bugfix

.gitea/workflows/registry.yml

@@ -0,0 +1,51 @@
+name: release-tag
+on:
+  push:
+    branches:
+      - 'main'
+jobs:
+  release-image:
+    runs-on: ubuntu-fast
+    env:
+      DOCKER_ORG: ${{ vars.DOCKER_ORG }}
+      DOCKER_LATEST: latest
+      RUNNER_TOOL_CACHE: /toolcache
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker BuildX
+        uses: docker/setup-buildx-action@v2
+        with: # replace it with your local IP
+          config-inline: |
+            [registry."${{ vars.DOCKER_REGISTRY }}"] 
+              http = true
+              insecure = true            
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ vars.DOCKER_REGISTRY }} # replace it with your local IP
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+          
+      - name: Get Meta
+        id: meta
+        run: |
+          echo REPO_NAME=$(echo ${GITHUB_REPOSITORY} | awk -F"/" '{print $2}') >> $GITHUB_OUTPUT
+          echo REPO_VERSION=$(git describe --tags --always | sed 's/^v//') >> $GITHUB_OUTPUT                
+
+      - name: Build and push
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: |
+            linux/amd64                       
+          push: true
+          tags: | # replace it with your local IP and tags
+            ${{ vars.DOCKER_REGISTRY }}/${{ env.DOCKER_ORG }}/${{ steps.meta.outputs.REPO_NAME }}:${{ steps.meta.outputs.REPO_VERSION }}
+            ${{ vars.DOCKER_REGISTRY }}/${{ env.DOCKER_ORG }}/${{ steps.meta.outputs.REPO_NAME }}:${{ env.DOCKER_LATEST }}

Dockerfile

@@ -0,0 +1,27 @@
+FROM golang:1.25-alpine AS build
+WORKDIR /app
+
+# Optional: git + certs for private modules; cache modules and build cache
+RUN apk add --no-cache git ca-certificates
+
+# Go deps first (better layer caching)
+COPY go.mod go.sum ./
+RUN --mount=type=cache,target=/go/pkg/mod go mod download
+
+# App sources (incl. templates for go:embed)
+COPY . .
+
+# Build static binary (templates are embedded via //go:embed)
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
+    go build -trimpath -ldflags "-s -w" -o /out/pgpkeygen ./
+
+### Runtime stage (distroless)
+FROM gcr.io/distroless/static:nonroot
+WORKDIR /app
+COPY --from=build /out/pgpkeygen /app/pgpkeygen
+EXPOSE 8080
+USER nonroot:nonroot
+#export KEYSERVER_URL='http://localhost:8080'
+#export KEYSERVER_TOKEN='supersecret'
+ENTRYPOINT ["/app/pgpkeygen"]

go.mod

@@ -0,0 +1,18 @@
+module git.send.nrw/sendnrw/go-pgp-generator
+
+go 1.25.3
+
+require github.com/ProtonMail/go-crypto v1.3.0 // indirect
+
+require (
+	github.com/ProtonMail/go-mime v0.0.0-20230322103455-7d82a3887f2f // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	golang.org/x/text v0.22.0 // indirect
+)
+
+require (
+	github.com/ProtonMail/gopenpgp/v2 v2.9.0
+	github.com/cloudflare/circl v1.6.0 // indirect
+	golang.org/x/crypto v0.33.0 // indirect
+	golang.org/x/sys v0.30.0 // indirect
+)

go.sum

@@ -0,0 +1,55 @@
+github.com/ProtonMail/go-crypto v1.3.0 h1:ILq8+Sf5If5DCpHQp4PbZdS1J7HDFRXz/+xKBiRGFrw=
+github.com/ProtonMail/go-crypto v1.3.0/go.mod h1:9whxjD8Rbs29b4XWbB8irEcE8KHMqaR2e7GWU1R+/PE=
+github.com/ProtonMail/go-mime v0.0.0-20230322103455-7d82a3887f2f h1:tCbYj7/299ekTTXpdwKYF8eBlsYsDVoggDAuAjoK66k=
+github.com/ProtonMail/go-mime v0.0.0-20230322103455-7d82a3887f2f/go.mod h1:gcr0kNtGBqin9zDW9GOHcVntrwnjrK+qdJ06mWYBybw=
+github.com/ProtonMail/gopenpgp/v2 v2.9.0 h1:ruLzBmwe4dR1hdnrsEJ/S7psSBmV15gFttFUPP/+/kE=
+github.com/ProtonMail/gopenpgp/v2 v2.9.0/go.mod h1:IldDyh9Hv1ZCCYatTuuEt1XZJ0OPjxLpTarDfglih7s=
+github.com/cloudflare/circl v1.6.0 h1:cr5JKic4HI+LkINy2lg3W2jF8sHCVTBncJr5gIIq7qk=
+github.com/cloudflare/circl v1.6.0/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
+github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus=
+golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
+golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
+golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

