tenseleyflow/shithub / 71d3178

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package sealbox

+

+import (

+	"golang.org/x/crypto/curve25519"

+)

+

+// derivePublic computes the X25519 public key from a 32-byte private

+// key. NaCl's box package doesn't expose this directly when loading a

+// pre-existing private key (only `GenerateKey` returns both halves);

+// we use curve25519.X25519 against the basepoint to derive.

+func derivePublic(pub, priv *[32]byte) error {

+	out, err := curve25519.X25519(priv[:], curve25519.Basepoint)

+	if err != nil {

+		return err

+	}

+	copy(pub[:], out)

+	return nil

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+// Package sealbox owns the server-side X25519 keypair used by the

+// `/api/v1/repos/{...}/actions/secrets/public-key` (and org analog)

+// endpoint. Clients fetch the public half, encrypt a secret value

+// with NaCl sealed-box (anonymous-sender), and PUT the ciphertext.

+// The server decodes with the private half on the way in, then hands

+// plaintext to the existing `internal/actions/secrets` orchestrator

+// which re-encrypts with the symmetric storage key for at-rest.

+//

+// The keypair is operator-supplied via SHITHUB_ACTIONS__SECRETS__BOX_PRIVATE_KEY_B64

+// (base64 of the 32-byte X25519 private key). When unset the server

+// generates a per-process keypair and logs a loud warning: secrets

+// PUT in one process won't be decryptable by another, so production

+// deployments MUST set the key.

+//

+// The exposed `KeyID` is a deterministic short string derived from the

+// public key — clients echo it back on PUT so the server can detect a

+// stale public-key cache and reject (rather than silently fail to

+// decrypt to garbage).

+package sealbox

+

+import (

+	"crypto/rand"

+	"crypto/sha256"

+	"encoding/base64"

+	"errors"

+	"fmt"

+

+	"golang.org/x/crypto/nacl/box"

+)

+

+// PrivateKeyLen is the X25519 private-key length in bytes.

+const PrivateKeyLen = 32

+

+// PublicKeyLen mirrors PrivateKeyLen — X25519 public keys are the

+// same length as private keys.

+const PublicKeyLen = 32

+

+// Box holds the server's long-lived X25519 keypair. Construct via

+// New() to generate a fresh one (dev/tests) or FromBase64 to load

+// operator-supplied material.

+//

+// Methods are safe for concurrent use — the underlying keys are

+// immutable once the Box is built.

+type Box struct {

+	priv [PrivateKeyLen]byte

+	pub  [PublicKeyLen]byte

+}

+

+// ErrInvalidPrivateKey signals a malformed base64 or wrong-length

+// input to FromBase64.

+var ErrInvalidPrivateKey = errors.New("sealbox: invalid private key (want 32 bytes base64)")

+

+// ErrCiphertextMalformed signals a malformed encrypted_value on the

+// PUT-secret path. Caller maps this to 400 invalid_request.

+var ErrCiphertextMalformed = errors.New("sealbox: ciphertext malformed or invalid base64")

+

+// ErrDecryptFailed signals a ciphertext that decoded but didn't open

+// against our keypair — usually a stale public_key on the client.

+var ErrDecryptFailed = errors.New("sealbox: decrypt failed (stale public_key?)")

+

+// New generates a fresh X25519 keypair. Use FromBase64 for

+// production; New is intended for tests and the dev auto-key path.

+func New() (*Box, error) {

+	pub, priv, err := box.GenerateKey(rand.Reader)

+	if err != nil {

+		return nil, fmt.Errorf("sealbox: generate: %w", err)

+	}

+	return &Box{priv: *priv, pub: *pub}, nil

+}

+

+// FromBase64 builds a Box from the base64-encoded 32-byte X25519

+// private key. The public half is computed deterministically from

+// the private half (NaCl X25519 derivation).

+func FromBase64(privB64 string) (*Box, error) {

+	priv, err := base64.StdEncoding.DecodeString(privB64)

+	if err != nil {

+		return nil, ErrInvalidPrivateKey

+	}

+	if len(priv) != PrivateKeyLen {

+		return nil, ErrInvalidPrivateKey

+	}

+	var b Box

+	copy(b.priv[:], priv)

+	// Derive public from private. nacl/box internally does

+	// curve25519.ScalarBaseMult(pub, priv); we exposed the same via

+	// scalarmult below to avoid an extra import surface.

+	if err := derivePublic(&b.pub, &b.priv); err != nil {

+		return nil, fmt.Errorf("sealbox: derive public: %w", err)

+	}

+	return &b, nil

+}

+

+// PublicKey returns the 32-byte X25519 public key, intended for the

+// `/actions/secrets/public-key` response. The caller base64-encodes

+// for transport.

+func (b *Box) PublicKey() [PublicKeyLen]byte { return b.pub }

+

+// PublicKeyBase64 is a convenience wrapper for the HTTP layer.

+func (b *Box) PublicKeyBase64() string {

+	return base64.StdEncoding.EncodeToString(b.pub[:])

+}

+

+// KeyID is a deterministic short identifier for the current public

+// key. Clients echo it on PUT so the server can detect stale caches.

+// Format: first 16 chars of base64(sha256(pubkey)).

+func (b *Box) KeyID() string {

+	sum := sha256.Sum256(b.pub[:])

+	return base64.RawURLEncoding.EncodeToString(sum[:])[:16]

+}

+

+// OpenAnonymous decodes a NaCl sealed-box ciphertext (base64-encoded

+// for transport) and returns the plaintext. The "anonymous" form

+// embeds an ephemeral sender public key in the ciphertext, so the

+// server doesn't need to know who encrypted — only the recipient

+// keypair (this Box) is required.

