passforios/pass/Services/PasswordDecryptor.swift

//
//  PasswordDecryptor.swift
//  pass
//
//  Created by Sun, Mingshen on 1/17/21.
//  Copyright © 2021 Bob Sun. All rights reserved.
//

import CryptoTokenKit
import Gopenpgp
import passKit
import SVProgressHUD
import UIKit
import YubiKit

func decryptPassword(
    in controller: UIViewController,
    with passwordPath: String,
    using keyID: String? = nil,
    completion: @escaping ((Password) -> Void)
) {
    // YubiKey is not supported in extension
    if Defaults.isYubiKeyEnabled {
        DispatchQueue.main.async {
            let alert = UIAlertController(title: "Error", message: "YubiKey is not supported in extension, please use the Pass app instead.", preferredStyle: .alert)
            alert.addAction(UIAlertAction.ok())
            controller.present(alert, animated: true)
        }
        return
    }
    DispatchQueue.global(qos: .userInteractive).async {
        do {
            let requestPGPKeyPassphrase = Utils.createRequestPGPKeyPassphraseHandler(controller: controller)
            let decryptedPassword = try PasswordStore.shared.decrypt(path: passwordPath, keyID: keyID, requestPGPKeyPassphrase: requestPGPKeyPassphrase)

            DispatchQueue.main.async {
                completion(decryptedPassword)
            }
        } catch let AppError.pgpPrivateKeyNotFound(keyID: key) {
            DispatchQueue.main.async {
                let alert = UIAlertController(title: "CannotShowPassword".localize(), message: AppError.pgpPrivateKeyNotFound(keyID: key).localizedDescription, preferredStyle: .alert)
                alert.addAction(UIAlertAction.cancelAndPopView(controller: controller))
                let selectKey = UIAlertAction.selectKey(type: PGPKey.PRIVATE, controller: controller) { action in
                    decryptPassword(in: controller, with: passwordPath, using: action.title, completion: completion)
                }
                alert.addAction(selectKey)

                controller.present(alert, animated: true)
            }
        } catch {
            DispatchQueue.main.async {
                Utils.alert(title: "CannotCopyPassword".localize(), message: error.localizedDescription, controller: controller)
            }
        }
    }
}

class PasswordYubiKeyDecryptor {
    let yubiKeyConnection = YubiKeyConnection()

    func didDisconnect(completion: @escaping (_ connection: YKFConnectionProtocol?, _ error: Error?) -> Void) {
        yubiKeyConnection.didDisconnect(handler: completion)
    }

    private func handleError(error: Error, forConnection connection: YKFConnectionProtocol) -> Error {
        if (connection as? YKFNFCConnection) != nil {
            YubiKitManager.shared.stopNFCConnection(withErrorMessage: error.localizedDescription)
            return error // Dont pass on the error since we display it in the NFC modal
        }
        return error
    }

    func yubiKeyDecrypt(encryptedData: Data, pin: String) async throws -> Data {
        let connection = await yubiKeyConnection.startConnection()

        do {
            guard let smartCard = connection.smartCardInterface else {
                throw AppError.yubiKey(.connection(message: "Failed to get smart card interface."))
            }
            do {
                try await smartCard.selectOpenPGPApplication()
            } catch {
                throw AppError.yubiKey(.connection(message: "Failed to select OpenPGP application"))
            }
            do {
                try await smartCard.verify(password: pin)
            } catch {
                throw AppError.yubiKey(.connection(message: "Failed to verify PIN"))
            }
            guard let deciphered = try? await smartCard.decipher(ciphertext: encryptedData) else {
                throw AppError.yubiKey(.connection(message: "Failed to dicipher data"))
            }
            let decryptedData = try decryptData(deciphered: deciphered, ciphertext: encryptedData)
            if (connection as? YKFNFCConnection) != nil {
                YubiKitManager.shared.stopNFCConnection()
            }
            return decryptedData
        } catch {
            throw handleError(error: error, forConnection: connection)
        }
    }
}

private func decryptData(deciphered: Data, ciphertext: Data) throws -> Data {
    let symmetricKeyIDNameDict: [UInt8: String] = [
        2: "3des",
        3: "cast5",
        7: "aes128",
        8: "aes192",
        9: "aes256",
    ]

