added hmac validation (#1)

Reviewed-on: #1
Co-authored-by: Ron Rise <ron@siteworxpro.com>
Co-committed-by: Ron Rise <ron@siteworxpro.com>

.gitea/workflows/tests.yml

@@ -1,14 +1,14 @@
 on:
   push:
     branches:
-      - "*"
+      - "**"
 
 name: 🧪 ✨ Unit Tests Workflow
 
 jobs:
   test-go:
     env:
-      GO_VERSION: '1.24.3'
+      GO_VERSION: '1.25.0'
     name: 🔍 🐹 Go Tests
     runs-on: ubuntu-latest
     steps:

build.sh

@@ -6,8 +6,9 @@ for distro in $(go tool dist list)
 do
     arrIN=(${distro//\// })
 
-    if [[ ${arrIN[0]} == 'linux' || ${arrIN[0]} == 'darwin'  || ${arrIN[0]} == 'freebsd' || ${arrIN[0]} == 'windows' ]]; then
+    if [[ ${arrIN[0]} == 'linux' || ${arrIN[0]} == 'darwin' ]]; then
       echo "Building $distro..."
       GOOS=${arrIN[0]} GOARCH=${arrIN[1]} go build --ldflags="-X 'github.com/siteworxpro/rsa-file-encryption/printer.Version=$(git describe --tags --abbrev=0)'" -o dist/rsa-file-encryption_${arrIN[0]}_${arrIN[1]}
+      gpg --detach-sign "dist/rsa-file-encryption_${arrIN[0]}_${arrIN[1]}"
     fi
 done

crypt/file.go

@@ -4,15 +4,20 @@ import (
 	"bytes"
 	"crypto/aes"
 	"crypto/cipher"
+	"crypto/hmac"
 	"crypto/rand"
 	"crypto/rsa"
+	"crypto/sha256"
 	"crypto/subtle"
 	"fmt"
 	"os"
 )
 
+const hmacKey = "::HMAC::"
+
 type EncryptedFile struct {
 	ciphertext      []byte
+	hmac            []byte
 	plainText       []byte
 	nonce           []byte
 	privatePem      []byte
@@ -25,7 +30,13 @@ type EncryptedFile struct {
 
 func (f *EncryptedFile) packFile() []byte {
 	file := append(f.nonce, f.ciphertext...)
-	return append(file, f.symmetricKeyEnc...)
+	file = append(file, f.symmetricKeyEnc...)
+	if len(f.hmac) > 0 {
+		file = append(file, []byte(hmacKey)...)
+		file = append(file, f.hmac...)
+	}
+
+	return file
 }
 
 func (f *EncryptedFile) EncryptFile() error {
@@ -48,9 +59,29 @@ func (f *EncryptedFile) EncryptFile() error {
 	cbc.CryptBlocks(ciphertext, plaintextP)
 	f.ciphertext = ciphertext
 
+	mac, err := f.generateHmac()
+	if err != nil {
+		return err
+	}
+
+	f.hmac = mac
+
 	return nil
 }
 
+func (f *EncryptedFile) generateHmac() ([]byte, error) {
+	if len(f.symmetricKey) == 0 {
+		return nil, fmt.Errorf("symmetric key is not set")
+	}
+
+	mac := hmac.New(sha256.New, f.symmetricKey)
+	mac.Write(f.nonce)
+	mac.Write(f.ciphertext)
+
+	f.hmac = mac.Sum(nil)
+	return f.hmac, nil
+}
+
 func (f *EncryptedFile) OsReadPlainTextFile(path string) error {
 	plaintext, err := os.ReadFile(path)
 	if err != nil {
@@ -84,7 +115,21 @@ func (f *EncryptedFile) WriteDecryptedFileToDisk(filePath string) error {
 func (f *EncryptedFile) unpackFileAndDecrypt(packedFile []byte) error {
 	keyLen := f.privateKey.Size()
 
