feat(dpapi-cli): implement simple DPAPI cli client; (#378)

Author: PavloMyroniuk

Cargo.lock

@@ -18,6 +18,7 @@ members = [
   "crates/winscard",
   "crates/ffi-types",
   "crates/dpapi",
+  "crates/dpapi-cli-client",
 ]
 exclude = [
   "tools/wasm-testcompile",

Cargo.toml

@@ -0,0 +1,9 @@
+[package]
+name = "dpapi-cli-client"
+version = "0.1.0"
+edition = "2021"
+
+[dependencies]
+xflags = "0.3"
+dpapi = { path = "../dpapi" }
+tracing-subscriber = { workspace = true, features = ["std", "fmt", "local-time", "env-filter"] }

crates/dpapi-cli-client/Cargo.toml

@@ -0,0 +1,38 @@
+use std::path::PathBuf;
+
+xflags::xflags! {
+    /// DPAPI cli client. This app is used to encrypt/decrypt secrets using the DPAPI.
+    cmd dpapi {
+        /// Target server hostname.
+        /// For example, win-956cqossjtf.tbt.com.
+        required --server server: String
+
+        /// The username to decrypt/encrypt the DPAPI blob.
+        /// The username can be specified in FQDN (DOMAIN\username) or UPN (username@domain) format.
+        required --username username: String
+
+        /// User's password.
+        required --password password: String
+
+        /// Client's computer name. This parameter is optional.
+        /// If not provided, the current computer name will be used.
+        optional --computer-name computer_name: String
+
+        /// Encrypt secret.
+        /// This command simulates the `NCryptProtectSecret` function. The encrypted secret (DPAPI blob) will be printed to stdout.
+        cmd encrypt {
+            /// User's SID.
+            required --sid sid: String
+
+            /// Secret to encrypt.
+            /// This parameter is optional. If not provided, the app will try to read the secret from stdin.
+            optional --secret secret: String
+        }
+
+        cmd decrypt {
+            /// Path to file that contains DPAPI blob.
+            /// This parameter is optional. If not provided, the app will try to read the DPAPI blob from stdin.
+            optional --file file: PathBuf
+        }
+    }
+}

crates/dpapi-cli-client/src/cli.rs

@@ -0,0 +1,36 @@
+use std::fs::OpenOptions;
+
+use tracing_subscriber::prelude::*;
+use tracing_subscriber::EnvFilter;
+
+const DPAPI_LOG_PATH_ENV: &str = "DPAPI_LOG_PATH";
+
+pub fn init_logging() {
+    let path = if let Ok(path) = std::env::var(DPAPI_LOG_PATH_ENV) {
+        path
+    } else {
+        eprintln!(
+            "[DPAPI] {} environment variable is not set. Logging is disabled.",
+            DPAPI_LOG_PATH_ENV
+        );
+        return;
+    };
+
+    let file = match OpenOptions::new().create(true).append(true).open(&path) {
+        Ok(f) => f,
+        Err(e) => {
+            eprintln!("[DPAPI] Couldn't open log file: {e}. File path: {}", path);
+            return;
+        }
+    };
+
+    let fmt_layer = tracing_subscriber::fmt::layer()
+        .pretty()
+        .with_thread_names(true)
+        .with_writer(file);
+
+    tracing_subscriber::registry()
+        .with(fmt_layer)
+        .with(EnvFilter::from_env("DPAPI_LOG_LEVEL"))
+        .init();
+}

crates/dpapi-cli-client/src/logging.rs

@@ -0,0 +1,63 @@
+mod cli;
+mod logging;
+
+use std::fs;
+use std::io::{stdin, stdout, Read, Result, Write};
+
+use crate::cli::{Decrypt, Dpapi, DpapiCmd, Encrypt};
+
+fn run(data: Dpapi) -> Result<()> {
+    logging::init_logging();
+
+    let Dpapi {
+        server,
+        username,
+        password,
+        computer_name,
+        subcommand,
+    } = data;
+
+    match subcommand {
+        DpapiCmd::Encrypt(Encrypt { sid, secret }) => {
+            let secret = if let Some(secret) = secret {
+                secret.into_bytes()
+            } else {
+                stdin().bytes().collect::<Result<Vec<_>>>()?
+            };
+
+            let blob = dpapi::n_crypt_protect_secret(
+                secret.into(),
+                sid,
+                None,
+                &server,
+                &username,
+                password.into(),
+                computer_name,
+            )
+            .unwrap();
+
+            stdout().write_all(&blob)?;
+        }
+        DpapiCmd::Decrypt(Decrypt { file }) => {
+            let blob = if let Some(file) = file {
+                fs::read(file)?
+            } else {
+                stdin().bytes().collect::<Result<Vec<_>>>()?
+            };
+
+            let secret =
+                dpapi::n_crypt_unprotect_secret(&blob, &server, &username, password.into(), computer_name).unwrap();
+
+            stdout().write_all(secret.as_ref())?;
+        }
+    }
+
+    Ok(())
+}
+
+fn main() -> Result<()> {
+    match Dpapi::from_env() {
+        Ok(flags) => run(flags),
+        Err(err) => err.exit(),
+    }
+}

crates/dpapi-cli-client/src/main.rs

@@ -306,13 +306,14 @@ fn try_get_kerberos_config(server: &str, client_computer_name: Option<String>) -
 ///
 /// MSDN:
 /// * [NCryptUnprotectSecret function (ncryptprotect.h)](https://learn.microsoft.com/en-us/windows/win32/api/ncryptprotect/nf-ncryptprotect-ncryptunprotectsecret).
+#[instrument(err)]
 pub fn n_crypt_unprotect_secret(
     blob: &[u8],
     server: &str,
     username: &str,
     password: Secret<String>,
     client_computer_name: Option<String>,
-) -> Result<Vec<u8>> {
+) -> Result<Secret<Vec<u8>>> {
     let dpapi_blob = DpapiBlob::decode(blob)?;
     let target_sd = dpapi_blob.protection_descriptor.get_target_sd()?;
 
@@ -330,7 +331,7 @@ pub fn n_crypt_unprotect_secret(
 
     info!("Successfully requested root key.");
 
-    decrypt_blob(&dpapi_blob, &root_key)
+    Ok(decrypt_blob(&dpapi_blob, &root_key)?.into())
 }
 
 /// Encrypts data to a specified protection descriptor.
@@ -341,8 +342,9 @@ pub fn n_crypt_unprotect_secret(
 ///
 /// MSDN:
 /// * [NCryptProtectSecret function (`ncryptprotect.h`)](https://learn.microsoft.com/en-us/windows/win32/api/ncryptprotect/nf-ncryptprotect-ncryptprotectsecret).
+#[instrument(ret)]
 pub fn n_crypt_protect_secret(
-    data: &[u8],
+    data: Secret<Vec<u8>>,
     sid: String,
     root_key_id: Option<Uuid>,
     server: &str,
@@ -371,5 +373,5 @@ pub fn n_crypt_protect_secret(
 
     info!("Successfully requested root key.");
 
-    encrypt_blob(data, &root_key, descriptor)
+    encrypt_blob(data.as_ref(), &root_key, descriptor)
 }