|
||||
|
||||
@@ -8,7 +8,7 @@ import (
|
||||
"github.com/stretchr/testify/require"
|
||||
|
||||
"github.com/moond4rk/hackbrowserdata/crypto"
|
||||
"github.com/moond4rk/hackbrowserdata/crypto/keyretriever"
|
||||
"github.com/moond4rk/hackbrowserdata/masterkey"
|
||||
)
|
||||
|
||||
// TestDecryptValue_MixedTier is the regression test for mixed-cipher profiles (issue #578 on
|
||||
@@ -33,7 +33,7 @@ func TestDecryptValue_MixedTier(t *testing.T) {
|
||||
v20Ciphertext := append([]byte("v20"), append(nonce, gcmEnc...)...)
|
||||
|
||||
t.Run("all tiers populated: v20 picks V20, decrypts", func(t *testing.T) {
|
||||
got, err := decryptValue(keyretriever.MasterKeys{V10: k10, V11: k11, V20: k20}, v20Ciphertext)
|
||||
got, err := decryptValue(masterkey.MasterKeys{V10: k10, V11: k11, V20: k20}, v20Ciphertext)
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, plaintext, got)
|
||||
})
|
||||
@@ -41,20 +41,20 @@ func TestDecryptValue_MixedTier(t *testing.T) {
|
||||
t.Run("V20 holds wrong key: v20 still picks V20 slot (not V10/V11), errors", func(t *testing.T) {
|
||||
// If the dispatcher incorrectly fell back to V10 or V11 when V20 had a wrong key, this
|
||||
// would succeed. Proves the router uses prefix-based selection, not first-usable-key.
|
||||
_, err := decryptValue(keyretriever.MasterKeys{V10: k20, V11: k20, V20: k10}, v20Ciphertext)
|
||||
_, err := decryptValue(masterkey.MasterKeys{V10: k20, V11: k20, V20: k10}, v20Ciphertext)
|
||||
require.Error(t, err)
|
||||
})
|
||||
|
||||
t.Run("only V20 populated: v20 still decrypts", func(t *testing.T) {
|
||||
// The pre-#578 symmetric regression: when DPAPI/keyring failed and only V20 was retrieved,
|
||||
// v20 cookies had to still decrypt. This asserts V10 and V11 being nil doesn't block v20.
|
||||
got, err := decryptValue(keyretriever.MasterKeys{V20: k20}, v20Ciphertext)
|
||||
got, err := decryptValue(masterkey.MasterKeys{V20: k20}, v20Ciphertext)
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, plaintext, got)
|
||||
})
|
||||
|
||||
t.Run("V20 slot unpopulated: v20 errors (no key to use)", func(t *testing.T) {
|
||||
_, err := decryptValue(keyretriever.MasterKeys{V10: k10, V11: k11}, v20Ciphertext)
|
||||
_, err := decryptValue(masterkey.MasterKeys{V10: k10, V11: k11}, v20Ciphertext)
|
||||
require.Error(t, err)
|
||||
})
|
||||
}
|
||||
|
||||
@@ -10,7 +10,7 @@ import (
|
||||
"github.com/stretchr/testify/require"
|
||||
|
||||
"github.com/moond4rk/hackbrowserdata/crypto"
|
||||
"github.com/moond4rk/hackbrowserdata/crypto/keyretriever"
|
||||
"github.com/moond4rk/hackbrowserdata/masterkey"
|
||||
)
|
||||
|
||||
func TestDecryptValue_V10(t *testing.T) {
|
||||
@@ -40,7 +40,7 @@ func TestDecryptValue_V10(t *testing.T) {
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
got, err := decryptValue(keyretriever.MasterKeys{V10: tt.key}, v10Ciphertext)
|
||||
got, err := decryptValue(masterkey.MasterKeys{V10: tt.key}, v10Ciphertext)
|
||||
if tt.wantErrMsg != "" {
|
||||
require.Error(t, err)
|
||||
assert.Contains(t, err.Error(), tt.wantErrMsg)
|
||||
@@ -61,7 +61,7 @@ func TestDecryptValue_V11(t *testing.T) {
|
||||
v11Ciphertext := append([]byte("v11"), cbcEncrypted...)
|
||||
|
||||
// v11 ciphertexts route to the V11 slot (Linux's keyring-derived kV11Key) — not V10 (peanuts).
