Init

Author: suside

.gitignore

@@ -0,0 +1,2 @@
+ssh-crypt*
+vendor

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2017 Maciej Filipiak
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

Makefile

@@ -0,0 +1,16 @@
+CURRENT_DIR := $(dir $(abspath $(lastword $(MAKEFILE_LIST))))
+VERSION := $(shell git describe --tag --always --long)
+
+build: ssh-crypt ssh-crypt.exe ssh-crypt_darwin
+
+ssh-crypt: $(wildcard *.go) $(wildcard **/*.go)
+	go get ./...
+	go get github.com/stretchr/testify/assert
+	go test -v github.com/suside/ssh-crypt/lib
+	go build -o ssh-crypt -i -ldflags "-s -w -X main.version=${VERSION}"
+
+ssh-crypt.exe: ssh-crypt
+	env GOOS=windows go build -o ssh-crypt.exe -i -ldflags "-s -w -X main.version=${VERSION}"
+
+ssh-crypt_darwin: ssh-crypt
+	env GOOS=darwin go build -o ssh-crypt_darwin -i -ldflags "-s -w -X main.version=${VERSION}"

README.md

@@ -0,0 +1,28 @@
+# ssh-crypt 🔒 [![Build Status](https://travis-ci.org/suside/ssh-crypt.svg?branch=master)](https://travis-ci.org/suside/ssh-crypt) [![Coverage Status](https://coveralls.io/repos/github/suside/ssh-crypt/badge.svg?branch=master)](https://coveralls.io/github/suside/ssh-crypt?branch=master) [![Go Report Card](https://goreportcard.com/badge/github.com/suside/ssh-crypt)](https://goreportcard.com/report/github.com/suside/ssh-crypt) [![Say thanks!](https://img.shields.io/badge/SayThanks.io-%F0%9F%91%8D-1EAEDB.svg)](https://saythanks.io/to/suside)
+
+Share AES-256 encrypted vault file with your teammates using only ssh `authorized_keys`!
+
+## Usage
+```
+$ echo "secret :)" | ssh-crypt edit --stdin -a ~/.ssh/authorized_keys VAULT.txt
+$ cat VAULT.txt
+dRAALGdpdGh1Yi5jb20vc3Vza...
+$ ssh-crypt view VAULT.txt
+secret :)
+```
+
+## Install
+
+Download binary release https://github.com/suside/ssh-crypt/releases/latest
+or install with `go` from master branch:
+```
+go get github.com/suside/ssh-crypt
+```
+
+## Why
+  * Sharing Keepass with one master password is a no go...
+  * Not everyone have/want pgp keys...
+  * ...
+
+## Inspiration
+This is cheeky rewrite of great [ssh-vault](https://github.com/ssh-vault/ssh-vault) with less features **but** with support of multiple key pairs.

lib/key_read.go

@@ -0,0 +1,39 @@
+package lib
+
+import (
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"errors"
+	"io/ioutil"
+	"strings"
+
+	ssh "github.com/ianmcmahon/encoding_ssh"
+)
+
+// ReadAuthorizedKeys file from path
+func (v *Vault) ReadAuthorizedKeys(path string) {
+	authorizedKeys, _ := ioutil.ReadFile(path)
+	authorizedKeysList := strings.Split(strings.TrimSpace(string(authorizedKeys)), "\n")
+	for _, authorizedKey := range authorizedKeysList {
+		if pubKey, err := ssh.DecodePublicKey(authorizedKey); err == nil {
+			// TODO handle other key types
+			v.publicKeys = append(v.publicKeys, pubKey.(*rsa.PublicKey))
+		}
+	}
+}
+
+func (v *Vault) readPrivateKey(path string) error {
+	pemData, err := ioutil.ReadFile(path)
+	if err != nil {
+		return err
+	}
+	block, _ := pem.Decode(pemData)
+	if block == nil {
+		return errors.New("Unable to decode private key")
+	}
+	if v.privateKey, err = x509.ParsePKCS1PrivateKey(block.Bytes); err != nil {
+		return err
+	}
+	return nil
+}

