#include "nigelcrypt/nigelcrypt.hpp"
#include <cstdint>
#include <cstdlib>
#include <iostream>
#include <memory>
#include <string>
#include <vector>
// Example: runtime-only decryption using a pre-packed encrypted blob.
//
// Steps:
// 1) Create a plaintext file (NOT checked into source control).
// 2) Run tools/nigelcrypt_pack.exe to generate a header with ciphertext.
// 3) Include that header here and decrypt at runtime using a passphrase from
// an environment variable.
//
// For packed blobs, use --binding none so decryption works across runs.
//
// This example demonstrates:
// - Custom metadata (v3 envelope)
// - AAD usage
// - Policy enforcement
// - Region policy (application-defined)
// - Runtime binding for in-memory secrets
// - Memory-hardened decrypt buffers
// - Key rotation / rekey
//
// Build (MSVC):
// cl /std:c++20 /EHsc example.cpp
//
// Build (without CMake, e.g. MinGW): make sure to link
// bcrypt.lib and crypt32.lib (MSVC) or -lbcrypt -lcrypt32 (MinGW).
// Generated by tools/nigelcrypt_pack (example path; you generate this).
#include "packed/secret_blob.hpp"
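/// Entry point for the packed-blob example.
///
/// Reads the passphrase from NIGELCRYPT_PASSPHRASE, installs the library's
/// policies and a password-derived key provider, decrypts the packed
/// envelope, and then walks through the optional features (DPAPI wrapping,
/// page protection, caller-provided buffers, runtime binding, rekey).
///
/// @return 0 on success, 1 when the passphrase is missing or the packed
///         blob is empty. Library failures surface however nigelcrypt
///         reports them (not handled here).
int main() {
    using nigelcrypt::PasswordKeyProvider;
    using nigelcrypt::SecureString;
    using nigelcrypt::Algorithm;
    using nigelcrypt::RuntimeBinding;

    // Passphrase must NOT be a string literal in your binary.
    // Provide it at runtime, e.g. via environment variable.
    const char* pass = std::getenv("NIGELCRYPT_PASSPHRASE");
    if (!pass || !*pass) {
        std::cerr << "Set NIGELCRYPT_PASSPHRASE before running.\n";
        return 1;
    }

    // Optional policy enforcement. The region policy is fully configured but
    // left switched off (enable = false) so the example runs anywhere;
    // presumably setting enable = true makes the allowlist binding - confirm
    // against nigelcrypt.hpp before relying on it.
    nigelcrypt::RegionPolicy rp;
    rp.enable = false;
    rp.resolver = []() { return std::string("US"); };
    rp.allowlist = {"US"};
    nigelcrypt::set_region_policy(rp);
    nigelcrypt::set_policy(nigelcrypt::hardened_policy());

    // Strict mode (hard-fail unless requirements are met). Likewise disabled
    // here; the require_* fields below only matter once enabled = true.
    nigelcrypt::StrictMode sm;
    sm.enabled = false;
    sm.require_aad = true;
    sm.require_binding = true;
    sm.require_algorithm = Algorithm::Aes256Gcm;
    nigelcrypt::set_strict_mode(sm);

    // Configure key provider from the generated header parameters.
    std::vector<uint8_t> salt(
        nigelcrypt_packed::secret_salt.begin(),
        nigelcrypt_packed::secret_salt.end()
    );
    auto provider = std::make_shared<PasswordKeyProvider>(
        std::string(pass),
        salt,
        nigelcrypt_packed::secret_iterations,
        nigelcrypt_packed::secret_key_id
    );
    nigelcrypt::set_key_provider(provider);

    // Import the encrypted envelope (ciphertext only).
    std::vector<uint8_t> blob(
        nigelcrypt_packed::secret_blob.begin(),
        nigelcrypt_packed::secret_blob.end()
    );
    if (blob.empty()) {
        std::cerr << "Packed blob is empty. Generate it with nigelcrypt_pack.\n";
        return 1;
    }

    // Inspect the envelope without decrypting. The result is discarded in
    // this demo; its fields are library-defined (see nigelcrypt.hpp).
    auto info = nigelcrypt::audit_envelope(blob);
    (void)info;

    auto s = SecureString::import_envelope(blob);
    auto opt = nigelcrypt::hardened_decrypt_options();
    auto plain = s.decrypt("aad:packed", opt);
    // Demo only: echoing the plaintext is how the example shows success.
    std::cout << "Decrypted: " << plain.c_str() << "\n";

    // DPAPI secure storage example.
    std::vector<uint8_t> blob_plain = {1, 2, 3};
    auto blob_protected = nigelcrypt::encrypt_blob_dpapi(blob_plain, true);
    auto blob_unprotected = nigelcrypt::decrypt_blob_dpapi(blob_protected);
    (void)blob_unprotected;

    // Optional: protect/unprotect plaintext pages.
    plain.protect();
    plain.unprotect();

    // Optional: decrypt into a caller-provided buffer (stack).
    char buf[256] = {};
    s.decrypt_to(buf, sizeof(buf), "aad:packed");
    // A plain stack array is not managed by the library, so the plaintext
    // would otherwise sit in `buf` until main returns. Scrub it as soon as
    // it is no longer needed; writing through a volatile pointer keeps the
    // compiler from dropping the clears as dead stores.
    for (volatile char* p = buf; p != buf + sizeof(buf); ++p) {
        *p = 0;
    }

    // Example: in-memory secret with runtime binding + custom metadata.
    std::vector<uint8_t> meta = {0x4E,0x69,0x67,0x65,0x6C,0x43,0x72,0x79,0x70,0x74}; // "NigelCrypt"
    SecureString runtime_secret;
    runtime_secret.set_custom_meta(meta);
    runtime_secret.encrypt("runtime-only", "aad:runtime", Algorithm::Aes256Gcm, RuntimeBinding::Process);
    auto runtime_plain = runtime_secret.decrypt("aad:runtime", opt);
    std::cout << "Runtime: " << runtime_plain.c_str() << "\n";

    // Example: rekey to rotate to a new key provider. Same passphrase and
    // salt, but key id 2 so the envelope records the rotation.
    auto provider2 = std::make_shared<PasswordKeyProvider>(
        std::string(pass),
        salt,
        nigelcrypt_packed::secret_iterations,
        2
    );
    runtime_secret.rekey(provider2, "aad:runtime", Algorithm::Aes256Gcm, RuntimeBinding::Process);

    return 0;
}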