feat(crypto): named-var key loaders (admin/agent) + NewDEK

Replace KeyFromEnv with AgentKeyFromEnv/AdminKeyFromEnv reading EMCLI_KEY and EMCLI_ADMIN_KEY; add NewDEK for envelope encryption. Seal/Open double as DEK wrap/unwrap. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-22 22:47:05 +01:00
parent 77ba5a146f
commit c52f30898b
2 changed files with 52 additions and 20 deletions
@@ -7,28 +7,41 @@ import (
 	"crypto/rand"
 	"encoding/base64"
 	"errors"
 	"fmt"
 	"io"
 	"os"
 )
-var (
+// keyFromEnv reads and validates a base64-encoded 32-byte AES key from the
-	ErrNoKey  = errors.New("EMCLI_KEY is not set")
+// named environment variable. Errors name the variable so callers get a
-	ErrBadKey = errors.New("EMCLI_KEY must be base64 of exactly 32 bytes")
+// role-appropriate message.
-)
+func keyFromEnv(varName string) ([]byte, error) {
-
+	raw := os.Getenv(varName)
 // KeyFromEnv reads and validates the AES-256 key from EMCLI_KEY.
 func KeyFromEnv() ([]byte, error) {
 	raw := os.Getenv("EMCLI_KEY")
 	if raw == "" {
-		return nil, ErrNoKey
+		return nil, fmt.Errorf("%s is not set", varName)
 	}
 	key, err := base64.StdEncoding.DecodeString(raw)
 	if err != nil || len(key) != 32 {
-		return nil, ErrBadKey
+		return nil, fmt.Errorf("%s must be base64 of exactly 32 bytes", varName)
 	}
 	return key, nil
 }
 // AgentKeyFromEnv reads the agent KEK from EMCLI_KEY (agent commands only).
 func AgentKeyFromEnv() ([]byte, error) { return keyFromEnv("EMCLI_KEY") }
 // AdminKeyFromEnv reads the admin KEK from EMCLI_ADMIN_KEY (all commands).
 func AdminKeyFromEnv() ([]byte, error) { return keyFromEnv("EMCLI_ADMIN_KEY") }
 // NewDEK returns a fresh random 32-byte data-encryption key.
 func NewDEK() ([]byte, error) {
 	dek := make([]byte, 32)
 	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
 		return nil, err
 	}
 	return dek, nil
 }
 func newGCM(key []byte) (cipher.AEAD, error) {
 	block, err := aes.NewCipher(key)
 	if err != nil {
@@ -3,6 +3,7 @@ package crypto
 import (
 	"bytes"
 	"encoding/base64"
 	"strings"
 	"testing"
 )
@@ -50,20 +51,38 @@ func TestOpenWrongKeyFails(t *testing.T) {
 	}
 }
-func TestKeyFromEnv(t *testing.T) {
+func TestAgentAndAdminKeyFromEnv(t *testing.T) {
-	t.Setenv("EMCLI_KEY", base64.StdEncoding.EncodeToString(testKey()))
+	good := base64.StdEncoding.EncodeToString(testKey())
-	k, err := KeyFromEnv()
+
-	if err != nil || len(k) != 32 {
+	t.Setenv("EMCLI_KEY", good)
-		t.Fatalf("KeyFromEnv: key=%d err=%v", len(k), err)
+	if k, err := AgentKeyFromEnv(); err != nil || len(k) != 32 {
 		t.Fatalf("AgentKeyFromEnv: key=%d err=%v", len(k), err)
 	}
 	t.Setenv("EMCLI_ADMIN_KEY", good)
 	if k, err := AdminKeyFromEnv(); err != nil || len(k) != 32 {
 		t.Fatalf("AdminKeyFromEnv: key=%d err=%v", len(k), err)
 	}
-	t.Setenv("EMCLI_KEY", "")
+	t.Setenv("EMCLI_ADMIN_KEY", "")
-	if _, err := KeyFromEnv(); err != ErrNoKey {
+	if _, err := AdminKeyFromEnv(); err == nil ||
-		t.Fatalf("empty key: want ErrNoKey, got %v", err)
+		!strings.Contains(err.Error(), "EMCLI_ADMIN_KEY") {
 		t.Fatalf("empty admin key: want EMCLI_ADMIN_KEY error, got %v", err)
 	}
 	t.Setenv("EMCLI_KEY", base64.StdEncoding.EncodeToString([]byte("tooshort")))
-	if _, err := KeyFromEnv(); err != ErrBadKey {
+	if _, err := AgentKeyFromEnv(); err == nil ||
-		t.Fatalf("short key: want ErrBadKey, got %v", err)
+		!strings.Contains(err.Error(), "32 bytes") {
 		t.Fatalf("short key: want length error, got %v", err)
 	}
 }
 func TestNewDEKIsRandom32(t *testing.T) {
 	a, err := NewDEK()
 	if err != nil || len(a) != 32 {
 		t.Fatalf("NewDEK: len=%d err=%v", len(a), err)
 	}
 	b, _ := NewDEK()
 	if bytes.Equal(a, b) {
 		t.Fatal("two DEKs must differ")
 	}
 }