neosmart / SecureStore

A .NET implementation of the cross-platform SecureStore (symmetrically-encrypted secrets) protocol
MIT License

"Tampered With" error when using custom tool to modify store.bin file. #8

Closed Ben3152 closed 1 year ago

Ben3152 commented 2 years ago

Hello,

I recently created a custom program, for my team to use, to modify/add/remove credentials from the store.bin file. When initially creating this .bin, I generated a .key file using a password. Testing this beforehand, everything worked; it would accept the password or the .key file interchangeably. But after using the key file to decrypt the .bin for use in our tool and exporting that .bin file again using that same key file, it now won't decrypt the secrets using the password, as it did before.

I was wondering if this is a bug, or if I need to use the password in our tool to make sure both the password and the key file work.

Thank you

mqudsi commented 2 years ago

Hi Benjamin,

This sounds like a bug in your client implementation. You should be able to use the key or the password interchangeably to add, remove, update, or retrieve encrypted credentials with exactly identical results (down to the bit). The SecureStore protocol includes, and the SecureStore.NET library implements, the part of the spec that serves as "an early warning system" in case different encryption keys are detected when altering a store; this may be what you are running into.

Please note that we have two first-party clients for adding/updating/removing credentials from secret stores. You can install the SecureStore command line tool from the .NET NuGet servers by running `dotnet install --global SecureStore.Client`, after which the executable `SecureStore` becomes available, or you can use the Rust-written version of the same (executed as `ssclient` instead of `SecureStore`) by downloading the precompiled executables (scroll to the bottom) or installing them via `cargo install ssclient` (cargo is to Rust as NuGet is to .NET).

There's no problem with writing your own frontend for interfacing with a SecureStore vault, but there are subtleties you have to be careful of (as you've seen). With both SecureStore and ssclient available, it's unlikely that you need to write your own interface unless it's for fun!

If there's a reason why SecureStore/ssclient don't work for you and your team, I'm happy to hear it and perhaps we can provide an answer upstream.
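A small end-to-end check of the interchangeability the maintainer describes, as an added example that is not part of the issue thread or of the SecureStore.NET project. It uses the SecureStore.NET API names as given in the project's README (SecretsManager.CreateStore/LoadStore, LoadKeyFromPassword, LoadKeyFromFile, GenerateKey, ExportKey, Set, Get, SaveStore); treat those names as an assumption to verify against the installed package version. The file paths, password and secret values are constructed for the example. The exception type raised in the foreign-key case is not assumed; the code catches Exception and reports whatever the library throws.

```csharp
// Added example, not code from the issue or from the SecureStore.NET project.
// API names follow the project's README as I recall it; verify them against
// the installed package. Paths, password and secret values are constructed.
using System;
using NeoSmart.SecureStore;

class InterchangeabilityCheck
{
    const string StorePath = "secrets.json";                 // constructed
    const string KeyPath   = "secrets.key";                  // constructed
    const string Password  = "correct horse battery staple"; // constructed

    static void Main()
    {
        // 1. Create the store from a password, store one secret, and export
        //    the key. From here on the password and the key file must be
        //    usable interchangeably, as the maintainer states.
        using (var sman = SecretsManager.CreateStore())
        {
            sman.LoadKeyFromPassword(Password);
            sman.Set("db/password", "hunter2");
            sman.SaveStore(StorePath);
            sman.ExportKey(KeyPath);
        }

        // 2. Modify the store using the key *file*. This is the step a
        //    custom tool performs: load the existing store, load the existing
        //    key, change a secret, save. Nothing here generates or derives a
        //    new key.
        using (var sman = SecretsManager.LoadStore(StorePath))
        {
            sman.LoadKeyFromFile(KeyPath);
            sman.Set("api/token", "tok_example");
            sman.SaveStore(StorePath);
        }

        // 3. Reopen with the *password*. Both secrets must still be readable;
        //    if they are not, step 2 re-encrypted the store under a key that
        //    is not the one the password derives to.
        using (var sman = SecretsManager.LoadStore(StorePath))
        {
            sman.LoadKeyFromPassword(Password);
            bool ok = sman.Get("db/password") == "hunter2"
                   && sman.Get("api/token") == "tok_example";
            Console.WriteLine(ok
                ? "OK: password and key file open the same store"
                : "MISMATCH: store was re-encrypted under a different key");
        }

        // 4. Negative check: try to alter the store with an unrelated key.
        //    This is the "different encryption keys detected" case the
        //    maintainer describes; the library should refuse rather than
        //    silently mix keys in one store.
        try
        {
            using (var sman = SecretsManager.LoadStore(StorePath))
            {
                sman.GenerateKey();          // fresh random key, unrelated to the store
                sman.Set("oops", "value");
                sman.SaveStore(StorePath);
            }
            Console.WriteLine("UNEXPECTED: store accepted a foreign key");
        }
        catch (Exception ex)                 // exact exception type not assumed here
        {
            Console.WriteLine($"Expected refusal: {ex.GetType().Name}: {ex.Message}");
        }
    }
}
```

Run it once in an empty directory. If step 3 reports a mismatch, the custom tool's write path is doing something other than what step 2 does (typically calling GenerateKey, or deriving a key from the password in a way that differs from the library's own derivation) and the store it writes is no longer the one the password opens. Step 4 shows what the early-warning check looks like from the caller's side, so a tool can surface that error to the operator instead of swallowing it.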

mqudsi commented 1 year ago

I'm going to close this but feel free to ask if you have any questions.