forked from sneak/secret
109 lines
3.4 KiB
Go
109 lines
3.4 KiB
Go
package secret
|
|
|
|
import (
|
|
"bytes"
|
|
"fmt"
|
|
"io"
|
|
"os"
|
|
"syscall"
|
|
|
|
"filippo.io/age"
|
|
"golang.org/x/term"
|
|
)
|
|
|
|
// encryptToRecipient encrypts data to a recipient using age
|
|
func encryptToRecipient(data []byte, recipient age.Recipient) ([]byte, error) {
|
|
Debug("encryptToRecipient starting", "data_length", len(data))
|
|
|
|
var buf bytes.Buffer
|
|
Debug("Creating age encryptor")
|
|
w, err := age.Encrypt(&buf, recipient)
|
|
if err != nil {
|
|
Debug("Failed to create encryptor", "error", err)
|
|
return nil, fmt.Errorf("failed to create encryptor: %w", err)
|
|
}
|
|
Debug("Created age encryptor successfully")
|
|
|
|
Debug("Writing data to encryptor")
|
|
if _, err := w.Write(data); err != nil {
|
|
Debug("Failed to write data to encryptor", "error", err)
|
|
return nil, fmt.Errorf("failed to write data: %w", err)
|
|
}
|
|
Debug("Wrote data to encryptor successfully")
|
|
|
|
Debug("Closing encryptor")
|
|
if err := w.Close(); err != nil {
|
|
Debug("Failed to close encryptor", "error", err)
|
|
return nil, fmt.Errorf("failed to close encryptor: %w", err)
|
|
}
|
|
Debug("Closed encryptor successfully")
|
|
|
|
result := buf.Bytes()
|
|
Debug("encryptToRecipient completed successfully", "result_length", len(result))
|
|
return result, nil
|
|
}
|
|
|
|
// decryptWithIdentity decrypts data with an identity using age
|
|
func decryptWithIdentity(data []byte, identity age.Identity) ([]byte, error) {
|
|
r, err := age.Decrypt(bytes.NewReader(data), identity)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to create decryptor: %w", err)
|
|
}
|
|
|
|
result, err := io.ReadAll(r)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to read decrypted data: %w", err)
|
|
}
|
|
|
|
return result, nil
|
|
}
|
|
|
|
// encryptWithPassphrase encrypts data using a passphrase with age's scrypt-based encryption
|
|
func encryptWithPassphrase(data []byte, passphrase string) ([]byte, error) {
|
|
recipient, err := age.NewScryptRecipient(passphrase)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to create scrypt recipient: %w", err)
|
|
}
|
|
|
|
return encryptToRecipient(data, recipient)
|
|
}
|
|
|
|
// decryptWithPassphrase decrypts data using a passphrase with age's scrypt-based decryption
|
|
func decryptWithPassphrase(encryptedData []byte, passphrase string) ([]byte, error) {
|
|
identity, err := age.NewScryptIdentity(passphrase)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to create scrypt identity: %w", err)
|
|
}
|
|
|
|
return decryptWithIdentity(encryptedData, identity)
|
|
}
|
|
|
|
// readPassphrase reads a passphrase securely from the terminal without echoing
|
|
// This version is for unlocking and doesn't require confirmation
|
|
func readPassphrase(prompt string) (string, error) {
|
|
// Check if stderr is a terminal - if not, we can't prompt interactively
|
|
if !term.IsTerminal(int(syscall.Stderr)) {
|
|
return "", fmt.Errorf("cannot prompt for passphrase: stderr is not a terminal (running in non-interactive mode)")
|
|
}
|
|
|
|
// Check if stdin is a terminal
|
|
if !term.IsTerminal(int(syscall.Stdin)) {
|
|
// Not a terminal - use shared line reader to avoid buffering conflicts
|
|
return readLineFromStdin(prompt)
|
|
}
|
|
|
|
// Terminal input - use secure password reading
|
|
fmt.Fprint(os.Stderr, prompt) // Write prompt to stderr, not stdout
|
|
passphrase, err := term.ReadPassword(int(syscall.Stdin))
|
|
if err != nil {
|
|
return "", fmt.Errorf("failed to read passphrase: %w", err)
|
|
}
|
|
fmt.Fprintln(os.Stderr) // Print newline to stderr since ReadPassword doesn't echo
|
|
|
|
if len(passphrase) == 0 {
|
|
return "", fmt.Errorf("passphrase cannot be empty")
|
|
}
|
|
|
|
return string(passphrase), nil
|
|
}
|