sneak
4adeeae1db
Adds a new "secure-enclave" unlocker type that stores the vault's long-term private key encrypted by a non-exportable P-256 key held in the Secure Enclave hardware. Decryption (ECDH) is performed inside the SE; the key never leaves the hardware. Uses CryptoTokenKit identities created via sc_auth, which allows SE access from unsigned binaries without Apple Developer Program membership. ECIES (X963SHA256 + AES-GCM) handles encryption and decryption through Security.framework. New package internal/macse/ provides the CGo bridge to Security.framework for SE key creation, ECIES encrypt/decrypt, and key deletion. The SE unlocker directly encrypts the vault long-term key (no intermediate age keypair).
254 lines
7.7 KiB
Go
254 lines
7.7 KiB
Go
package vault
|
|
|
|
import (
|
|
"fmt"
|
|
"log/slog"
|
|
"os"
|
|
"path/filepath"
|
|
|
|
"filippo.io/age"
|
|
"git.eeqj.de/sneak/secret/internal/secret"
|
|
"git.eeqj.de/sneak/secret/pkg/agehd"
|
|
"github.com/spf13/afero"
|
|
)
|
|
|
|
// Vault represents a secrets vault
|
|
type Vault struct {
|
|
Name string
|
|
fs afero.Fs
|
|
stateDir string
|
|
longTermKey *age.X25519Identity // In-memory long-term key when unlocked
|
|
}
|
|
|
|
// NewVault creates a new Vault instance
|
|
func NewVault(fs afero.Fs, stateDir string, name string) *Vault {
|
|
secret.Debug("Creating NewVault instance")
|
|
v := &Vault{
|
|
Name: name,
|
|
fs: fs,
|
|
stateDir: stateDir,
|
|
longTermKey: nil,
|
|
}
|
|
secret.Debug("Created NewVault instance successfully")
|
|
|
|
return v
|
|
}
|
|
|
|
// Locked returns true if the vault doesn't have a long-term key in memory
|
|
func (v *Vault) Locked() bool {
|
|
return v.longTermKey == nil
|
|
}
|
|
|
|
// Unlock sets the long-term key in memory, unlocking the vault
|
|
func (v *Vault) Unlock(key *age.X25519Identity) {
|
|
v.longTermKey = key
|
|
}
|
|
|
|
// GetLongTermKey returns the long-term key if available in memory
|
|
func (v *Vault) GetLongTermKey() *age.X25519Identity {
|
|
return v.longTermKey
|
|
}
|
|
|
|
// ClearLongTermKey removes the long-term key from memory (locks the vault)
|
|
func (v *Vault) ClearLongTermKey() {
|
|
v.longTermKey = nil
|
|
}
|
|
|
|
// GetOrDeriveLongTermKey gets the long-term key from memory or derives it from available sources
|
|
func (v *Vault) GetOrDeriveLongTermKey() (*age.X25519Identity, error) {
|
|
// If we have it in memory, return it
|
|
if !v.Locked() {
|
|
return v.longTermKey, nil
|
|
}
|
|
|
|
secret.Debug("Vault is locked, attempting to unlock", "vault_name", v.Name)
|
|
|
|
// Try to derive from environment mnemonic first
|
|
if envMnemonic := os.Getenv(secret.EnvMnemonic); envMnemonic != "" {
|
|
secret.Debug("Using mnemonic from environment for long-term key derivation", "vault_name", v.Name)
|
|
|
|
// Load vault metadata to get the derivation index
|
|
vaultDir, err := v.GetDirectory()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to get vault directory: %w", err)
|
|
}
|
|
|
|
metadata, err := LoadVaultMetadata(v.fs, vaultDir)
|
|
if err != nil {
|
|
secret.Debug("Failed to load vault metadata", "error", err, "vault_name", v.Name)
|
|
|
|
return nil, fmt.Errorf("failed to load vault metadata: %w", err)
|
|
}
|
|
|
|
ltIdentity, err := agehd.DeriveIdentity(envMnemonic, metadata.DerivationIndex)
|
|
if err != nil {
|
|
secret.Debug("Failed to derive long-term key from mnemonic", "error", err, "vault_name", v.Name)
|
|
|
|
return nil, fmt.Errorf("failed to derive long-term key from mnemonic: %w", err)
|
|
}
|
|
|
|
// Verify that the derived key matches the stored public key hash
|
|
derivedPubKeyHash := ComputeDoubleSHA256([]byte(ltIdentity.Recipient().String()))
|
|
if derivedPubKeyHash != metadata.PublicKeyHash {
|
|
secret.Debug("Derived public key hash does not match stored hash",
|
|
"vault_name", v.Name,
|
|
"derived_hash", derivedPubKeyHash,
|
|
"stored_hash", metadata.PublicKeyHash,
|
|
"derivation_index", metadata.DerivationIndex)
|
|
|
|
return nil, fmt.Errorf("derived public key does not match vault: mnemonic may be incorrect")
|
|
}
|
|
|
|
secret.DebugWith("Successfully derived long-term key from mnemonic",
|
|
slog.String("vault_name", v.Name),
|
|
slog.String("public_key", ltIdentity.Recipient().String()),
|
|
slog.Uint64("derivation_index", uint64(metadata.DerivationIndex)),
|
|
)
|
|
|
|
// Cache the derived key by unlocking the vault
|
|
v.Unlock(ltIdentity)
|
|
secret.Debug("Vault is unlocked (lt key in memory) via mnemonic", "vault_name", v.Name)
|
|
|
|
return ltIdentity, nil
|
|
}
|
|
|
|
// No mnemonic available, try to use current unlocker
|
|
secret.Debug("No mnemonic available, using current unlocker to unlock vault", "vault_name", v.Name)
|
|
|
|
// Get current unlocker
|
|
unlocker, err := v.GetCurrentUnlocker()
|
|
if err != nil {
|
|
secret.Debug("Failed to get current unlocker", "error", err, "vault_name", v.Name)
|
|
|
|
return nil, fmt.Errorf("failed to get current unlocker: %w", err)
|
|
}
|
|
|
|
secret.DebugWith("Retrieved current unlocker for vault unlock",
|
|
slog.String("vault_name", v.Name),
|
|
slog.String("unlocker_type", unlocker.GetType()),
|
|
slog.String("unlocker_id", unlocker.GetID()),
|
|
)
|
|
|
|
// Get the long-term key via the unlocker.