|
||||
got, err := decryptValue(keyretriever.MasterKeys{V11: testAESKey}, v11Ciphertext)
|
||||
got, err := decryptValue(masterkey.MasterKeys{V11: testAESKey}, v11Ciphertext)
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, plaintext, got)
|
||||
}
|
||||
@@ -87,22 +87,22 @@ func TestDecryptValue_V10_V11_SlotSeparation(t *testing.T) {
|
||||
require.NoError(t, err)
|
||||
v11Ciphertext := append([]byte("v11"), v11Enc...)
|
||||
|
||||
keys := keyretriever.MasterKeys{V10: k10, V11: k11}
|
||||
mk := masterkey.MasterKeys{V10: k10, V11: k11}
|
||||
|
||||
t.Run("v10 ciphertext decrypts via V10 slot", func(t *testing.T) {
|
||||
got, err := decryptValue(keys, v10Ciphertext)
|
||||
got, err := decryptValue(mk, v10Ciphertext)
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, v10plain, got)
|
||||
})
|
||||
|
||||
t.Run("v11 ciphertext decrypts via V11 slot", func(t *testing.T) {
|
||||
got, err := decryptValue(keys, v11Ciphertext)
|
||||
got, err := decryptValue(mk, v11Ciphertext)
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, v11plain, got)
|
||||
})
|
||||
|
||||
t.Run("swapped keys fail both directions", func(t *testing.T) {
|
||||
swapped := keyretriever.MasterKeys{V10: k11, V11: k10}
|
||||
swapped := masterkey.MasterKeys{V10: k11, V11: k10}
|
||||
_, err := decryptValue(swapped, v10Ciphertext)
|
||||
require.Error(t, err, "v10 with V11's key must fail")
|
||||
_, err = decryptValue(swapped, v11Ciphertext)
|
||||
|
||||
@@ -7,7 +7,7 @@ import (
|
||||
"github.com/stretchr/testify/require"
|
||||
|
||||
"github.com/moond4rk/hackbrowserdata/crypto"
|
||||
"github.com/moond4rk/hackbrowserdata/crypto/keyretriever"
|
||||
"github.com/moond4rk/hackbrowserdata/masterkey"
|
||||
)
|
||||
|
||||
// TestDecryptValue_V20 is cross-platform because v20's ciphertext format
|
||||
@@ -24,13 +24,13 @@ func TestDecryptValue_V20(t *testing.T) {
|
||||
// v20 layout: "v20" (3B) + nonce (12B) + ciphertext+tag
|
||||
ciphertext := append([]byte("v20"), append(nonce, gcm...)...)
|
||||
|
||||
got, err := decryptValue(keyretriever.MasterKeys{V20: testAESKey}, ciphertext)
|
||||
got, err := decryptValue(masterkey.MasterKeys{V20: testAESKey}, ciphertext)
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, plaintext, got)
|
||||
}
|
||||
|
||||
func TestDecryptValue_V20_ShortCiphertext(t *testing.T) {
|
||||
// Missing nonce (prefix only) must error, not panic.
|
||||
_, err := decryptValue(keyretriever.MasterKeys{V20: testAESKey}, []byte("v20"))
|
||||
_, err := decryptValue(masterkey.MasterKeys{V20: testAESKey}, []byte("v20"))
|
||||
require.Error(t, err)
|
||||
}
|
||||
|
||||
@@ -12,7 +12,7 @@ import (
|
||||
"github.com/stretchr/testify/require"
|
||||
|
||||
"github.com/moond4rk/hackbrowserdata/crypto"
|
||||
"github.com/moond4rk/hackbrowserdata/crypto/keyretriever"
|
||||
"github.com/moond4rk/hackbrowserdata/masterkey"
|
||||
)
|
||||
|
||||
// encryptWithDPAPI encrypts data using Windows DPAPI (CryptProtectData).
|
||||
@@ -64,7 +64,7 @@ func TestDecryptValue_V10_Windows(t *testing.T) {
|
||||
// v10 format on Windows: "v10" + nonce(12) + encrypted
|
||||
ciphertext := append([]byte("v10"), append(nonce, gcmEncrypted...)...)
