age: Add p256tag::Recipient

Author: str4d

Cargo.lock

@@ -28,6 +28,9 @@ chacha20poly1305 = { version = "0.10", default-features = false, features = ["al
 # - X25519 from RFC 7748
 x25519-dalek = { version = "2", features = ["static_secrets"] }
 
+# - P-256
+p256 = { version = "0.13", default-features = false, features = ["arithmetic"] }
+
 # - HKDF from RFC 5869 with SHA-256
 # - HMAC from RFC 2104 with SHA-256
 hkdf = "0.12"
@@ -53,7 +56,7 @@ nom = { version = "7", default-features = false, features = ["alloc"] }
 # Secret management
 pinentry = "0.6"
 secrecy = "0.10"
-subtle = "2"
+subtle = "2.6"
 zeroize = "1"
 
 # Localization

Cargo.toml

@@ -11,6 +11,8 @@ to 1.0.0 are beta releases.
 ## [Unreleased]
 ### Added
 - `age::encrypted::EncryptedIdentity`
+- Support for the new native age recipient types:
+  - `age::p256tag`
 
 ### Changed
 - MSRV is now 1.70.0.

age/CHANGELOG.md

@@ -43,9 +43,12 @@ pinentry = { workspace = true, optional = true }
 # (Breaking upgrades to these are usually backwards-compatible, but check MSRVs.)
 bech32.workspace = true
 cookie-factory.workspace = true
+hkdf.workspace = true
+hpke = { workspace = true, features = ["p256"] }
 i18n-embed-fl.workspace = true
 lazy_static.workspace = true
 nom.workspace = true
+p256.workspace = true
 rust-embed.workspace = true
 scrypt.workspace = true
 sha2.workspace = true

age/Cargo.toml

@@ -2,8 +2,7 @@ use std::io::{self, BufReader};
 
 use super::StdinGuard;
 use super::{identities::parse_identity_files, ReadError};
-use crate::identity::RecipientsAccumulator;
-use crate::{x25519, Recipient};
+use crate::{identity::RecipientsAccumulator, p256tag, x25519, Recipient};
 
 #[cfg(feature = "plugin")]
 use crate::{cli_common::UiCallbacks, plugin};
@@ -57,6 +56,8 @@ fn parse_recipient(
 ) -> Result<(), ReadError> {
     if let Ok(pk) = s.parse::<x25519::Recipient>() {
         recipients.push(Box::new(pk));
+    } else if let Ok(pk) = s.parse::<p256tag::Recipient>() {
+        recipients.push(Box::new(pk));
     } else if let Some(pk) = {
         #[cfg(feature = "ssh")]
         {

age/src/cli_common/recipients.rs

@@ -250,6 +250,7 @@ pub use simple::encrypt_and_armor;
 //
 
 mod native;
+pub use native::p256tag;
 pub use native::scrypt;
 pub use native::x25519;
 

age/src/lib.rs

@@ -1,2 +1,18 @@
+use hkdf::Hkdf;
+use sha2::{Digest, Sha256};
+
+pub mod p256tag;
 pub mod scrypt;
 pub mod x25519;
+
+fn static_tag(pk: &[u8]) -> [u8; 4] {
+    Sha256::digest(pk)[..4]
+        .try_into()
+        .expect("length is correct")
+}
+
+/// Derives a tag for the tagged age recipient formats.
+fn stanza_tag(ikm: &[u8], salt: &str) -> [u8; 4] {
+    let (tag, _) = Hkdf::<Sha256>::extract(Some(salt.as_bytes()), ikm);
+    tag[..4].try_into().expect("correct length")
+}