lib/serialize.go

@@ -0,0 +1,43 @@
+package lib
+
+import (
+	"bytes"
+	"crypto/rsa"
+	"encoding/base64"
+	"encoding/gob"
+	"hash/crc32"
+)
+
+func init() {
+	gob.Register([]*rsa.PublicKey{})
+	gob.Register(rsa.PublicKey{})
+	gob.Register(rsa.PrivateKey{})
+	gob.Register(vaultSecured{})
+}
+
+func toBytes(v interface{}) []byte {
+	b := bytes.Buffer{}
+	e := gob.NewEncoder(&b)
+	e.Encode(&v)
+	return b.Bytes()
+}
+
+func toBase64(v interface{}) string {
+	return base64.StdEncoding.EncodeToString(toBytes(v))
+}
+
+func fromBase64(str string) (interface{}, error) {
+	var m interface{}
+	by, _ := base64.StdEncoding.DecodeString(str)
+	b := bytes.Buffer{}
+	b.Write(by)
+	d := gob.NewDecoder(&b)
+	if err := d.Decode(&m); err != nil {
+		return m, err
+	}
+	return m, nil
+}
+
+func crc32sum(v interface{}) uint32 {
+	return crc32.Checksum(toBytes(v), crc32.IEEETable)
+}

lib/vault.go

@@ -0,0 +1,16 @@
+package lib
+
+import "crypto/rsa"
+
+// Vault struct
+type Vault struct {
+	Plaintext  []byte
+	sessionKey []byte
+	publicKeys []*rsa.PublicKey
+	privateKey *rsa.PrivateKey
+}
+
+type vaultSecured struct {
+	EncryptedData        []byte
+	EncryptedSessionKeys map[uint32][]byte
+}

lib/vault_read.go

@@ -0,0 +1,54 @@
+package lib
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/sha1"
+	"fmt"
+	"io/ioutil"
+	"os"
+
+	"github.com/ssh-vault/crypto/aead"
+)
+
+// DecryptVaultWithKey decrypts vault with private id_rsa key read from path
+func (v *Vault) DecryptVaultWithKey(vaultPath string, keyPath string) error {
+	var encryptedData []byte
+	var err error
+	var vsBase interface{}
+	if err = v.readPrivateKey(keyPath); err != nil {
+		return err
+	}
+	if _, err = os.Stat(vaultPath); os.IsNotExist(err) {
+		v.Plaintext = []byte("")
+		return nil
+	}
+	if encryptedData, err = ioutil.ReadFile(vaultPath); err != nil {
+		return err
+	}
+	vsBase, err = fromBase64(string(encryptedData))
+	if err != nil {
+		return fmt.Errorf("%s content does not look like base64", vaultPath)
+	}
+	vs, ok := vsBase.(vaultSecured)
+	if !ok {
+		return fmt.Errorf("%s does not look like a vault file", vaultPath)
+	}
+	sessionKey, _ := rsa.DecryptOAEP(
+		sha1.New(),
+		rand.Reader,
+		v.privateKey,
+		vs.EncryptedSessionKeys[crc32sum(v.privateKey.Public())],
+		[]byte(""),
+	)
+	if sessionKey != nil {
+		v.Plaintext, _ = aead.Decrypt(sessionKey, vs.EncryptedData, []byte(""))
+		return nil
+	}
+	return fmt.Errorf("Unable to read vault %s with key %s", vaultPath, keyPath)
+}
+
+// ReadStdIn content from stdin?
+func (v *Vault) ReadStdIn() {
+	v.Plaintext, _ = ioutil.ReadAll(os.Stdin)
+}

