Remove old testdata and update documentation to new location

2025-06-19 15:40:56 +00:00 · 2021-02-21 17:16:40 +01:00 · 2021-02-21 17:16:40 +01:00 · 71f66e3142
commit 71f66e3142
parent a6ab669811
4 changed files with 11 additions and 173 deletions
--- a/docs/decrypt.py
+++ b/docs/decrypt.py
@ -0,0 +1,93 @@
+#!/usr/bin/env python3
+
+# this depends on the 'cryptography' package
+# pip install cryptography
+
+# example usage: ./scripts/decrypt.py --input ./app/src/test/resources/com/beemdevelopment/aegis/importers/aegis_encrypted.json
+# password: test
+
+import argparse
+import base64
+import getpass
+import io
+import json
+import sys
+
+from cryptography.hazmat.primitives.ciphers.aead import AESGCM
+from cryptography.hazmat.primitives.kdf.scrypt import Scrypt
+from cryptography.hazmat.backends import default_backend
+import cryptography
+backend = default_backend()
+
+def die(msg, code=1):
+    print(msg, file=sys.stderr)
+    exit(code)
+
+def main():
+    parser = argparse.ArgumentParser(description="Decrypt an Aegis vault")
+    parser.add_argument("--input", dest="input", required=True, help="encrypted Aegis vault file")
+    parser.add_argument("--output", dest="output", default="-", help="output file ('-' for stdout)")
+    args = parser.parse_args()
+
+    # parse the Aegis vault file
+    with io.open(args.input, "r") as f:
+        data = json.load(f)
+
+    # ask the user for a password
+    password = getpass.getpass().encode("utf-8")
+
+    # extract all password slots from the header
+    header = data["header"]
+    slots = [slot for slot in header["slots"] if slot["type"] == 1]
+
+    # try the given password on every slot until one succeeds
+    master_key = None
+    for slot in slots:
+        # derive a key from the given password
+        kdf = Scrypt(
+            salt=bytes.fromhex(slot["salt"]),
+            length=32,
+            n=slot["n"],
+            r=slot["r"],
+            p=slot["p"],
+            backend=backend
+        )
+        key = kdf.derive(password)
+
+        # try to use the derived key to decrypt the master key
+        cipher = AESGCM(key)
+        params = slot["key_params"]
+        try:
+            master_key = cipher.decrypt(
+                nonce=bytes.fromhex(params["nonce"]),
+                data=bytes.fromhex(slot["key"]) + bytes.fromhex(params["tag"]),
+                associated_data=None
+            )
+            break
+        except cryptography.exceptions.InvalidTag:
+            pass
+
+    if master_key is None:
+        die("error: unable to decrypt the master key with the given password")
+
+    # decode the base64 vault contents
+    content = base64.b64decode(data["db"])
+
+    # decrypt the vault contents using the master key
+    params = header["params"]
+    cipher = AESGCM(master_key)
+    db = cipher.decrypt(
+        nonce=bytes.fromhex(params["nonce"]),
+        data=content + bytes.fromhex(params["tag"]),
+        associated_data=None
+    )
+
+    db = db.decode("utf-8")
+    if args.output != "-":
+        with io.open(args.output, "w") as f:
+            f.write(db)
+    else:
+        print(db)
+
+if __name__ == "__main__":
+    main()
--- a/docs/vault.md
+++ b/docs/vault.md
@ -70,8 +70,8 @@ __master key__.

 Aegis supports unlocking a vault with multiple different credentials. The main
 credential is a key derived from a user-provided password. In addition to that,
-users can also add a key backed by the Android KeyStore (authorized by biometrics)
-as a credential.
+users can also add a key backed by the Android KeyStore (authorized by
+biometrics) as a credential.

 #### Slots

@ -116,9 +116,14 @@ wheter the vault is encrypted or not. If it is, the value is a string containing
 the Base64 encoded (with padding) ciphertext of the vault contents. Otherwise,
 the value is a JSON object.

-Full examples of a plain text vault and an encrypted vault are available in the
-[testdata](/testdata) folder. There's also a Python script that can decrypt an
-Aegis vault given the password: [scripts/decrypt.py](/scripts/decrypt.py).
+Full examples of a [plain text
+vault](/app/src/test/resources/com/beemdevelopment/aegis/importers/aegis_plain.json)
+and an [encrypted
+vault](/app/src/test/resources/com/beemdevelopment/aegis/importers/aegis_encrypted.json)
+are available in the [test
+data](/app/src/test/resources/com/beemdevelopment/aegis/importers) folder.
+There's also an example Python script that can decrypt an Aegis vault given the
+password: [decrypt.py](/docs/decrypt.py).

 ### Header