feat(dpapi): implement encryption and key derivation functions (#350)

The `crypto` module contains many _magic_ numbers. I took them from the
Python DPAPI implementation:
https://github.com/jborean93/dpapi-ng/blob/main/src/dpapi_ng/_crypto.py
and
https://github.com/jborean93/dpapi-ng/blob/main/src/dpapi_ng/_gkdi.py.

Docs & references:

* [[MS-GKDI]: Group Key Distribution
Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gkdi/943dd4f6-6b80-4a66-8594-80df6d2aad0a).
* [jborean93/dpapi-ng](https://github.com/jborean93/dpapi-ng/tree/main).

Author: TheBestTvarynka

Cargo.lock

@@ -34,6 +34,7 @@ rand = "0.8"
 cfg-if = "1"
 time = { version = "0.3", default-features = false }
 sha1 = { version = "0.10", default-features = false }
+sha2 = "0.10"
 num-derive = "0.4"
 num-traits = { version = "0.2", default-features = false }
 picky = "7.0.0-rc.11"
@@ -53,6 +54,7 @@ proptest = "1.6"
 serde = "1"
 byteorder = "1.5"
 num-bigint-dig = "0.8"
+hmac = "0.12"
 
 [features]
 default = ["aws-lc-rs"]
@@ -83,6 +85,7 @@ cfg-if.workspace = true
 time = { workspace = true, features = ["std"] }
 picky.workspace = true
 sha1.workspace = true
+sha2.workspace = true
 num-derive.workspace = true
 num-traits = { workspace = true, default-features = true }
 picky-asn1-der.workspace = true
@@ -98,11 +101,10 @@ picky-krb.workspace = true
 picky-asn1 = { workspace = true, features = ["time_conversion"] }
 byteorder.workspace = true
 num-bigint-dig.workspace = true
+hmac.workspace = true
 
 md-5 = "0.10"
 md4 = "0.10"
-sha2 = "0.10"
-hmac = "0.12"
 crypto-mac = "0.11"
 lazy_static = "1.5"
 serde_derive = "1"

Cargo.toml

@@ -22,6 +22,20 @@ picky-asn1.workspace = true
 picky-asn1-der.workspace = true
 picky-asn1-x509 = { workspace = true, features = ["pkcs7"] }
 num-bigint-dig.workspace = true
+sha1.workspace = true
+sha2.workspace = true
+rand.workspace = true
+hmac.workspace = true
+
+rust-kbkdf = { version = "1.1", git = "https://gitlab.com/TheBestTvarynka/rust-kbkdf.git", branch = "fix-key-generation" }
+elliptic-curve = { version = "0.13", features = ["sec1", "std"] }
+p521 = { version = "0.13", features = ["ecdh"] }
+p256 = { version = "0.13", features = ["ecdh"] }
+p384 = { version = "0.13", features = ["ecdh"] }
+concat-kdf = { version = "0.1", features = ["std"] }
+typenum = "1.17"
+aes-kw = { version = "0.2", features = ["std"] }
+aes-gcm = { version = "0.10", features = ["std"] }
 
 thiserror = "2.0"
 regex = "1.11"

crates/dpapi/Cargo.toml

@@ -60,11 +60,11 @@ pub struct KeyIdentifier {
     pub flags: u32,
 
     /// The L0 index of the key.
-    pub l0: u32,
+    pub l0: i32,
     /// The L1 index of the key.
-    pub l1: u32,
+    pub l1: i32,
     /// The L2 index of the key.
-    pub l2: u32,
+    pub l2: i32,
     /// A GUID that identifies a root key.
     pub root_key_identifier: Uuid,
 
@@ -79,6 +79,10 @@ pub struct KeyIdentifier {
 impl KeyIdentifier {
     // https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gkdi/192c061c-e740-4aa0-ab1d-6954fb3e58f7
     const MAGIC: [u8; 4] = [0x4b, 0x44, 0x53, 0x4b];
+
+    pub fn is_public_key(&self) -> bool {
+        self.flags & 1 != 0
+    }
 }
 
 impl Encode for KeyIdentifier {
@@ -90,9 +94,9 @@ impl Encode for KeyIdentifier {
         write_buf(&KeyIdentifier::MAGIC, &mut writer)?;
         writer.write_u32::<LittleEndian>(self.flags)?;
 
