Implement Armored Ciphertext (#116)

Author: nnathan

Cargo.toml

@@ -18,7 +18,7 @@ crate-type = ["cdylib"]
 
 [dependencies]
 age-core = "0.11"
-age = { version = "0.11.1", features = ["ssh", "plugin"] }
+age = { version = "0.11.1", features = ["ssh", "plugin", "armor"] }
 pyo3 = { version = "0.24.2", features = [
     "extension-module",
     "abi3",

dev-requirements.txt

@@ -2,3 +2,4 @@ build
 wheel
 twine
 maturin
+parameterized

pyrage-stubs/pyrage/__init__.pyi

@@ -42,9 +42,9 @@ class DecryptError(Exception):
     ...
 
 
-def encrypt(plaintext: bytes, recipients: Sequence[_Recipient]) -> bytes: ...
-def encrypt_file(infile: str, outfile: str, recipients: Sequence[_Recipient]) -> None: ...
-def encrypt_io(in_io: BufferedIOBase, out_io: BufferedIOBase, recipients: Sequence[_Recipient]) -> bytes: ...
+def encrypt(plaintext: bytes, recipients: Sequence[_Recipient], armored: bool) -> bytes: ...
+def encrypt_file(infile: str, outfile: str, recipients: Sequence[_Recipient], armored: bool) -> None: ...
+def encrypt_io(in_io: BufferedIOBase, out_io: BufferedIOBase, recipients: Sequence[_Recipient], armored: bool) -> bytes: ...
 
 def decrypt(ciphertext: bytes, identities: Sequence[_Identity]) -> bytes: ...
 def decrypt_file(infile: str, outfile: str, identities: Sequence[_Identity]) -> None: ...

pyrage-stubs/pyrage/passphrase.pyi

@@ -1,6 +1,2 @@
-def encrypt(plaintext: bytes, passphrase: str) -> bytes:
-    ...
-
-
-def decrypt(ciphertext: bytes, passphrase: str) -> bytes:
-    ...
+def encrypt(plaintext: bytes, passphrase: str, armored: bool = False) -> bytes: ...
+def decrypt(ciphertext: bytes, passphrase: str, armored: bool = False) -> bytes: ...

src/lib.rs

@@ -5,8 +5,8 @@ use std::io::Write;
 use std::{fs::File, io::Read};
 
 use age::{
-    DecryptError as RageDecryptError, EncryptError as RageEncryptError, Encryptor, Identity,
-    Recipient,
+    armor::ArmoredReader, armor::ArmoredWriter, armor::Format, DecryptError as RageDecryptError,
+    EncryptError as RageEncryptError, Encryptor, Identity, Recipient,
 };
 use age_core::format::{FileKey, Stanza};
 use pyo3::{
@@ -136,10 +136,12 @@ impl<'source> FromPyObject<'source> for Box<dyn PyrageIdentity> {
 create_exception!(pyrage, EncryptError, PyException);
 
 #[pyfunction]
+#[pyo3(signature = (plaintext, recipients, armored=false))]
 fn encrypt<'p>(
     py: Python<'p>,
     plaintext: &[u8],
     recipients: Vec<Box<dyn PyrageRecipient>>,
+    armored: bool,
 ) -> PyResult<Bound<'p, PyBytes>> {
     // This turns each `dyn PyrageRecipient` into a `dyn Recipient`, which
     // is what the underlying `age` API expects.
@@ -151,13 +153,25 @@ fn encrypt<'p>(
     let encryptor = Encryptor::with_recipients(recipients.iter().map(|r| r.as_ref()))
         .map_err(|_| EncryptError::new_err("expected at least one recipient"))?;
     let mut encrypted = vec![];
-    let mut writer = encryptor
-        .wrap_output(&mut encrypted)
-        .map_err(|e| EncryptError::new_err(e.to_string()))?;
+
+    let mut writer = match armored {
+        true => encryptor
+            .wrap_output(ArmoredWriter::wrap_output(
+                &mut encrypted,
+                Format::AsciiArmor,
+            )?)
+            .map_err(|e| EncryptError::new_err(e.to_string()))?,
+        false => encryptor
+            .wrap_output(ArmoredWriter::wrap_output(&mut encrypted, Format::Binary)?)
+            .map_err(|e| EncryptError::new_err(e.to_string()))?,
+    };
+
     writer
         .write_all(plaintext)
         .map_err(|e| EncryptError::new_err(e.to_string()))?;
     writer
+        .finish()
+        .map_err(|e| EncryptError::new_err(e.to_string()))?
         .finish()
         .map_err(|e| EncryptError::new_err(e.to_string()))?;
 
