Implement chpass command

jrick · jrick · commit 5b37a63efb28 · 2020-02-09T14:12:36.000-05:00
diff --git a/keyfile/keyfile.go b/keyfile/keyfile.go
@@ -29,6 +29,13 @@ type Argon2idParams struct {
 	Memory uint32
 }
 
+// Keyfields describes keyfile fields that must be preserved when a key is
+// reencrypted.
+type Keyfields struct {
+	Comment     string
+	Fingerprint string
+}
+
 // GenerateKeys generates a random Streamlined NTRU Prime 4591^761
 // public/secret key pair, writing the public key to pkw and secret key to skw.
 // The secret key is encrypted with ChaCha20-Poly1305 using a symmetric key
@@ -76,35 +83,68 @@ func GenerateKeys(rand io.Reader, pkw, skw io.Writer, passphrase []byte, kdfp *A
 
 	// Write secret key
 	buf.Reset()
+	kf := Keyfields{
+		Comment:     comment,
+		Fingerprint: fingerprint,
+	}
+	err = writeSecretKey(buf, sk, kf, skKey, salt, time, memory, ncpu)
+	if err != nil {
+		return "", err
+	}
+	_, err = io.Copy(skw, buf)
+	if err != nil {
+		return "", err
+	}
+
+	return fingerprint, nil
+}
+
+func writeSecretKey(buf *bytes.Buffer, sk *SecretKey, kf Keyfields, skKey []byte, salt []byte, time, memory uint32, threads uint8) error {
 	fmt.Fprintf(buf, "ss encryption secret key\n")
-	fmt.Fprintf(buf, "comment: %s\n", comment)
+	fmt.Fprintf(buf, "comment: %s\n", kf.Comment)
 	fmt.Fprintf(buf, "cryptosystem: sntrup4591761\n")
-	fmt.Fprintf(buf, "fingerprint: %s\n", fingerprint)
+	fmt.Fprintf(buf, "fingerprint: %s\n", kf.Fingerprint)
 	fmt.Fprintf(buf, "encryption: argon2id-chacha20-poly1305\n")
 	fmt.Fprintf(buf, "argon2id-salt: %s\n", base64.StdEncoding.EncodeToString(salt))
 	fmt.Fprintf(buf, "argon2id-time: %d\n", time)
 	fmt.Fprintf(buf, "argon2id-memory: %d\n", memory)
-	fmt.Fprintf(buf, "argon2id-threads: %d\n", ncpu)
+	fmt.Fprintf(buf, "argon2id-threads: %d\n", threads)
 	fmt.Fprintf(buf, "encoding: base64\n")
 	// Everything above is Associated Data
 	data := buf.Bytes()
 	fmt.Fprintf(buf, "\n")
 	aead, err := chacha20poly1305.New(skKey)
 	if err != nil {
-		return "", err
+		return err
 	}
 	nonce := make([]byte, aead.NonceSize())
 	skCiphertext := aead.Seal(nil, nonce, sk[:], data)
-	enc = base64.NewEncoder(base64.StdEncoding, buf)
+	enc := base64.NewEncoder(base64.StdEncoding, buf)
 	enc.Write(skCiphertext)
 	enc.Close()
 	fmt.Fprintf(buf, "\n")
-	_, err = io.Copy(skw, buf)
+	return nil
+}
+
+// EncryptSecretKey writes the secret key encrypted in keyfile format to skw.
+func EncryptSecretKey(rand io.Reader, skw io.Writer, sk *SecretKey, passphrase []byte, kdfp *Argon2idParams, kf Keyfields) error {
+	salt := make([]byte, saltsize)
+	_, err := rand.Read(salt)
 	if err != nil {
-		return "", err
+		return err
 	}
+	ncpu := uint8(runtime.NumCPU())
+	time := kdfp.Time
+	memory := kdfp.Memory
+	skKey := argon2.IDKey(passphrase, salt, time, memory, ncpu, chacha20poly1305.KeySize)
 
