Exemplo n.º 1
        /// <summary>
        /// Decrypts an encrypted vault blob with the given password bytes and returns the
        /// inflated payload.
        /// </summary>
        /// <remarks>
        /// The MAC is checked before the ciphertext is decrypted, so a blob that fails
        /// authentication never reaches the decrypt and inflate steps.
        /// NOTE(review): none of the key or plaintext buffers are cleared here. The base key
        /// comes from the key cache, so wiping it in place may corrupt cached state; confirm
        /// buffer ownership before adding any zeroization.
        /// </remarks>
        /// <param name="blob">The encrypted blob handed to ParseEncryptedBlob.</param>
        /// <param name="password">The password bytes used for key derivation.</param>
        /// <param name="keyCache">The cache passed through to ComputeEncryptionKey.</param>
        /// <returns>The result of Inflate applied to the plaintext past its first 6 bytes.</returns>
        /// <exception cref="BadCredentialsException">Thrown when the MAC check fails.</exception>
        public static byte[] DecryptBlob(byte[] blob, byte[] password, DerivedKeyCache keyCache)
        {
            // Split the blob into its parts (salt, crypto config, ciphertext, ...).
            var envelope = ParseEncryptedBlob(blob);

            // Depending on the mode, this key is either the actual encryption key or an
            // interim key from which the IV, the HMAC key and the encryption key are derived.
            var baseKey = ComputeEncryptionKey(password, envelope.Salt, envelope.CryptoConfig, keyCache);
            var iv = DeriveIv(baseKey, envelope);

            // Separate keys for encryption (Item1) and for the MAC (Item2).
            var derivedPair = DeriveKeyAndHmacKey(baseKey, envelope.CryptoConfig);
            var cipherKey = derivedPair.Item1;
            var macKey = derivedPair.Item2;

            // Authenticate first. The message deliberately covers both a wrong password and
            // corrupted data, since a MAC mismatch cannot tell the two apart.
            // NOTE(review): whether DoesHashMatch compares in constant time is not visible
            // from here; confirm.
            var macIsValid = DoesHashMatch(envelope, iv, macKey);
            if (!macIsValid)
            {
                throw new BadCredentialsException(
                          "The password is incorrect or the data in the vault is corrupted (MAC doesn't match)");
            }

            var decrypted = Decrypt(envelope.Ciphertext, iv, cipherKey);

            // The first 6 bytes of the plaintext are skipped before inflating.
            // NOTE(review): presumably a fixed-size header; behavior of Sub on a plaintext
            // shorter than 6 bytes is not visible here; verify.
            var payload = decrypted.Sub(6, int.MaxValue);
            return Inflate(payload);
        }
Exemplo n.º 2
 /// <summary>
 /// Obtains the key for the given password and salt from the derived-key cache.
 /// </summary>
 /// <param name="password">The password bytes.</param>
 /// <param name="salt">The salt to derive with.</param>
 /// <param name="config">The crypto configuration; only its KdfConfig is used here.</param>
 /// <param name="cache">The cache whose GetOrDerive supplies the key.</param>
 /// <returns>Whatever <c>cache.GetOrDerive</c> returns for these inputs.</returns>
 public static byte[] ComputeEncryptionKey(byte[] password,
                                           byte[] salt,
                                           CryptoConfig config,
                                           DerivedKeyCache cache)
 {
     // NOTE(review): the returned array may be the cache's own instance; callers should
     // not modify or clear it unless GetOrDerive is confirmed to return a copy.
     var derivedKey = cache.GetOrDerive(password, salt, config.KdfConfig);
     return derivedKey;
 }
Exemplo n.º 3
 /// <summary>
 /// Decrypts the blob with the password and extracts the accounts from the resulting XML.
 /// </summary>
 /// <param name="blob">The encrypted blob.</param>
 /// <param name="password">The password used to decrypt the blob.</param>
 /// <param name="keyCache">The cache passed through to DecryptBlob.</param>
 /// <returns>The accounts produced by ExtractAccountsFromXml.</returns>
 public static Account[] ExtractEncryptedAccounts(byte[] blob, string password, DerivedKeyCache keyCache)
 {
     // DecryptBlob checks the MAC before decrypting, so the XML parsed below comes from
     // a blob that passed that check.
     var decryptedBytes = DecryptBlob(blob, password, keyCache);
     var xml = decryptedBytes.ToUtf8();
     return ExtractAccountsFromXml(xml);
 }
Exemplo n.º 4
 /// <summary>
 /// Convenience overload: converts the password string to bytes and decrypts the blob.
 /// </summary>
 /// <param name="blob">The encrypted blob.</param>
 /// <param name="password">The password as a string; converted with PasswordToBytes.</param>
 /// <param name="keyCache">The cache passed through to the byte-array overload.</param>
 /// <returns>The decrypted bytes returned by the byte-array overload.</returns>
 public static byte[] DecryptBlob(byte[] blob, string password, DerivedKeyCache keyCache)
 {
     // NOTE(review): the password is held as an immutable string and the converted byte
     // array is not cleared after use. Whether the cache keeps a reference to the array
     // is not visible here; confirm before wiping it.
     var passwordBytes = PasswordToBytes(password);
     return DecryptBlob(blob, passwordBytes, keyCache);
 }