libsignify_rs/

file.rs

//
// signify-rs: cryptographically sign and verify files
// lib/src/file.rs: File utility functions
//
// Copyright (c) 2025, 2026 Ali Polatel <alip@chesswob.org>
// Based in part upon OpenBSD's signify which is:
//   Copyright (c) 2013 Ted Unangst <tedu@openbsd.org>
//   Copyright (c) 2016 Marc Espie <espie@openbsd.org>
//   Copyright (c) 2019 Adrian Perez de Castro <aperez@igalia.com>
//   Copyright (c) 2019 Scott Bennett and other contributors
//   SPDX-License-Identifier: ISC
//
// SPDX-License-Identifier: ISC

use crate::crypto::{CHECKSUM_LEN, KDFALG, KEYNUMLEN, PKALG, SALT_LEN};
use crate::error::{Error, Result};
use base64ct::{Base64, Encoding as _};
use core::str;
use memchr::memchr;
use static_assertions::assert_eq_size;
use std::fs::File;
use std::fs::OpenOptions;
use std::io::stdin;
use std::io::stdout;
use std::io::{Read, Write};
use std::path::Path;
use zeroize::Zeroize;
use zeroize::Zeroizing;

/// Untrusted comment header.
pub const COMMENTHDR: &str = "untrusted comment: ";
/// Max comment length.
pub const MAX_COMMENT_LEN: usize = 1024;

/// Encrypted secret key structure.
///
/// Stores the encrypted secret key along with KDF parameters and checksums.
#[repr(C)]
#[derive(Debug)]
pub struct EncKey {
    /// Public key algorithm (must be "Ed").
    pub pkalg: [u8; 2],
    /// KDF algorithm (must be "BK").
    pub kdfalg: [u8; 2],
    /// Number of KDF rounds.
    pub kdfrounds: u32,
    /// Salt for KDF.
    pub salt: [u8; SALT_LEN],
    /// Checksum of the decrypted key.
    pub checksum: [u8; CHECKSUM_LEN],
    /// Key ID (`KeyNum`).
    pub keynum: [u8; KEYNUMLEN],
    /// Encrypted secret key data.
    pub seckey: Zeroizing<[u8; 64]>,
}

impl Zeroize for EncKey {
    fn zeroize(&mut self) {
        self.pkalg.zeroize();
        self.kdfalg.zeroize();
        self.kdfrounds.zeroize();
        self.salt.zeroize();
        self.checksum.zeroize();
        self.keynum.zeroize();
        self.seckey.zeroize();
    }
}

impl Drop for EncKey {
    fn drop(&mut self) {
        self.zeroize();
    }
}

/// Public key structure.
#[repr(C)]
#[derive(Debug, Clone, Copy)]
pub struct PubKey {
    /// Public key algorithm (must be "Ed").
    pub pkalg: [u8; 2],
    /// Key ID (`KeyNum`).
    pub keynum: [u8; KEYNUMLEN],
    /// Public key data.
    pub pubkey: [u8; 32],
}

/// Signature structure.
#[derive(Debug, Clone, Copy)]
pub struct Sig {
    /// Public key algorithm (must be "Ed").
    pub pkalg: [u8; 2],
    /// Key ID (`KeyNum`).
    pub keynum: [u8; KEYNUMLEN],
    /// Signature data.
    pub sig: [u8; 64],
}