    let message = createPGPMessage(from: ciphertext)

    guard let algoByte = deciphered.first, let algo = symmetricKeyIDNameDict[algoByte] else {
        throw AppError.yubiKey(.decipher(message: "Failed to new session key."))
    }

    guard let session_key = Gopenpgp.CryptoNewSessionKeyFromToken(deciphered[1 ..< deciphered.count - 2], algo) else {
        throw AppError.yubiKey(.decipher(message: "Failed to new session key."))
    }

    var error: NSError?
    guard let plaintext = Gopenpgp.HelperPassDecryptWithSessionKey(message, session_key, &error)?.data else {
        throw AppError.yubiKey(.decipher(message: "Failed to decrypt with session key: \(String(describing: error))"))
    }

    return plaintext
}
Rewrite AutoFill extension 2020-12-31 21:46:50 -08:00			`//`
			`// PasswordDecryptor.swift`
Rewrite PasswordViewController 2021-01-17 19:49:05 -08:00			`// pass`
Rewrite AutoFill extension 2020-12-31 21:46:50 -08:00			`//`
Rewrite PasswordViewController 2021-01-17 19:49:05 -08:00			`// Created by Sun, Mingshen on 1/17/21.`
			`// Copyright © 2021 Bob Sun. All rights reserved.`
Rewrite AutoFill extension 2020-12-31 21:46:50 -08:00			`//`

Initial implementation of using YubiKey for decryption (#533) 2022-01-09 21:38:39 -08:00			`import CryptoTokenKit`
			`import Gopenpgp`
Rewrite AutoFill extension 2020-12-31 21:46:50 -08:00			`import passKit`
Rewrite PasswordViewController 2021-01-17 19:49:05 -08:00			`import SVProgressHUD`
			`import UIKit`
Initial implementation of using YubiKey for decryption (#533) 2022-01-09 21:38:39 -08:00			`import YubiKit`
Rewrite AutoFill extension 2020-12-31 21:46:50 -08:00
Initial implementation of using YubiKey for decryption (#533) 2022-01-09 21:38:39 -08:00			`func decryptPassword(`
			`in controller: UIViewController,`
			`with passwordPath: String,`
			`using keyID: String? = nil,`
			`completion: @escaping ((Password) -> Void)`
			`) {`
			`// YubiKey is not supported in extension`
			`if Defaults.isYubiKeyEnabled {`
			`DispatchQueue.main.async {`
			`let alert = UIAlertController(title: "Error", message: "YubiKey is not supported in extension, please use the Pass app instead.", preferredStyle: .alert)`
			`alert.addAction(UIAlertAction.ok())`
			`controller.present(alert, animated: true)`
			`}`
			`return`
			`}`
Fix issues when no PGP passphase and enabling passcode 2021-01-03 17:38:02 -08:00			`DispatchQueue.global(qos: .userInteractive).async {`
			`do {`
			`let requestPGPKeyPassphrase = Utils.createRequestPGPKeyPassphraseHandler(controller: controller)`
			`let decryptedPassword = try PasswordStore.shared.decrypt(path: passwordPath, keyID: keyID, requestPGPKeyPassphrase: requestPGPKeyPassphrase)`
Rewrite AutoFill extension 2020-12-31 21:46:50 -08:00
Fix issues when no PGP passphase and enabling passcode 2021-01-03 17:38:02 -08:00			`DispatchQueue.main.async {`
			`completion(decryptedPassword)`
			`}`
			`} catch let AppError.pgpPrivateKeyNotFound(keyID: key) {`
			`DispatchQueue.main.async {`
			`let alert = UIAlertController(title: "CannotShowPassword".localize(), message: AppError.pgpPrivateKeyNotFound(keyID: key).localizedDescription, preferredStyle: .alert)`
			`alert.addAction(UIAlertAction.cancelAndPopView(controller: controller))`
clarify public vs private keys + make prvate key IDs available 2026-03-11 16:16:50 +01:00			`let selectKey = UIAlertAction.selectKey(type: PGPKey.PRIVATE, controller: controller) { action in`
Fix issues when no PGP passphase and enabling passcode 2021-01-03 17:38:02 -08:00			`decryptPassword(in: controller, with: passwordPath, using: action.title, completion: completion)`
			`}`
			`alert.addAction(selectKey)`
Support selects a credential identity from the QuickType bar 2021-01-03 15:08:15 -08:00
Fix issues when no PGP passphase and enabling passcode 2021-01-03 17:38:02 -08:00			`controller.present(alert, animated: true)`
			`}`
			`} catch {`
			`DispatchQueue.main.async {`
			`Utils.alert(title: "CannotCopyPassword".localize(), message: error.localizedDescription, controller: controller)`
			`}`
			`}`
Rewrite AutoFill extension 2020-12-31 21:46:50 -08:00			`}`
			`}`
Initial implementation of using YubiKey for decryption (#533) 2022-01-09 21:38:39 -08:00
Refactor YubiKey decryptor (#663) - Add YKFSmartCardInterface extension to simplify smart card related calls - Use async/await to rewrite callback closures - Update YubiKeyConnection - Better error handling 2024-12-15 21:08:27 -08:00			`class PasswordYubiKeyDecryptor {`
			`let yubiKeyConnection = YubiKeyConnection()`
Initial implementation of using YubiKey for decryption (#533) 2022-01-09 21:38:39 -08:00
Refactor YubiKey decryptor (#663) - Add YKFSmartCardInterface extension to simplify smart card related calls - Use async/await to rewrite callback closures - Update YubiKeyConnection - Better error handling 2024-12-15 21:08:27 -08:00			`func didDisconnect(completion: @escaping (_ connection: YKFConnectionProtocol?, _ error: Error?) -> Void) {`
			`yubiKeyConnection.didDisconnect(handler: completion)`
Add support for Yubikey command chaining 2022-12-30 02:22:45 +00:00			`}`