lib/vault_test.go

@@ -0,0 +1,90 @@
+package lib
+
+import (
+	"errors"
+	"io/ioutil"
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_readAuthorizedKeys(t *testing.T) {
+	v := Vault{}
+	v.ReadAuthorizedKeys("../test/authorized_keys")
+	assert.Equal(t, uint32(0x752098b2), crc32sum(v.publicKeys[0]))
+	assert.Equal(t, uint32(0xbc02a9b3), crc32sum(v.publicKeys[1]))
+}
+
+func Test_readPrivateKey(t *testing.T) {
+	v := Vault{}
+	v.readPrivateKey("../test/t1_id_rsa")
+	assert.Equal(t, uint32(0xaa0afb16), crc32sum(v.privateKey))
+}
+
+func Test_storeAndReadVault(t *testing.T) {
+	tmpfile, _ := ioutil.TempFile("", "ssh-crypt-test")
+	defer os.Remove(tmpfile.Name())
+	v1 := Vault{Plaintext: []byte("my secret")}
+	v1.ReadAuthorizedKeys("../test/authorized_keys")
+	v1.StoreSecuredVault(tmpfile.Name())
+
+	v2 := Vault{}
+	v2.DecryptVaultWithKey(tmpfile.Name(), "../test/t1_id_rsa")
+	v3 := Vault{}
+	v3.DecryptVaultWithKey(tmpfile.Name(), "../test/t2_id_rsa")
+	assert.Equal(t, v2.Plaintext, v3.Plaintext)
+}
+
+func Test_storeAndReadVaultWithNotUsedKey(t *testing.T) {
+	tmpfile, _ := ioutil.TempFile("", "ssh-crypt-test")
+	defer os.Remove(tmpfile.Name())
+	v1 := Vault{Plaintext: []byte("my secret")}
+	v1.ReadAuthorizedKeys("../test/authorized_keys")
+	v1.StoreSecuredVault(tmpfile.Name())
+
+	v3 := Vault{}
+	err := v3.DecryptVaultWithKey(tmpfile.Name(), "../test/t3_id_rsa")
+	assert.Equal(t, "Unable to read vault "+tmpfile.Name()+" with key ../test/t3_id_rsa", err.Error())
+}
+
+func Test_EncodingVaultSecured(t *testing.T) {
+	v := vaultSecured{}
+	v1, err := fromBase64(toBase64(v))
+	assert.Equal(t, v, v1)
+	assert.Nil(t, err)
+}
+
+func Test_ReadWithKeyEmptyVault(t *testing.T) {
+	v := Vault{}
+	v.DecryptVaultWithKey("/tmp/newvault123123", "../test/t1_id_rsa")
+	assert.Equal(t, []byte(""), v.Plaintext)
+}
+
+func Test_ReadWithKeyNotBase64(t *testing.T) {
+	v := Vault{}
+	assert.Equal(
+		t,
+		"../test/authorized_keys content does not look like base64",
+		v.DecryptVaultWithKey("../test/authorized_keys", "../test/t1_id_rsa").Error(),
+	)
+}
+
+func Test_ReadWithKeyNoKey(t *testing.T) {
+	v := Vault{}
+	assert.Equal(
+		t,
+		"no such file",
+		v.DecryptVaultWithKey("../test/authorized_keys", "no such file").(*os.PathError).Path,
+	)
+}
+
+func Test_readPrivateKeyNoKey(t *testing.T) {
+	v := Vault{}
+	assert.Equal(t, "no such file", v.readPrivateKey("no such file").(*os.PathError).Path)
+}
+
+func Test_readPrivateKeyFail2(t *testing.T) {
+	v := Vault{}
+	assert.Equal(t, errors.New("Unable to decode private key"), v.readPrivateKey("../test/authorized_keys"))
+}

lib/vault_write.go

@@ -0,0 +1,53 @@
+package lib
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/sha1"
+	"io/ioutil"
+	"os"
+
+	"os/exec"
+
+	"github.com/ssh-vault/crypto/aead"
+)
+
+// StoreSecuredVault encrypts Vault and stores it on vaultPath
+func (v *Vault) StoreSecuredVault(vaultPath string) error {
+	var err error
+	v.sessionKey = make([]byte, 32)
+	rand.Read(v.sessionKey)
+	vs := vaultSecured{EncryptedSessionKeys: make(map[uint32][]byte)}
+	for _, key := range v.publicKeys {
+		sessionKeySecure, _ := rsa.EncryptOAEP(
+			sha1.New(),
+			rand.Reader,
+			key,
+			v.sessionKey,
+			[]byte(""),
+		)
+		vs.EncryptedSessionKeys[crc32sum(&key)] = sessionKeySecure
+	}
+	vs.EncryptedData, err = aead.Encrypt(v.sessionKey, v.Plaintext, []byte(""))
+	if err != nil {
+		return err
+	}
+	ioutil.WriteFile(vaultPath, []byte(toBase64(vs)), 0644)
+	return nil
+}
+
+// EditVaultFile vault.Path file
+func (v *Vault) EditVaultFile() {
+	tmpfile, _ := ioutil.TempFile("", "ssh-crypt")
+	defer os.Remove(tmpfile.Name())
+	tmpfile.Write([]byte(v.Plaintext))
+	editor := os.Getenv("EDITOR")
+	if editor == "" {
+		editor = "vi"
+	}
+	cmd := exec.Command(editor, tmpfile.Name())
+	cmd.Stdin = os.Stdin
+	cmd.Stdout = os.Stdout
+	cmd.Run()
+	v.Plaintext, _ = ioutil.ReadFile(tmpfile.Name())
+}