forked from sneak/secret
350 lines
11 KiB
Go
350 lines
11 KiB
Go
package secret
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"log/slog"
|
|
"os"
|
|
"os/exec"
|
|
"path/filepath"
|
|
"strings"
|
|
"time"
|
|
|
|
"filippo.io/age"
|
|
"git.eeqj.de/sneak/secret/pkg/agehd"
|
|
"github.com/spf13/afero"
|
|
)
|
|
|
|
// PGPUnlockKeyMetadata extends UnlockKeyMetadata with PGP-specific data
|
|
type PGPUnlockKeyMetadata struct {
|
|
UnlockKeyMetadata
|
|
// GPG key ID used for encryption
|
|
GPGKeyID string `json:"gpg_key_id"`
|
|
// Age keypair information
|
|
AgePublicKey string `json:"age_public_key"`
|
|
AgeRecipient string `json:"age_recipient"`
|
|
}
|
|
|
|
// PGPUnlockKey represents a PGP-protected unlock key
|
|
type PGPUnlockKey struct {
|
|
Directory string
|
|
Metadata UnlockKeyMetadata
|
|
fs afero.Fs
|
|
}
|
|
|
|
// GetIdentity implements UnlockKey interface for PGP-based unlock keys
|
|
func (p *PGPUnlockKey) GetIdentity() (*age.X25519Identity, error) {
|
|
DebugWith("Getting PGP unlock key identity",
|
|
slog.String("key_id", p.GetID()),
|
|
slog.String("key_type", p.GetType()),
|
|
)
|
|
|
|
// Step 1: Read the encrypted age private key from filesystem
|
|
agePrivKeyPath := filepath.Join(p.Directory, "priv.age.gpg")
|
|
Debug("Reading PGP-encrypted age private key", "path", agePrivKeyPath)
|
|
|
|
encryptedAgePrivKeyData, err := afero.ReadFile(p.fs, agePrivKeyPath)
|
|
if err != nil {
|
|
Debug("Failed to read PGP-encrypted age private key", "error", err, "path", agePrivKeyPath)
|
|
return nil, fmt.Errorf("failed to read encrypted age private key: %w", err)
|
|
}
|
|
|
|
DebugWith("Read PGP-encrypted age private key",
|
|
slog.String("key_id", p.GetID()),
|
|
slog.Int("encrypted_length", len(encryptedAgePrivKeyData)),
|
|
)
|
|
|
|
// Step 2: Decrypt the age private key using GPG
|
|
Debug("Decrypting age private key with GPG", "key_id", p.GetID())
|
|
agePrivKeyData, err := gpgDecrypt(encryptedAgePrivKeyData)
|
|
if err != nil {
|
|
Debug("Failed to decrypt age private key with GPG", "error", err, "key_id", p.GetID())
|
|
return nil, fmt.Errorf("failed to decrypt age private key with GPG: %w", err)
|
|
}
|
|
|
|
DebugWith("Successfully decrypted age private key with GPG",
|
|
slog.String("key_id", p.GetID()),
|
|
slog.Int("decrypted_length", len(agePrivKeyData)),
|
|
)
|
|
|
|
// Step 3: Parse the decrypted age private key
|
|
Debug("Parsing decrypted age private key", "key_id", p.GetID())
|
|
ageIdentity, err := age.ParseX25519Identity(string(agePrivKeyData))
|
|
if err != nil {
|
|
Debug("Failed to parse age private key", "error", err, "key_id", p.GetID())
|
|
return nil, fmt.Errorf("failed to parse age private key: %w", err)
|
|
}
|
|
|
|
DebugWith("Successfully parsed PGP age identity",
|
|
slog.String("key_id", p.GetID()),
|
|
slog.String("public_key", ageIdentity.Recipient().String()),
|
|
)
|
|
|
|
return ageIdentity, nil
|
|
}
|
|
|
|
// GetType implements UnlockKey interface
|
|
func (p *PGPUnlockKey) GetType() string {
|
|
return "pgp"
|
|
}
|
|
|
|
// GetMetadata implements UnlockKey interface
|
|
func (p *PGPUnlockKey) GetMetadata() UnlockKeyMetadata {
|
|
return p.Metadata
|
