package nacl
import (
"fmt"
"io/ioutil"
"os"
"github.com/pkg/errors"
"github.com/smallstep/cli/errs"
"github.com/smallstep/cli/utils"
"github.com/urfave/cli"
"golang.org/x/crypto/nacl/secretbox"
)
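// secretboxCommand returns the "step crypto nacl secretbox" command group,
// which exposes NaCl secretbox (authenticated secret-key encryption) as the
// "seal" and "open" subcommands.
//
// The help text replaces the former TODO placeholder with the argument
// contract shared by both subcommands and the nonce-reuse caveat that
// applies to any secretbox use.
func secretboxCommand() cli.Command {
	return cli.Command{
		Name:      "secretbox",
		Usage:     "encrypts and authenticates small messages using secret-key cryptography",
		UsageText: "step crypto nacl secretbox <subcommand> [arguments] [global-flags] [subcommand-flags]",
		Description: `**step crypto nacl secretbox** command group uses secret-key cryptography to
encrypt, decrypt and authenticate messages.

**seal** encrypts and authenticates a message read from standard input;
**open** verifies and decrypts a box produced by **seal**. Both take a
<nonce> and the path to a <key-file> holding exactly 32 key bytes. A nonce
longer than 24 bytes is rejected; a shorter one is zero-padded to 24 bytes.

A nonce must never be reused with the same key: sealing two messages under
the same key and nonce breaks both the confidentiality and the authenticity
of the boxes. The examples below use a short literal nonce for brevity; in
practice use a fresh, unpredictable 24-byte nonce for every message sealed
with a given key.

## EXAMPLES

Encrypt a message using a 256-bit secret key, a new nacl box private key can
be used as the secret:
'''
$ step crypto nacl secretbox seal nonce secretbox.key
Write text to seal: ********
o2NJTsIJsk0dl4epiBwS1mM4xFED7iE

$ cat message.txt | step crypto nacl secretbox seal nonce secretbox.key
o2NJTsIJsk0dl4epiBwS1mM4xFED7iE
'''

Decrypt and authenticate the message:
'''
$ echo o2NJTsIJsk0dl4epiBwS1mM4xFED7iE | step crypto nacl secretbox open nonce secretbox.key
message
'''`,
		Subcommands: cli.Commands{
			secretboxOpenCommand(),
			secretboxSealCommand(),
		},
	}
}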
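// secretboxOpenCommand returns the "open" subcommand, which authenticates and
// decrypts a box produced by "seal". The help text documents the positional
// arguments in place of the former TODO placeholder.
func secretboxOpenCommand() cli.Command {
	return cli.Command{
		Name:   "open",
		Action: cli.ActionFunc(secretboxOpenAction),
		Usage:  "authenticates and decrypts a box produced by seal",
		UsageText: `**step crypto nacl secretbox open** <nonce> <key-file>
[--raw]`,
		Description: `**step crypto nacl secretbox open** verifies and decrypts a ciphertext using a
secret key and a nonce.

The box is read from standard input and must have been produced by
**step crypto nacl secretbox seal** with the same <nonce> and <key-file>.
The input is base64 decoded unless **--raw** is given. If authentication
fails, an error is reported and no plaintext is written.

## POSITIONAL ARGUMENTS

<nonce>
:  The nonce the box was sealed with. It cannot be longer than 24 bytes; a
shorter nonce is zero-padded to 24 bytes.

<key-file>
:  The path to a file holding exactly 32 secret key bytes.

For examples, see **step help crypto nacl secretbox**.`,
		Flags: []cli.Flag{
			cli.BoolFlag{
				Name:  "raw",
				Usage: "Indicates that input is not base64 encoded",
			},
		},
	}
}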
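// secretboxSealCommand returns the "seal" subcommand, which encrypts and
// authenticates a message with a secret key and a nonce. The help text
// documents the positional arguments in place of the former TODO placeholder.
func secretboxSealCommand() cli.Command {
	return cli.Command{
		Name:   "seal",
		Action: cli.ActionFunc(secretboxSealAction),
		Usage:  "produces an encrypted ciphertext",
		UsageText: `**step crypto nacl secretbox seal** <nonce> <key-file>
[--raw]`,
		Description: `**step crypto nacl secretbox seal** encrypts and authenticates a message using
a secret key and a nonce.

The message is read from standard input (or prompted for, as in the
examples). The resulting box is written to standard output base64 encoded,
or as raw bytes when **--raw** is given. Never seal two messages with the
same <nonce> and <key-file>; reuse breaks both confidentiality and
authenticity.

## POSITIONAL ARGUMENTS

<nonce>
:  The nonce to seal with. It cannot be longer than 24 bytes; a shorter
nonce is zero-padded to 24 bytes. The same nonce is required to open the box.

<key-file>
:  The path to a file holding exactly 32 secret key bytes.

For examples, see **step help crypto nacl secretbox**.`,
		Flags: []cli.Flag{
			cli.BoolFlag{
				Name:  "raw",
				Usage: "Do not base64 encode output",
			},
		},
	}
}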
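// secretboxOpenAction implements "step crypto nacl secretbox open".
//
// args[0] is the nonce (at most 24 bytes; a shorter value is zero-padded,
// which is why the caller is responsible for never reusing it with the same
// key), args[1] is the path of a file holding exactly 32 key bytes. The box
// is read from standard input, base64-decoded unless --raw is set, then
// verified and decrypted with secretbox.Open. The plaintext is written to
// standard output only when authentication succeeds; on any failure an error
// is returned and nothing is written. The write itself is now checked so a
// short or failed write is reported instead of silently exiting 0.
func secretboxOpenAction(ctx *cli.Context) error {
	// secretbox.Open takes fixed-size *[24]byte nonce and *[32]byte key.
	const (
		nonceSize = 24
		keySize   = 32
	)

	if err := errs.NumberOfArguments(ctx, 2); err != nil {
		return err
	}

	args := ctx.Args()
	nonce, keyFile := []byte(args[0]), args[1]
	if len(nonce) > nonceSize {
		return errors.New("nonce cannot be longer than 24 bytes")
	}

	key, err := ioutil.ReadFile(keyFile)
	if err != nil {
		return errs.FileError(err, keyFile)
	}
	if len(key) != keySize {
		return errors.New("invalid key file: key size is not 32 bytes")
	}

	input, err := utils.ReadAll(os.Stdin)
	if err != nil {
		return errors.Wrap(err, "error reading input")
	}

	var box []byte
	if ctx.Bool("raw") {
		box = input
	} else {
		// DecodedLen is an upper bound; Decode reports the actual length.
		box = make([]byte, b64Encoder.DecodedLen(len(input)))
		n, err := b64Encoder.Decode(box, input)
		if err != nil {
			return errors.Wrap(err, "error decoding base64 input")
		}
		box = box[:n]
	}

	// A nonce shorter than 24 bytes is left zero-padded at the end.
	var n [nonceSize]byte
	var k [keySize]byte
	copy(n[:], nonce)
	copy(k[:], key)

	// Fixme: if we prepend the nonce in the seal we can use use box[24:]
	// as the message and box[:24] as the nonce instead of requiring one.
	// Open authenticates before decrypting; a box shorter than
	// secretbox.Overhead or with a bad tag yields ok == false.
	plaintext, ok := secretbox.Open(nil, box, &n, &k)
	if !ok {
		return errors.New("error authenticating or decrypting input")
	}

	if _, err := os.Stdout.Write(plaintext); err != nil {
		return errors.Wrap(err, "error writing output")
	}
	return nil
}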
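// secretboxSealAction implements "step crypto nacl secretbox seal".
//
// args[0] is the nonce (at most 24 bytes; a shorter value is zero-padded),
// args[1] is the path of a file holding exactly 32 key bytes. The message is
// read via utils.ReadInput (standard input, or an interactive prompt), sealed
// with secretbox.Seal, and written to standard output base64 encoded unless
// --raw is set. Reusing a nonce with the same key breaks the scheme; nothing
// here can detect that, so the caller must guarantee nonce uniqueness.
//
// The key-size error message matches secretboxOpenAction's, and the output
// writes are checked so a failed write is reported instead of exiting 0.
func secretboxSealAction(ctx *cli.Context) error {
	// secretbox.Seal takes fixed-size *[24]byte nonce and *[32]byte key.
	const (
		nonceSize = 24
		keySize   = 32
	)

	if err := errs.NumberOfArguments(ctx, 2); err != nil {
		return err
	}

	args := ctx.Args()
	nonce, keyFile := []byte(args[0]), args[1]
	if len(nonce) > nonceSize {
		return errors.New("nonce cannot be longer than 24 bytes")
	}

	key, err := ioutil.ReadFile(keyFile)
	if err != nil {
		return errs.FileError(err, keyFile)
	}
	if len(key) != keySize {
		return errors.New("invalid key file: key size is not 32 bytes")
	}

	message, err := utils.ReadInput("Write text to seal: ")
	if err != nil {
		return errors.Wrap(err, "error reading input")
	}

	// A nonce shorter than 24 bytes is left zero-padded at the end.
	var n [nonceSize]byte
	var k [keySize]byte
	copy(n[:], nonce)
	copy(k[:], key)

	// Fixme: we can prepend nonce[:] so it's not necessary in the open.
	box := secretbox.Seal(nil, message, &n, &k)

	if ctx.Bool("raw") {
		if _, err := os.Stdout.Write(box); err != nil {
			return errors.Wrap(err, "error writing output")
		}
		return nil
	}
	if _, err := fmt.Println(b64Encoder.EncodeToString(box)); err != nil {
		return errors.Wrap(err, "error writing output")
	}
	return nil
}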