keyring -> keyer, fix misunderstanding with NIP-59 and adjust api.

2024-09-11 11:43:49 -03:00
parent 9addd57db7
commit 5e2e0bf458
7 changed files with 74 additions and 73 deletions
--- a/keyer/bunker.go
+++ b/keyer/bunker.go
@@ -0,0 +1,39 @@
+package keyer
+
+import (
+	"context"
+	"time"
+
+	"github.com/nbd-wtf/go-nostr"
+	"github.com/nbd-wtf/go-nostr/nip46"
+)
+
+// BunkerSigner is a signer that asks a bunker using NIP-46 every time it needs to do an operation.
+type BunkerSigner struct {
+	bunker *nip46.BunkerClient
+}
+
+func NewBunkerSignerFromBunkerClient(bc *nip46.BunkerClient) BunkerSigner {
+	return BunkerSigner{bc}
+}
+
+func (bs BunkerSigner) GetPublicKey(ctx context.Context) string {
+	ctx, cancel := context.WithTimeout(ctx, time.Second*30)
+	defer cancel()
+	pk, _ := bs.bunker.GetPublicKey(ctx)
+	return pk
+}
+
+func (bs BunkerSigner) SignEvent(ctx context.Context, evt *nostr.Event) error {
+	ctx, cancel := context.WithTimeout(ctx, time.Second*30)
+	defer cancel()
+	return bs.bunker.SignEvent(ctx, evt)
+}
+
+func (bs BunkerSigner) Encrypt(ctx context.Context, plaintext string, recipient string) (string, error) {
+	return bs.bunker.NIP44Encrypt(ctx, recipient, plaintext)
+}
+
+func (bs BunkerSigner) Decrypt(ctx context.Context, base64ciphertext string, sender string) (plaintext string, err error) {
+	return bs.bunker.NIP44Encrypt(ctx, sender, base64ciphertext)
+}
--- a/keyer/encrypted.go
+++ b/keyer/encrypted.go
@@ -0,0 +1,67 @@
+package keyer
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/nbd-wtf/go-nostr"
+	"github.com/nbd-wtf/go-nostr/nip44"
+	"github.com/nbd-wtf/go-nostr/nip49"
+)
+
+// EncryptedKeySigner is a signer that must always ask the user for a password before every operation.
+type EncryptedKeySigner struct {
+	ncryptsec string
+	pk        string
+	callback  func(context.Context) string
+}
+
+func (es *EncryptedKeySigner) GetPublicKey(ctx context.Context) string {
+	if es.pk != "" {
+		return es.pk
+	}
+	password := es.callback(ctx)
+	key, err := nip49.Decrypt(es.ncryptsec, password)
+	if err != nil {
+		return ""
+	}
+	pk, _ := nostr.GetPublicKey(key)
+	es.pk = pk
+	return pk
+}
+
+func (es *EncryptedKeySigner) SignEvent(ctx context.Context, evt *nostr.Event) error {
+	password := es.callback(ctx)
+	sk, err := nip49.Decrypt(es.ncryptsec, password)
+	if err != nil {
+		return fmt.Errorf("invalid password: %w", err)
+	}
+	es.pk = evt.PubKey
+	return evt.Sign(sk)
+}
+
+func (es EncryptedKeySigner) Encrypt(ctx context.Context, plaintext string, recipient string) (c64 string, err error) {
+	password := es.callback(ctx)
+	sk, err := nip49.Decrypt(es.ncryptsec, password)
+	if err != nil {
+		return "", fmt.Errorf("invalid password: %w", err)
+	}
+	ck, err := nip44.GenerateConversationKey(recipient, sk)
+	if err != nil {
+		return "", err
+	}
+	return nip44.Encrypt(plaintext, ck)
+}
+
+func (es EncryptedKeySigner) Decrypt(ctx context.Context, base64ciphertext string, sender string) (plaintext string, err error) {
+	password := es.callback(ctx)
+	sk, err := nip49.Decrypt(es.ncryptsec, password)
+	if err != nil {
+		return "", fmt.Errorf("invalid password: %w", err)
+	}
+	ck, err := nip44.GenerateConversationKey(sender, sk)
+	if err != nil {
+		return "", err
+	}
+	return nip44.Encrypt(plaintext, ck)
+}
--- a/keyer/lib.go
+++ b/keyer/lib.go
@@ -0,0 +1,90 @@
+package keyer
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/nbd-wtf/go-nostr"
+	"github.com/nbd-wtf/go-nostr/nip05"
+	"github.com/nbd-wtf/go-nostr/nip19"
+	"github.com/nbd-wtf/go-nostr/nip46"
+	"github.com/nbd-wtf/go-nostr/nip49"
+)
+
+type Keyer interface {
+	Signer
+	Cipher
+}
+
+// A Signer provides basic public key signing methods.
+type Signer interface {
+	GetPublicKey(context.Context) string
+	SignEvent(context.Context, *nostr.Event) error
+}
+
+// A Cipher provides NIP-44 encryption and decryption methods.
+type Cipher interface {
+	Encrypt(ctx context.Context, plaintext string, recipientPublicKey string) (base64ciphertext string, err error)
+	Decrypt(ctx context.Context, base64ciphertext string, senderPublicKey string) (plaintext string, err error)
+}
+
+type SignerOptions struct {
+	BunkerClientSecretKey string
+	BunkerSignTimeout     time.Duration
+	BunkerAuthHandler     func(string)
+
+	// if a PasswordHandler is provided the key will be stored encrypted and this function will be called
+	// every time an operation needs access to the key so the user can be prompted.
