authorSam Anthony <sam@samanthony.xyz>2025-04-18 17:59:55 -0400
committerSam Anthony <sam@samanthony.xyz>2025-04-18 17:59:55 -0400
commit67b550d22eb8cd312d282898d0d22bbe368d6d7a (patch)
tree61e7874cf0ae056968511d7b0db84950c9a490e7
parent247b434074b5ade8d4f05614f94db48f3a699135 (diff)
decrypt and verify on the receiving end
-rw-r--r--key/keyring.go22
-rw-r--r--main.go34
2 files changed, 43 insertions, 13 deletions
diff --git a/key/keyring.go b/key/keyring.go
index 9448460..d287f90 100644
--- a/key/keyring.go
+++ b/key/keyring.go
@@ -6,17 +6,17 @@ import (
"slices"
)
-type keyring struct {
+type Keyring struct {
keyCreator saltpack.EphemeralKeyCreator
boxKeys []BoxKeypair // list of box keypairs sorted by public key.
sigPubKeys []SigPublicKey // sorted list of public verification keys.
}
-func NewKeyring() saltpack.SigncryptKeyring {
- return new(keyring)
+func NewKeyring() *Keyring {
+ return new(Keyring)
}
-func (ring *keyring) ImportBoxKeypair(pair BoxKeypair) {
+func (ring *Keyring) ImportBoxKeypair(pair BoxKeypair) {
i, ok := slices.BinarySearchFunc(ring.boxKeys, pair.Public, cmpBoxKeypairPubKey)
if ok {
return // key already in keyring.
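Review bot: Changing NewKeyring's return type from `saltpack.SigncryptKeyring` to `*Keyring` drops the compile-time proof that Keyring still implements the interface the receiving side passes it to, so a later signature drift in one of the methods would only surface at the call site in main.go. Keep that check explicitly next to the type, `var _ saltpack.SigncryptKeyring = (*Keyring)(nil)`. Now that the type and constructor are exported they also need doc comments, e.g. `// Keyring holds the local box keypairs and the signature verification keys that saltpack consults when opening a signcrypted stream.` and `// NewKeyring returns an empty Keyring.`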
@@ -24,7 +24,7 @@ func (ring *keyring) ImportBoxKeypair(pair BoxKeypair) {
ring.boxKeys = slices.Insert(ring.boxKeys, i, pair)
}
-func (ring *keyring) ImportSigPublicKey(key SigPublicKey) {
+func (ring *Keyring) ImportSigPublicKey(key SigPublicKey) {
i, ok := slices.BinarySearchFunc(ring.sigPubKeys, key, cmpSigPublicKey)
if ok {
return // key already in keyring.
@@ -32,11 +32,11 @@ func (ring *keyring) ImportSigPublicKey(key SigPublicKey) {
ring.sigPubKeys = slices.Insert(ring.sigPubKeys, i, key)
}
-func (ring *keyring) CreateEphemeralKey() (saltpack.BoxSecretKey, error) {
+func (ring *Keyring) CreateEphemeralKey() (saltpack.BoxSecretKey, error) {
return ring.keyCreator.CreateEphemeralKey()
}
-func (ring *keyring) LookupBoxSecretKey(kids [][]byte) (int, saltpack.BoxSecretKey) {
+func (ring *Keyring) LookupBoxSecretKey(kids [][]byte) (int, saltpack.BoxSecretKey) {
for _, kid := range kids {
var pub BoxPublicKey
if len(kid) != len(pub) {
@@ -51,7 +51,7 @@ func (ring *keyring) LookupBoxSecretKey(kids [][]byte) (int, saltpack.BoxSecretK
return -1, nil
}
-func (ring *keyring) LookupBoxPublicKey(kid []byte) saltpack.BoxPublicKey {
+func (ring *Keyring) LookupBoxPublicKey(kid []byte) saltpack.BoxPublicKey {
var pub BoxPublicKey
if len(kid) != len(pub) {
return nil
@@ -64,7 +64,7 @@ func (ring *keyring) LookupBoxPublicKey(kid []byte) saltpack.BoxPublicKey {
return ring.boxKeys[i].Public
}
-func (ring *keyring) GetAllBoxSecretKeys() []saltpack.BoxSecretKey {
+func (ring *Keyring) GetAllBoxSecretKeys() []saltpack.BoxSecretKey {
secrets := make([]saltpack.BoxSecretKey, len(ring.boxKeys))
for i := range ring.boxKeys {
secrets[i] = ring.boxKeys[i]
@@ -72,13 +72,13 @@ func (ring *keyring) GetAllBoxSecretKeys() []saltpack.BoxSecretKey {
return secrets
}
-func (ring *keyring) ImportBoxEphemeralKey(kid []byte) saltpack.BoxPublicKey {
+func (ring *Keyring) ImportBoxEphemeralKey(kid []byte) saltpack.BoxPublicKey {
var pub BoxPublicKey
copy(pub[:], kid)
return pub
}
-func (ring *keyring) LookupSigningPublicKey(kid []byte) saltpack.SigningPublicKey {
+func (ring *Keyring) LookupSigningPublicKey(kid []byte) saltpack.SigningPublicKey {
if len(kid) != len(SigPublicKey{}) {
return nil
}
diff --git a/main.go b/main.go
index f52f60e..148f672 100644
--- a/main.go
+++ b/main.go
@@ -52,6 +52,15 @@ func main() {
// recv pipes data from the remote host to stdout.
func recv() error {
+ // Load private decryption key.
+ keyring := key.NewKeyring()
+ boxKeypair, err := key.LoadBoxKeypair()
+ if err != nil {
+ return err
+ }
+ keyring.ImportBoxKeypair(boxKeypair)
+
+ // Accept connection from remote host.
laddr := net.JoinHostPort("", fmt.Sprintf("%d", port))
ln, err := net.Listen(network, laddr)
if err != nil {
@@ -59,7 +68,6 @@ func recv() error {
}
defer ln.Close()
util.Logf("listening on %s", laddr)
-
conn, err := ln.Accept()
if err != nil {
return err
@@ -67,7 +75,29 @@ func recv() error {
defer conn.Close()
util.Logf("accepted connection from %s", conn.RemoteAddr())
- n, err := io.Copy(os.Stdout, conn)
+ // Load remote host's signature verification key.
+ rhost, _, err := net.SplitHostPort(conn.RemoteAddr().String())
+ if err != nil {
+ return err
+ }
+ raddr, err := netip.ParseAddr(rhost)
+ if err != nil {
+ return err
+ }
+ host, err := hosts.Lookup(raddr)
+ if err != nil {
+ return err
+ }
+ keyring.ImportSigPublicKey(host.SigPublicKey)
+
+ // Decrypt and verify stream.
+ _, plaintext, err := saltpack.NewSigncryptOpenStream(conn, keyring, nil)
+ if err != nil {
+ return err
+ }
+
+ // Read data.
+ n, err := io.Copy(os.Stdout, plaintext)
util.Logf("received %.2f", units.Bytes(n)*units.B)
return err
}
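Review bot: The sender key returned by `saltpack.NewSigncryptOpenStream` is discarded with `_`, so the receiver never confirms that the stream was actually signed by the expected host; saltpack signcryption also supports anonymous senders, in which case this value is nil and no signature check has taken place, so anyone holding the recipient's public box key can produce a stream this code accepts. Bind the result to the key imported from `hosts.Lookup`: `senderPub, plaintext, err := saltpack.NewSigncryptOpenStream(conn, keyring, nil)` followed by `if senderPub == nil { return errors.New("unsigned (anonymous) stream rejected") }` (use `fmt.Errorf` if `errors` is not imported in main.go, which this hunk does not show). Since the keyring holds only `host.SigPublicKey`, a non-nil sender key is already the expected one; comparing it to `host.SigPublicKey` explicitly would make that intent readable. Separately, `util.Logf("received %.2f", ...)` runs even when `io.Copy` returned an error, so a truncated or tampered stream is logged as a successful receive of n bytes; log only when err is nil, or include the error in the message. recv begins outside this hunk.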