feat: support age encryption

- Support decrypting / encrypting age secrets
- Support generating age keys on device
- Simplify copying age public keys from device, so age identities can be
added as gopass recipeints with `gopass recipient add age1...`

Author: acaloiaro

Gemfile.lock

@@ -39,7 +39,7 @@ GEM
     dotenv (2.8.1)
     emoji_regex (3.2.3)
     excon (0.112.0)
-    faraday (1.10.5)
+    faraday (1.10.4)
       faraday-em_http (~> 1.0)
       faraday-em_synchrony (~> 1.0)
       faraday-excon (~> 1.1)
@@ -55,11 +55,11 @@ GEM
       faraday (>= 0.8.0)
       http-cookie (~> 1.0.0)
     faraday-em_http (1.0.0)
-    faraday-em_synchrony (1.0.1)
+    faraday-em_synchrony (1.0.0)
     faraday-excon (1.1.0)
     faraday-httpclient (1.0.1)
-    faraday-multipart (1.2.0)
-      multipart-post (~> 2.0)
+    faraday-multipart (1.0.4)
+      multipart-post (~> 2)
     faraday-net_http (1.0.2)
     faraday-net_http_persistent (1.2.0)
     faraday-patron (1.0.0)

pass.xcodeproj/project.pbxproj

@@ -20,9 +20,9 @@ class AddPasswordTableViewController: PasswordEditorTableViewController {
     override func shouldPerformSegue(withIdentifier identifier: String, sender _: Any?) -> Bool {
         if identifier == "saveAddPasswordSegue" {
             // check PGP key
-            guard PGPAgent.shared.isPrepared else {
+            guard EncryptionManager.shared.isPrepared else {
                 let alertTitle = "CannotAddPassword".localize()
-                let alertMessage = "PgpKeyNotSet.".localize()
+                let alertMessage = "EncryptionBackendNotConfigured.".localize()
                 Utils.alert(title: alertTitle, message: alertMessage, controller: self, completion: nil)
                 return false
             }

pass.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved

@@ -0,0 +1,130 @@
+import AgeKit
+import passKit
+import UIKit
+
+class AgeKeyArmorImportTableViewController: AutoCellHeightUITableViewController, UITextViewDelegate {
+    @IBOutlet var armorPrivateKeyTextView: UITextView!
+    @IBOutlet var publicKeyLabel: UILabel!
+    @IBOutlet var copyPublicKeyButton: UIButton!
+
+    private var armorPrivateKey: String?
+
+    override func viewDidLoad() {
+        super.viewDidLoad()
+        armorPrivateKeyTextView.delegate = self
+        copyPublicKeyButton.setImage(UIImage(systemName: "doc.on.doc"), for: .normal)
+        copyPublicKeyButton.isEnabled = false
+
+        // Pre-populate with existing private key from Keychain
+        if let existingPrivateKey = AppKeychain.shared.get(for: AgeKey.PRIVATE.getKeychainKey()) {
+            armorPrivateKeyTextView.text = existingPrivateKey
+            updatePublicKey(from: existingPrivateKey)
+        } else {
+            publicKeyLabel.text = "PublicKeyAutomatic.".localize()
+        }
+    }
+
+    private func updatePublicKey(from privateKeyText: String?) {
+        guard let privateKeyText = privateKeyText?.trimmed, !privateKeyText.isEmpty else {
+            publicKeyLabel.text = "PublicKeyAutomatic.".localize()
+            copyPublicKeyButton.isEnabled = false
+            return
+        }
+
+        do {
+            let publicKey = try Age.derivePublicKey(from: privateKeyText)
+            publicKeyLabel.text = publicKey
+            copyPublicKeyButton.isEnabled = true
+        } catch {
+            publicKeyLabel.text = "PublicKeyAutomatic.".localize()
+            copyPublicKeyButton.isEnabled = false
+        }
+    }
+
+    @IBAction
+    private func copyPublicKey(_: Any) {
+        guard copyPublicKeyButton.isEnabled, let publicKey = publicKeyLabel.text else {
+            return
+        }
+
+        SecurePasteboard.shared.copy(textToCopy: publicKey, expirationTime: 0)
+
+        let alert = UIAlertController(
+            title: nil,
+            message: "PublicKeyCopied.".localize(),
+            preferredStyle: .alert
+        )
+        present(alert, animated: true)
+        DispatchQueue.main.asyncAfter(deadline: .now() + 1) {
+            alert.dismiss(animated: true)
+        }
+    }
+
+    @IBAction
+    private func save(_: Any) {
+        armorPrivateKey = armorPrivateKeyTextView.text
+        saveImportedKeys()
+    }
+
+    func textView(_: UITextView, shouldChangeTextIn _: NSRange, replacementText text: String) -> Bool {
+        if text == UIPasteboard.general.string {
+            // user pastes something, do the copy here again and clear the pasteboard in 45s
+            SecurePasteboard.shared.copy(textToCopy: text)
+        }
+        return true
+    }
+
+    func textViewDidChange(_ textView: UITextView) {
+        updatePublicKey(from: textView.text)
+    }
+}
+
+extension AgeKeyArmorImportTableViewController: AgeKeyImporter {
+    static let keySource = KeySource.ageArmor
+    static let label = "AsciiArmorAgeKey".localize()
+
+    func isReadyToUse() -> Bool {
+        let privateKey = armorPrivateKeyTextView.text.trimmed
+
+        // Check if private key is not empty
+        guard !privateKey.isEmpty else {
+            Utils.alert(title: "CannotSave".localize(), message: "SetAgePrivateKey.".localize(), controller: self, completion: nil)
+            return false
+        }
+
+        // Validate private key format
+        guard privateKey.hasPrefix(Age.privateKeyPrefix) else {
+            Utils.alert(
+                title: "CannotSave".localize(),
+                message: String(format: "AgeKeyInvalidPrefix.".localize(), Age.privateKeyPrefix),
+                controller: self,
+                completion: nil
+            )
+            return false
+        }
+
+        // Validate that private key can be parsed and public key can be derived
+        do {
+            _ = try Age.derivePublicKey(from: privateKey)
+        } catch {
+            Utils.alert(
+                title: "CannotSave".localize(),
+                message: String(format: "AgeKeyInvalidFormat.".localize(), error.localizedDescription),
+                controller: self,
+                completion: nil
+            )
+            return false
+        }
+
+        return true
+    }
+
+    func importKeys() throws {
+        // Only import private key - public key is derived
+        try KeyFileManager.PrivateAge.importKey(from: armorPrivateKey ?? "")
+    }
+
+    func saveImportedKeys() {
+        performSegue(withIdentifier: "saveAgeKeySegue", sender: self)
+    }
+}

