claw/flaskpaste
1
0
Fork 1
forked from username/flaskpaste
Code Pull Requests Activity

fpaste: add E2E encryption support

Browse Source 
-e/--encrypt flag encrypts content with AES-256-GCM before upload.
Key is appended to URL fragment (#...), never sent to server.
Auto-detects key fragment on retrieval and decrypts locally.
This commit is contained in:
Username
2025-12-20 06:51:35 +01:00
parent 964698428c
commit 9ccd4225dd
1 changed files with 88 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

93
fpaste
View File

@@ -2,6 +2,7 @@
"""FlaskPaste command-line client."""
import argparse
import base64
import hashlib
import json
import os
@@ -10,6 +11,14 @@ import urllib.error
import urllib.request
from pathlib import Path
# Optional encryption support
try:
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
HAS_CRYPTO = True
except ImportError:
HAS_CRYPTO = False
def get_config():
"""Load configuration from environment or config file."""
@@ -55,6 +64,48 @@ def die(msg, code=1):
sys.exit(code)
def encrypt_content(plaintext):
"""Encrypt content with AES-256-GCM. Returns (ciphertext, key)."""
if not HAS_CRYPTO:
die("encryption requires 'cryptography' package: pip install cryptography")
key = os.urandom(32)
nonce = os.urandom(12) # 96-bit nonce for GCM
aesgcm = AESGCM(key)
ciphertext = aesgcm.encrypt(nonce, plaintext, None)
return nonce + ciphertext, key
def decrypt_content(blob, key):
"""Decrypt AES-256-GCM encrypted content."""
if not HAS_CRYPTO:
die("decryption requires 'cryptography' package: pip install cryptography")
if len(blob) < 12:
die("encrypted content too short")
nonce, ciphertext = blob[:12], blob[12:]
aesgcm = AESGCM(key)
try:
return aesgcm.decrypt(nonce, ciphertext, None)
except Exception:
die("decryption failed (wrong key or corrupted data)")
def encode_key(key):
"""Encode key as URL-safe base64."""
return base64.urlsafe_b64encode(key).decode().rstrip("=")
def decode_key(encoded):
"""Decode URL-safe base64 key."""
# Add padding if needed
padding = 4 - (len(encoded) % 4)
if padding != 4:
encoded += "=" * padding
try:
return base64.urlsafe_b64decode(encoded)
except Exception:
die("invalid encryption key in URL")
def solve_pow(nonce, difficulty):
"""Solve proof-of-work challenge.
@@ -122,6 +173,15 @@ def cmd_create(args, config):
if not content:
die("empty content")
# Encrypt content if requested
encryption_key = None
if args.encrypt:
if not args.quiet:
print("encrypting...", end="", file=sys.stderr)
content, encryption_key = encrypt_content(content)
if not args.quiet:
print(" done", file=sys.stderr)
headers = {}
if config["cert_sha1"]:
headers["X-SSL-Client-SHA1"] = config["cert_sha1"]
@@ -133,7 +193,7 @@ def cmd_create(args, config):
print(f"solving pow (difficulty={challenge['difficulty']})...", end="", file=sys.stderr)
solution = solve_pow(challenge["nonce"], challenge["difficulty"])
if not args.quiet:
print(f" done", file=sys.stderr)
print(" done", file=sys.stderr)
headers["X-PoW-Token"] = challenge["token"]
headers["X-PoW-Solution"] = str(solution)
@@ -142,12 +202,17 @@ def cmd_create(args, config):
if status == 201:
data = json.loads(body)
# Append encryption key to URL fragment if encrypted
key_fragment = ""
if encryption_key:
key_fragment = "#" + encode_key(encryption_key)
if args.raw:
print(config["server"].rstrip("/") + data["raw"])
print(config["server"].rstrip("/") + data["raw"] + key_fragment)
elif args.quiet:
print(data["id"])
print(data["id"] + key_fragment)
else:
print(config["server"].rstrip("/") + data["url"])
print(config["server"].rstrip("/") + data["url"] + key_fragment)
else:
try:
err = json.loads(body).get("error", body.decode())
@@ -158,7 +223,17 @@ def cmd_create(args, config):
def cmd_get(args, config):
"""Retrieve a paste."""
paste_id = args.id.split("/")[-1] # Handle full URLs
# Parse URL for paste ID and optional encryption key fragment
url_input = args.id
encryption_key = None
# Extract key from URL fragment (#...)
if "#" in url_input:
url_input, key_encoded = url_input.rsplit("#", 1)
if key_encoded:
encryption_key = decode_key(key_encoded)
paste_id = url_input.split("/")[-1] # Handle full URLs
base = config["server"].rstrip("/")
if args.meta:
@@ -170,12 +245,18 @@ def cmd_get(args, config):
print(f"mime_type: {data['mime_type']}")
print(f"size: {data['size']}")
print(f"created_at: {data['created_at']}")
if encryption_key:
print(f"encrypted: yes (key in URL)")
else:
die(f"not found: {paste_id}")
else:
url = f"{base}/{paste_id}/raw"
status, body, headers = request(url)
if status == 200:
# Decrypt if encryption key was provided
if encryption_key:
body = decrypt_content(body, encryption_key)
if args.output:
Path(args.output).write_bytes(body)
print(f"saved: {args.output}", file=sys.stderr)
@@ -241,6 +322,7 @@ def main():
# create
p_create = subparsers.add_parser("create", aliases=["c", "new"], help="create paste")
p_create.add_argument("file", nargs="?", help="file to upload (- for stdin)")
p_create.add_argument("-e", "--encrypt", action="store_true", help="encrypt content (E2E)")
p_create.add_argument("-r", "--raw", action="store_true", help="output raw URL")
p_create.add_argument("-q", "--quiet", action="store_true", help="output ID only")
@@ -268,6 +350,7 @@ def main():
if not sys.stdin.isatty():
args.command = "create"
args.file = None
args.encrypt = False
args.raw = False
args.quiet = False
else: