dugout 0.1.10

Git-native secrets manager for development teams, written in Rust
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160

//! Age encryption backend implementation.
//!
//! Provides encryption/decryption using the age format with x25519 keys
//! and ASCII armor encoding.

use std::io::{Read, Write};

/// Maximum size for decrypted content (10 MB).
/// Prevents memory exhaustion from maliciously crafted ciphertext.
const MAX_DECRYPT_SIZE: u64 = 10 * 1024 * 1024;

use ::age::x25519;
use tracing::trace;

use super::Cipher;
use crate::error::{CipherError, Result};

/// Age-based cryptographic backend using x25519 keys
pub struct Age;

impl Cipher for Age {
    type Recipient = x25519::Recipient;
    type Identity = x25519::Identity;

    fn name(&self) -> &'static str {
        "age"
    }

    fn encrypt(&self, plaintext: &str, recipients: &[x25519::Recipient]) -> Result<String> {
        trace!(
            recipients = recipients.len(),
            plaintext_len = plaintext.len(),
            "encrypting"
        );

        let encryptor =
            age::Encryptor::with_recipients(recipients.iter().map(|r| r as &dyn age::Recipient))
                .map_err(|e| CipherError::EncryptionFailed(format!("{}", e)))?;

        let mut encrypted = Vec::new();
        let mut writer = encryptor
            .wrap_output(age::armor::ArmoredWriter::wrap_output(
                &mut encrypted,
                age::armor::Format::AsciiArmor,
            )?)
            .map_err(|e| CipherError::EncryptionFailed(format!("{}", e)))?;

        writer.write_all(plaintext.as_bytes())?;
        let armored = writer
            .finish()
            .map_err(|e| CipherError::EncryptionFailed(format!("{}", e)))?;
        armored
            .finish()
            .map_err(|e| CipherError::ArmorFailed(format!("{}", e)))?;

        trace!(ciphertext_len = encrypted.len(), "encrypted");

        String::from_utf8(encrypted)
            .map_err(|e| CipherError::EncryptionFailed(format!("UTF-8 error: {}", e)).into())
    }

    fn decrypt(&self, encrypted: &str, identity: &x25519::Identity) -> Result<String> {
        trace!(ciphertext_len = encrypted.len(), "decrypting");

        let reader = age::armor::ArmoredReader::new(encrypted.as_bytes());
        let decryptor = age::Decryptor::new(reader)
            .map_err(|e| CipherError::DecryptionFailed(format!("{}", e)))?;

        let mut decrypted = Vec::new();
        let reader = decryptor
            .decrypt(std::iter::once(identity as &dyn age::Identity))
            .map_err(|e| CipherError::DecryptionFailed(format!("{}", e)))?;

        // Limit read size to prevent memory exhaustion from malicious ciphertext
        reader
            .take(MAX_DECRYPT_SIZE + 1)
            .read_to_end(&mut decrypted)?;

        if decrypted.len() as u64 > MAX_DECRYPT_SIZE {
            return Err(CipherError::DecryptionFailed(format!(
                "decrypted content exceeds {} byte limit",
                MAX_DECRYPT_SIZE
            ))
            .into());
        }

        trace!(plaintext_len = decrypted.len(), "decrypted");

        String::from_utf8(decrypted)
            .map_err(|e| CipherError::DecryptionFailed(format!("UTF-8 error: {}", e)).into())
    }
}

/// Parse a public key string into an age recipient
///
/// # Errors
///
/// Returns `CipherError::InvalidPublicKey` if the key format is invalid.
pub fn parse_recipient(key: &str) -> Result<x25519::Recipient> {
    key.parse::<x25519::Recipient>()
        .map_err(|_| CipherError::InvalidPublicKey(key.to_string()).into())
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_encrypt_decrypt_roundtrip() {
        let cipher = Age;
        let identity = x25519::Identity::generate();
        let recipient = identity.to_public();

        let plaintext = "Hello, World!";
        let encrypted = cipher.encrypt(plaintext, &[recipient]).unwrap();

        assert_ne!(encrypted, plaintext);
        assert!(encrypted.contains("-----BEGIN AGE ENCRYPTED FILE-----"));

        let decrypted = cipher.decrypt(&encrypted, &identity).unwrap();
        assert_eq!(decrypted, plaintext);
    }

    #[test]
    fn test_encrypt_decrypt_large_payload() {
        let cipher = Age;
        let identity = x25519::Identity::generate();
        let recipient = identity.to_public();

        // Create a large payload (10KB)
        let plaintext = "A".repeat(10_000);
        let encrypted = cipher.encrypt(&plaintext, &[recipient]).unwrap();

        let decrypted = cipher.decrypt(&encrypted, &identity).unwrap();
        assert_eq!(decrypted, plaintext);
        assert_eq!(decrypted.len(), 10_000);
    }

    #[test]
    fn test_encrypt_with_multiple_recipients() {
        let cipher = Age;

        let identity1 = x25519::Identity::generate();
        let identity2 = x25519::Identity::generate();
        let recipient1 = identity1.to_public();
        let recipient2 = identity2.to_public();

        let plaintext = "Shared secret";
        let encrypted = cipher
            .encrypt(plaintext, &[recipient1, recipient2])
            .unwrap();

        // Both identities should be able to decrypt
        let decrypted1 = cipher.decrypt(&encrypted, &identity1).unwrap();
        assert_eq!(decrypted1, plaintext);

        let decrypted2 = cipher.decrypt(&encrypted, &identity2).unwrap();
        assert_eq!(decrypted2, plaintext);
    }
}