pass/Base.lproj/Main.storyboard

@@ -0,0 +1,13 @@
+import passKit
+
+protocol AgeKeyImporter: KeyImporter {
+    func doAfterImport()
+}
+
+extension AgeKeyImporter {
+    static var isCurrentKeySource: Bool {
+        Defaults.ageKeySource == keySource
+    }
+
+    func doAfterImport() {}
+}

pass/Controllers/AddPasswordTableViewController.swift

@@ -81,18 +81,28 @@ class GeneralSettingsTableViewController: BasicStaticTableViewController {
         return uiSwitch
     }()
 
+    private lazy var encryptionBackendSegmentedControl: UISegmentedControl = {
+        let segmentedControl = UISegmentedControl(items: ["GPG", "Age"])
+        segmentedControl.sizeToFit()
+        segmentedControl.addTarget(self, action: #selector(encryptionBackendSwitchAction), for: .valueChanged)
+        return segmentedControl
+    }()
+
     override func viewDidLoad() {
         tableData = [
             // section 0
-            [[.title: "AboutRepository".localize(), .action: "segue", .link: "showAboutRepositorySegue"]],
+            [[.title: "Encryption", .action: "none"]],
 
             // section 1
+            [[.title: "AboutRepository".localize(), .action: "segue", .link: "showAboutRepositorySegue"]],
+
+            // section 2
             [
                 [.title: "RememberPgpKeyPassphrase".localize(), .action: "none"],
                 [.title: "RememberGitCredentialPassphrase".localize(), .action: "none"],
             ],
 
-            // section 2
+            // section 3
             [
                 [.title: "EnableGPGID".localize(), .action: "none"],
                 [.title: "ShowFolders".localize(), .action: "none"],
@@ -110,6 +120,10 @@ class GeneralSettingsTableViewController: BasicStaticTableViewController {
         cell.accessoryType = .none
         cell.selectionStyle = .none
         switch cell.textLabel!.text! {
+        case "Encryption":
+            cell.accessoryView = encryptionBackendSegmentedControl
+            let backend = Defaults.encryptionBackend
+            encryptionBackendSegmentedControl.selectedSegmentIndex = backend == .gpg ? 0 : 1
         case "AboutRepository".localize():
             cell.accessoryType = .disclosureIndicator
         case "HideUnknownFields".localize():
@@ -138,6 +152,16 @@ class GeneralSettingsTableViewController: BasicStaticTableViewController {
         return cell
     }
 