|
||||
|
||||
got, err := decryptValue(keyretriever.MasterKeys{V10: testAESKey}, ciphertext)
|
||||
got, err := decryptValue(masterkey.MasterKeys{V10: testAESKey}, ciphertext)
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, plaintext, got)
|
||||
}
|
||||
@@ -78,7 +78,7 @@ func TestDecryptValue_DPAPI_Windows(t *testing.T) {
|
||||
require.NotEmpty(t, encrypted)
|
||||
|
||||
// No v10/v20 prefix → decryptValue routes to DPAPI path; no per-tier key needed.
|
||||
got, err := decryptValue(keyretriever.MasterKeys{}, encrypted)
|
||||
got, err := decryptValue(masterkey.MasterKeys{}, encrypted)
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, plaintext, got)
|
||||
}
|
||||
|
||||
@@ -6,7 +6,7 @@ import (
|
||||
"database/sql"
|
||||
"sort"
|
||||
|
||||
"github.com/moond4rk/hackbrowserdata/crypto/keyretriever"
|
||||
"github.com/moond4rk/hackbrowserdata/masterkey"
|
||||
"github.com/moond4rk/hackbrowserdata/types"
|
||||
"github.com/moond4rk/hackbrowserdata/utils/sqliteutil"
|
||||
)
|
||||
@@ -18,7 +18,7 @@ const (
|
||||
countCookieQuery = `SELECT COUNT(*) FROM cookies`
|
||||
)
|
||||
|
||||
func extractCookies(keys keyretriever.MasterKeys, path string) ([]types.CookieEntry, error) {
|
||||
func extractCookies(masterKeys masterkey.MasterKeys, path string) ([]types.CookieEntry, error) {
|
||||
cookies, err := sqliteutil.QueryRows(path, false, defaultCookieQuery,
|
||||
func(rows *sql.Rows) (types.CookieEntry, error) {
|
||||
var (
|
||||
@@ -34,7 +34,7 @@ func extractCookies(keys keyretriever.MasterKeys, path string) ([]types.CookieEn
|
||||
return types.CookieEntry{}, err
|
||||
}
|
||||
|
||||
value, _ := decryptValue(keys, encryptedValue)
|
||||
value, _ := decryptValue(masterKeys, encryptedValue)
|
||||
value = stripCookieHash(value, host)
|
||||
return types.CookieEntry{
|
||||
Name: name,
|
||||
|
||||
@@ -7,7 +7,7 @@ import (
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
|
||||
"github.com/moond4rk/hackbrowserdata/crypto/keyretriever"
|
||||
"github.com/moond4rk/hackbrowserdata/masterkey"
|
||||
)
|
||||
|
||||
func setupCookieDB(t *testing.T) string {
|
||||
@@ -21,7 +21,7 @@ func setupCookieDB(t *testing.T) string {
|
||||
func TestExtractCookies(t *testing.T) {
|
||||
path := setupCookieDB(t)
|
||||
|
||||
got, err := extractCookies(keyretriever.MasterKeys{}, path)
|
||||
got, err := extractCookies(masterkey.MasterKeys{}, path)
|
||||
require.NoError(t, err)
|
||||
require.Len(t, got, 2)
|
||||
|
||||
|
||||
@@ -6,8 +6,8 @@ import (
|
||||
"errors"
|
||||
|
||||
"github.com/moond4rk/hackbrowserdata/crypto"
|
||||
"github.com/moond4rk/hackbrowserdata/crypto/keyretriever"
|
||||
"github.com/moond4rk/hackbrowserdata/log"
|
||||
"github.com/moond4rk/hackbrowserdata/masterkey"
|
||||
"github.com/moond4rk/hackbrowserdata/types"
|
||||
"github.com/moond4rk/hackbrowserdata/utils/sqliteutil"
|
||||
)
|
||||
@@ -36,7 +36,7 @@ type yandexPrivateData struct {
|
||||
SecretComment string `json:"secret_comment"`
|
||||
}
|
||||
|
||||
func extractCreditCards(keys keyretriever.MasterKeys, path string) ([]types.CreditCardEntry, error) {
|
||||
func extractCreditCards(masterKeys masterkey.MasterKeys, path string) ([]types.CreditCardEntry, error) {
|
||||
cards, err := sqliteutil.QueryRows(path, false, defaultCreditCardQuery,
|
||||
func(rows *sql.Rows) (types.CreditCardEntry, error) {
|
||||
var guid, name, month, year, nickname, address string
|
||||
@@ -44,7 +44,7 @@ func extractCreditCards(keys keyretriever.MasterKeys, path string) ([]types.Cred
|
||||
if err := rows.Scan(&guid, &name, &month, &year, &encNumber, &nickname, &address); err != nil {
|
||||
return types.CreditCardEntry{}, err
|
||||
}
|
||||
number, _ := decryptValue(keys, encNumber)
|
||||
number, _ := decryptValue(masterKeys, encNumber)
|
||||
return types.CreditCardEntry{
|
||||
GUID: guid,
|
||||
Name: name,
|
||||
@@ -62,8 +62,8 @@ func extractCreditCards(keys keyretriever.MasterKeys, path string) ([]types.Cred
|
||||
}
|
||||
|
||||
// extractYandexCreditCards reads the records table (not Chromium's credit_cards). AAD = guid. See RFC-012 §4.
