package main
import (
"bytes"
"fmt"
"io/ioutil"
"os"
filepath "path"
"strings"
"github.com/spf13/cobra"
"golang.org/x/crypto/nacl/secretbox"
"golang.org/x/crypto/openpgp"
)
// Share encodings accepted by the --encoding flag. The same names are used
// both when printing shares (encrypt) and when reading them back (decrypt).

// encodingHEX selects hexadecimal share encoding; it is the flag default.
const encodingHEX = "hex"

// encodingBASE64 selects base64 share encoding.
const encodingBASE64 = "base64"
// cmd is the root command; its displayed name is whatever the binary was
// invoked as.
var cmd = &cobra.Command{
	Use:   os.Args[0],
	Short: "secretbox",
}

// cmdEncrypt is the "encrypt" subcommand (cobra uses the first word of Use
// as the command name; the rest is shown as usage).
var cmdEncrypt = &cobra.Command{
	Use:   "encrypt a file",
	Short: "encrypts a file",
	Run:   runEncrypt,
}

// cmdDecrypt is the "decrypt" subcommand.
var cmdDecrypt = &cobra.Command{
	Use:   "decrypt a file",
	Short: "decrypts a file",
	Run:   runDecrypt,
}

// Flag-bound settings, populated by init(). parts, threshold and keyring
// are registered on the encrypt command only; the rest on both.
var (
	parts     int    // number of Shamir shares to split the key into
	threshold int    // shares required to reconstruct the key
	input     string // file to encrypt / decrypt
	output    string // destination path; must not already exist
	encoding  string // share encoding: encodingHEX or encodingBASE64
	keyring   string // armored PGP keyring; when set, one share is encrypted per key
)
// init binds the command-line flags to the package-level variables and
// attaches both subcommands to the root command. Registration order is
// kept identical to the help output users already see.
func init() {
	// Encrypt-only flags: Shamir parameters and the optional PGP keyring.
	ef := cmdEncrypt.Flags()
	ef.IntVarP(&parts, "parts", "p", 5, "total parts to split key into")
	ef.IntVarP(&threshold, "threshold", "t", 3, "minimum parts needed to decrypt")
	ef.StringVarP(&keyring, "keyring", "k", "", "PGP keyring to encrypt secrets")

	// Flags shared by encrypt and decrypt; the verb only changes help text.
	for _, sub := range []struct {
		c  *cobra.Command
		op string
	}{{cmdEncrypt, "encrypt"}, {cmdDecrypt, "decrypt"}} {
		fs := sub.c.Flags()
		fs.StringVarP(&input, "input", "i", "", fmt.Sprintf("file to %s", sub.op))
		fs.StringVarP(&output, "output", "o", "", fmt.Sprintf("destination for %sed file", sub.op))
		fs.StringVarP(&encoding, "encoding", "e", encodingHEX, "key encoding to use (hex or base64)")
	}

	cmd.AddCommand(cmdEncrypt, cmdDecrypt)
}
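// main runs the root command and exits non-zero when it reports an error,
// so scripts can tell a failed invocation (unknown subcommand, bad flag)
// from a successful one. cobra prints the error and usage itself unless
// SilenceErrors/SilenceUsage are set, so nothing is printed here.
func main() {
	if err := cmd.Execute(); err != nil {
		os.Exit(1)
	}
}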
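// runEncrypt encrypts the file named by --input into --output with NaCl
// secretbox, using a freshly generated key that is split into Shamir
// shares. Without a keyring the shares are printed to stdout in the chosen
// encoding; with a keyring, share i is PGP-encrypted to keyring entity i
// and printed ASCII-armored.
//
// Every failure goes through exit/exitOnError, which terminate the process,
// so code after a check only runs when the check passed.
func runEncrypt(cmd *cobra.Command, args []string) {
	checkEncoding()
	checkFiles()

	// A threshold above the share count can never be reconstructed; refuse
	// it before anything is generated or written.
	if parts < 1 || threshold < 1 || threshold > parts {
		exit(1, fmt.Sprintf("invalid Shamir parameters: parts %d, threshold %d", parts, threshold))
	}

	var entities openpgp.EntityList
	if keyring != "" {
		data, err := ioutil.ReadFile(keyring)
		exitOnError("Read PGP keyring", err)
		entities, err = openpgp.ReadArmoredKeyRing(bytes.NewReader(data))
		exitOnError("Parse PGP keyring", err)
	}

	plain, err := ioutil.ReadFile(input)
	exitOnError("Reading input file", err)

	shamirKey := generateShamirKey(&ShamirParams{
		Parts:     parts,
		Threshold: threshold,
	})

	// Check the recipient count before writing: exiting after the write
	// would leave a ciphertext on disk whose shares were never displayed,
	// i.e. an undecryptable file.
	if len(entities) != 0 && len(entities) != len(shamirKey.Parts) {
		exit(1, fmt.Sprintf("# of secrets %d != # of PGP keys %d", len(entities), len(shamirKey.Parts)))
	}

	fmt.Printf("\nEncrypting to '%s'\n", output)
	nonce, key := splitNaclKey(shamirKey.Key)
	crypted := secretbox.Seal(nil, plain, &nonce, &key)

	// Create the output exclusively and owner-read-only. O_EXCL closes the
	// window between checkFiles' existence test and this write, and refuses
	// to follow a symlink planted at the output path. The mode is octal
	// 0400 (r--------); a decimal 400 would be 0620, i.e. group-writable.
	f, err := os.OpenFile(output, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0400)
	exitOnError("Create output file", err)
	_, err = f.Write(crypted)
	if cerr := f.Close(); err == nil {
		err = cerr
	}
	exitOnError("Failed to write output file:", err)

	fmt.Printf("Encrypted using secret key in %d parts with threshold %d:\n\n", parts, threshold)
	if len(entities) == 0 {
		// No keyring: shares are printed in the clear; distributing them
		// safely is up to the caller.
		displayShamirKey(shamirKey, encoding)
	} else {
		// One share per PGP recipient, in keyring order.
		for i, part := range shamirKey.Parts {
			recipient := entities[i]
			fmt.Printf("Encrypting secret %d for recipient:\n", i+1)
			for _, identity := range recipient.Identities {
				fmt.Println(" -->", identity.Name)
			}
			fmt.Println()
			encoded := fmt.Sprintf("%s\n", encode(part, encoding))
			pgpBytes, err := encryptPGP([]byte(encoded), recipient)
			exitOnError("PGP encrypt", err)
			armored, err := armorPGP(pgpBytes)
			exitOnError("PGP armor", err)
			fmt.Println(armored)
			fmt.Println()
		}
	}
	fmt.Println("\nSuccess!")
}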
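// runDecrypt reconstructs the secretbox key from Shamir shares gathered by
// obtainShamirKey (defined elsewhere in this file), decrypts the file named
// by --input and writes the plaintext to --output.
//
// Failures terminate the process via exit/exitOnError.
func runDecrypt(cmd *cobra.Command, args []string) {
	checkEncoding()
	checkFiles()

	crypted, err := ioutil.ReadFile(input)
	exitOnError("Reading input file", err)

	naclKey := obtainShamirKey()
	nonce, key := splitNaclKey(naclKey)

	// secretbox.Open authenticates before decrypting: a wrong key, a
	// truncated file and tampering all surface as !ok with no further
	// detail, which is the desired behaviour.
	plain, ok := secretbox.Open(nil, crypted, &nonce, &key)
	if !ok {
		exit(1, "Decryption failed!")
	}

	// Create the plaintext file exclusively and owner-read-only. O_EXCL
	// closes the window between checkFiles' existence test and this write
	// and refuses to follow a symlink at the output path. The mode is octal
	// 0400; a decimal 400 would be 0620, i.e. group-writable.
	f, err := os.OpenFile(output, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0400)
	exitOnError("Create output file", err)
	_, err = f.Write(plain)
	if cerr := f.Close(); err == nil {
		err = cerr
	}
	exitOnError("Failed to write output file:", err)

	fmt.Println("\nSuccess!")
}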
// checkEncoding terminates the process unless the --encoding flag names one
// of the supported share encodings (encodingHEX or encodingBASE64).
func checkEncoding() {
	if encoding == encodingHEX || encoding == encodingBASE64 {
		return
	}
	exit(1, fmt.Sprintf("unknown encoding '%s'", encoding))
}
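// checkFiles validates the --input / --output flags and terminates the
// process on the first problem: both must be set, they must not name the
// same path, the input must exist, nothing may already occupy the output
// path (a dangling symlink included), and the output's parent directory
// must exist.
//
// These checks are advisory only: another process can create the output
// path between this check and the write, so the writer should still open
// the output with O_EXCL rather than rely on this alone.
func checkFiles() {
	exitOnEmpty("you must provide the 'input' filename", input)
	exitOnEmpty("you must provide the 'output' filename", output)

	// Must never overwrite the input. Compare cleaned paths so "./x" and
	// "x" are rejected here with a clear message instead of surfacing later
	// as an "already exists" error.
	if strings.Compare(filepath.Clean(input), filepath.Clean(output)) == 0 {
		exit(1, "input and output paths must not be the same!")
	}

	if !fileExists(input) {
		exit(1, fmt.Sprintf("input file '%s' must exist", input))
	}

	// Lstat in addition to fileExists: if fileExists follows symlinks, a
	// dangling symlink at the output path would pass and the write would
	// follow it to wherever it points.
	if _, err := os.Lstat(output); err == nil || fileExists(output) {
		exit(1, fmt.Sprintf("output file '%s' already exists! not overwriting.", output))
	}

	// NOTE: filepath is an alias for "path" in this file (slash-separated
	// only), so Dir does not understand Windows separators.
	parent := filepath.Dir(output)
	if !fileExists(parent) {
		exit(1, fmt.Sprintf("output directory '%s' does not exist", parent))
	}
}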