impl EncKey {
    /// Parse `EncKey` from raw bytes.
    ///
    /// # Errors
    ///
    /// Returns `Error::InvalidKeyLength` if byte length is incorrect.
    /// Returns `Error::UnsupportedPkAlgo` if algorithm is not Ed.
    /// Returns `Error::UnsupportedKdfAlgo` if algorithm is not BK.
    pub fn from_bytes(bytes: &[u8]) -> Result<Self> {
        let pkalg = bytes
            .get(0..2)
            .ok_or(Error::InvalidKeyLength)?
            .try_into()
            .map_err(|_e| Error::InvalidKeyLength)?;
        let kdfalg = bytes
            .get(2..4)
            .ok_or(Error::InvalidKeyLength)?
            .try_into()
            .map_err(|_e| Error::InvalidKeyLength)?;
        let kdfrounds_bytes = bytes.get(4..8).ok_or(Error::InvalidKeyLength)?;
        let kdfrounds = u32::from_be_bytes(
            kdfrounds_bytes
                .try_into()
                .map_err(|_e| Error::InvalidKeyLength)?,
        );
        let salt = bytes
            .get(8..24)
            .ok_or(Error::InvalidKeyLength)?
            .try_into()
            .map_err(|_e| Error::InvalidKeyLength)?;
        let checksum = bytes
            .get(24..32)
            .ok_or(Error::InvalidKeyLength)?
            .try_into()
            .map_err(|_e| Error::InvalidKeyLength)?;
        let keynum = bytes
            .get(32..40)
            .ok_or(Error::InvalidKeyLength)?
            .try_into()
            .map_err(|_e| Error::InvalidKeyLength)?;
        let seckey = Zeroizing::new(
            bytes
                .get(40..104)
                .ok_or(Error::InvalidKeyLength)?
                .try_into()
                .map_err(|_e| Error::InvalidKeyLength)?,
        );

        // Strict length check
        if bytes.len() != 104 {
            return Err(Error::InvalidKeyLength);
        }

        if pkalg != PKALG {
            return Err(Error::UnsupportedPkAlgo);
        }
        if kdfalg != KDFALG {
            return Err(Error::UnsupportedKdfAlgo);
        }

        Ok(Self {
            pkalg,
            kdfalg,
            kdfrounds,
            salt,
            checksum,
            keynum,
            seckey,
        })
    }

    /// Serialize `EncKey` to raw bytes.
    #[must_use]
    pub fn to_bytes(&self) -> Zeroizing<Vec<u8>> {
        let mut out = Zeroizing::new(Vec::with_capacity(104));
        out.extend_from_slice(&self.pkalg);
        out.extend_from_slice(&self.kdfalg);
        out.extend_from_slice(&self.kdfrounds.to_be_bytes());
        out.extend_from_slice(&self.salt);
        out.extend_from_slice(&self.checksum);
        out.extend_from_slice(&self.keynum);
        out.extend_from_slice(self.seckey.as_ref());
        out
    }
}

impl PubKey {
    /// Parse `PubKey` from bytes.
    ///
    /// # Errors
    ///
    /// Returns `Error::InvalidKeyLength` if byte length is incorrect.
    /// Returns `Error::UnsupportedPkAlgo` if algorithm is not Ed.
    pub fn from_bytes(bytes: &[u8]) -> Result<Self> {
        let pkalg = bytes
            .get(0..2)
            .ok_or(Error::InvalidKeyLength)?
            .try_into()
            .map_err(|_e| Error::InvalidKeyLength)?;
        let keynum = bytes
            .get(2..10)
            .ok_or(Error::InvalidKeyLength)?
            .try_into()
            .map_err(|_e| Error::InvalidKeyLength)?;
        let pubkey = bytes
            .get(10..42)
            .ok_or(Error::InvalidKeyLength)?
            .try_into()
            .map_err(|_e| Error::InvalidKeyLength)?;

        if bytes.len() != 42 {
            return Err(Error::InvalidKeyLength);
        }

        if pkalg != PKALG {
            return Err(Error::UnsupportedPkAlgo);
        }

        Ok(Self {
            pkalg,
            keynum,
            pubkey,
        })
    }

    /// Serialize `PubKey` to bytes.
    #[must_use]
    pub fn to_bytes(&self) -> Vec<u8> {
        let mut out = Vec::with_capacity(42);
        out.extend_from_slice(&self.pkalg);
        out.extend_from_slice(&self.keynum);
        out.extend_from_slice(&self.pubkey);
        out
    }
}