|
||||
func extractYandexCreditCards(keys keyretriever.MasterKeys, path string) ([]types.CreditCardEntry, error) {
|
||||
dataKey, err := loadYandexDataKey(path, keys.V10)
|
||||
func extractYandexCreditCards(masterKeys masterkey.MasterKeys, path string) ([]types.CreditCardEntry, error) {
|
||||
dataKey, err := loadYandexDataKey(path, masterKeys.V10)
|
||||
if err != nil {
|
||||
if errors.Is(err, errYandexMasterPasswordSet) {
|
||||
log.Warnf("%s: %v", path, err)
|
||||
|
||||
@@ -7,7 +7,7 @@ import (
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
|
||||
"github.com/moond4rk/hackbrowserdata/crypto/keyretriever"
|
||||
"github.com/moond4rk/hackbrowserdata/masterkey"
|
||||
)
|
||||
|
||||
func setupCreditCardDB(t *testing.T) string {
|
||||
@@ -21,7 +21,7 @@ func setupCreditCardDB(t *testing.T) string {
|
||||
func TestExtractCreditCards(t *testing.T) {
|
||||
path := setupCreditCardDB(t)
|
||||
|
||||
got, err := extractCreditCards(keyretriever.MasterKeys{}, path)
|
||||
got, err := extractCreditCards(masterkey.MasterKeys{}, path)
|
||||
require.NoError(t, err)
|
||||
require.Len(t, got, 2)
|
||||
|
||||
@@ -80,7 +80,7 @@ func TestExtractYandexCreditCards(t *testing.T) {
|
||||
},
|
||||
)
|
||||
|
||||
got, err := extractYandexCreditCards(keyretriever.MasterKeys{V10: masterKey}, path)
|
||||
got, err := extractYandexCreditCards(masterkey.MasterKeys{V10: masterKey}, path)
|
||||
require.NoError(t, err)
|
||||
require.Len(t, got, 2)
|
||||
|
||||
@@ -128,7 +128,7 @@ func TestExtractYandexCreditCards_WrongMasterKey(t *testing.T) {
|
||||
yandexCreditCard{GUID: "g1", FullCardNumber: "4111"},
|
||||
)
|
||||
|
||||
_, err := extractYandexCreditCards(keyretriever.MasterKeys{V10: wrongKey}, path)
|
||||
_, err := extractYandexCreditCards(masterkey.MasterKeys{V10: wrongKey}, path)
|
||||
require.Error(t, err)
|
||||
}
|
||||
|
||||
|
||||
@@ -6,8 +6,8 @@ import (
|
||||
"sort"
|
||||
|
||||
"github.com/moond4rk/hackbrowserdata/crypto"
|
||||
"github.com/moond4rk/hackbrowserdata/crypto/keyretriever"
|
||||
"github.com/moond4rk/hackbrowserdata/log"
|
||||
"github.com/moond4rk/hackbrowserdata/masterkey"
|
||||
"github.com/moond4rk/hackbrowserdata/types"
|
||||
"github.com/moond4rk/hackbrowserdata/utils/sqliteutil"
|
||||
)
|
||||
@@ -20,11 +20,11 @@ const (
|
||||
password_element, password_value, signon_realm, date_created FROM logins`
|
||||
)
|
||||
|
||||
func extractPasswords(keys keyretriever.MasterKeys, path string) ([]types.LoginEntry, error) {
|
||||
return extractPasswordsWithQuery(keys, path, defaultLoginQuery)
|
||||
func extractPasswords(masterKeys masterkey.MasterKeys, path string) ([]types.LoginEntry, error) {
|
||||
return extractPasswordsWithQuery(masterKeys, path, defaultLoginQuery)
|
||||
}
|
||||
|
||||
func extractPasswordsWithQuery(keys keyretriever.MasterKeys, path, query string) ([]types.LoginEntry, error) {
|
||||
func extractPasswordsWithQuery(masterKeys masterkey.MasterKeys, path, query string) ([]types.LoginEntry, error) {
|
||||
logins, err := sqliteutil.QueryRows(path, false, query,
|
||||
func(rows *sql.Rows) (types.LoginEntry, error) {
|
||||
var url, username string
|
||||
@@ -33,7 +33,7 @@ func extractPasswordsWithQuery(keys keyretriever.MasterKeys, path, query string)
|
||||
if err := rows.Scan(&url, &username, &pwd, &created); err != nil {
|
||||
return types.LoginEntry{}, err
|
||||
}
|
||||
password, _ := decryptValue(keys, pwd)
|
||||
password, _ := decryptValue(masterKeys, pwd)
|
||||
return types.LoginEntry{
|
||||
URL: url,
|
||||
Username: username,
|
||||
@@ -53,8 +53,8 @@ func extractPasswordsWithQuery(keys keyretriever.MasterKeys, path, query string)
|
||||
|
||||
// extractYandexPasswords walks Ya Passman Data; protocol in RFC-012 §4.
