man what a clusterfuck

internal/secret/crypto.go

@@ -0,0 +1,112 @@
+package secret
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"syscall"
+
+	"filippo.io/age"
+	"golang.org/x/term"
+)
+
+// encryptToRecipient encrypts data to a recipient using age
+func encryptToRecipient(data []byte, recipient age.Recipient) ([]byte, error) {
+	var buf bytes.Buffer
+	w, err := age.Encrypt(&buf, recipient)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create encryptor: %w", err)
+	}
+
+	if _, err := w.Write(data); err != nil {
+		return nil, fmt.Errorf("failed to write data: %w", err)
+	}
+
+	if err := w.Close(); err != nil {
+		return nil, fmt.Errorf("failed to close encryptor: %w", err)
+	}
+
+	return buf.Bytes(), nil
+}
+
+// decryptWithIdentity decrypts data with an identity using age
+func decryptWithIdentity(data []byte, identity age.Identity) ([]byte, error) {
+	r, err := age.Decrypt(bytes.NewReader(data), identity)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create decryptor: %w", err)
+	}
+
+	result, err := io.ReadAll(r)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read decrypted data: %w", err)
+	}
+
+	return result, nil
+}
+
+// encryptWithPassphrase encrypts data using a passphrase with age's scrypt-based encryption
+func encryptWithPassphrase(data []byte, passphrase string) ([]byte, error) {
+	recipient, err := age.NewScryptRecipient(passphrase)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create scrypt recipient: %w", err)
+	}
+
+	return encryptToRecipient(data, recipient)
+}
+
+// decryptWithPassphrase decrypts data using a passphrase with age's scrypt-based decryption
+func decryptWithPassphrase(encryptedData []byte, passphrase string) ([]byte, error) {
+	identity, err := age.NewScryptIdentity(passphrase)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create scrypt identity: %w", err)
+	}
+
+	return decryptWithIdentity(encryptedData, identity)
+}
+
+// readPassphrase reads a passphrase securely from the terminal without echoing
+// This version is for unlocking and doesn't require confirmation
+func readPassphrase(prompt string) (string, error) {
+	// Check if stdin is a terminal
+	if !term.IsTerminal(int(syscall.Stdin)) {
+		// Not a terminal - fall back to regular input
+		fmt.Print(prompt)
+		var passphrase string
+		_, err := fmt.Scanln(&passphrase)
+		if err != nil {
+			return "", fmt.Errorf("failed to read passphrase: %w", err)
+		}
+		return passphrase, nil
+	}
+
+	// Terminal input - use secure password reading
+	fmt.Print(prompt)
+	passphrase, err := term.ReadPassword(int(syscall.Stdin))
+	if err != nil {
+		return "", fmt.Errorf("failed to read passphrase: %w", err)
+	}
+	fmt.Println() // Print newline since ReadPassword doesn't echo
+
+	if len(passphrase) == 0 {
+		return "", fmt.Errorf("passphrase cannot be empty")
+	}
+
+	return string(passphrase), nil
+}
+
+// decryptSecretWithLongTermKey is a helper that parses a long-term private key and uses it to decrypt secret data
+func decryptSecretWithLongTermKey(ltPrivKeyData []byte, encryptedData []byte) ([]byte, error) {
+	// Parse long-term private key
+	ltIdentity, err := age.ParseX25519Identity(string(ltPrivKeyData))
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse long-term private key: %w", err)
+	}
+
+	// Decrypt secret data using long-term key
+	decryptedData, err := decryptWithIdentity(encryptedData, ltIdentity)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decrypt secret: %w", err)
+	}
+
+	return decryptedData, nil
+}