feat: support age encryption

- Support decrypting / encrypting age secrets
- Support generating age keys on device
- Simplify copying age public keys from device, so age identities can be
added as gopass recipeints with `gopass recipient add age1...`

Author: acaloiaro

Gemfile.lock

@@ -39,7 +39,7 @@ GEM
     dotenv (2.8.1)
     emoji_regex (3.2.3)
     excon (0.112.0)
-    faraday (1.10.5)
+    faraday (1.10.4)
       faraday-em_http (~> 1.0)
       faraday-em_synchrony (~> 1.0)
       faraday-excon (~> 1.1)
@@ -55,11 +55,11 @@ GEM
       faraday (>= 0.8.0)
       http-cookie (~> 1.0.0)
     faraday-em_http (1.0.0)
-    faraday-em_synchrony (1.0.1)
+    faraday-em_synchrony (1.0.0)
     faraday-excon (1.1.0)
     faraday-httpclient (1.0.1)
-    faraday-multipart (1.2.0)
-      multipart-post (~> 2.0)
+    faraday-multipart (1.0.4)
+      multipart-post (~> 2)
     faraday-net_http (1.0.2)
     faraday-net_http_persistent (1.2.0)
     faraday-patron (1.0.0)

pass.xcodeproj/project.pbxproj

@@ -20,9 +20,9 @@ class AddPasswordTableViewController: PasswordEditorTableViewController {
     override func shouldPerformSegue(withIdentifier identifier: String, sender _: Any?) -> Bool {
         if identifier == "saveAddPasswordSegue" {
             // check PGP key
-            guard PGPAgent.shared.isPrepared else {
+            guard EncryptionManager.shared.isPrepared else {
                 let alertTitle = "CannotAddPassword".localize()
-                let alertMessage = "PgpKeyNotSet.".localize()
+                let alertMessage = "EncryptionBackendNotConfigured.".localize()
                 Utils.alert(title: alertTitle, message: alertMessage, controller: self, completion: nil)
                 return false
             }

pass.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved

@@ -0,0 +1,138 @@
+//
+//  AgeKeyArmorImportTableViewController.swift
+//  pass
+//
+//  Created by Mingshen Sun on 17/2/2017.
+//  Copyright © 2017 Bob Sun. All rights reserved.
+//
+
+import AgeKit
+import passKit
+import UIKit
+
+class AgeKeyArmorImportTableViewController: AutoCellHeightUITableViewController, UITextViewDelegate {
+    @IBOutlet var armorPrivateKeyTextView: UITextView!
+    @IBOutlet var publicKeyLabel: UILabel!
+    @IBOutlet var copyPublicKeyButton: UIButton!
+
+    private var armorPrivateKey: String?
+
+    override func viewDidLoad() {
+        super.viewDidLoad()
+        armorPrivateKeyTextView.delegate = self
+        copyPublicKeyButton.setImage(UIImage(systemName: "doc.on.doc"), for: .normal)
+        copyPublicKeyButton.isEnabled = false
+
+        // Pre-populate with existing private key from Keychain
+        if let existingPrivateKey = AppKeychain.shared.get(for: AgeKey.PRIVATE.getKeychainKey()) {
+            armorPrivateKeyTextView.text = existingPrivateKey
+            updatePublicKey(from: existingPrivateKey)
+        } else {
+            publicKeyLabel.text = "PublicKeyAutomatic.".localize()
+        }
+    }
+
+    private func updatePublicKey(from privateKeyText: String?) {
+        guard let privateKeyText = privateKeyText?.trimmed, !privateKeyText.isEmpty else {
+            publicKeyLabel.text = "PublicKeyAutomatic.".localize()
+            copyPublicKeyButton.isEnabled = false
+            return
+        }
+
+        do {
+            let publicKey = try Age.derivePublicKey(from: privateKeyText)
+            publicKeyLabel.text = publicKey
+            copyPublicKeyButton.isEnabled = true
+        } catch {
+            publicKeyLabel.text = "PublicKeyAutomatic.".localize()
+            copyPublicKeyButton.isEnabled = false
+        }
+    }
+
+    @IBAction
+    private func copyPublicKey(_: Any) {
+        guard copyPublicKeyButton.isEnabled, let publicKey = publicKeyLabel.text else {
+            return
+        }
+
+        SecurePasteboard.shared.copy(textToCopy: publicKey, expirationTime: 0)
+
+        let alert = UIAlertController(
+            title: nil,
+            message: "PublicKeyCopied.".localize(),
+            preferredStyle: .alert
+        )
+        present(alert, animated: true)
+        DispatchQueue.main.asyncAfter(deadline: .now() + 1) {
+            alert.dismiss(animated: true)
+        }
+    }
+
+    @IBAction
+    private func save(_: Any) {
+        armorPrivateKey = armorPrivateKeyTextView.text
+        saveImportedKeys()
+    }
+
+    func textView(_: UITextView, shouldChangeTextIn _: NSRange, replacementText text: String) -> Bool {
+        if text == UIPasteboard.general.string {
+            // user pastes something, do the copy here again and clear the pasteboard in 45s
+            SecurePasteboard.shared.copy(textToCopy: text)
+        }
+        return true
+    }
+
+    func textViewDidChange(_ textView: UITextView) {
+        updatePublicKey(from: textView.text)
+    }
+}
+
+extension AgeKeyArmorImportTableViewController: AgeKeyImporter {
+    static let keySource = KeySource.ageArmor
+    static let label = "AsciiArmorAgeKey".localize()
+
+    func isReadyToUse() -> Bool {
+        let privateKey = armorPrivateKeyTextView.text.trimmed
+
+        // Check if private key is not empty
+        guard !privateKey.isEmpty else {
+            Utils.alert(title: "CannotSave".localize(), message: "SetAgePrivateKey.".localize(), controller: self, completion: nil)
+            return false
+        }
+
+        // Validate private key format
+        guard privateKey.hasPrefix(Age.privateKeyPrefix) else {
+            Utils.alert(
+                title: "CannotSave".localize(),
+                message: String(format: "AgeKeyInvalidPrefix.".localize(), Age.privateKeyPrefix),
+                controller: self,
+                completion: nil
+            )
+            return false
+        }
+
+        // Validate that private key can be parsed and public key can be derived
+        do {
+            _ = try Age.derivePublicKey(from: privateKey)
+        } catch {
+            Utils.alert(
+                title: "CannotSave".localize(),
+                message: String(format: "AgeKeyInvalidFormat.".localize(), error.localizedDescription),
+                controller: self,
+                completion: nil
+            )
+            return false
+        }
+
+        return true
+    }
+
+    func importKeys() throws {
+        // Only import private key - public key is derived
+        try KeyFileManager.PrivateAge.importKey(from: armorPrivateKey ?? "")
+    }
+
+    func saveImportedKeys() {
+        performSegue(withIdentifier: "saveAgeKeySegue", sender: self)
+    }
+}