|
||||
// Note: URL column is origin_url — it's what the per-row AAD is computed over (not action_url).
|
||||
func extractYandexPasswords(keys keyretriever.MasterKeys, path string) ([]types.LoginEntry, error) {
|
||||
dataKey, err := loadYandexDataKey(path, keys.V10)
|
||||
func extractYandexPasswords(masterKeys masterkey.MasterKeys, path string) ([]types.LoginEntry, error) {
|
||||
dataKey, err := loadYandexDataKey(path, masterKeys.V10)
|
||||
if err != nil {
|
||||
if errors.Is(err, errYandexMasterPasswordSet) {
|
||||
log.Warnf("%s: %v", path, err)
|
||||
|
||||
@@ -8,7 +8,7 @@ import (
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
|
||||
"github.com/moond4rk/hackbrowserdata/crypto/keyretriever"
|
||||
"github.com/moond4rk/hackbrowserdata/masterkey"
|
||||
)
|
||||
|
||||
func setupLoginDB(t *testing.T) string {
|
||||
@@ -22,7 +22,7 @@ func setupLoginDB(t *testing.T) string {
|
||||
func TestExtractPasswords(t *testing.T) {
|
||||
path := setupLoginDB(t)
|
||||
|
||||
got, err := extractPasswords(keyretriever.MasterKeys{}, path)
|
||||
got, err := extractPasswords(masterkey.MasterKeys{}, path)
|
||||
require.NoError(t, err)
|
||||
require.Len(t, got, 2)
|
||||
|
||||
@@ -70,7 +70,7 @@ func TestExtractYandexPasswords(t *testing.T) {
|
||||
},
|
||||
)
|
||||
|
||||
got, err := extractYandexPasswords(keyretriever.MasterKeys{V10: masterKey}, path)
|
||||
got, err := extractYandexPasswords(masterkey.MasterKeys{V10: masterKey}, path)
|
||||
require.NoError(t, err)
|
||||
require.Len(t, got, 2)
|
||||
|
||||
@@ -93,7 +93,7 @@ func TestExtractYandexPasswords_MasterPasswordSkipped(t *testing.T) {
|
||||
},
|
||||
)
|
||||
|
||||
got, err := extractYandexPasswords(keyretriever.MasterKeys{V10: masterKey}, path)
|
||||
got, err := extractYandexPasswords(masterkey.MasterKeys{V10: masterKey}, path)
|
||||
require.NoError(t, err)
|
||||
assert.Empty(t, got, "master-password profiles should be skipped in v1")
|
||||
}
|
||||
@@ -112,7 +112,7 @@ func TestExtractYandexPasswords_WrongMasterKey(t *testing.T) {
|
||||
|
||||
// A wrong master key fails at the intermediate step, surfacing as an error
|
||||
// from the extractor.