|
}
|
|
|
|
// GetDirectory implements UnlockKey interface
|
|
func (p *PGPUnlockKey) GetDirectory() string {
|
|
return p.Directory
|
|
}
|
|
|
|
// GetID implements UnlockKey interface
|
|
func (p *PGPUnlockKey) GetID() string {
|
|
return p.Metadata.ID
|
|
}
|
|
|
|
// ID implements UnlockKey interface - generates ID from GPG key ID
|
|
func (p *PGPUnlockKey) ID() string {
|
|
// Generate ID using GPG key ID: <keyid>-pgp
|
|
gpgKeyID, err := p.GetGPGKeyID()
|
|
if err != nil {
|
|
// Fallback to metadata ID if we can't read the GPG key ID
|
|
return p.Metadata.ID
|
|
}
|
|
return fmt.Sprintf("%s-pgp", gpgKeyID)
|
|
}
|
|
|
|
// Remove implements UnlockKey interface - removes the PGP unlock key
|
|
func (p *PGPUnlockKey) Remove() error {
|
|
// For PGP keys, we just need to remove the directory
|
|
// No external resources (like keychain items) to clean up
|
|
if err := p.fs.RemoveAll(p.Directory); err != nil {
|
|
return fmt.Errorf("failed to remove PGP unlock key directory: %w", err)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// NewPGPUnlockKey creates a new PGPUnlockKey instance
|
|
func NewPGPUnlockKey(fs afero.Fs, directory string, metadata UnlockKeyMetadata) *PGPUnlockKey {
|
|
return &PGPUnlockKey{
|
|
Directory: directory,
|
|
Metadata: metadata,
|
|
fs: fs,
|
|
}
|
|
}
|
|
|
|
// GetGPGKeyID returns the GPG key ID from metadata
|
|
func (p *PGPUnlockKey) GetGPGKeyID() (string, error) {
|
|
// Load the metadata
|
|
metadataPath := filepath.Join(p.Directory, "unlock-metadata.json")
|
|
metadataData, err := afero.ReadFile(p.fs, metadataPath)
|
|
if err != nil {
|
|
return "", fmt.Errorf("failed to read PGP metadata: %w", err)
|
|
}
|
|
|
|
var pgpMetadata PGPUnlockKeyMetadata
|
|
if err := json.Unmarshal(metadataData, &pgpMetadata); err != nil {
|
|
return "", fmt.Errorf("failed to parse PGP metadata: %w", err)
|
|
}
|
|
|
|
return pgpMetadata.GPGKeyID, nil
|
|
}
|
|
|
|
// generatePGPUnlockKeyName generates a unique name for the PGP unlock key based on hostname and date
|
|
func generatePGPUnlockKeyName() (string, error) {
|
|
hostname, err := os.Hostname()
|
|
if err != nil {
|
|
return "", fmt.Errorf("failed to get hostname: %w", err)
|
|
}
|
|
|
|
// Format: hostname-pgp-YYYY-MM-DD
|
|
enrollmentDate := time.Now().Format("2006-01-02")
|
|
return fmt.Sprintf("%s-pgp-%s", hostname, enrollmentDate), nil
|
|
}
|
|
|
|
// CreatePGPUnlockKey creates a new PGP unlock key and stores it in the vault
|
|
func CreatePGPUnlockKey(fs afero.Fs, stateDir string, gpgKeyID string) (*PGPUnlockKey, error) {
|
|
// Check if GPG is available
|
|
if err := checkGPGAvailable(); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// Get current vault
|
|
vault, err := GetCurrentVault(fs, stateDir)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to get current vault: %w", err)
|
|
}
|
|
|
|
// Generate the unlock key name based on hostname and date
|
|
unlockKeyName, err := generatePGPUnlockKeyName()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to generate unlock key name: %w", err)
|
|
}
|
|
|
|
// Create unlock key directory using the generated name
|
|