+	PasswordHandler func(context.Context) string
+
+	// if instead a Password is provided along with a ncryptsec, then the key will be decrypted and stored in plaintext.
+	Password string
+}
+
+func New(ctx context.Context, pool *nostr.SimplePool, input string, opts *SignerOptions) (Keyer, error) {
+	if opts == nil {
+		opts = &SignerOptions{}
+	}
+
+	if strings.HasPrefix(input, "ncryptsec") {
+		if opts.PasswordHandler != nil {
+			return &EncryptedKeySigner{input, "", opts.PasswordHandler}, nil
+		}
+		sec, err := nip49.Decrypt(input, opts.Password)
+		if err != nil {
+			if opts.Password == "" {
+				return nil, fmt.Errorf("failed to decrypt with blank password: %w", err)
+			}
+			return nil, fmt.Errorf("failed to decrypt with given password: %w", err)
+		}
+		pk, _ := nostr.GetPublicKey(sec)
+		return KeySigner{sec, pk, make(map[string][32]byte)}, nil
+	} else if nip46.IsValidBunkerURL(input) || nip05.IsValidIdentifier(input) {
+		bcsk := nostr.GeneratePrivateKey()
+		oa := func(url string) { println("auth_url received but not handled") }
+
+		if opts.BunkerClientSecretKey != "" {
+			bcsk = opts.BunkerClientSecretKey
+		}
+		if opts.BunkerAuthHandler != nil {
+			oa = opts.BunkerAuthHandler
+		}
+
+		bunker, err := nip46.ConnectBunker(ctx, bcsk, input, pool, oa)
+		if err != nil {
+			return nil, err
+		}
+		return BunkerSigner{bunker}, nil
+	} else if prefix, parsed, err := nip19.Decode(input); err == nil && prefix == "nsec" {
+		sec := parsed.(string)
+		pk, _ := nostr.GetPublicKey(sec)
+		return KeySigner{sec, pk, make(map[string][32]byte)}, nil
+	} else if nostr.IsValid32ByteHex(input) {
+		pk, _ := nostr.GetPublicKey(input)
+		return KeySigner{input, pk, make(map[string][32]byte)}, nil
+	}
+
+	return nil, fmt.Errorf("unsupported input '%s'", input)
+}
--- a/keyer/manual.go
+++ b/keyer/manual.go
@@ -0,0 +1,33 @@
+package keyer
+
+import (
+	"context"
+
+	"github.com/nbd-wtf/go-nostr"
+)
+
+// ManualSigner is a signer that doesn't really do anything, it just calls the functions given to it.
+// It can be used when an app for some reason wants to ask the user to manually provide a signed event
+// by copy-and-paste, for example.
+type ManualSigner struct {
+	ManualGetPublicKey func(context.Context) string
+	ManualSignEvent    func(context.Context, *nostr.Event) error
+	ManualEncrypt      func(ctx context.Context, plaintext string, recipientPublicKey string) (base64ciphertext string, err error)
+	ManualDecrypt      func(ctx context.Context, base64ciphertext string, senderPublicKey string) (plaintext string, err error)
+}
+
+func (ms ManualSigner) SignEvent(ctx context.Context, evt *nostr.Event) error {
+	return ms.ManualSignEvent(ctx, evt)
+}
+
+func (ms ManualSigner) GetPublicKey(ctx context.Context) string {
+	return ms.ManualGetPublicKey(ctx)
+}
+
+func (ms ManualSigner) Encrypt(ctx context.Context, plaintext string, recipient string) (c64 string, err error) {
+	return ms.ManualEncrypt(ctx, plaintext, recipient)
+}
+
+func (ms ManualSigner) Decrypt(ctx context.Context, base64ciphertext string, sender string) (plaintext string, err error) {
+	return ms.ManualDecrypt(ctx, base64ciphertext, sender)
+}
--- a/keyer/plain.go
+++ b/keyer/plain.go
@@ -0,0 +1,44 @@
+package keyer
+
+import (
+	"context"
+
+	"github.com/nbd-wtf/go-nostr"
+	"github.com/nbd-wtf/go-nostr/nip44"
+)
+
+// Keysigner is a signer that holds the private key in memory and can do all the operations instantly and easily.
+type KeySigner struct {
+	sk string
+	pk string
+
+	conversationKeys map[string][32]byte
+}
+
+func (ks KeySigner) SignEvent(ctx context.Context, evt *nostr.Event) error { return evt.Sign(ks.sk) }
+func (ks KeySigner) GetPublicKey(ctx context.Context) string               { return ks.pk }
+
+func (ks KeySigner) Encrypt(ctx context.Context, plaintext string, recipient string) (c64 string, err error) {
+	ck, ok := ks.conversationKeys[recipient]
+	if !ok {
+		ck, err = nip44.GenerateConversationKey(recipient, ks.sk)
+		if err != nil {
+			return "", err
+		}
+		ks.conversationKeys[recipient] = ck
+	}
+	return nip44.Encrypt(plaintext, ck)
+}
+
+func (ks KeySigner) Decrypt(ctx context.Context, base64ciphertext string, sender string) (plaintext string, err error) {
+	ck, ok := ks.conversationKeys[sender]
+	if !ok {
+		var err error
+		ck, err = nip44.GenerateConversationKey(sender, ks.sk)
+		if err != nil {
+			return "", err
+		}
+		ks.conversationKeys[sender] = ck
+	}
+	return nip44.Encrypt(plaintext, ck)
+}