-	return fingerprint, nil
+	buf := new(bytes.Buffer)
+	err = writeSecretKey(buf, sk, kf, skKey, salt, time, memory, ncpu)
+	if err != nil {
+		return err
+	}
+	_, err = io.Copy(skw, buf)
+	return err
 }
 
 func readKeyFile(r io.Reader, firstLine string) (fields map[string]string, ad []byte, encodedKey string, err error) {
@@ -200,53 +240,60 @@ func ReadPublicKey(r io.Reader) (*PublicKey, error) {
 
 // OpenSecretKey reads and decrypts an encryted Streamlined NTRU Prime 4591^761
 // secret key in the keyfile format from r.
-func OpenSecretKey(r io.Reader, passphrase []byte) (*SecretKey, error) {
+func OpenSecretKey(r io.Reader, passphrase []byte) (_ *SecretKey, _ Keyfields, err error) {
+	e := func(err error) (*SecretKey, Keyfields, error) {
+		return nil, Keyfields{}, err
+	}
+
 	fields, keyAD, encodedSealedKey, err := readKeyFile(r, "ss encryption secret key")
 	if err != nil {
-		return nil, err
+		return
 	}
 	sealedKey, err := base64.StdEncoding.DecodeString(encodedSealedKey)
 	if err != nil {
-		return nil, err
+		return
 	}
 	err = requireFields(fields, map[string]string{
 		"cryptosystem": "sntrup4591761",
 		"encryption":   "argon2id-chacha20-poly1305",
 		"encoding":     "base64",
 	})
 	if err != nil {
-		return nil, err
+		return
 	}
 	salt, err := base64.StdEncoding.DecodeString(fields["argon2id-salt"])
 	if err != nil {
-		return nil, err
+		return
 	}
 	time, err := strconv.ParseUint(fields["argon2id-time"], 10, 32)
 	if err != nil {
-		return nil, fmt.Errorf("argon2id-time: %w", err)
+		return e(fmt.Errorf("argon2id-time: %w", err))
 	}
 	memory, err := strconv.ParseUint(fields["argon2id-memory"], 10, 32)
 	if err != nil {
-		return nil, fmt.Errorf("argon2id-memory: %w", err)
+		return e(fmt.Errorf("argon2id-memory: %w", err))
 	}
 	ncpu, err := strconv.ParseUint(fields["argon2id-threads"], 10, 8)
 	if err != nil {
-		return nil, fmt.Errorf("argon2id-threads: %w", err)
+		return e(fmt.Errorf("argon2id-threads: %w", err))
 	}
 	derivedKey := argon2.IDKey(passphrase, salt, uint32(time), uint32(memory), uint8(ncpu), chacha20poly1305.KeySize)
 	aead, err := chacha20poly1305.New(derivedKey)
 	if err != nil {
-		return nil, err
+		return
 	}
 	skNonce := make([]byte, aead.NonceSize())
 	key, err := aead.Open(sealedKey[:0], skNonce, sealedKey, keyAD)
 	if err != nil {
-		return nil, err
+		return
 	}
 	sk := new(SecretKey)
 	if len(key) != len(sk) {
-		return nil, fmt.Errorf("secret key has invalid length %d", len(key))
+		return e(fmt.Errorf("secret key has invalid length %d", len(key)))
 	}
 	copy(sk[:], key)
-	return sk, nil
+	var kf Keyfields
+	kf.Comment = fields["comment"]
+	kf.Fingerprint = fields["fingerprint"]
+	return sk, kf, nil
 }
diff --git a/ss.go b/ss.go
@@ -10,6 +10,7 @@ import (
 	"flag"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"log"
 	"os"
 	"os/user"
@@ -24,6 +25,7 @@ import (
 func usage() {
 	fmt.Fprintf(os.Stderr, `Usage of %s:
   %[1]s keygen [-i id] [-t time] [-m memory (MiB)] [-c comment]
+  %[1]s chpass [-i id] [-t time] [-m memory (MiB)]
   %[1]s encrypt [-i id|pubkey] [-in input] [-out output]
   %[1]s encrypt -passphrase [-in input] [-out output] [-t time] [-m memory (MiB)]
   %[1]s decrypt [-i id] [-in input] [-out output]
@@ -45,6 +47,9 @@ func main() {
 	case "keygen":
 		fs := new(keygenFlags).parse(os.Args[2:])
 		err = keygen(fs)
+	case "chpass":
+		fs := new(chpassFlags).parse(os.Args[2:])
+		err = chpass(fs)
 	case "encrypt":
 		fs := new(encryptFlags).parse(os.Args[2:])
 		encrypt(fs)
@@ -187,6 +192,104 @@ func keygen(fs *keygenFlags) (err error) {
 	return nil
 }
 