vaultDir, err := vault.GetDirectory()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to get vault directory: %w", err)
|
|
}
|
|
|
|
unlockKeyDir := filepath.Join(vaultDir, "unlock.d", unlockKeyName)
|
|
if err := fs.MkdirAll(unlockKeyDir, DirPerms); err != nil {
|
|
return nil, fmt.Errorf("failed to create unlock key directory: %w", err)
|
|
}
|
|
|
|
// Step 1: Generate a new age keypair for the PGP unlock key
|
|
ageIdentity, err := age.GenerateX25519Identity()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to generate age keypair: %w", err)
|
|
}
|
|
|
|
// Step 2: Store age public key as plaintext
|
|
agePublicKeyString := ageIdentity.Recipient().String()
|
|
agePubKeyPath := filepath.Join(unlockKeyDir, "pub.age")
|
|
if err := afero.WriteFile(fs, agePubKeyPath, []byte(agePublicKeyString), FilePerms); err != nil {
|
|
return nil, fmt.Errorf("failed to write age public key: %w", err)
|
|
}
|
|
|
|
// Step 3: Get or derive the long-term private key
|
|
var ltPrivKeyData []byte
|
|
|
|
// Check if mnemonic is available in environment variable
|
|
if envMnemonic := os.Getenv(EnvMnemonic); envMnemonic != "" {
|
|
// Use mnemonic directly to derive long-term key
|
|
ltIdentity, err := agehd.DeriveIdentity(envMnemonic, 0)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to derive long-term key from mnemonic: %w", err)
|
|
}
|
|
ltPrivKeyData = []byte(ltIdentity.String())
|
|
} else {
|
|
// Get the vault to access current unlock key
|
|
currentUnlockKey, err := vault.GetCurrentUnlockKey()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to get current unlock key: %w", err)
|
|
}
|
|
|
|
// Get the current unlock key identity
|
|
currentUnlockIdentity, err := currentUnlockKey.GetIdentity()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to get current unlock key identity: %w", err)
|
|
}
|
|
|
|
// Get encrypted long-term key from current unlock key, handling different types
|
|
var encryptedLtPrivKey []byte
|
|
switch currentUnlockKey := currentUnlockKey.(type) {
|
|
case *PassphraseUnlockKey:
|
|
// Read the encrypted long-term private key from passphrase unlock key
|
|
encryptedLtPrivKey, err = afero.ReadFile(fs, filepath.Join(currentUnlockKey.GetDirectory(), "longterm.age"))
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to read encrypted long-term key from current passphrase unlock key: %w", err)
|
|
}
|
|
|
|
case *PGPUnlockKey:
|
|
// Read the encrypted long-term private key from PGP unlock key
|
|
encryptedLtPrivKey, err = afero.ReadFile(fs, filepath.Join(currentUnlockKey.GetDirectory(), "longterm.age"))
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to read encrypted long-term key from current PGP unlock key: %w", err)
|
|
}
|
|
|
|
default:
|
|
return nil, fmt.Errorf("unsupported current unlock key type for PGP unlock key creation")
|
|
}
|
|
|
|
// Step 6: Decrypt long-term private key using current unlock key
|
|
ltPrivKeyData, err = DecryptWithIdentity(encryptedLtPrivKey, currentUnlockIdentity)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to decrypt long-term private key: %w", err)
|
|
}
|
|
}
|
|
|
|
// Step 7: Encrypt long-term private key to the new age unlock key
|
|