@@ -166,10 +180,12 @@ fn encrypt<'p>(
 }
 
 #[pyfunction]
+#[pyo3(signature = (infile, outfile, recipients, armored=false))]
 fn encrypt_file(
     infile: String,
     outfile: String,
     recipients: Vec<Box<dyn PyrageRecipient>>,
+    armored: bool,
 ) -> PyResult<()> {
     // This turns each `dyn PyrageRecipient` into a `dyn Recipient`, which
     // is what the underlying `age` API expects.
@@ -186,13 +202,21 @@ fn encrypt_file(
 
     let encryptor = Encryptor::with_recipients(recipients.iter().map(|r| r.as_ref()))
         .map_err(|_| EncryptError::new_err("expected at least one recipient"))?;
-    let mut writer = encryptor
-        .wrap_output(&mut writer)
-        .map_err(|e| EncryptError::new_err(e.to_string()))?;
+
+    let mut writer = match armored {
+        true => encryptor
+            .wrap_output(ArmoredWriter::wrap_output(&mut writer, Format::AsciiArmor)?)
+            .map_err(|e| EncryptError::new_err(e.to_string()))?,
+        false => encryptor
+            .wrap_output(ArmoredWriter::wrap_output(&mut writer, Format::Binary)?)
+            .map_err(|e| EncryptError::new_err(e.to_string()))?,
+    };
 
     std::io::copy(&mut reader, &mut writer).map_err(|e| EncryptError::new_err(e.to_string()))?;
 
     writer
+        .finish()
+        .map_err(|e| EncryptError::new_err(e.to_string()))?
         .finish()
         .map_err(|e| EncryptError::new_err(e.to_string()))?;
 
@@ -209,8 +233,8 @@ fn decrypt<'p>(
 ) -> PyResult<Bound<'p, PyBytes>> {
     let identities = identities.iter().map(|pi| pi.as_ref().as_identity());
 
-    let decryptor =
-        age::Decryptor::new(ciphertext).map_err(|e| DecryptError::new_err(e.to_string()))?;
+    let decryptor = age::Decryptor::new(ArmoredReader::new(ciphertext))
+        .map_err(|e| DecryptError::new_err(e.to_string()))?;
 
     let mut decrypted = vec![];
     let mut reader = decryptor
@@ -238,8 +262,8 @@ fn decrypt_file(
     let reader = std::io::BufReader::new(reader);
     let mut writer = std::io::BufWriter::new(writer);
 
-    let decryptor =
-        age::Decryptor::new_buffered(reader).map_err(|e| DecryptError::new_err(e.to_string()))?;
+    let decryptor = age::Decryptor::new_buffered(ArmoredReader::new(reader))
+        .map_err(|e| DecryptError::new_err(e.to_string()))?;
 
     let mut reader = decryptor
         .decrypt(identities)
@@ -256,10 +280,12 @@ fn from_pyobject(file: PyObject, read_only: bool) -> PyResult<PyFileLikeObject>
 }
 
 #[pyfunction]
+#[pyo3(signature = (reader, writer, recipients, armored=false))]
 fn encrypt_io(
     reader: PyObject,
     writer: PyObject,
     recipients: Vec<Box<dyn PyrageRecipient>>,
+    armored: bool,
 ) -> PyResult<()> {
     // This turns each `dyn PyrageRecipient` into a `dyn Recipient`, which
     // is what the underlying `age` API expects.
@@ -271,15 +297,27 @@ fn encrypt_io(
     let writer = from_pyobject(writer, false)?;
     let mut reader = std::io::BufReader::new(reader);
     let mut writer = std::io::BufWriter::new(writer);
+
     let encryptor = Encryptor::with_recipients(recipients.iter().map(|r| r.as_ref()))
         .map_err(|_| EncryptError::new_err("expected at least one recipient"))?;
-    let mut writer = encryptor
-        .wrap_output(&mut writer)
-        .map_err(|e| EncryptError::new_err(e.to_string()))?;
+
+    let mut writer = match armored {
+        true => encryptor
+            .wrap_output(ArmoredWriter::wrap_output(&mut writer, Format::AsciiArmor)?)
+            .map_err(|e| EncryptError::new_err(e.to_string()))?,
+        false => encryptor
+            .wrap_output(ArmoredWriter::wrap_output(&mut writer, Format::Binary)?)
+            .map_err(|e| EncryptError::new_err(e.to_string()))?,
+    };
+
     std::io::copy(&mut reader, &mut writer).map_err(|e| EncryptError::new_err(e.to_string()))?;
+
     writer
+        .finish()
+        .map_err(|e| EncryptError::new_err(e.to_string()))?
         .finish()
         .map_err(|e| EncryptError::new_err(e.to_string()))?;
+
     Ok(())
 }
 