+type chpassFlags struct {
+	identity string
+	time     uint
+	memory   uint
+	force    bool
+	comment  string
+}
+
+func (f *chpassFlags) parse(args []string) *chpassFlags {
+	fs := flag.NewFlagSet("ss chpass", flag.ExitOnError)
+	fs.StringVar(&f.identity, "i", defaultID, "identity name")
+	fs.UintVar(&f.time, "t", defaultTime, "Argon2id time")
+	fs.UintVar(&f.memory, "m", defaultMemory, "Argon2id memory (MiB)")
+	fs.BoolVar(&f.force, "f", false, "force Argon2id key derivation despite low parameters")
+	fs.StringVar(&f.comment, "c", "", "comment")
+	fs.Parse(args)
+	return f
+}
+
+func chpass(fs *chpassFlags) error {
+	id := fs.identity
+	appdir := appdir()
+	skFilename := filepath.Join(appdir, id+".secret")
+	if _, err := os.Stat(skFilename); os.IsNotExist(err) {
+		return fmt.Errorf("%q not found", skFilename)
+	}
+	skFile, err := os.Open(skFilename)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	time := uint32(fs.time)
+	memory := uint32(fs.memory)
+	if memory < defaultMemory {
+		log.Printf("warning: recommended Argon2id memory parameter is %d MiB",
+			defaultMemory)
+		if !fs.force {
+			return errors.New("choose stronger parameters, use defaults, or force with -f")
+		}
+	}
+
+	prompt := fmt.Sprintf("Current passphrase for %s", skFilename)
+	passphrase, err := promptPassphrase(prompt)
+	if err != nil {
+		return err
+	}
+	if len(passphrase) == 0 {
+		return errors.New("empty passphrase")
+	}
+
+	sk, kf, err := keyfile.OpenSecretKey(skFile, passphrase)
+	if err != nil {
+		log.Printf("%s: %v", skFilename, err)
+		log.Fatal("The secret keyfile cannot be opened.  " +
+			"This may be due to keyfile tampering or an incorrect passphrase.")
+	}
+	skFile.Close()
+
+	prompt = "New passphrase"
+	passphrase, err = promptPassphrase(prompt)
+	if err != nil {
+		return err
+	}
+	if len(passphrase) == 0 {
+		return errors.New("empty passphrase")
+	}
+	prompt += " (again)"
+	passphraseAgain, err := promptPassphrase(prompt)
+	if err != nil {
+		return err
+	}
+	if !bytes.Equal(passphrase, passphraseAgain) {
+		return errors.New("passphrases do not match")
+	}
+
+	tmpDir, tmpBasename := filepath.Split(skFilename)
+	tmpFi, err := ioutil.TempFile(tmpDir, tmpBasename)
+	if err != nil {
+		return err
+	}
+	err = tmpFi.Chmod(0600)
+	if err != nil {
+		return err
+	}
+	kdfp := &keyfile.Argon2idParams{Time: time, Memory: memory * 1024}
+	err = keyfile.EncryptSecretKey(rand.Reader, tmpFi, sk, passphrase, kdfp, kf)
+	if err != nil {
+		return err
+	}
+	tmpFi.Close()
+	err = os.Rename(tmpFi.Name(), skFilename)
+	if err != nil {
+		return err
+	}
+	log.Printf("rewrite %v", skFilename)
+	return nil
+}
+
 type encryptFlags struct {
 	passphrase bool
 	time       uint
@@ -343,7 +446,7 @@ func decrypt(fs *decryptFlags) {
 		if err != nil {
 			log.Fatal(err)
 		}
-		sk, err := keyfile.OpenSecretKey(skFile, passphrase)
+		sk, _, err := keyfile.OpenSecretKey(skFile, passphrase)
 		if err != nil {
 			log.Printf("%s: %v", skFilename, err)
 			log.Fatal("The secret keyfile cannot be opened.  " +