Refactor YubiKey decryptor (#663) - Add YKFSmartCardInterface extension to simplify smart card related calls - Use async/await to rewrite callback closures - Update YubiKeyConnection - Better error handling 2024-12-15 21:08:27 -08:00			`private func handleError(error: Error, forConnection connection: YKFConnectionProtocol) -> Error {`
			`if (connection as? YKFNFCConnection) != nil {`
			`YubiKitManager.shared.stopNFCConnection(withErrorMessage: error.localizedDescription)`
			`return error // Dont pass on the error since we display it in the NFC modal`
Initial implementation of using YubiKey for decryption (#533) 2022-01-09 21:38:39 -08:00			`}`
Refactor YubiKey decryptor (#663) - Add YKFSmartCardInterface extension to simplify smart card related calls - Use async/await to rewrite callback closures - Update YubiKeyConnection - Better error handling 2024-12-15 21:08:27 -08:00			`return error`
Initial implementation of using YubiKey for decryption (#533) 2022-01-09 21:38:39 -08:00			`}`

Refactor YubiKey decryptor (#663) - Add YKFSmartCardInterface extension to simplify smart card related calls - Use async/await to rewrite callback closures - Update YubiKeyConnection - Better error handling 2024-12-15 21:08:27 -08:00			`func yubiKeyDecrypt(encryptedData: Data, pin: String) async throws -> Data {`
			`let connection = await yubiKeyConnection.startConnection()`
Initial implementation of using YubiKey for decryption (#533) 2022-01-09 21:38:39 -08:00
Refactor YubiKey decryptor (#663) - Add YKFSmartCardInterface extension to simplify smart card related calls - Use async/await to rewrite callback closures - Update YubiKeyConnection - Better error handling 2024-12-15 21:08:27 -08:00			`do {`
Add support for Yubikey command chaining 2022-12-30 02:22:45 +00:00			`guard let smartCard = connection.smartCardInterface else {`
			`throw AppError.yubiKey(.connection(message: "Failed to get smart card interface."))`
			`}`
Refactor YubiKey decryptor (#663) - Add YKFSmartCardInterface extension to simplify smart card related calls - Use async/await to rewrite callback closures - Update YubiKeyConnection - Better error handling 2024-12-15 21:08:27 -08:00			`do {`
			`try await smartCard.selectOpenPGPApplication()`
			`} catch {`
			`throw AppError.yubiKey(.connection(message: "Failed to select OpenPGP application"))`
Add support for Yubikey command chaining 2022-12-30 02:22:45 +00:00			`}`
Refactor YubiKey decryptor (#663) - Add YKFSmartCardInterface extension to simplify smart card related calls - Use async/await to rewrite callback closures - Update YubiKeyConnection - Better error handling 2024-12-15 21:08:27 -08:00			`do {`
			`try await smartCard.verify(password: pin)`
			`} catch {`
			`throw AppError.yubiKey(.connection(message: "Failed to verify PIN"))`
Add support for Yubikey command chaining 2022-12-30 02:22:45 +00:00			`}`
