From 6d25374fd7046e36ea8adffaa7735379b9119eb7 Mon Sep 17 00:00:00 2001
From: Felicitas Pojtinger
Date: Sun, 5 Dec 2021 01:52:24 +0100
Subject: [PATCH] feat: Add minisign key generation support
---
 cmd/stbak/cmd/keygen.go | 110 ++++++++++++++++++++++++----------------
 cmd/stbak/cmd/root.go | 6 +-
 2 files changed, 70 insertions(+), 46 deletions(-)
diff --git a/cmd/stbak/cmd/keygen.go b/cmd/stbak/cmd/keygen.go
index fcc85f2..0dffaef 100644
--- a/cmd/stbak/cmd/keygen.go
+++ b/cmd/stbak/cmd/keygen.go
@@ -2,11 +2,13 @@ package cmd
 import (
 "bytes"
+ "crypto/rand"
 "io"
 "io/ioutil"
 "os"
 "path/filepath"
+ "aead.dev/minisign"
 "filippo.io/age"
 "github.com/ProtonMail/gopenpgp/v2/armor"
 "github.com/ProtonMail/gopenpgp/v2/crypto"
@@ -32,68 +34,90 @@ var keygenCmd = &cobra.Command{
 pubkey := ""
 privkey := ""
- switch viper.GetString(encryptionFlag) {
- case encryptionFormatAgeKey:
- identity, err := age.GenerateX25519Identity()
- if err != nil {
- return err
- }
-
- pubkey = identity.Recipient().String()
- privkey = identity.String()
-
- if password := viper.GetString(passwordFlag); password != "" {
- passwordRecipient, err := age.NewScryptRecipient(password)
+ if encryptionFormat := viper.GetString(encryptionFlag); encryptionFormat != noneKey {
+ switch encryptionFormat {
+ case encryptionFormatAgeKey:
+ identity, err := age.GenerateX25519Identity()
 if err != nil {
 return err
 }
- out := &bytes.Buffer{}
- w, err := age.Encrypt(out, passwordRecipient)
+ pubkey = identity.Recipient().String()
+ privkey = identity.String()
+
+ if password := viper.GetString(passwordFlag); password != "" {
+ passwordRecipient, err := age.NewScryptRecipient(password)
+ if err != nil {
+ return err
+ }
+
+ out := &bytes.Buffer{}
+ w, err := age.Encrypt(out, passwordRecipient)
+ if err != nil {
+ return err
+ }
+
+ if _, err := io.WriteString(w, privkey); err != nil {
+ return err
+ }
+
+ if err := w.Close(); err != nil {
+ return err
+ }
+
+ privkey = out.String()
+ }
+ case encryptionFormatPGPKey:
+ armoredIdentity, err := helper.GenerateKey("STFS", "stfs@example.com", []byte(viper.GetString(passwordFlag)), "x25519", 0)
 if err != nil {
 return err
 }
- if _, err := io.WriteString(w, privkey); err != nil {
+ rawIdentity, err := armor.Unarmor(armoredIdentity)
+ if err != nil {
 return err
 }
- if err := w.Close(); err != nil {
+ identity, err := crypto.NewKey([]byte(rawIdentity))
+ if err != nil {
 return err
 }
- privkey = out.String()
- }
- case encryptionFormatPGPKey:
- armoredIdentity, err := helper.GenerateKey("STFS", "stfs@example.com", []byte(viper.GetString(passwordFlag)), "x25519", 0)
- if err != nil {
- return err
- }
+ pub, err := identity.GetPublicKey()
+ if err != nil {
+ return err
+ }
- rawIdentity, err := armor.Unarmor(armoredIdentity)
- if err != nil {
- return err
- }
+ priv, err := identity.Serialize()
+ if err != nil {
+ return err
+ }
- identity, err := crypto.NewKey([]byte(rawIdentity))
- if err != nil {
- return err
+ pubkey = string(pub)
+ privkey = string(priv)
+ default:
+ return errKeygenForFormatUnsupported
 }
+ } else if signatureFormat := viper.GetString(signatureFlag); signatureFormat != noneKey {
+ switch signatureFormat {
+ case signatureFormatMinisignKey:
+ pub, rawPriv, err := minisign.GenerateKey(rand.Reader)
+ if err != nil {
+ return err
+ }
- pub, err := identity.GetPublicKey()
- if err != nil {
- return err
+ priv, err := minisign.EncryptKey(viper.GetString(passwordFlag), rawPriv)
+ if err != nil {
+ return err
+ }
+
+ pubkey = pub.String()
+ privkey = string(priv)
+ default:
+ return errKeygenForFormatUnsupported
 }
-
- priv, err := identity.Serialize()
- if err != nil {
- return err
- }
-
- pubkey = string(pub)
- privkey = string(priv)
- default:
- return errKeygenForEncryptionFormatUnsupported
+ } else {
+ return errKeygenForFormatUnsupported
 }
 // Write pubkey (read/writable by everyone)
diff --git a/cmd/stbak/cmd/root.go b/cmd/stbak/cmd/root.go
index e9c4139..e1d2493 100644
--- a/cmd/stbak/cmd/root.go
+++ b/cmd/stbak/cmd/root.go
@@ -60,9 +60,9 @@ var (
 knownEncryptionFormats = []string{noneKey, encryptionFormatAgeKey, encryptionFormatPGPKey}
- errUnknownEncryptionFormat = errors.New("unknown encryption format")
- errUnsupportedEncryptionFormat = errors.New("unsupported encryption format")
- errKeygenForEncryptionFormatUnsupported = errors.New("can not generate keys for this encryption format")
+ errUnknownEncryptionFormat = errors.New("unknown encryption format")
+ errUnsupportedEncryptionFormat = errors.New("unsupported encryption format")
+ errKeygenForFormatUnsupported = errors.New("can not generate keys for this format")
 knownSignatureFormats = []string{noneKey, signatureFormatMinisignKey}
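Review bot: The `} else if signatureFormat := viper.GetString(signatureFlag); signatureFormat != noneKey {` branch is only reached when no encryption format was given, so a run that sets both an encryption format and a signature format silently generates only the encryption key pair and never reports that the signature flag was ignored. Rejecting the combination before the first `if`, e.g. `if viper.GetString(encryptionFlag) != noneKey && viper.GetString(signatureFlag) != noneKey { return <new sentinel error declared next to errKeygenForFormatUnsupported in root.go> }`, or at least a comment above the `if` stating that the encryption format takes precedence, would make the behaviour explicit. Separately, the minisign case always calls `minisign.EncryptKey(viper.GetString(passwordFlag), rawPriv)`, whereas the age case only encrypts the private key inside `if password := viper.GetString(passwordFlag); password != ""` and the PGP case passes the password straight to `helper.GenerateKey`; with an empty `--password` the minisign private key is presumably written encrypted under an empty passphrase (confirm against the library), which protects nothing while looking protected, so either mirror the age guard here or return an error on an empty password so the three formats behave consistently. The enclosing RunE function of keygenCmd starts before and ends after this hunk.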