certman/crypto.go

package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"os"

	_ "filippo.io/age"
	"golang.org/x/crypto/chacha20poly1305"
)

//var cert *x509.Certificate
//var key *rsa.PrivateKey
//
//func encryptBytes(data []byte) []byte {
//	if cert == nil || key == nil {
//		loadCerts()
//	}
//
//	encrypted, err := rsa.EncryptPKCS1v15(rand.Reader, cert.PublicKey.(*rsa.PublicKey), data)
//	if err != nil {
//		fmt.Println("Error encrypting data,", err)
//		os.Exit(1)
//	}
//	return encrypted
//}
//
//func decryptBytes(data []byte) []byte {
//	if cert == nil || key == nil {
//		loadCerts()
//	}
//
//	decrypted, err := rsa.DecryptPKCS1v15(rand.Reader, key, data)
//	if err != nil {
//		fmt.Println("Error decrypting data,", err)
//		os.Exit(1)
//	}
//	return decrypted
//}
//
//func loadCerts() {
//	var err error
//	certBytes, err := os.ReadFile(config.GetAsString("Crypto.cert_path"))
//	keyBytes, err := os.ReadFile(config.GetAsString("Crypto.key_path"))
//	if err != nil {
//		fmt.Println("Error reading cert or key,", err)
//		os.Exit(1)
//	}
//
//	cert, err = x509.ParseCertificate(certBytes)
//	if err != nil {
//		fmt.Println("Error parsing certificate,", err)
//		os.Exit(1)
//	}
//	key, err = x509.ParsePKCS1PrivateKey(keyBytes)
//	if err != nil {
//		fmt.Println("Error parsing private key,", err)
//	}
//}

// GenerateKey returns a base64-encoded 32-byte random key suitable to use as the
// symmetric passphrase for age scrypt mode. Store this securely (never in Git).
func GenerateKey() (string, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return "", err
	}
	out := make([]byte, base64.StdEncoding.EncodedLen(len(k)))
	base64.StdEncoding.Encode(out, k)
	return string(out), nil
}

func decodeKey(b64 string) ([]byte, error) {
	key, err := base64.StdEncoding.DecodeString(b64) // standard padded
	if err != nil {
		return nil, err
	}
	if len(key) != chacha20poly1305.KeySize {
		return nil, fmt.Errorf("bad key length: got %d, want %d", len(key), chacha20poly1305.KeySize)
	}
	return key, nil
}

func EncryptFileXChaCha(keyB64, inPath, outPath string, aad []byte) error {
	key, err := decodeKey(keyB64)
	if err != nil {
		return err
	}

	aead, err := chacha20poly1305.NewX(key)
	if err != nil {
		return fmt.Errorf("new aead: %w", err)
	}

	plaintext, err := os.ReadFile(inPath)
	if err != nil {
		return fmt.Errorf("read input: %w", err)
	}

	nonce := make([]byte, chacha20poly1305.NonceSizeX) // 24 bytes
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return fmt.Errorf("nonce: %w", err)
	}

	ciphertext := aead.Seal(nil, nonce, plaintext, aad)

	// Write: nonce || ciphertext
	out := make([]byte, 0, len(nonce)+len(ciphertext))
	out = append(out, nonce...)
	out = append(out, ciphertext...)

	if err := os.WriteFile(outPath, out, 0600); err != nil {
		return fmt.Errorf("write output: %w", err)
	}
	return nil
}

func DecryptFileXChaCha(keyB64, inPath, outPath string, aad []byte) error {
	key, err := decodeKey(keyB64)
	if err != nil {
		return err
	}

	aead, err := chacha20poly1305.NewX(key)
	if err != nil {
		return fmt.Errorf("new aead: %w", err)
	}

	in, err := os.ReadFile(inPath)
	if err != nil {
		return fmt.Errorf("read input: %w", err)
	}
	if len(in) < chacha20poly1305.NonceSizeX {
		return errors.New("ciphertext too short")
	}

	nonce := in[:chacha20poly1305.NonceSizeX]
	ciphertext := in[chacha20poly1305.NonceSizeX:]

	plaintext, err := aead.Open(nil, nonce, ciphertext, aad)
	if err != nil {
		return fmt.Errorf("decrypt/auth failed: %w", err)
	}

	if err := os.WriteFile(outPath, plaintext, 0640); err != nil {
		return fmt.Errorf("write output: %w", err)
	}
	return nil
}