qsl designer

internal/secret/secret.go

@@ -0,0 +1,116 @@
+// Package secret encrypts sensitive settings values (passwords) at rest with
+// AES-256-GCM, keyed by a PBKDF2 key derived from a user-chosen passphrase.
+//
+// The passphrase — not the machine — is the key source, so an encrypted
+// database stays portable: copy the data folder to another PC, re-enter the
+// passphrase there, and the secrets decrypt. Encryption is opt-in: until the
+// user sets a passphrase, values are stored in clear (no behaviour change).
+//
+// Encrypted values are prefixed "enc:v1:" so reads can tell ciphertext from a
+// legacy plaintext value and migrate transparently.
+package secret
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/pbkdf2"
+	"crypto/rand"
+	"crypto/sha256"
+	"crypto/subtle"
+	"encoding/base64"
+	"errors"
+	"strings"
+)
+
+// Prefix marks an encrypted value. Bump the version if the scheme changes.
+const Prefix = "enc:v1:"
+
+// verifierPlaintext is encrypted under the key and stored so a wrong passphrase
+// is detected on unlock (the decryption fails / mismatches) instead of silently
+// producing garbage secrets.
+const verifierPlaintext = "opslog-secret-verifier-v1"
+
+// pbkdf2Iter is the work factor. ~600k SHA-256 rounds ≈ sub-second derivation,
+// in line with current OWASP guidance for PBKDF2-HMAC-SHA256.
+const pbkdf2Iter = 600_000
+
+const keyLen = 32 // AES-256
+const saltLen = 16
+
+// NewSalt returns a fresh random salt to store alongside the verifier.
+func NewSalt() ([]byte, error) {
+	s := make([]byte, saltLen)
+	if _, err := rand.Read(s); err != nil {
+		return nil, err
+	}
+	return s, nil
+}
+
+// DeriveKey turns a passphrase + salt into the AES key.
+func DeriveKey(passphrase string, salt []byte) ([]byte, error) {
+	return pbkdf2.Key(sha256.New, passphrase, salt, pbkdf2Iter, keyLen)
+}
+
+// Cipher encrypts/decrypts individual values with the derived key.
+type Cipher struct{ gcm cipher.AEAD }
+
+// New builds a Cipher from a 32-byte key.
+func New(key []byte) (*Cipher, error) {
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, err
+	}
+	return &Cipher{gcm: gcm}, nil
+}
+
+// Encrypt returns "enc:v1:<base64(nonce||ciphertext)>".
+func (c *Cipher) Encrypt(plain string) string {
+	nonce := make([]byte, c.gcm.NonceSize())
+	if _, err := rand.Read(nonce); err != nil {
+		return plain // extremely unlikely; never silently corrupt by returning bad data
+	}
+	ct := c.gcm.Seal(nonce, nonce, []byte(plain), nil)
+	return Prefix + base64.StdEncoding.EncodeToString(ct)
+}
+
+// Decrypt reverses Encrypt. A value without the prefix is returned unchanged
+// (legacy plaintext). A malformed/forged value returns an error.
+func (c *Cipher) Decrypt(stored string) (string, error) {
+	if !strings.HasPrefix(stored, Prefix) {
+		return stored, nil
+	}
+	raw, err := base64.StdEncoding.DecodeString(stored[len(Prefix):])
+	if err != nil {
+		return "", err
+	}
+	ns := c.gcm.NonceSize()
+	if len(raw) < ns {
+		return "", errors.New("ciphertext too short")
+	}
+	pt, err := c.gcm.Open(nil, raw[:ns], raw[ns:], nil)
+	if err != nil {
+		return "", err
+	}
+	return string(pt), nil
+}
+
+// IsEncrypted reports whether a stored value is ciphertext.
+func IsEncrypted(v string) bool { return strings.HasPrefix(v, Prefix) }
+
+// MakeVerifier encrypts the known token so the passphrase can be validated later.
+func (c *Cipher) MakeVerifier() string { return c.Encrypt(verifierPlaintext) }
+
+// CheckVerifier returns true when c (derived from the entered passphrase)
+// decrypts the stored verifier back to the known token — i.e. the passphrase is
+// correct.
+func (c *Cipher) CheckVerifier(stored string) bool {
+	p, err := c.Decrypt(stored)
+	if err != nil {
+		return false
+	}
+	return subtle.ConstantTimeCompare([]byte(p), []byte(verifierPlaintext)) == 1
+}