encryptedLtPrivKeyToAge, err := EncryptToRecipient(ltPrivKeyData, ageIdentity.Recipient())
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to encrypt long-term private key to age unlock key: %w", err)
|
|
}
|
|
|
|
// Write encrypted long-term private key
|
|
ltPrivKeyPath := filepath.Join(unlockKeyDir, "longterm.age")
|
|
if err := afero.WriteFile(fs, ltPrivKeyPath, encryptedLtPrivKeyToAge, FilePerms); err != nil {
|
|
return nil, fmt.Errorf("failed to write encrypted long-term private key: %w", err)
|
|
}
|
|
|
|
// Step 8: Encrypt age private key to the GPG key ID
|
|
agePrivateKeyBytes := []byte(ageIdentity.String())
|
|
encryptedAgePrivKey, err := gpgEncrypt(agePrivateKeyBytes, gpgKeyID)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to encrypt age private key with GPG: %w", err)
|
|
}
|
|
|
|
agePrivKeyPath := filepath.Join(unlockKeyDir, "priv.age.gpg")
|
|
if err := afero.WriteFile(fs, agePrivKeyPath, encryptedAgePrivKey, FilePerms); err != nil {
|
|
return nil, fmt.Errorf("failed to write encrypted age private key: %w", err)
|
|
}
|
|
|
|
// Step 9: Create and write enhanced metadata
|
|
// Generate the key ID directly using the GPG key ID
|
|
keyID := fmt.Sprintf("%s-pgp", gpgKeyID)
|
|
|
|
pgpMetadata := PGPUnlockKeyMetadata{
|
|
UnlockKeyMetadata: UnlockKeyMetadata{
|
|
ID: keyID,
|
|
Type: "pgp",
|
|
CreatedAt: time.Now(),
|
|
Flags: []string{"gpg", "encrypted"},
|
|
},
|
|
GPGKeyID: gpgKeyID,
|
|
AgePublicKey: agePublicKeyString,
|
|
AgeRecipient: ageIdentity.Recipient().String(),
|
|
}
|
|
|
|
metadataBytes, err := json.MarshalIndent(pgpMetadata, "", " ")
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to marshal unlock key metadata: %w", err)
|
|
}
|
|
|
|
if err := afero.WriteFile(fs, filepath.Join(unlockKeyDir, "unlock-metadata.json"), metadataBytes, FilePerms); err != nil {
|
|
return nil, fmt.Errorf("failed to write unlock key metadata: %w", err)
|
|
}
|
|
|
|
return &PGPUnlockKey{
|
|
Directory: unlockKeyDir,
|
|
Metadata: pgpMetadata.UnlockKeyMetadata,
|
|
fs: fs,
|
|
}, nil
|
|
}
|
|
|
|
// checkGPGAvailable verifies that GPG is available
|
|
func checkGPGAvailable() error {
|
|
cmd := exec.Command("gpg", "--version")
|
|
if err := cmd.Run(); err != nil {
|
|
return fmt.Errorf("GPG not available: %w (make sure 'gpg' command is installed and in PATH)", err)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// gpgEncrypt encrypts data to the specified GPG key ID
|
|
func gpgEncrypt(data []byte, keyID string) ([]byte, error) {
|
|
cmd := exec.Command("gpg", "--trust-model", "always", "--armor", "--encrypt", "-r", keyID)
|
|
cmd.Stdin = strings.NewReader(string(data))
|
|
|
|
output, err := cmd.Output()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("GPG encryption failed: %w", err)
|
|
}
|
|
|
|
return output, nil
|
|
}
|
|
|
|
// gpgDecrypt decrypts GPG-encrypted data
|
|
func gpgDecrypt(encryptedData []byte) ([]byte, error) {
|
|
cmd := exec.Command("gpg", "--quiet", "--decrypt")
|
|
cmd.Stdin = strings.NewReader(string(encryptedData))
|
|
|
|
output, err := cmd.Output()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("GPG decryption failed: %w", err)
|
|
}
|
|
|
|
return output, nil
|
|
}
|