|
||||
_, err := extractYandexPasswords(keyretriever.MasterKeys{V10: wrongKey}, path)
|
||||
_, err := extractYandexPasswords(masterkey.MasterKeys{V10: wrongKey}, path)
|
||||
require.Error(t, err)
|
||||
}
|
||||
|
||||
|
||||
@@ -3,9 +3,9 @@ package chromium
|
||||
import (
|
||||
"path/filepath"
|
||||
|
||||
"github.com/moond4rk/hackbrowserdata/crypto/keyretriever"
|
||||
"github.com/moond4rk/hackbrowserdata/filemanager"
|
||||
"github.com/moond4rk/hackbrowserdata/log"
|
||||
"github.com/moond4rk/hackbrowserdata/masterkey"
|
||||
"github.com/moond4rk/hackbrowserdata/types"
|
||||
)
|
||||
|
||||
@@ -30,7 +30,7 @@ func (p *profile) label() string { return p.browserName + "/" + p.name() }
|
||||
|
||||
// extract copies the profile's source files to a temp directory and extracts the
|
||||
// requested categories, decrypting with the installation's master keys.
|
||||
func (p *profile) extract(keys keyretriever.MasterKeys, categories []types.Category) *types.BrowserData {
|
||||
func (p *profile) extract(masterKeys masterkey.MasterKeys, categories []types.Category) *types.BrowserData {
|
||||
session, err := filemanager.NewSession()
|
||||
if err != nil {
|
||||
log.Debugf("new session for %s: %v", p.label(), err)
|
||||
@@ -45,7 +45,7 @@ func (p *profile) extract(keys keyretriever.MasterKeys, categories []types.Categ
|
||||
if !ok {
|
||||
continue
|
||||
}
|
||||
p.extractCategory(data, cat, keys, path)
|
||||
p.extractCategory(data, cat, masterKeys, path)
|
||||
}
|
||||
return data
|
||||
}
|
||||
@@ -91,9 +91,9 @@ func (p *profile) acquireFiles(session *filemanager.Session, categories []types.
|
||||
|
||||
// extractCategory calls the appropriate extract function for a category. A custom
|
||||
// extractor (registered via extractorsForKind) takes precedence over the switch.
|
||||
func (p *profile) extractCategory(data *types.BrowserData, cat types.Category, keys keyretriever.MasterKeys, path string) {
|
||||
func (p *profile) extractCategory(data *types.BrowserData, cat types.Category, masterKeys masterkey.MasterKeys, path string) {
|
||||
if ext, ok := p.extractors[cat]; ok {
|
||||
if err := ext.extract(keys, path, data); err != nil {
|
||||
if err := ext.extract(masterKeys, path, data); err != nil {
|
||||
log.Debugf("extract %s for %s: %v", cat, p.label(), err)
|
||||
}
|
||||
return
|
||||
@@ -102,9 +102,9 @@ func (p *profile) extractCategory(data *types.BrowserData, cat types.Category, k
|
||||
var err error
|
||||
switch cat {
|
||||
case types.Password:
|
||||
data.Passwords, err = extractPasswords(keys, path)
|
||||
data.Passwords, err = extractPasswords(masterKeys, path)
|
||||
case types.Cookie:
|
||||
data.Cookies, err = extractCookies(keys, path)
|
||||
data.Cookies, err = extractCookies(masterKeys, path)
|
||||
case types.History:
|
||||
data.Histories, err = extractHistories(path)
|
||||
case types.Download:
|
||||
@@ -112,7 +112,7 @@ func (p *profile) extractCategory(data *types.BrowserData, cat types.Category, k
|
||||
case types.Bookmark:
|
||||
data.Bookmarks, err = extractBookmarks(path)
|
||||
case types.CreditCard:
|
||||
data.CreditCards, err = extractCreditCards(keys, path)
|
||||
data.CreditCards, err = extractCreditCards(masterKeys, path)
|
||||
case types.Extension:
|
||||
data.Extensions, err = extractExtensions(path)
|
||||
case types.LocalStorage:
|
||||
|
||||
@@ -8,8 +8,8 @@ import (
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
|
||||
"github.com/moond4rk/hackbrowserdata/crypto/keyretriever"
|
||||
"github.com/moond4rk/hackbrowserdata/filemanager"
|
||||
"github.com/moond4rk/hackbrowserdata/masterkey"
|
||||
"github.com/moond4rk/hackbrowserdata/types"
|
||||
)
|
||||
|
||||
@@ -32,7 +32,7 @@ func TestExtractCategory_CustomExtractor(t *testing.T) {