age/src/native.rs

@@ -0,0 +1,140 @@
+//! The "tag" recipient type, native to age.
+
+use std::collections::HashSet;
+use std::fmt;
+
+use age_core::{
+    format::{FileKey, Stanza},
+    primitives::hpke_seal,
+    secrecy::ExposeSecret,
+};
+use base64::{prelude::BASE64_STANDARD_NO_PAD, Engine};
+use bech32::{ToBase32, Variant};
+use hpke::{Deserializable, Serializable};
+use p256::{
+    elliptic_curve::sec1::{FromEncodedPoint, ToEncodedPoint},
+    EncodedPoint, PublicKey,
+};
+use rand::rngs::OsRng;
+
+use crate::{util::parse_bech32, EncryptError};
+
+const RECIPIENT_PREFIX: &str = "age1tag";
+
+const P256TAG_RECIPIENT_TAG: &str = "p256tag";
+const P256TAG_SALT: &str = "age-encryption.org/p256tag";
+
+type Kem = hpke::kem::DhP256HkdfSha256;
+
+/// The non-hybrid tagged age recipient type, designed for hardware keys where decryption
+/// potentially requires user presence.
+///
+/// With knowledge of the recipient, it is possible to check if a stanza was addressed to
+/// a specific recipient before attempting decryption. This offers less privacy than the
+/// untagged recipient types.
+#[derive(Clone, PartialEq, Eq)]
+pub struct Recipient {
+    /// Compressed encoding of the recipient public key.
+    compressed: EncodedPoint,
+    /// Cached in-memory representation, for HPKE.
+    pk_recip: <Kem as hpke::Kem>::PublicKey,
+}
+
+impl std::str::FromStr for Recipient {
+    type Err = &'static str;
+
+    /// Parses a recipient key from a string.
+    fn from_str(s: &str) -> Result<Self, Self::Err> {
+        let (hrp, bytes) = parse_bech32(s).ok_or("invalid Bech32 encoding")?;
+
+        if hrp != RECIPIENT_PREFIX {
+            return Err("incorrect HRP");
+        }
+
+        let encoded = EncodedPoint::from_bytes(bytes).map_err(|_| "invalid SEC-1 encoding")?;
+        if !encoded.is_compressed() {
+            return Err("not a compressed SEC-1 encoding");
+        }
+
+        let point = PublicKey::from_encoded_point(&encoded)
+            .into_option()
+            .ok_or("invalid P-256 point")?;
+
+        let pk_recip =
+            <Kem as hpke::Kem>::PublicKey::from_bytes(point.to_encoded_point(false).as_bytes())
+                .expect("valid");
+
+        Ok(Self {
+            compressed: encoded,
+            pk_recip,
+        })
+    }
+}
+
+impl fmt::Display for Recipient {
+    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+        write!(
+            f,
+            "{}",
+            bech32::encode(
+                RECIPIENT_PREFIX,
+                self.compressed.as_bytes().to_base32(),
+                Variant::Bech32
+            )
+            .expect("HRP is valid")
+        )
+    }
+}
+
+impl fmt::Debug for Recipient {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        write!(f, "{}", self)
+    }
+}
+
+impl crate::Recipient for Recipient {
+    fn wrap_file_key(
+        &self,
+        file_key: &FileKey,
+    ) -> Result<(Vec<Stanza>, HashSet<String>), EncryptError> {
+        let (enc, ct) = hpke_seal::<Kem, _>(
+            &self.pk_recip,
+            P256TAG_SALT.as_bytes(),
+            file_key.expose_secret(),
+            &mut OsRng,
+        );
+
+        let ikm = enc
+            .to_bytes()
+            .into_iter()
+            .chain(super::static_tag(self.compressed.as_bytes()))
+            .collect::<Vec<u8>>();
+        let tag = super::stanza_tag(&ikm, P256TAG_SALT);
+
+        let encoded_tag = BASE64_STANDARD_NO_PAD.encode(tag);
+        let encoded_enc = BASE64_STANDARD_NO_PAD.encode(enc.to_bytes());
+
+        Ok((
+            vec![Stanza {
+                tag: P256TAG_RECIPIENT_TAG.to_owned(),
+                args: vec![encoded_tag, encoded_enc],
+                body: ct,
+            }],
+            HashSet::new(),
+        ))
+    }
+}
+
+#[cfg(test)]
+pub(crate) mod tests {
+    use super::Recipient;
+
+    pub(crate) const TEST_RECIPIENT: &str =
+        "age1tag1qt8lw0ual6avlwmwatk888yqnmdamm7xfd0wak53ut6elz5c4swx2yqdj4e";
+
+    #[test]
+    fn recipient_encoding() {
+        let recipient: Recipient = TEST_RECIPIENT.parse().unwrap();
+        assert_eq!(recipient.to_string(), TEST_RECIPIENT);
+    }
+}

age/src/native/p256tag.rs

@@ -9,6 +9,9 @@ and this project adheres to Rust's notion of
 to 1.0.0 are beta releases.
 
 ## [Unreleased]
+### Added
+- Support for the new native age recipient types:
+  - `age1tag1..`
 
 ### Changed
 - MSRV is now 1.70.0.