Mike/pop
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e499d16b7c22b4a697e8c5e08959cfb522cf4424
pop/internal/mail/pgp.go
Senior Engineer e499d16b7c FRE-681: Fix code review findings - body flag, PGP encryption, passphrase handling 
- cmd/mail.go: Fix duplicate --body/--body-file flag binding (both used bodyFile)
- internal/mail/client.go: Add PGP encryption to Send via EncryptBody, add passphrase to MoveToTrash and SendDraft
- internal/mail/pgp.go: Store armored private key, add getUnlockedKeyRing helper,
  fix Decrypt/SignData/EncryptAndSign/DecryptAttachment to use passphrase via key.Unlock
- internal/mail/pgp.go: Add EncryptBody method for Send encryption with sender key
- cmd/draft.go: Update SendDraft call to include passphrase parameter
2026-04-28 10:08:33 -04:00

265 lines
7.2 KiB
Go
Raw Blame History

package mail
import (
"crypto/rand"
"fmt"
"github.com/ProtonMail/gopenpgp/v2/crypto"
)
type PGPKeyRing struct {
PrivateKey *crypto.Key
PublicKey []byte
PrivateKeyData string
}
type PGPService struct {
keyRing *PGPKeyRing
}
func NewPGPService(privateKeyArmored string) (*PGPService, error) {
privateKey, err := crypto.NewKeyFromArmored(privateKeyArmored)
if err != nil {
return nil, fmt.Errorf("failed to parse private key: %w", err)
}
publicKey, err := privateKey.GetPublicKey()
if err != nil {
return nil, fmt.Errorf("failed to extract public key: %w", err)
}
return &PGPService{
keyRing: &PGPKeyRing{
PrivateKey: privateKey,
PublicKey: publicKey,
PrivateKeyData: privateKeyArmored,
},
}, nil
}
func (s *PGPService) Encrypt(plaintext string, recipientPublicKey *crypto.Key) (string, error) {
pgpMessage := crypto.NewPlainMessage([]byte(plaintext))
recipientKeyRing, err := crypto.NewKeyRing(recipientPublicKey)
if err != nil {
return "", fmt.Errorf("failed to create recipient key ring: %w", err)
}
encrypted, err := recipientKeyRing.Encrypt(pgpMessage, nil)
if err != nil {
return "", fmt.Errorf("failed to encrypt: %w", err)
}
armored, err := encrypted.GetArmored()
if err != nil {
return "", fmt.Errorf("failed to armor encrypted message: %w", err)
}
return armored, nil
}
func (s *PGPService) EncryptBody(plaintext string, passphrase string) (string, error) {
pgpMessage := crypto.NewPlainMessage([]byte(plaintext))
pubKeyBytes, err := s.keyRing.PrivateKey.GetPublicKey()
if err != nil {
return "", fmt.Errorf("failed to get public key: %w", err)
}
pubKey, err := crypto.NewKeyFromArmored(string(pubKeyBytes))
if err != nil {
return "", fmt.Errorf("failed to parse public key: %w", err)
}
recipientKeyRing, err := crypto.NewKeyRing(pubKey)
if err != nil {
return "", fmt.Errorf("failed to create encryption key ring: %w", err)
}
signingKeyRing, err := s.getUnlockedKeyRing(passphrase)
if err != nil {
return "", fmt.Errorf("failed to create signing key ring: %w", err)
}
encrypted, err := recipientKeyRing.Encrypt(pgpMessage, signingKeyRing)
if err != nil {
return "", fmt.Errorf("failed to encrypt body: %w", err)
}
armored, err := encrypted.GetArmored()
if err != nil {
return "", fmt.Errorf("failed to armor encrypted body: %w", err)
}
return armored, nil
}
func (s *PGPService) EncryptAndSign(plaintext string, recipientPublicKey *crypto.Key, passphrase string) (string, error) {
pgpMessage := crypto.NewPlainMessage([]byte(plaintext))
recipientKeyRing, err := crypto.NewKeyRing(recipientPublicKey)
if err != nil {
return "", fmt.Errorf("failed to create recipient key ring: %w", err)
}
signingKeyRing, err := s.getUnlockedKeyRing(passphrase)
if err != nil {
return "", fmt.Errorf("failed to create signing key ring: %w", err)
}
encrypted, err := recipientKeyRing.Encrypt(pgpMessage, signingKeyRing)
if err != nil {
return "", fmt.Errorf("failed to encrypt and sign: %w", err)
}
armored, err := encrypted.GetArmored()
if err != nil {
return "", fmt.Errorf("failed to armor encrypted message: %w", err)
}
return armored, nil
}
func (s *PGPService) getUnlockedKeyRing(passphrase string) (*crypto.KeyRing, error) {