@@ -294,8 +332,8 @@ fn decrypt_io(
     let writer = from_pyobject(writer, false)?;
     let reader = std::io::BufReader::new(reader);
     let mut writer = std::io::BufWriter::new(writer);
-    let decryptor =
-        age::Decryptor::new_buffered(reader).map_err(|e| DecryptError::new_err(e.to_string()))?;
+    let decryptor = age::Decryptor::new_buffered(ArmoredReader::new(reader))
+        .map_err(|e| DecryptError::new_err(e.to_string()))?;
     let mut reader = decryptor
         .decrypt(identities)
         .map_err(|e| DecryptError::new_err(e.to_string()))?;

src/passphrase.rs

@@ -3,22 +3,44 @@ use std::{
     iter,
 };
 
-use age::{scrypt, Decryptor, Encryptor};
+use age::{
+    armor::ArmoredReader, armor::ArmoredWriter, armor::Format, scrypt, Decryptor, Encryptor,
+};
 use pyo3::{prelude::*, types::PyBytes};
 
 use crate::{DecryptError, EncryptError};
 
 #[pyfunction]
-fn encrypt<'p>(py: Python<'p>, plaintext: &[u8], passphrase: &str) -> PyResult<Bound<'p, PyBytes>> {
+#[pyo3(signature = (plaintext, passphrase, armored=false))]
+fn encrypt<'p>(
+    py: Python<'p>,
+    plaintext: &[u8],
+    passphrase: &str,
+    armored: bool,
+) -> PyResult<Bound<'p, PyBytes>> {
     let encryptor = Encryptor::with_user_passphrase(passphrase.into());
     let mut encrypted = vec![];
-    let mut writer = encryptor
-        .wrap_output(&mut encrypted)
-        .map_err(|e| EncryptError::new_err(e.to_string()))?;
+
+    let writer_result = match armored {
+        true => encryptor.wrap_output(
+            ArmoredWriter::wrap_output(&mut encrypted, Format::AsciiArmor)
+                .map_err(|e| EncryptError::new_err(e.to_string()))?,
+        ),
+        false => encryptor.wrap_output(
+            ArmoredWriter::wrap_output(&mut encrypted, Format::Binary)
+                .map_err(|e| EncryptError::new_err(e.to_string()))?,
+        ),
+    };
+
+    let mut writer = writer_result.map_err(|e| EncryptError::new_err(e.to_string()))?;
+
     writer
         .write_all(plaintext)
         .map_err(|e| EncryptError::new_err(e.to_string()))?;
+
     writer
+        .finish()
+        .map_err(|e| EncryptError::new_err(e.to_string()))?
         .finish()
         .map_err(|e| EncryptError::new_err(e.to_string()))?;
 
@@ -31,7 +53,8 @@ fn decrypt<'p>(
     ciphertext: &[u8],
     passphrase: &str,
 ) -> PyResult<Bound<'p, PyBytes>> {
-    let decryptor = Decryptor::new(ciphertext).map_err(|e| DecryptError::new_err(e.to_string()))?;
+    let decryptor = Decryptor::new_buffered(ArmoredReader::new(ciphertext))
+        .map_err(|e| DecryptError::new_err(e.to_string()))?;
     let mut decrypted = vec![];
     let mut reader = decryptor
         .decrypt(iter::once(&scrypt::Identity::new(passphrase.into()) as _))

test/test_passphrase.py

@@ -1,12 +1,15 @@
 import unittest
 
+from parameterized import parameterized
+
 from pyrage import passphrase
 
 
 class TestPassphrase(unittest.TestCase):
-    def test_roundtrip(self):
+    @parameterized.expand([(False,), (True,)])
+    def test_roundtrip(self, armored):
         plaintext = b"junk"
-        encrypted = passphrase.encrypt(plaintext, "some password")
+        encrypted = passphrase.encrypt(plaintext, "some password", armored=armored)
         decrypted = passphrase.decrypt(encrypted, "some password")
 
         self.assertEqual(plaintext, decrypted)