-        writer.write_u32::<LittleEndian>(self.l0)?;
-        writer.write_u32::<LittleEndian>(self.l1)?;
-        writer.write_u32::<LittleEndian>(self.l2)?;
+        writer.write_i32::<LittleEndian>(self.l0)?;
+        writer.write_i32::<LittleEndian>(self.l1)?;
+        writer.write_i32::<LittleEndian>(self.l2)?;
 
         self.root_key_identifier.encode(&mut writer)?;
 
@@ -125,9 +129,9 @@ impl Decode for KeyIdentifier {
 
         let flags = reader.read_u32::<LittleEndian>()?;
 
-        let l0 = reader.read_u32::<LittleEndian>()?;
-        let l1 = reader.read_u32::<LittleEndian>()?;
-        let l2 = reader.read_u32::<LittleEndian>()?;
+        let l0 = reader.read_i32::<LittleEndian>()?;
+        let l1 = reader.read_i32::<LittleEndian>()?;
+        let l2 = reader.read_i32::<LittleEndian>()?;
         let root_key_identifier = Uuid::decode(&mut reader)?;
 
         let key_info_len = reader.read_u32::<LittleEndian>()?;

crates/dpapi/src/blob.rs

@@ -0,0 +1,87 @@
+use hmac::{Hmac, Mac};
+use rust_kbkdf::{PseudoRandomFunction, PseudoRandomFunctionKey};
+
+use super::{CryptoError, CryptoResult};
+
+pub struct HmacShaPrfKey<'key>(&'key [u8]);
+
+impl<'key> HmacShaPrfKey<'key> {
+    pub fn new(key: &'key [u8]) -> Self {
+        Self(key)
+    }
+
+    pub fn key(&self) -> &[u8] {
+        self.0
+    }
+}
+
+impl<'key> PseudoRandomFunctionKey for HmacShaPrfKey<'key> {
+    type KeyHandle = HmacShaPrfKey<'key>;
+
+    fn key_handle(&self) -> &Self::KeyHandle {
+        self
+    }
+}
+
+macro_rules! define_hmac_sha_prf {
+    ($name:ident, $sha:ty, $out_size:ty) => {
+        pub struct $name {
+            hmac: Option<Hmac<$sha>>,
+        }
+
+        impl $name {
+            pub fn new() -> Self {
+                Self { hmac: None }
+            }
+        }
+
+        impl<'a> PseudoRandomFunction<'a> for $name {
+            type KeyHandle = HmacShaPrfKey<'a>;
+            type PrfOutputSize = $out_size;
+            type Error = CryptoError;
+
+            fn init(
+                &mut self,
+                key: &'a dyn PseudoRandomFunctionKey<KeyHandle = HmacShaPrfKey<'a>>,
+            ) -> CryptoResult<()> {
+                self.hmac = Some(Hmac::<$sha>::new_from_slice(key.key_handle().key()).map_err(|_| {
+                    use hmac::digest::crypto_common::KeySizeUser;
+
+                    CryptoError::InvalidKeyLength {
+                        expected: Hmac::<$sha>::key_size(),
+                        actual: key.key_handle().key().len(),
+                    }
+                })?);
+
+                Ok(())
+            }
+
+            fn update(&mut self, msg: &[u8]) -> CryptoResult<()> {
+                if let Some(hmac) = self.hmac.as_mut() {
+                    hmac.update(msg);
+
+                    Ok(())
+                } else {
+                    Err(CryptoError::Uninitialized("HMAC hasher"))
+                }
+            }
+
+            fn finish(&mut self, out: &mut [u8]) -> CryptoResult<usize> {
+                if let Some(hmac) = self.hmac.as_mut() {
+                    let hmac = hmac.clone().finalize().into_bytes();
+
+                    out.copy_from_slice(hmac.as_slice());
+
+                    Ok(hmac.as_slice().len())
+                } else {
+                    Err(CryptoError::Uninitialized("HMAC hasher"))
+                }
+            }
+        }
+    };
+}
+
+define_hmac_sha_prf!(HmacSha1Prf, sha1::Sha1, typenum::U20);
+define_hmac_sha_prf!(HmacSha256Prf, sha2::Sha256, typenum::U32);
+define_hmac_sha_prf!(HmacSha384Prf, sha2::Sha384, typenum::U48);
+define_hmac_sha_prf!(HmacSha512Prf, sha2::Sha512, typenum::U64);