|
||||
}
|
||||
|
||||
data := &types.BrowserData{}
|
||||
p.extractCategory(data, types.Extension, keyretriever.MasterKeys{}, "unused-path")
|
||||
p.extractCategory(data, types.Extension, masterkey.MasterKeys{}, "unused-path")
|
||||
|
||||
assert.True(t, called, "custom extractor should be called")
|
||||
require.Len(t, data.Extensions, 1)
|
||||
@@ -51,7 +51,7 @@ func TestExtractCategory_DefaultFallback(t *testing.T) {
|
||||
}
|
||||
|
||||
data := &types.BrowserData{}
|
||||
p.extractCategory(data, types.History, keyretriever.MasterKeys{}, path)
|
||||
p.extractCategory(data, types.History, masterkey.MasterKeys{}, path)
|
||||
|
||||
require.Len(t, data.Histories, 1)
|
||||
assert.Equal(t, "Example", data.Histories[0].Title)
|
||||
|
||||
@@ -3,7 +3,7 @@ package chromium
|
||||
import (
|
||||
"path/filepath"
|
||||
|
||||
"github.com/moond4rk/hackbrowserdata/crypto/keyretriever"
|
||||
"github.com/moond4rk/hackbrowserdata/masterkey"
|
||||
"github.com/moond4rk/hackbrowserdata/types"
|
||||
)
|
||||
|
||||
@@ -51,17 +51,17 @@ func sourcesForKind(kind types.BrowserKind) map[types.Category][]sourcePath {
|
||||
// switch logic, enabling browser-specific parsing (e.g. Opera's opsettings
|
||||
// for extensions, Yandex's credit card table, QBCI-encrypted bookmarks).
|
||||
type categoryExtractor interface {
|
||||
extract(keys keyretriever.MasterKeys, path string, data *types.BrowserData) error
|
||||
extract(masterKeys masterkey.MasterKeys, path string, data *types.BrowserData) error
|
||||
}
|
||||
|
||||
// passwordExtractor wraps a custom password extract function.
|
||||
type passwordExtractor struct {
|
||||
fn func(keys keyretriever.MasterKeys, path string) ([]types.LoginEntry, error)
|
||||
fn func(masterKeys masterkey.MasterKeys, path string) ([]types.LoginEntry, error)
|
||||
}
|
||||
|
||||
func (e passwordExtractor) extract(keys keyretriever.MasterKeys, path string, data *types.BrowserData) error {
|
||||
func (e passwordExtractor) extract(masterKeys masterkey.MasterKeys, path string, data *types.BrowserData) error {
|
||||
var err error
|
||||
data.Passwords, err = e.fn(keys, path)
|
||||
data.Passwords, err = e.fn(masterKeys, path)
|
||||
return err
|
||||
}
|
||||
|
||||
@@ -70,7 +70,7 @@ type extensionExtractor struct {
|
||||
fn func(path string) ([]types.ExtensionEntry, error)
|
||||
}
|
||||
|
||||
func (e extensionExtractor) extract(_ keyretriever.MasterKeys, path string, data *types.BrowserData) error {
|
||||
func (e extensionExtractor) extract(_ masterkey.MasterKeys, path string, data *types.BrowserData) error {
|
||||
var err error
|
||||
data.Extensions, err = e.fn(path)
|
||||
return err
|
||||
@@ -79,12 +79,12 @@ func (e extensionExtractor) extract(_ keyretriever.MasterKeys, path string, data
|
||||
// creditCardExtractor wraps a custom credit-card extract function, used by Yandex whose Ya Credit Cards DB stores
|
||||
// rows as records(guid, public_data, private_data) with JSON blobs rather than Chromium's flat credit_cards table.
|
||||
type creditCardExtractor struct {
|
||||
fn func(keys keyretriever.MasterKeys, path string) ([]types.CreditCardEntry, error)
|
||||
fn func(masterKeys masterkey.MasterKeys, path string) ([]types.CreditCardEntry, error)
|
||||
}
|
||||
|
||||
func (e creditCardExtractor) extract(keys keyretriever.MasterKeys, path string, data *types.BrowserData) error {
|
||||
func (e creditCardExtractor) extract(masterKeys masterkey.MasterKeys, path string, data *types.BrowserData) error {
|
||||
var err error
|
||||
data.CreditCards, err = e.fn(keys, path)
|
||||
data.CreditCards, err = e.fn(masterKeys, path)
|
||||
return err
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user