main.go

@@ -0,0 +1,293 @@
+package main
+
+import (
+	"bytes"
+	"embed"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"html/template"
+	"io"
+	"log"
+	"net/http"
+	"net/url"
+	"os"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/ProtonMail/gopenpgp/v2/crypto"
+)
+
+//go:embed templates/*
+var templateFS embed.FS
+
+var (
+	indexTmpl  = mustParse("templates/index.html")
+	resultTmpl = mustParse("templates/result.html")
+)
+
+func mustParse(path string) *template.Template {
+	t, err := template.ParseFS(templateFS, path)
+	if err != nil {
+		log.Fatalf("template parse error for %s: %v", path, err)
+	}
+	return t
+}
+
+type genInput struct {
+	Name       string
+	Email      string
+	Comment    string
+	RSABits    int
+	Passphrase string
+}
+
+type genResult struct {
+	genInput
+	PublicArmored  string
+	PrivateArmored string
+	Fingerprint    string
+	Created        time.Time
+	UIDOnKey       string // tatsächliche UID im Schlüssel
+}
+
+type apiUploadReq struct {
+	Name          string `json:"name"`
+	Email         string `json:"email"`
+	Fingerprint   string `json:"fingerprint"`
+	PublicArmored string `json:"public_armored"`
+	Filename      string `json:"filename,omitempty"`
+}
+
+type apiUploadResp struct {
+	ID          string `json:"id"`
+	Email       string `json:"email"`
+	Fingerprint string `json:"fingerprint"`
+	WKDHash     string `json:"wkd_hash"`
+	Domain      string `json:"domain"`
+	Local       string `json:"local"`
+}
+
+func getenv(k, d string) string {
+	if v := os.Getenv(k); v != "" {
+		return v
+	}
+	return d
+}
+
+func enabled(k string, def bool) bool {
+	b, err := strconv.ParseBool(strings.ToLower(os.Getenv(k)))
+	if err != nil {
+		return def
+	}
+	return b
+}
+
+func uploadPublicKey(res *genResult) (*apiUploadResp, error) {
+	base := strings.TrimSpace(getenv("KEYSERVER_URL", "http://127.0.0.1:8080"))
+	token := strings.TrimSpace(getenv("KEYSERVER_TOKEN", "12345678"))
+	if base == "" || token == "" {
+		return nil, nil // Upload deaktiviert
+	}
+
+	u, err := url.Parse(base)
+	if err != nil {
+		return nil, fmt.Errorf("invalid KEYSERVER_URL: %w", err)
+	}
+	u.Path = strings.TrimRight(u.Path, "/") + "/api/v1/keys"
+
+	reqBody := apiUploadReq{
+		Name:          res.Name,
+		Email:         res.Email,
+		Fingerprint:   res.Fingerprint,
+		PublicArmored: res.PublicArmored,
+		Filename:      res.Fingerprint + ".asc",
+	}
+
+	b, _ := json.Marshal(reqBody)
+	httpReq, err := http.NewRequest(http.MethodPost, u.String(), bytes.NewReader(b))
+	if err != nil {
+		return nil, err
+	}
+	httpReq.Header.Set("Content-Type", "application/json")
+	httpReq.Header.Set("Authorization", "Bearer "+token)
+
+	client := &http.Client{Timeout: 10 * time.Second}
+	httpRes, err := client.Do(httpReq)
+	if err != nil {
+		return nil, err
+	}
+	defer httpRes.Body.Close()
+
+	if httpRes.StatusCode != http.StatusCreated {
+		msg, _ := io.ReadAll(io.LimitReader(httpRes.Body, 8<<10))
+		return nil, fmt.Errorf("keyserver returned %d: %s", httpRes.StatusCode, strings.TrimSpace(string(msg)))
+	}
+
+	var out apiUploadResp
+	if err := json.NewDecoder(httpRes.Body).Decode(&out); err != nil {
+		return nil, fmt.Errorf("decode response: %w", err)
+	}
+	return &out, nil
+}
+
+func main() {
+	mux := http.NewServeMux()
+	mux.HandleFunc("/", handleIndex)
+	mux.HandleFunc("/generate", handleGenerate)
+	mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(200); _, _ = w.Write([]byte("ok")) })
+
+	addr := ":8081"
+	log.Printf("PGP Keygen läuft auf http://localhost%s", addr)
+	if err := http.ListenAndServe(addr, securityHeaders(mux)); err != nil {
+		log.Fatal(err)
+	}
+}
+
+func handleIndex(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		http.Redirect(w, r, "/", http.StatusSeeOther)
+		return
+	}
+	_ = indexTmpl.Execute(w, map[string]any{})
+}
+