key, err := crypto.NewKeyFromArmored(s.keyRing.PrivateKeyData)
if err != nil {
return nil, fmt.Errorf("failed to parse private key: %w", err)
}
if passphrase != "" {
unlockedKey, err := key.Unlock([]byte(passphrase))
if err != nil {
return nil, fmt.Errorf("failed to unlock private key: %w", err)
}
key = unlockedKey
}
return crypto.NewKeyRing(key)
}
func (s *PGPService) Decrypt(encrypted string, passphrase string) (string, error) {
pgpMessage, err := crypto.NewPGPMessageFromArmored(encrypted)
if err != nil {
return "", fmt.Errorf("failed to parse encrypted message: %w", err)
}
decryptionKeyRing, err := s.getUnlockedKeyRing(passphrase)
if err != nil {
return "", fmt.Errorf("failed to create decryption key ring: %w", err)
}
decrypted, err := decryptionKeyRing.Decrypt(pgpMessage, nil, 0)
if err != nil {
return "", fmt.Errorf("failed to decrypt: %w", err)
}
return decrypted.GetString(), nil
}
func (s *PGPService) GenerateKeyPair(email string, passphrase string) (privateKey, publicKey string, err error) {
key, err := crypto.GenerateKey(email, passphrase, "RSA", 4096)
if err != nil {
return "", "", fmt.Errorf("failed to generate key pair: %w", err)
}
privateArmor, err := key.Armor()
if err != nil {
return "", "", fmt.Errorf("failed to armor private key: %w", err)
}
pubKeyBytes, err := key.GetPublicKey()
if err != nil {
return "", "", fmt.Errorf("failed to extract public key: %w", err)
}
pubArmor := string(pubKeyBytes)
return privateArmor, pubArmor, nil
}
func (s *PGPService) GetFingerprint() (string, error) {
if s.keyRing == nil || s.keyRing.PrivateKey == nil {
return "", fmt.Errorf("no key ring available")
}
fingerprint := s.keyRing.PrivateKey.GetFingerprint()
return fingerprint, nil
}
func (s *PGPService) SignData(data []byte, passphrase string) (string, error) {
pgpMessage := crypto.NewPlainMessage(data)
signingKeyRing, err := s.getUnlockedKeyRing(passphrase)
if err != nil {
return "", fmt.Errorf("failed to create signing key ring: %w", err)
}
signed, err := signingKeyRing.SignDetached(pgpMessage)
if err != nil {
return "", fmt.Errorf("failed to sign data: %w", err)
}
armored, err := signed.GetArmored()
if err != nil {
return "", fmt.Errorf("failed to armor signed data: %w", err)
}
return armored, nil
}
func (s *PGPService) EncryptAttachment(data []byte, recipientPublicKey *crypto.Key) (*Attachment, error) {
symKey := make([]byte, 32)
if _, err := rand.Read(symKey); err != nil {
return nil, fmt.Errorf("failed to generate symmetric key: %w", err)
}
pgpMessage := crypto.NewPlainMessage(data)
sk, err := crypto.NewSessionKeyFromToken(symKey, "AES256").Encrypt(pgpMessage)
if err != nil {
return nil, fmt.Errorf("failed to encrypt attachment: %w", err)
}
// Encrypt the symmetric key with recipient's public key
recipientKeyRing, err := crypto.NewKeyRing(recipientPublicKey)
if err != nil {
return nil, fmt.Errorf("failed to create recipient key ring: %w", err)
}
encryptedSymKey, err := recipientKeyRing.EncryptSessionKey(
crypto.NewSessionKeyFromToken(symKey, "AES256"),
)
if err != nil {
return nil, fmt.Errorf("failed to encrypt symmetric key: %w", err)
}
return &Attachment{
DataEnc: string(sk),
Keys: []AttachmentKey{{
DataEnc: string(encryptedSymKey),
}},
}, nil
}
func (s *PGPService) DecryptAttachment(attachment *Attachment, passphrase string) ([]byte, error) {
if len(attachment.Keys) == 0 {
return nil, fmt.Errorf("no keys available for attachment decryption")
}
decryptionKeyRing, err := s.getUnlockedKeyRing(passphrase)
if err != nil {
return nil, fmt.Errorf("failed to create decryption key ring: %w", err)
}
sk, err := decryptionKeyRing.DecryptSessionKey([]byte(attachment.Keys[0].DataEnc))
if err != nil {
return nil, fmt.Errorf("failed to decrypt symmetric key: %w", err)
}
decrypted, err := sk.Decrypt([]byte(attachment.DataEnc))
if err != nil {
return nil, fmt.Errorf("failed to decrypt attachment: %w", err)
}
return decrypted.GetBinary(), nil
}
Reference in New Issue View Git Blame Copy Permalink