109 lines
3.6 KiB
Go
109 lines
3.6 KiB
Go
package secret
|
|
|
|
import (
|
|
"bytes"
|
|
"fmt"
|
|
"io"
|
|
"os"
|
|
"syscall"
|
|
|
|
"filippo.io/age"
|
|
"golang.org/x/term"
|
|
)
|
|
|
|
// EncryptToRecipient encrypts data to a recipient using age
|
|
func EncryptToRecipient(data []byte, recipient age.Recipient) ([]byte, error) {
|
|
Debug("EncryptToRecipient starting", "data_length", len(data))
|
|
|
|
var buf bytes.Buffer
|
|
Debug("Creating age encryptor")
|
|
w, err := age.Encrypt(&buf, recipient)
|
|
if err != nil {
|
|
Debug("Failed to create encryptor", "error", err)
|
|
return nil, fmt.Errorf("failed to create encryptor: %w", err)
|
|
}
|
|
Debug("Created age encryptor successfully")
|
|
|
|
Debug("Writing data to encryptor")
|
|
if _, err := w.Write(data); err != nil {
|
|
Debug("Failed to write data to encryptor", "error", err)
|
|
return nil, fmt.Errorf("failed to write data: %w", err)
|
|
}
|
|
Debug("Wrote data to encryptor successfully")
|
|
|
|
Debug("Closing encryptor")
|
|
if err := w.Close(); err != nil {
|
|
Debug("Failed to close encryptor", "error", err)
|
|
return nil, fmt.Errorf("failed to close encryptor: %w", err)
|
|
}
|
|
Debug("Closed encryptor successfully")
|
|
|
|
result := buf.Bytes()
|
|
Debug("EncryptToRecipient completed successfully", "result_length", len(result))
|
|
return result, nil
|
|
}
|
|
|
|
// DecryptWithIdentity decrypts data with an identity using age
|
|
func DecryptWithIdentity(data []byte, identity age.Identity) ([]byte, error) {
|
|
r, err := age.Decrypt(bytes.NewReader(data), identity)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to create decryptor: %w", err)
|
|
}
|
|
|
|
result, err := io.ReadAll(r)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to read decrypted data: %w", err)
|
|
}
|
|
|
|
return result, nil
|
|
}
|
|
|
|
// EncryptWithPassphrase encrypts data using a passphrase with age's scrypt-based encryption
|
|
func EncryptWithPassphrase(data []byte, passphrase string) ([]byte, error) {
|
|
recipient, err := age.NewScryptRecipient(passphrase)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to create scrypt recipient: %w", err)
|
|
}
|
|
|
|
return EncryptToRecipient(data, recipient)
|
|
}
|
|
|
|
// DecryptWithPassphrase decrypts data using a passphrase with age's scrypt-based decryption
|
|
func DecryptWithPassphrase(encryptedData []byte, passphrase string) ([]byte, error) {
|
|
identity, err := age.NewScryptIdentity(passphrase)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to create scrypt identity: %w", err)
|
|
}
|
|
|
|
return DecryptWithIdentity(encryptedData, identity)
|
|
}
|
|
|
|
// ReadPassphrase reads a passphrase securely from the terminal without echoing
|
|
// This version is for unlocking and doesn't require confirmation
|
|
func ReadPassphrase(prompt string) (string, error) {
|
|
// Check if stdin is a terminal
|
|
if !term.IsTerminal(int(syscall.Stdin)) {
|
|
// Not a terminal - never read passphrases from piped input for security reasons
|
|
return "", fmt.Errorf("cannot read passphrase from non-terminal stdin (piped input or script). Please set the SB_UNLOCK_PASSPHRASE environment variable or run interactively")
|
|
}
|
|
|
|
// stdin is a terminal, check if stderr is also a terminal for interactive prompting
|
|
if !term.IsTerminal(int(syscall.Stderr)) {
|
|
return "", fmt.Errorf("cannot prompt for passphrase: stderr is not a terminal (running in non-interactive mode). Please set the SB_UNLOCK_PASSPHRASE environment variable")
|
|
}
|
|
|
|
// Both stdin and stderr are terminals - use secure password reading
|
|
fmt.Fprint(os.Stderr, prompt) // Write prompt to stderr, not stdout
|
|
passphrase, err := term.ReadPassword(int(syscall.Stdin))
|
|
if err != nil {
|
|
return "", fmt.Errorf("failed to read passphrase: %w", err)
|
|
}
|
|
fmt.Fprintln(os.Stderr) // Print newline to stderr since ReadPassword doesn't echo
|
|
|
|
if len(passphrase) == 0 {
|
|
return "", fmt.Errorf("passphrase cannot be empty")
|
|
}
|
|
|
|
return string(passphrase), nil
|
|
}
|