|
|
// SE unlockers return the long-term key directly from GetIdentity().
|
|
// Other unlockers return their own identity, used to decrypt longterm.age.
|
|
ltIdentity, err := v.unlockLongTermKey(unlocker)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
secret.DebugWith("Successfully obtained long-term identity via unlocker",
|
|
slog.String("vault_name", v.Name),
|
|
slog.String("unlocker_type", unlocker.GetType()),
|
|
slog.String("public_key", ltIdentity.Recipient().String()),
|
|
)
|
|
|
|
// Cache the derived key by unlocking the vault
|
|
v.Unlock(ltIdentity)
|
|
secret.Debug("Vault is unlocked (lt key in memory) via unlocker",
|
|
"vault_name", v.Name, "unlocker_type", unlocker.GetType())
|
|
|
|
return ltIdentity, nil
|
|
}
|
|
|
|
// unlockLongTermKey extracts the vault's long-term key using the given unlocker.
|
|
// SE unlockers decrypt the long-term key directly; other unlockers use an intermediate identity.
|
|
func (v *Vault) unlockLongTermKey(unlocker secret.Unlocker) (*age.X25519Identity, error) {
|
|
if unlocker.GetType() == "secure-enclave" {
|
|
secret.Debug("SE unlocker: decrypting long-term key directly via Secure Enclave")
|
|
|
|
ltIdentity, err := unlocker.GetIdentity()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to decrypt long-term key via SE: %w", err)
|
|
}
|
|
|
|
return ltIdentity, nil
|
|
}
|
|
|
|
// Standard unlockers: get unlocker identity, then decrypt longterm.age
|
|
unlockerIdentity, err := unlocker.GetIdentity()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to get unlocker identity: %w", err)
|
|
}
|
|
|
|
encryptedLtPrivKeyPath := filepath.Join(unlocker.GetDirectory(), "longterm.age")
|
|
|
|
encryptedLtPrivKey, err := afero.ReadFile(v.fs, encryptedLtPrivKeyPath)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to read encrypted long-term private key: %w", err)
|
|
}
|
|
|
|
ltPrivKeyBuffer, err := secret.DecryptWithIdentity(encryptedLtPrivKey, unlockerIdentity)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to decrypt long-term private key: %w", err)
|
|
}
|
|
defer ltPrivKeyBuffer.Destroy()
|
|
|
|
ltIdentity, err := age.ParseX25519Identity(ltPrivKeyBuffer.String())
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to parse long-term private key: %w", err)
|
|
}
|
|
|
|
return ltIdentity, nil
|
|
}
|
|
|
|
// GetDirectory returns the vault's directory path
|
|
func (v *Vault) GetDirectory() (string, error) {
|
|
return filepath.Join(v.stateDir, "vaults.d", v.Name), nil
|
|
}
|
|
|
|
// GetName returns the vault's name (for VaultInterface compatibility)
|
|
func (v *Vault) GetName() string {
|
|
return v.Name
|
|
}
|
|
|
|
// GetFilesystem returns the vault's filesystem (for VaultInterface compatibility)
|
|
func (v *Vault) GetFilesystem() afero.Fs {
|
|
return v.fs
|
|
}
|
|
|
|
// NumSecrets returns the number of secrets in the vault
|
|
func (v *Vault) NumSecrets() (int, error) {
|
|
vaultDir, err := v.GetDirectory()
|
|
if err != nil {
|
|
return 0, fmt.Errorf("failed to get vault directory: %w", err)
|
|
}
|
|
|
|
secretsDir := filepath.Join(vaultDir, "secrets.d")
|
|
exists, _ := afero.DirExists(v.fs, secretsDir)
|
|
if !exists {
|
|
return 0, nil
|
|
}
|
|
|
|
entries, err := afero.ReadDir(v.fs, secretsDir)
|
|
if err != nil {
|
|
return 0, fmt.Errorf("failed to read secrets directory: %w", err)
|
|
}
|
|
|
|
// Count only directories that contain at least one version file
|
|
count := 0
|
|
for _, entry := range entries {
|
|
if !entry.IsDir() {
|
|
continue
|
|
}
|
|
|
|
// Check if this secret directory contains any version files
|
|
secretDir := filepath.Join(secretsDir, entry.Name())
|
|
versionFiles, err := afero.ReadDir(v.fs, secretDir)
|
|
if err != nil {
|
|
continue // Skip directories we can't read
|
|
}
|
|
|
|
// Look for at least one version file (excluding "current" symlink)
|
|
for _, vFile := range versionFiles {
|
|
if !vFile.IsDir() && vFile.Name() != "current" {
|
|
count++
|
|
|
|
break // Found at least one version, count this secret
|
|
}
|
|
}
|
|
}
|
|
|
|
return count, nil
|
|
}
|