rixxc/age-plugin-xwing
1
0
Fork 0
mirror of https://github.com/Rixxc/age-plugin-xwing.git synced 2025-12-04 14:59:33 +01:00
Code Issues Packages Projects Releases Wiki Activity

chore: refactor code

Browse Source
This commit is contained in:
Aaron Kaiser
2025-11-25 23:31:37 +00:00
parent dbe4901906
commit 265760e24d
1 changed files with 67 additions and 106 deletions
Download Patch File Download Diff File Expand all files Collapse all files

173
src/main.rs
View File

@@ -15,7 +15,6 @@ use base64::prelude::*;
use clap::Parser; use clap::Parser;
use rand_core::OsRng; use rand_core::OsRng;
use std::{ use std::{
array::TryFromSliceError,
collections::{HashMap, HashSet}, collections::{HashMap, HashSet},
io, io,
}; };
@@ -51,10 +50,12 @@ impl RecipientPlugin {
self.recipients self.recipients
.iter() .iter()
.map(|recipient| { .map(|recipient| {
let (ct, ss) = recipient let (ct, shk) = recipient
.encapsulate(&mut OsRng) .encapsulate(&mut OsRng)
.expect("X-Wing encapsulation should not fail with a valid RNG"); .expect("X-Wing encapsulation should not fail with a valid RNG");
let wrapped_key = aead_encrypt(&ss, file_key.expose_secret());
let wrapped_key = aead_encrypt(&shk, file_key.expose_secret());
Stanza { Stanza {
tag: PLUGIN_NAME.to_string(), tag: PLUGIN_NAME.to_string(),
args: vec![BASE64_STANDARD_NO_PAD.encode(ct.to_bytes())], args: vec![BASE64_STANDARD_NO_PAD.encode(ct.to_bytes())],
@@ -79,14 +80,12 @@ impl RecipientPluginV1 for RecipientPlugin {
}); });
} }
let pk: Result<&[u8; ENCAPSULATION_KEY_SIZE], TryFromSliceError> = bytes.try_into(); let pk: &[u8; ENCAPSULATION_KEY_SIZE] =
let pk = match pk { bytes.try_into().map_err(|_| recipient::Error::Recipient {
Ok(x) => Ok(EncapsulationKey::from(x)),
Err(_) => Err(recipient::Error::Recipient {
index, index,
message: "Invalid recipient".to_string(), message: "Invalid recipient".to_string(),
}), })?;
}?; let pk = EncapsulationKey::from(pk);
self.recipients.push(pk); self.recipients.push(pk);
@@ -102,7 +101,7 @@ impl RecipientPluginV1 for RecipientPlugin {
if plugin_name != PLUGIN_NAME { if plugin_name != PLUGIN_NAME {
return Err(recipient::Error::Identity { return Err(recipient::Error::Identity {
index, index,
message: "This Identity should not be handled by this plugin".to_owned(), message: "This identity should not be handled by this plugin".to_string(),
}); });
} }
@@ -140,116 +139,78 @@ struct IdentityPlugin {
} }
impl IdentityPlugin { impl IdentityPlugin {
fn parse_ciphertext(arg: &str) -> Result<Ciphertext, String> {
// age-plugin-xwing up to version 0.1.1 encoded its ciphertext using BASE64_STANDARD.
// We still want to be able to support decrypting those.
let decoded = BASE64_STANDARD_NO_PAD
.decode(arg)
.or_else(|_| BASE64_STANDARD.decode(arg))
.map_err(|_| "Malformed base64".to_string())?;
let bytes: [u8; CIPHERTEXT_SIZE] = decoded
.try_into()
.map_err(|_| "Malformed ciphertext".to_string())?;
Ok(Ciphertext::from(&bytes))
}
fn try_decapsulate(
identities: &[DecapsulationKey],
ct: &Ciphertext,
) -> Option<x_wing::SharedSecret> {
identities.iter().find_map(|key| key.decapsulate(ct).ok())
}
fn unwrap_file_key(ss: &x_wing::SharedSecret, body: &[u8]) -> Result<FileKey, String> {
let plaintext = aead_decrypt(ss, FILE_KEY_BYTES, body).map_err(|e| e.to_string())?;
let key_bytes: [u8; FILE_KEY_BYTES] = plaintext.try_into().map_err(|_| {
format!("aead_decrypt returned a plaintext with a different size than {FILE_KEY_BYTES}")
})?;