impl Sig {
    /// Parse `Sig` from bytes.
    ///
    /// # Errors
    ///
    /// Returns `Error::InvalidKeyLength` if byte length is incorrect.
    /// Returns `Error::UnsupportedPkAlgo` if algorithm is not Ed.
    pub fn from_bytes(bytes: &[u8]) -> Result<Self> {
        let pkalg = bytes
            .get(0..2)
            .ok_or(Error::InvalidKeyLength)?
            .try_into()
            .map_err(|_e| Error::InvalidKeyLength)?;
        let keynum = bytes
            .get(2..10)
            .ok_or(Error::InvalidKeyLength)?
            .try_into()
            .map_err(|_e| Error::InvalidKeyLength)?;
        let sig = bytes
            .get(10..74)
            .ok_or(Error::InvalidKeyLength)?
            .try_into()
            .map_err(|_e| Error::InvalidKeyLength)?;

        if bytes.len() != 74 {
            return Err(Error::InvalidKeyLength);
        }

        if pkalg != PKALG {
            return Err(Error::UnsupportedPkAlgo);
        }

        Ok(Self { pkalg, keynum, sig })
    }

    /// Serialize `Sig` to bytes.
    #[must_use]
    pub fn to_bytes(&self) -> Vec<u8> {
        let mut out = Vec::with_capacity(74);
        out.extend_from_slice(&self.pkalg);
        out.extend_from_slice(&self.keynum);
        out.extend_from_slice(&self.sig);
        out
    }
}

/// Parse a signify file from a stream.
///
/// Reads from `reader`, parses the OpenBSD-compatible format
/// (comment line + base64 line), and decodes the object using `parse_fn`.
///
/// # Errors
///
/// Returns `Error::Io` if file cannot be read.
/// Returns `Error::InvalidCommentHeader` if header is missing or malformed.
/// Returns `Error::InvalidSignatureUtf8` if base64 is invalid utf8.
/// Returns `Error::Base64Decode` if decoding fails.
/// Returns various errors from `parse_fn`.
pub fn parse_stream<F, R, T>(mut reader: R, parse_fn: F) -> Result<(T, Vec<u8>)>
where
    R: Read,
    F: Fn(&[u8]) -> Result<T>,
{
    // Bounded read for header (comment + base64).
    // Keys are small (104 bytes encoded ~ 140 bytes + comment).
    // Signatures are small (74 bytes encoded ~ 100 bytes + comment).
    // 4KB is generous.
    const HEADER_LIMIT: usize = 4096;
    let mut header_buf = vec![0_u8; HEADER_LIMIT];

    // Read up to HEADER_LIMIT.
    let mut total_read = 0;
    while total_read < HEADER_LIMIT {
        let n = reader
            .read(&mut header_buf[total_read..])
            .map_err(Error::Io)?;
        if n == 0 {
            break;
        }
        total_read = total_read.checked_add(n).ok_or(Error::Overflow)?;
    }
    header_buf.truncate(total_read);

    // Find first newline.
    let n1 = memchr(b'\n', &header_buf).ok_or(Error::InvalidCommentHeader)?;
    let header_bytes = &header_buf[..n1];

    // Strict verify prefix.
    let prefix = COMMENTHDR.as_bytes();
    if !header_bytes.starts_with(prefix) {
        return Err(Error::InvalidCommentHeader);
    }
    let comment = header_bytes[prefix.len()..].to_vec();

    let n2_start = n1.checked_add(1).ok_or(Error::Overflow)?;
    let n2 = memchr(b'\n', &header_buf[n2_start..])
        .unwrap_or_else(|| header_buf.len().saturating_sub(n2_start));

    let b64_start = n2_start;
    let b64_end = b64_start.checked_add(n2).ok_or(Error::Overflow)?;

    if b64_end > header_buf.len() {
        return Err(Error::InvalidCommentHeader);
    }

    let b64_bytes = &header_buf[b64_start..b64_end];

