Merge pull request #6 from dcormier/dc/ml

Expose ability to encrypt with CRYPTPROTECT_LOCAL_MACHINE flag
billgraziano · Aug 29, 2020 · ba3e8bf · ba3e8bf
2 parents 71cc04b + b562c89
commit ba3e8bf
Show file tree

Hide file tree

Showing 2 changed files with 60 additions and 4 deletions.
diff --git a/dpapi.go b/dpapi.go
@@ -8,8 +8,11 @@ import (
 	"golang.org/x/sys/windows"
 )
 
+type cryptProtect uint32
+
 const (
-	cryptProtectUIForbidden = 0x1
+	cryptProtectUIForbidden  cryptProtect = 0x1
+	cryptProtectLocalMachine cryptProtect = 0x4
 )
 
 var (
@@ -42,9 +45,13 @@ func (b *dataBlob) toByteArray() []byte {
 
 // Encrypt a string value to a base64 string
 func Encrypt(secret string) (string, error) {
+	return encrypt(secret, cryptProtectUIForbidden)
+}
+
+func encrypt(secret string, cf cryptProtect) (string, error) {
 	var result string
 	var b []byte
-	b, err := EncryptBytes([]byte(secret))
+	b, err := encryptBytes([]byte(secret), cf)
 	if err != nil {
 		return result, errors.Wrap(err, "encryptbytes")
 	}
@@ -54,19 +61,35 @@ func Encrypt(secret string) (string, error) {
 
 // EncryptBytes encrypts a byte array and returns a byte array
 func EncryptBytes(data []byte) ([]byte, error) {
+	return encryptBytes(data, cryptProtectUIForbidden)
+}
+
+func encryptBytes(data []byte, cf cryptProtect) ([]byte, error) {
 	var outblob dataBlob
-	r, _, err := procEncryptData.Call(uintptr(unsafe.Pointer(newBlob(data))), 0, 0, 0, 0, cryptProtectUIForbidden, uintptr(unsafe.Pointer(&outblob)))
+	r, _, err := procEncryptData.Call(uintptr(unsafe.Pointer(newBlob(data))), 0, 0, 0, 0, uintptr(cf), uintptr(unsafe.Pointer(&outblob)))
 	if r == 0 {
 		return nil, errors.Wrap(err, "procencryptdata")
 	}
 	defer windows.LocalFree(windows.Handle(unsafe.Pointer(outblob.pbData)))
 	return outblob.toByteArray(), nil
 }
 
+// EncryptBytesMachineLocal encrypts a byte array and returns a byte array and associates the data
+// encrypted with the current computer instead of with an individual user.
+func EncryptBytesMachineLocal(data []byte) ([]byte, error) {
+	return encryptBytes(data, cryptProtectUIForbidden|cryptProtectLocalMachine)
+}
+
+// EncryptMachineLocal a string value to a base64 string and associates the data encrypted with the
+// current computer instead of with an individual user.
+func EncryptMachineLocal(secret string) (string, error) {
+	return encrypt(secret, cryptProtectUIForbidden|cryptProtectLocalMachine)
+}
+
 // DecryptBytes decrypts a byte array returning a byte array
 func DecryptBytes(data []byte) ([]byte, error) {
 	var outblob dataBlob
-	r, _, err := procDecryptData.Call(uintptr(unsafe.Pointer(newBlob(data))), 0, 0, 0, 0, cryptProtectUIForbidden, uintptr(unsafe.Pointer(&outblob)))
+	r, _, err := procDecryptData.Call(uintptr(unsafe.Pointer(newBlob(data))), 0, 0, 0, 0, uintptr(cryptProtectUIForbidden), uintptr(unsafe.Pointer(&outblob)))
 	if r == 0 {
 		return nil, errors.Wrap(err, "procdecryptdata")
 	}

diff --git a/dpapi_test.go b/dpapi_test.go
@@ -38,3 +38,36 @@ func TestBytes(t *testing.T) {
 		t.Errorf("expected: '%s' got: '%s'", hex.EncodeToString(secret), hex.EncodeToString(dec))
 	}
 }
+
+func TestMachineLocalString(t *testing.T) {
+
+	secret := "Hello World!;"
+	enc, err := EncryptMachineLocal(secret)
+	if err != nil {
+		t.Error("err from Encrypt: ", err)
+	}
+	dec, err := Decrypt(enc)
+	if err != nil {
+		t.Error("err from Decrypt: ", err)
+	}
+	if dec != secret {
+		t.Errorf("expected: '%s' got: '%s'", secret, dec)
+	}
+}
+
+func TestMachineLocalBytes(t *testing.T) {
+
+	secret := []byte("Hello World!;")
+	enc, err := EncryptBytesMachineLocal(secret)
+	if err != nil {
+		t.Error("err from EncryptBytesMachineLocal: ", err)
+	}
+	dec, err := DecryptBytes(enc)
+	if err != nil {
+		t.Error("err from DecryptBytes: ", err)
+	}
+	c := bytes.Compare(dec, secret)
+	if c != 0 {
+		t.Errorf("expected: '%s' got: '%s'", hex.EncodeToString(secret), hex.EncodeToString(dec))
+	}
+}