+	minReqLen := aes.BlockSize + keyLen + len(hmacKey)
+
+	if len(packedFile) < minReqLen {
+		return fmt.Errorf("packed file is too short to be valid")
+	}
+
+	if bytes.Contains(packedFile, []byte(hmacKey)) {
+		parts := bytes.SplitN(packedFile, []byte(hmacKey), 2)
+		packedFile, f.hmac = parts[0], parts[1]
+	}
+
 	lenWithoutKey := len(packedFile) - keyLen
+	if lenWithoutKey < aes.BlockSize {
+		return fmt.Errorf("packed file is too short to contain valid nonce and ciphertext")
+	}
 
 	packedFile, f.symmetricKeyEnc = packedFile[0:lenWithoutKey], packedFile[lenWithoutKey:]
 
@@ -93,10 +138,22 @@ func (f *EncryptedFile) unpackFileAndDecrypt(packedFile []byte) error {
 		return err
 	}
 
+	if len(f.hmac) > 0 {
+		mac, err := f.generateHmac()
+		if err != nil {
+			return err
+		}
+
+		if !hmac.Equal(mac, f.hmac) {
+			return fmt.Errorf("hmac verification failed")
+		}
+	}
+
 	a, err := aes.NewCipher(f.symmetricKey)
 	if err != nil {
 		return err
 	}
+
 	f.nonce, f.ciphertext = packedFile[0:aes.BlockSize], packedFile[aes.BlockSize:]
 
 	cbc := cipher.NewCBCDecrypter(a, f.nonce)

crypt/keys.go

@@ -7,6 +7,7 @@ import (
 	"crypto/sha512"
 	"crypto/x509"
 	"encoding/pem"
+	"fmt"
 	"os"
 )
 
@@ -85,6 +86,10 @@ func (f *EncryptedFile) GenerateSymmetricKey() error {
 func (f *EncryptedFile) ParsePublicPem() error {
 	pemKeyBin, _ := pem.Decode(f.PublicPem)
 
+	if pemKeyBin == nil {
+		return fmt.Errorf("failed to parse PEM block containing the public key")
+	}
+
 	if bytes.Contains(f.PublicPem, []byte("-----BEGIN PUBLIC KEY-----")) {
 		key, err := x509.ParsePKIXPublicKey(pemKeyBin.Bytes)
 		if err != nil {
@@ -109,6 +114,10 @@ func (f *EncryptedFile) ParsePublicPem() error {
 func (f *EncryptedFile) ParsePrivatePem() error {
 	pemKeyBin, _ := pem.Decode(f.privatePem)
 
+	if pemKeyBin == nil {
+		return fmt.Errorf("failed to parse PEM block containing the private key")
+	}
+
 	if bytes.Contains(f.privatePem, []byte("-----BEGIN PRIVATE KEY-----")) {
 		key, err := x509.ParsePKCS8PrivateKey(pemKeyBin.Bytes)
 		if err != nil {

go.mod

@@ -1,18 +1,18 @@
 module github.com/siteworxpro/rsa-file-encryption
 
-go 1.24.3
+go 1.25.0
 
 require (
 	github.com/charmbracelet/bubbles v0.21.0
-	github.com/charmbracelet/bubbletea v1.3.5
+	github.com/charmbracelet/bubbletea v1.3.6
 	github.com/charmbracelet/lipgloss v1.1.0
-	github.com/urfave/cli/v2 v2.27.6
+	github.com/urfave/cli/v2 v2.27.7
 )
 
 require (
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 	github.com/charmbracelet/colorprofile v0.3.1 // indirect
-	github.com/charmbracelet/x/ansi v0.9.2 // indirect
+	github.com/charmbracelet/x/ansi v0.9.3 // indirect
 	github.com/charmbracelet/x/cellbuf v0.0.13 // indirect
 	github.com/charmbracelet/x/term v0.2.1 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect
@@ -28,7 +28,7 @@ require (
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect
-	golang.org/x/sync v0.14.0 // indirect
+	golang.org/x/sync v0.15.0 // indirect
 	golang.org/x/sys v0.33.0 // indirect
 	golang.org/x/text v0.25.0 // indirect
 )