Refactor YubiKey decryptor (#663) - Add YKFSmartCardInterface extension to simplify smart card related calls - Use async/await to rewrite callback closures - Update YubiKeyConnection - Better error handling 2024-12-15 21:08:27 -08:00			`guard let deciphered = try? await smartCard.decipher(ciphertext: encryptedData) else {`
			`throw AppError.yubiKey(.connection(message: "Failed to dicipher data"))`
Add support for Yubikey command chaining 2022-12-30 02:22:45 +00:00			`}`
Refactor YubiKey decryptor (#663) - Add YKFSmartCardInterface extension to simplify smart card related calls - Use async/await to rewrite callback closures - Update YubiKeyConnection - Better error handling 2024-12-15 21:08:27 -08:00			`let decryptedData = try decryptData(deciphered: deciphered, ciphertext: encryptedData)`
			`if (connection as? YKFNFCConnection) != nil {`
			`YubiKitManager.shared.stopNFCConnection()`
			`}`
			`return decryptedData`
Add support for Yubikey command chaining 2022-12-30 02:22:45 +00:00			`} catch {`
Refactor YubiKey decryptor (#663) - Add YKFSmartCardInterface extension to simplify smart card related calls - Use async/await to rewrite callback closures - Update YubiKeyConnection - Better error handling 2024-12-15 21:08:27 -08:00			`throw handleError(error: error, forConnection: connection)`
Add support for Yubikey command chaining 2022-12-30 02:22:45 +00:00			`}`
			`}`
			`}`

Refactor YubiKey decryptor (#663) - Add YKFSmartCardInterface extension to simplify smart card related calls - Use async/await to rewrite callback closures - Update YubiKeyConnection - Better error handling 2024-12-15 21:08:27 -08:00			`private func decryptData(deciphered: Data, ciphertext: Data) throws -> Data {`
			`let symmetricKeyIDNameDict: [UInt8: String] = [`
			`2: "3des",`
			`3: "cast5",`
			`7: "aes128",`
			`8: "aes192",`
			`9: "aes256",`
			`]`
Add support for Yubikey command chaining 2022-12-30 02:22:45 +00:00
Use createPGPMessage instead of CryptoNewPGPMessage to support ASCII-armored password with YubiKey (#658) 2024-11-30 11:29:27 -08:00			`let message = createPGPMessage(from: ciphertext)`
Add support for Yubikey command chaining 2022-12-30 02:22:45 +00:00
			`guard let algoByte = deciphered.first, let algo = symmetricKeyIDNameDict[algoByte] else {`
			`throw AppError.yubiKey(.decipher(message: "Failed to new session key."))`
			`}`

			`guard let session_key = Gopenpgp.CryptoNewSessionKeyFromToken(deciphered[1 ..< deciphered.count - 2], algo) else {`
			`throw AppError.yubiKey(.decipher(message: "Failed to new session key."))`
			`}`

			`var error: NSError?`
			`guard let plaintext = Gopenpgp.HelperPassDecryptWithSessionKey(message, session_key, &error)?.data else {`
			`throw AppError.yubiKey(.decipher(message: "Failed to decrypt with session key: \(String(describing: error))"))`
			`}`

Refactor YubiKey decryptor (#663) - Add YKFSmartCardInterface extension to simplify smart card related calls - Use async/await to rewrite callback closures - Update YubiKeyConnection - Better error handling 2024-12-15 21:08:27 -08:00			`return plaintext`
Initial implementation of using YubiKey for decryption (#533) 2022-01-09 21:38:39 -08:00			`}`