pass/Base.lproj/Main.storyboard

@@ -0,0 +1,21 @@
+//
+//  AgeKeyImporter.swift
+//  pass
+//
+//  Created by Mingshen Sun on 17/2/2017.
+//  Copyright © 2017 Bob Sun. All rights reserved.
+//
+
+import passKit
+
+protocol AgeKeyImporter: KeyImporter {
+    func doAfterImport()
+}
+
+extension AgeKeyImporter {
+    static var isCurrentKeySource: Bool {
+        Defaults.ageKeySource == keySource
+    }
+
+    func doAfterImport() {}
+}

pass/Controllers/AddPasswordTableViewController.swift

@@ -81,18 +81,28 @@ class GeneralSettingsTableViewController: BasicStaticTableViewController {
         return uiSwitch
     }()
 
+    private lazy var encryptionBackendSegmentedControl: UISegmentedControl = {
+        let segmentedControl = UISegmentedControl(items: ["GPG", "Age"])
+        segmentedControl.sizeToFit()
+        segmentedControl.addTarget(self, action: #selector(encryptionBackendSwitchAction), for: .valueChanged)
+        return segmentedControl
+    }()
+
     override func viewDidLoad() {
         tableData = [
             // section 0
-            [[.title: "AboutRepository".localize(), .action: "segue", .link: "showAboutRepositorySegue"]],
+            [[.title: "Encryption", .action: "none"]],
 
             // section 1
+            [[.title: "AboutRepository".localize(), .action: "segue", .link: "showAboutRepositorySegue"]],
+
+            // section 2
             [
                 [.title: "RememberPgpKeyPassphrase".localize(), .action: "none"],
                 [.title: "RememberGitCredentialPassphrase".localize(), .action: "none"],
             ],
 
-            // section 2
+            // section 3
             [
                 [.title: "EnableGPGID".localize(), .action: "none"],
                 [.title: "ShowFolders".localize(), .action: "none"],
@@ -110,6 +120,10 @@ class GeneralSettingsTableViewController: BasicStaticTableViewController {
         cell.accessoryType = .none
         cell.selectionStyle = .none
         switch cell.textLabel!.text! {
+        case "Encryption":
+            cell.accessoryView = encryptionBackendSegmentedControl
+            let backend = Defaults.encryptionBackend
+            encryptionBackendSegmentedControl.selectedSegmentIndex = backend == .gpg ? 0 : 1
         case "AboutRepository".localize():
             cell.accessoryType = .disclosureIndicator
         case "HideUnknownFields".localize():
@@ -138,6 +152,16 @@ class GeneralSettingsTableViewController: BasicStaticTableViewController {
         return cell
     }
 
+    @objc
+    func encryptionBackendSwitchAction(_ sender: UISegmentedControl) {
+        if sender.selectedSegmentIndex == 0 {
+            Defaults.encryptionBackend = .gpg
+        } else {
+            Defaults.encryptionBackend = .age
+        }
+        EncryptionManager.shared.uninitKeys()
+    }
+
     private func addDetailButton(to cell: UITableViewCell, for uiSwitch: UISwitch, with action: Selector) {
         let detailButton = UIButton(type: .detailDisclosure)
         uiSwitch.frame = CGRect(

pass/Controllers/AgeKeyArmorImportTableViewController.swift

@@ -197,7 +197,8 @@ class GitRepositorySettingsTableViewController: UITableViewController, PasswordA
                 )
 
                 let gpgIDFile = self.passwordStore.storeURL.appendingPathComponent(".gpg-id").path
-                guard FileManager.default.fileExists(atPath: gpgIDFile) else {
+                let ageRecipientsFile = self.passwordStore.storeURL.appendingPathComponent(".age-recipients").path
+                guard FileManager.default.fileExists(atPath: gpgIDFile) || FileManager.default.fileExists(atPath: ageRecipientsFile) else {
                     self.passwordStore.eraseStoreData()
                     SVProgressHUD.dismiss {
                         DispatchQueue.main.async {