Ok(FileKey::new(Box::new(key_bytes)))
}
fn decrypt_stanzas<I: Iterator<Item = (usize, Stanza)>>( fn decrypt_stanzas<I: Iterator<Item = (usize, Stanza)>>(
&self, &self,
file_index: usize, file_index: usize,
stanzas: I, stanzas: I,
) -> Result<FileKey, Vec<identity::Error>> { ) -> Result<FileKey, Vec<identity::Error>> {
let mut file_key = None;
let mut errors = Vec::new(); let mut errors = Vec::new();
for (stanza_index, stanza) in stanzas { for (stanza_index, stanza) in stanzas {
let arg = match stanza.args.first() { // Try to decrypt this stanza
Some(arg) => arg, let result = (|| {
None => { let arg = stanza.args.first().ok_or("Stanza is missing arguments")?;
errors.push(identity::Error::Stanza {
file_index,
stanza_index,
message: "Stanza is missing arguments".to_string(),
});
continue;
}
};
// age-plugin-xwing up to version 0.1.1 encoded its ciphertext using BASE64_STANDARD. let ct = Self::parse_ciphertext(arg)?;
// We still want to be able to support decrypting those.
let ct = match (
BASE64_STANDARD_NO_PAD.decode(arg),
BASE64_STANDARD.decode(arg),
) {
(Ok(ct), _) => ct,
(_, Ok(ct)) => ct,
_ => {
errors.push(identity::Error::Stanza {
file_index,
stanza_index,
message: "Malformed base64".to_string(),
});
continue;
}
};
let ct: [u8; CIPHERTEXT_SIZE] = match ct.try_into() { let ss = Self::try_decapsulate(&self.identities, &ct)
Ok(ct) => ct, .ok_or("No identity found that can decrypt the file")?;
Err(_) => {
errors.push(identity::Error::Stanza {
file_index,
stanza_index,
message: "Malformed ciphertext".to_string(),
});
continue;
}
};
let ct = Ciphertext::from(&ct); Self::unwrap_file_key(&ss, &stanza.body)
})();
let ss = match self match result {
.identities Ok(file_key) => return Ok(file_key),
.iter() Err(message) => errors.push(identity::Error::Stanza {
.filter_map(|key| key.decapsulate(&ct).ok()) file_index,
.next() stanza_index,
{ message,
Some(ss) => ss, }),
None => { }
errors.push(identity::Error::Stanza {
file_index,
stanza_index,
message: "No identity found that can decrypt the file".to_string(),
});
continue;
}
};
let unwrapped_file_key = match aead_decrypt(&ss, FILE_KEY_BYTES, &stanza.body) {
Ok(file_key) => match file_key.try_into() {
Ok(key_bytes) => FileKey::new(Box::new(key_bytes)),
Err(_) => {
errors.push(identity::Error::Stanza {
file_index,
stanza_index,
message: format!(
"aead_decrypt returned a plaintext with a different size than {FILE_KEY_BYTES}"
),
});
continue;
}
},
Err(e) => {
errors.push(identity::Error::Stanza {
file_index,
stanza_index,
message: e.to_string(),
});
continue;
}
};
file_key = Some(unwrapped_file_key);
} }
if !errors.is_empty() { // If we get here, no stanza was successfully decrypted
return Err(errors); if errors.is_empty() {
Err(vec![identity::Error::Stanza {
file_index,
stanza_index: 0,
message: "No stanzas found to be handled by this plugin".to_string(),
}])
} else {
Err(errors)
} }
if let Some(file_key) = file_key {
return Ok(file_key);
}
Err(vec![identity::Error::Stanza {
file_index,
stanza_index: 0,
message: "No stanzas found to be handled by this plugin".to_string(),
}])
} }
} }
@@ -263,7 +224,7 @@ impl IdentityPluginV1 for IdentityPlugin {
if plugin_name != PLUGIN_NAME { if plugin_name != PLUGIN_NAME {
return Err(identity::Error::Identity { return Err(identity::Error::Identity {
index, index,
message: "This Identity should not be handled by this plugin".to_string(), message: "This identity should not be handled by this plugin".to_string(),
}); });
} }