Return an error if we try to sign with an encrypted key

Fixes #3

Author: jedisct1

src/errors.rs

@@ -21,6 +21,7 @@ pub enum ErrorKind {
     KDF,
     RNG,
     Encoding,
+    EncryptedKey,
 }
 
 /// Error structure for the `minisign` crate.
@@ -45,6 +46,11 @@ impl PError {
             err: err.into(),
         }
     }
+
+    /// Get the kind of error.
+    pub fn kind(&self) -> &ErrorKind {
+        &self.kind
+    }
 }
 
 impl fmt::Display for PError {
@@ -59,6 +65,7 @@ impl fmt::Display for PError {
             ErrorKind::KDF => write!(f, "{}", self.err),
             ErrorKind::RNG => write!(f, "{}", self.err),
             ErrorKind::Encoding => write!(f, "{}", self.err),
+            ErrorKind::EncryptedKey => write!(f, "{}", self.err),
         }
     }
 }
@@ -74,6 +81,7 @@ impl StdError for PError {
             ErrorKind::KDF => "key derivation error",
             ErrorKind::RNG => "random number generator error",
             ErrorKind::Encoding => "encoding error",
+            ErrorKind::EncryptedKey => "encrypted key error",
         }
     }
 }

src/lib.rs

@@ -76,6 +76,12 @@ pub fn sign<R>(
 where
     R: Read,
 {
+    if sk.is_encrypted() {
+        return Err(PError::new(
+            ErrorKind::EncryptedKey,
+            "Cannot sign with an encrypted secret key. The key must be decrypted first. Options include: SecretKeyBox::into_secret_key(password), SecretKey::from_box(box, password), SecretKey::from_file(path, password), or use KeyPair::generate_unencrypted_keypair() for passwordless keys.",
+        ));
+    }
     let data = prehash(&mut data_reader)?;
     let trusted_comment = match trusted_comment {
         Some(trusted_comment) => trusted_comment.to_string(),

src/secret_key.rs

@@ -145,6 +145,25 @@ impl SecretKey {
         &self.keynum_sk.keynum[..]
     }
 
+    /// Returns `true` if this secret key is encrypted and requires a password to use.
+    /// This checks both the encryption algorithm and whether the key material has been properly decrypted.
+    pub fn is_encrypted(&self) -> bool {
+        if self.kdf_alg == KDF_NONE {
+            return false;
+        }
+
+        // For encrypted keys, verify that the key material is valid by checking the checksum
+        // If the checksum doesn't match, the key is still encrypted
+        match self.read_checksum() {
+            Ok(checksum_vec) => {
+                let mut expected_chk = [0u8; CHK_BYTES];
+                expected_chk.copy_from_slice(&checksum_vec[..]);
+                expected_chk != self.keynum_sk.chk
+            }
+            Err(_) => true, // If we can't read checksum, assume encrypted
+        }
+    }
+
     /// Deserialize a `SecretKey`.
     ///
     /// For storage, a `SecretKeyBox` is usually what you need instead.

src/tests.rs

@@ -95,6 +95,71 @@ fn signature() {
     assert!(verify(&pk, &signature_box, Cursor::new(data), true, false, false).is_err());
 }
 
+#[test]
+fn encrypted_key_signing_fails() {
+    use std::io::Cursor;
+
+    use crate::{sign, ErrorKind, KeyPair};
+
+    let KeyPair { sk, .. } =
+        KeyPair::generate_encrypted_keypair(Some("password".to_string())).unwrap();
+    let data = b"test";
+    let result = sign(None, &sk, Cursor::new(data), None, None);
+
+    assert!(result.is_err());
+    if let Err(err) = result {
+        // Check that we get the specific EncryptedKey error
+        match err.kind() {
+            ErrorKind::EncryptedKey => {
+                // This is expected - we should get an EncryptedKey error
+            }
+            _ => panic!("Expected EncryptedKey error, got: {:?}", err.kind()),
+        }
+    }
+}
+
+#[test]
+fn is_encrypted_detection() {
+    use crate::KeyPair;
+
+    let KeyPair {
+        sk: unencrypted_sk, ..
+    } = KeyPair::generate_unencrypted_keypair().unwrap();
+    assert!(!unencrypted_sk.is_encrypted());
+
+    let KeyPair {
+        sk: encrypted_sk, ..
+    } = KeyPair::generate_encrypted_keypair(Some("password".to_string())).unwrap();
+    assert!(encrypted_sk.is_encrypted());
+}
+
+#[test]
+fn decrypt_key_process() {
+    use crate::{KeyPair, SecretKeyBox};
+
+    // Generate encrypted keypair
+    let KeyPair {
+        sk: encrypted_sk, ..
+    } = KeyPair::generate_encrypted_keypair(Some("password".to_string())).unwrap();
+    assert!(
+        encrypted_sk.is_encrypted(),
+        "Generated key should be encrypted"
+    );
+
+    // Convert to box
+    let sk_box_str = encrypted_sk.to_box(None).unwrap().to_string();
+    let sk_box = SecretKeyBox::from_string(&sk_box_str).unwrap();
+
+    // Decrypt the key
+    let decrypted_sk = sk_box
+        .into_secret_key(Some("password".to_string()))
+        .unwrap();
+    assert!(
+        !decrypted_sk.is_encrypted(),
+        "Decrypted key should not be encrypted"
+    );
+}
+
 #[test]
 fn signature_bones() {
     use std::io::Cursor;