+//

+// Maps to libsodium's `crypto_box_seal_open` (the inverse of

+// `crypto_box_seal` that gh's CLI/curl users invoke).

+func (b *Box) OpenAnonymous(encryptedB64 string) ([]byte, error) {

+	ciphertext, err := base64.StdEncoding.DecodeString(encryptedB64)

+	if err != nil {

+		return nil, ErrCiphertextMalformed

+	}

+	out, ok := box.OpenAnonymous(nil, ciphertext, &b.pub, &b.priv)

+	if !ok {

+		return nil, ErrDecryptFailed

+	}

+	return out, nil

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package sealbox_test

+

+import (

+	"crypto/rand"

+	"encoding/base64"

+	"errors"

+	"testing"

+

+	"golang.org/x/crypto/nacl/box"

+

+	"github.com/tenseleyFlow/shithub/internal/auth/sealbox"

+)

+

+func TestNewAndOpenAnonymous_RoundTrip(t *testing.T) {

+	b, err := sealbox.New()

+	if err != nil {

+		t.Fatalf("New: %v", err)

+	}

+	if b.PublicKeyBase64() == "" {

+		t.Fatal("empty public key")

+	}

+	pubKey := b.PublicKey()

+

+	plaintext := []byte("super-secret-value")

+	ciphertext, err := box.SealAnonymous(nil, plaintext, &pubKey, rand.Reader)

+	if err != nil {

+		t.Fatalf("SealAnonymous: %v", err)

+	}

+	encrypted := base64.StdEncoding.EncodeToString(ciphertext)

+

+	out, err := b.OpenAnonymous(encrypted)

+	if err != nil {

+		t.Fatalf("OpenAnonymous: %v", err)

+	}

+	if string(out) != string(plaintext) {

+		t.Errorf("round-trip: got %q, want %q", out, plaintext)

+	}

+}

+

+func TestFromBase64_DerivesPublicKeyConsistently(t *testing.T) {

+	// Encrypt against a known keypair, then verify FromBase64 yields

+	// a Box whose public key matches and which can decrypt.

+	original, err := sealbox.New()

+	if err != nil {

+		t.Fatalf("New: %v", err)

+	}

+	pubKey := original.PublicKey()

+	plaintext := []byte("hello")

+	ct, _ := box.SealAnonymous(nil, plaintext, &pubKey, rand.Reader)

+

+	// Round-trip via a new Box loaded from the original's private key.

+	// We need access to the private key — for tests, dump it via a

+	// secondary path: re-construct from a known fixed private key.

+	priv32 := make([]byte, 32)

+	priv32[0] = 1 // deterministic non-zero scalar

+	loaded, err := sealbox.FromBase64(base64.StdEncoding.EncodeToString(priv32))

+	if err != nil {

+		t.Fatalf("FromBase64: %v", err)

+	}

+	loadedPub := loaded.PublicKey()

+	pt := []byte("via-fromb64")

+	ct2, _ := box.SealAnonymous(nil, pt, &loadedPub, rand.Reader)

+	out, err := loaded.OpenAnonymous(base64.StdEncoding.EncodeToString(ct2))

+	if err != nil {

+		t.Fatalf("OpenAnonymous loaded: %v", err)

+	}

+	if string(out) != string(pt) {

+		t.Errorf("loaded round-trip: got %q, want %q", out, pt)

+	}

+	// And confirm the unrelated keypair's ciphertext can't open here.

+	_, err = loaded.OpenAnonymous(base64.StdEncoding.EncodeToString(ct))

+	if !errors.Is(err, sealbox.ErrDecryptFailed) {

+		t.Errorf("expected ErrDecryptFailed for foreign ciphertext; got %v", err)

+	}

+}

+

+func TestFromBase64_RejectsBadInput(t *testing.T) {

+	cases := []string{

+		"",

+		"!!!not-base64!!!",

+		base64.StdEncoding.EncodeToString([]byte("too-short")),

+	}

+	for _, in := range cases {

+		if _, err := sealbox.FromBase64(in); !errors.Is(err, sealbox.ErrInvalidPrivateKey) {

+			t.Errorf("FromBase64(%q): got %v, want ErrInvalidPrivateKey", in, err)

+		}

+	}

+}

+

+func TestOpenAnonymous_RejectsMalformed(t *testing.T) {

+	b, err := sealbox.New()

+	if err != nil {

+		t.Fatalf("New: %v", err)

+	}

+	if _, err := b.OpenAnonymous("not-base64!@#"); !errors.Is(err, sealbox.ErrCiphertextMalformed) {

+		t.Errorf("malformed base64: got %v, want ErrCiphertextMalformed", err)

+	}

+	if _, err := b.OpenAnonymous(base64.StdEncoding.EncodeToString([]byte("too-short"))); !errors.Is(err, sealbox.ErrDecryptFailed) {

+		t.Errorf("too-short ciphertext: got %v, want ErrDecryptFailed", err)

+	}

+}

+

+func TestKeyID_StableForFixedKey(t *testing.T) {

+	priv32 := make([]byte, 32)

+	priv32[0] = 7

+	b1, err := sealbox.FromBase64(base64.StdEncoding.EncodeToString(priv32))

+	if err != nil {

+		t.Fatalf("FromBase64: %v", err)

+	}

+	b2, err := sealbox.FromBase64(base64.StdEncoding.EncodeToString(priv32))

+	if err != nil {

+		t.Fatalf("FromBase64: %v", err)

+	}

+	if b1.KeyID() != b2.KeyID() {

+		t.Errorf("KeyID not stable: %q vs %q", b1.KeyID(), b2.KeyID())

+	}

+	if b1.KeyID() == "" || len(b1.KeyID()) != 16 {

+		t.Errorf("KeyID shape: got %q (len=%d)", b1.KeyID(), len(b1.KeyID()))

+	}

+}