    // Base64 decode.
    let b64_str = str::from_utf8(b64_bytes).map_err(|_e| Error::InvalidSignatureUtf8)?;
    let decoded = Base64::decode_vec(b64_str.trim()).map_err(Error::Base64Decode)?;

    let obj = parse_fn(&decoded)?;
    Ok((obj, comment))
}

/// Parse a signify file.
///
/// Reads file at `path` (or stdin if "-"), parses the OpenBSD-compatible format
/// (comment line + base64 line), and decodes the object using `parse_fn`.
///
/// # Errors
///
/// Returns `Error::Io` if file cannot be read.
/// Returns `Error::InvalidCommentHeader` if header is missing or malformed.
/// Returns `Error::InvalidSignatureUtf8` if base64 is invalid utf8.
/// Returns `Error::Base64Decode` if decoding fails.
/// Returns various errors from `parse_fn`.
pub fn parse<T, F>(path: &Path, parse_fn: F) -> Result<(T, Vec<u8>)>
where
    F: Fn(&[u8]) -> Result<T>,
{
    let reader: Box<dyn Read> = if path.to_str() == Some("-") {
        Box::new(stdin())
    } else {
        Box::new(open(path, false)?)
    };

    parse_stream(reader, parse_fn)
}

/// Write a signify file to a stream.
///
/// Writes `comment` and base64-encoded `data` to `writer`.
///
/// # Errors
///
/// Returns `Error::Io` on write failure.
pub fn write_stream(mut writer: impl Write, comment: &[u8], data: &[u8]) -> Result<()> {
    let encoded = Base64::encode_string(data);

    let mut content = Vec::new();
    content.extend_from_slice(COMMENTHDR.as_bytes());
    content.extend_from_slice(comment);
    content.push(b'\n');
    content.extend_from_slice(encoded.as_bytes());
    content.push(b'\n');

    writer.write_all(&content).map_err(Error::Io)?;
    Ok(())
}

/// Write a signify file.
///
/// Writes `comment` and base64-encoded `data` to `path` (or stdout if "-").
///
/// # Errors
///
/// Returns `Error::Io` on file creation or write failure.
pub fn write(path: &Path, comment: &[u8], data: &[u8]) -> Result<()> {
    let writer: Box<dyn Write> = if path.to_str() == Some("-") {
        Box::new(stdout())
    } else {
        Box::new(open(path, true)?)
    };

    write_stream(writer, comment, data)
}

/// Open a file for read or write.
///
/// If `write` the file is created new with mode 600.
pub fn open(path: &Path, write: bool) -> Result<File> {
    let mut opts = OpenOptions::new();
    if write {
        opts.write(true).create_new(true);
        #[cfg(unix)]
        {
            use std::os::unix::fs::OpenOptionsExt;
            opts.mode(0o600);
        }
    } else {
        opts.read(true);
    }

    opts.open(path).map_err(Error::Io)
}

assert_eq_size!(EncKey, [u8; 104]);
assert_eq_size!(PubKey, [u8; 42]);
assert_eq_size!(Sig, [u8; 74]);

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_enckey_serialization() -> crate::error::Result<()> {
        let enc = EncKey {
            pkalg: PKALG,
            kdfalg: KDFALG,
            kdfrounds: 42,
            salt: [1u8; SALT_LEN],
            checksum: [2u8; CHECKSUM_LEN],
            keynum: [3u8; KEYNUMLEN],
            seckey: Zeroizing::new([4u8; 64]),
        };
        let bytes = enc.to_bytes();
        let enc2 = EncKey::from_bytes(&bytes)?;
        assert_eq!(enc.kdfrounds, enc2.kdfrounds);
        assert_eq!(enc.salt, enc2.salt);

        // Test invalid lengths.
        assert!(matches!(
            EncKey::from_bytes(&bytes[..103]),
            Err(Error::InvalidKeyLength)
        ));

        let mut long = bytes.clone();
        long.push(0);
        assert!(matches!(
            EncKey::from_bytes(&long),
            Err(Error::InvalidKeyLength)
        ));

        // Test bad PKALG.
        let mut bad_alg = bytes.clone();
        bad_alg[0] = b'X';
        assert!(matches!(
            EncKey::from_bytes(&bad_alg),
            Err(Error::UnsupportedPkAlgo)
        ));

        // Test bad KDFALG.
        let mut bad_kdf = bytes.clone();
        bad_kdf[2] = b'X';
        assert!(matches!(
            EncKey::from_bytes(&bad_kdf),
            Err(Error::UnsupportedKdfAlgo)
        ));