+    @objc
+    func encryptionBackendSwitchAction(_ sender: UISegmentedControl) {
+        if sender.selectedSegmentIndex == 0 {
+            Defaults.encryptionBackend = .gpg
+        } else {
+            Defaults.encryptionBackend = .age
+        }
+        EncryptionManager.shared.uninitKeys()
+    }
+
     private func addDetailButton(to cell: UITableViewCell, for uiSwitch: UISwitch, with action: Selector) {
         let detailButton = UIButton(type: .detailDisclosure)
         uiSwitch.frame = CGRect(

pass/Controllers/AgeKeyArmorImportTableViewController.swift

@@ -197,7 +197,8 @@ class GitRepositorySettingsTableViewController: UITableViewController, PasswordA
                 )
 
                 let gpgIDFile = self.passwordStore.storeURL.appendingPathComponent(".gpg-id").path
-                guard FileManager.default.fileExists(atPath: gpgIDFile) else {
+                let ageRecipientsFile = self.passwordStore.storeURL.appendingPathComponent(".age-recipients").path
+                guard FileManager.default.fileExists(atPath: gpgIDFile) || FileManager.default.fileExists(atPath: ageRecipientsFile) else {
                     self.passwordStore.eraseStoreData()
                     SVProgressHUD.dismiss {
                         DispatchQueue.main.async {

pass/Controllers/AgeKeyImporter.swift

@@ -110,7 +110,7 @@ class PasswordDetailTableViewController: UITableViewController, UIGestureRecogni
         }
     }
 
-    private func decryptThenShowPasswordLocalKey(keyID: String? = nil) {
+    private func decryptThenShowPasswordLocalKey() {
         guard let passwordEntity else {
             Utils.alert(title: "CannotShowPassword".localize(), message: "PasswordDoesNotExist".localize(), controller: self, completion: {
                 self.navigationController!.popViewController(animated: true)
@@ -121,15 +121,15 @@ class PasswordDetailTableViewController: UITableViewController, UIGestureRecogni
             // decrypt password
             do {
                 let requestPGPKeyPassphrase = Utils.createRequestPGPKeyPassphraseHandler(controller: self)
-                self.password = try self.passwordStore.decrypt(passwordEntity: passwordEntity, keyID: keyID, requestPGPKeyPassphrase: requestPGPKeyPassphrase)
+                self.password = try self.passwordStore.decrypt(passwordEntity: passwordEntity, requestPassphrase: requestPGPKeyPassphrase)
                 self.showPassword()
             } catch let AppError.pgpPrivateKeyNotFound(keyID: key) {
                 DispatchQueue.main.async {
                     // alert: cancel or try again
                     let alert = UIAlertController(title: "CannotShowPassword".localize(), message: AppError.pgpPrivateKeyNotFound(keyID: key).localizedDescription, preferredStyle: .alert)
                     alert.addAction(UIAlertAction.cancelAndPopView(controller: self))
-                    let selectKey = UIAlertAction.selectKey(controller: self) { action in
-                        self.decryptThenShowPasswordLocalKey(keyID: action.title)
+                    let selectKey = UIAlertAction.selectKey(controller: self) { _ in
+                        self.decryptThenShowPasswordLocalKey()
                     }
                     alert.addAction(selectKey)
 
@@ -209,10 +209,10 @@ class PasswordDetailTableViewController: UITableViewController, UIGestureRecogni
         }
     }
 
-    private func saveEditPassword(password: Password, keyID: String? = nil) {
+    private func saveEditPassword(password: Password) {
         SVProgressHUD.show(withStatus: "Saving".localize())
         do {
-            passwordEntity = try passwordStore.edit(passwordEntity: passwordEntity!, password: password, keyID: keyID)
+            passwordEntity = try passwordStore.edit(passwordEntity: passwordEntity!, password: password, path: password.path)
             setTableData()
             tableView.reloadData()
             SVProgressHUD.showSuccess(withStatus: "Success".localize())
@@ -223,8 +223,8 @@ class PasswordDetailTableViewController: UITableViewController, UIGestureRecogni
                 SVProgressHUD.dismiss()
                 let alert = UIAlertController(title: "Cannot Edit Password", message: AppError.pgpPublicKeyNotFound(keyID: key).localizedDescription, preferredStyle: .alert)
                 alert.addAction(UIAlertAction.cancelAndPopView(controller: self))
-                let selectKey = UIAlertAction.selectKey(controller: self) { action in
-                    self.saveEditPassword(password: password, keyID: action.title)
+                let selectKey = UIAlertAction.selectKey(controller: self) { _ in
+                    self.saveEditPassword(password: password)
                 }
                 alert.addAction(selectKey)
 
@@ -388,7 +388,7 @@ class PasswordDetailTableViewController: UITableViewController, UIGestureRecogni
         // commit the change of HOTP counter
         if password!.changed != 0 {
             do {
-                passwordEntity = try passwordStore.edit(passwordEntity: passwordEntity!, password: password!)
+                passwordEntity = try passwordStore.edit(passwordEntity: passwordEntity!, password: password!, path: password!.path)
                 SVProgressHUD.showSuccess(withStatus: "PasswordCopied".localize() | "CounterUpdated".localize())
                 SVProgressHUD.dismiss(withDelay: 1)
             } catch {