go.sum

@@ -2,14 +2,14 @@ github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiE
 github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8=
 github.com/charmbracelet/bubbles v0.21.0 h1:9TdC97SdRVg/1aaXNVWfFH3nnLAwOXr8Fn6u6mfQdFs=
 github.com/charmbracelet/bubbles v0.21.0/go.mod h1:HF+v6QUR4HkEpz62dx7ym2xc71/KBHg+zKwJtMw+qtg=
-github.com/charmbracelet/bubbletea v1.3.5 h1:JAMNLTbqMOhSwoELIr0qyP4VidFq72/6E9j7HHmRKQc=
+github.com/charmbracelet/bubbletea v1.3.6 h1:VkHIxPJQeDt0aFJIsVxw8BQdh/F/L2KKZGsK6et5taU=
-github.com/charmbracelet/bubbletea v1.3.5/go.mod h1:TkCnmH+aBd4LrXhXcqrKiYwRs7qyQx5rBgH5fVY3v54=
+github.com/charmbracelet/bubbletea v1.3.6/go.mod h1:oQD9VCRQFF8KplacJLo28/jofOI2ToOfGYeFgBBxHOc=
 github.com/charmbracelet/colorprofile v0.3.1 h1:k8dTHMd7fgw4bnFd7jXTLZrSU/CQrKnL3m+AxCzDz40=
 github.com/charmbracelet/colorprofile v0.3.1/go.mod h1:/GkGusxNs8VB/RSOh3fu0TJmQ4ICMMPApIIVn0KszZ0=
 github.com/charmbracelet/lipgloss v1.1.0 h1:vYXsiLHVkK7fp74RkV7b2kq9+zDLoEU4MZoFqR/noCY=
 github.com/charmbracelet/lipgloss v1.1.0/go.mod h1:/6Q8FR2o+kj8rz4Dq0zQc3vYf7X+B0binUUBwA0aL30=
-github.com/charmbracelet/x/ansi v0.9.2 h1:92AGsQmNTRMzuzHEYfCdjQeUzTrgE1vfO5/7fEVoXdY=
+github.com/charmbracelet/x/ansi v0.9.3 h1:BXt5DHS/MKF+LjuK4huWrC6NCvHtexww7dMayh6GXd0=
-github.com/charmbracelet/x/ansi v0.9.2/go.mod h1:3RQDQ6lDnROptfpWuUVIUG64bD2g2BgntdxH0Ya5TeE=
+github.com/charmbracelet/x/ansi v0.9.3/go.mod h1:3RQDQ6lDnROptfpWuUVIUG64bD2g2BgntdxH0Ya5TeE=
 github.com/charmbracelet/x/cellbuf v0.0.13 h1:/KBBKHuVRbq1lYx5BzEHBAFBP8VcQzJejZ/IA3iR28k=
 github.com/charmbracelet/x/cellbuf v0.0.13/go.mod h1:xe0nKWGd3eJgtqZRaN9RjMtK7xUYchjzPr7q6kcvCCs=
 github.com/charmbracelet/x/term v0.2.1 h1:AQeHeLZ1OqSXhrAWpYUtZyX1T3zVxfpZuEQMIQaGIAQ=
@@ -37,16 +37,16 @@ github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/urfave/cli/v2 v2.27.6 h1:VdRdS98FNhKZ8/Az8B7MTyGQmpIr36O1EHybx/LaZ4g=
+github.com/urfave/cli/v2 v2.27.7 h1:bH59vdhbjLv3LAvIu6gd0usJHgoTTPhCFib8qqOwXYU=
-github.com/urfave/cli/v2 v2.27.6/go.mod h1:3Sevf16NykTbInEnD0yKkjDAeZDS0A6bzhBH5hrMvTQ=
+github.com/urfave/cli/v2 v2.27.7/go.mod h1:CyNAG/xg+iAOg0N4MPGZqVmv2rCoP267496AOXUZjA4=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
 github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 h1:gEOO8jv9F4OT7lGCjxCBTO/36wtF6j2nSip77qHd4x4=
 github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1/go.mod h1:Ohn+xnUBiLI6FVj/9LpzZWtj1/D6lUovWYBkxHVV3aM=
 golang.org/x/exp v0.0.0-20220909182711-5c715a9e8561 h1:MDc5xs78ZrZr3HMQugiXOAkSZtfTpbJLDr/lwfgO53E=
 golang.org/x/exp v0.0.0-20220909182711-5c715a9e8561/go.mod h1:cyybsKvd6eL0RnXn6p/Grxp8F5bW7iYuBgsNCOHpMYE=
-golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
+golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
-golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=