        Ok(())
    }

    #[test]
    fn test_pubkey_serialization() -> crate::error::Result<()> {
        let pubk = PubKey {
            pkalg: PKALG,
            keynum: [1u8; KEYNUMLEN],
            pubkey: [2u8; 32],
        };
        let bytes = pubk.to_bytes();
        let pubk2 = PubKey::from_bytes(&bytes)?;
        assert_eq!(pubk.keynum, pubk2.keynum);

        // Test invalid lengths.
        assert!(matches!(
            PubKey::from_bytes(&bytes[..41]),
            Err(Error::InvalidKeyLength)
        ));
        let mut long = bytes.clone();
        long.push(0);
        assert!(matches!(
            PubKey::from_bytes(&long),
            Err(Error::InvalidKeyLength)
        ));

        // Test bad PKALG.
        let mut bad_alg = bytes.clone();
        bad_alg[0] = b'X';
        assert!(matches!(
            PubKey::from_bytes(&bad_alg),
            Err(Error::UnsupportedPkAlgo)
        ));

        Ok(())
    }

    #[test]
    fn test_sig_serialization() -> crate::error::Result<()> {
        let sig = Sig {
            pkalg: PKALG,
            keynum: [1u8; KEYNUMLEN],
            sig: [0u8; 64],
        };
        let bytes = sig.to_bytes();
        let sig2 = Sig::from_bytes(&bytes)?;
        assert_eq!(sig.keynum, sig2.keynum);

        // Test invalid lengths.
        assert!(matches!(
            Sig::from_bytes(&bytes[..73]),
            Err(Error::InvalidKeyLength)
        ));

        let mut long = bytes.clone();
        long.push(0);
        assert!(matches!(
            Sig::from_bytes(&long),
            Err(Error::InvalidKeyLength)
        ));

        // Test bad PKALG.
        let mut bad_alg = bytes.clone();
        bad_alg[0] = b'X';
        assert!(matches!(
            Sig::from_bytes(&bad_alg),
            Err(Error::UnsupportedPkAlgo)
        ));

        Ok(())
    }

    #[test]
    #[cfg_attr(any(target_arch = "wasm32", target_arch = "wasm64"), ignore)]
    fn test_file_io() -> std::result::Result<(), Box<dyn std::error::Error>> {
        let dir = tempfile::tempdir()?;
        let path = dir.path().join("secret.key");
        let data = b"secret data";

        write(&path, b"mycomment", data)?;

        let (read_data, comment) = parse::<Vec<u8>, _>(&path, |b| Ok(b.to_vec()))?;
        assert_eq!(read_data, data);
        assert_eq!(comment, b"mycomment");

        // Test missing file.
        let missing = dir.path().join("missing");
        assert!(matches!(
            parse::<Vec<u8>, _>(&missing, |_| Ok(vec![])),
            Err(Error::Io(_))
        ));

        // Test invalid prefix.
        let bad_prefix = dir.path().join("bad_prefix");
        let mut f = OpenOptions::new()
            .write(true)
            .create_new(true)
            .open(&bad_prefix)?;
        f.write_all(b"invalid header\n")?;
        assert!(matches!(
            parse::<Vec<u8>, _>(&bad_prefix, |_| Ok(vec![])),
            Err(Error::InvalidCommentHeader)
        ));

        // Test missing newline.
        let no_newline = dir.path().join("no_newline");
        let mut f = OpenOptions::new()
            .write(true)
            .create_new(true)
            .open(&no_newline)?;
        f.write_all(b"untrusted comment: foo")?;
        assert!(matches!(
            parse::<Vec<u8>, _>(&no_newline, |_| Ok(vec![])),
            Err(Error::InvalidCommentHeader)
        ));

        // Test invalid base64 (not utf8).
        // Create valid structure first.
        // Overwrite base64 part with garbage.
        let bad_utf8 = dir.path().join("bad_utf8");
        write(&bad_utf8, b"comment", b"")?;
        let mut f = OpenOptions::new().write(true).open(&bad_utf8)?;
        f.write_all(b"untrusted comment: comment\n\xFF\xFF\n")?;
        assert!(matches!(
            parse::<Vec<u8>, _>(&bad_utf8, |_| Ok(vec![])),
            Err(Error::InvalidSignatureUtf8)
        ));

        Ok(())
    }
}