+func handleGenerate(w http.ResponseWriter, r *http.Request) {
+	if err := r.ParseForm(); err != nil {
+		http.Error(w, "Ungültige Eingaben", http.StatusBadRequest)
+		return
+	}
+
+	in := genInput{
+		Name:       strings.TrimSpace(r.FormValue("name")),
+		Email:      strings.TrimSpace(r.FormValue("email")),
+		Comment:    strings.TrimSpace(r.FormValue("comment")),
+		Passphrase: r.FormValue("passphrase"),
+	}
+
+	bitsStr := r.FormValue("rsabits")
+	if bitsStr == "" {
+		bitsStr = "4096"
+	}
+	bits, err := strconv.Atoi(bitsStr)
+	if err != nil || (bits != 2048 && bits != 3072 && bits != 4096) {
+		bits = 4096
+	}
+	in.RSABits = bits
+
+	res, err := generatePGP(in)
+	if err != nil {
+		log.Printf("generate error: %v", err)
+		http.Error(w, fmt.Sprintf("Fehler beim Erzeugen der Schlüssel: %v", err), http.StatusInternalServerError)
+		return
+	}
+
+	// Optional: Upload zum Keyserver
+	if up, upErr := uploadPublicKey(res); upErr != nil {
+		log.Printf("upload failed: %v", upErr)
+		// Du kannst hier entscheiden: Fehler anzeigen oder nur loggen
+		// http.Error(w, "Upload fehlgeschlagen: "+upErr.Error(), 502); return
+	} else if up != nil {
+		// optional: im UI anzeigen
+		res.Comment += fmt.Sprintf(" (Uploaded: %s)", up.ID)
+	}
+
+	_ = resultTmpl.Execute(w, res)
+}
+
+// sanitizeName entfernt verbotene Zeichen aus Name/Comment-Feldern, die vom OpenPGP-Format für UID reserviert sind
+func sanitizeName(s string) string {
+	s = strings.TrimSpace(s)
+	// Entferne reservierte und Steuerzeichen, die in der UID nicht vorkommen dürfen
+	replacer := strings.NewReplacer("<", "", ">", "", "(", "", ")", "", "\r", "", "\n", "")
+	s = replacer.Replace(s)
+	// trim doppelte Spaces
+	for strings.Contains(s, "  ") {
+		s = strings.ReplaceAll(s, "  ", " ")
+	}
+	return s
+}
+
+func sanitizeEmail(s string) string {
+	s = strings.TrimSpace(s)
+	s = strings.ReplaceAll(s, " ", "") // keine Spaces
+	replacer := strings.NewReplacer("<", "", ">", "", "(", "", ")", "", "\r", "", "\n", "")
+	s = replacer.Replace(s)
+	return s
+}
+
+func validateEmailBasic(s string) bool {
+	if s == "" {
+		return false
+	}
+	if strings.ContainsAny(s, " <>()\r\n\t") {
+		return false
+	}
+	// sehr einfache Plausibilitätsprüfung
+	at := strings.IndexByte(s, '@')
+	if at <= 0 || at == len(s)-1 {
+		return false
+	}
+	if strings.Contains(s[at+1:], "@") {
+		return false
+	}
+	return true
+}
+
+func generatePGP(in genInput) (*genResult, error) {
+	// Kommentar nicht in UID einbetten (gopenpgp's GenerateKey nimmt nur Name+Email)
+	name := sanitizeName(in.Name)
+	email := sanitizeEmail(in.Email)
+	if !validateEmailBasic(email) {
+		return nil, errors.New("ungültige E-Mail-Adresse")
+	}
+	if name == "" {
+		return nil, errors.New("Name darf nicht leer sein")
+	}
+
+	// 1) Schlüssel erzeugen (UID = "Name <email>")
+	key, err := crypto.GenerateKey(name, email, "rsa", in.RSABits)
+	if err != nil {
+		return nil, fmt.Errorf("GenerateKey: %w", err)
+	}
+
+	// 2) Optional mit Passphrase sperren
+	if in.Passphrase != "" {
+		if _, err := key.Lock([]byte(in.Passphrase)); err != nil {
+			return nil, fmt.Errorf("Passphrase setzen fehlgeschlagen: %w", err)
+		}
+	}
+
+	// 3) Armored ausgeben
+	armoredPriv, err := key.Armor()
+	if err != nil {
+		return nil, fmt.Errorf("armor private: %w", err)
+	}
+	armoredPub, err := key.GetArmoredPublicKey()
+	if err != nil {
+		return nil, fmt.Errorf("armor public: %w", err)
+	}
+
+	fp := strings.ToUpper(key.GetFingerprint())
+	created := time.Now()
+
+	return &genResult{
+		genInput:       in,
+		PublicArmored:  armoredPub,
+		PrivateArmored: armoredPriv,
+		Fingerprint:    fp,
+		Created:        created,
+		UIDOnKey:       fmt.Sprintf("%s <%s>", name, email),
+	}, nil
+}
+
+// --- security headers middleware ---
+func securityHeaders(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'")
+		w.Header().Set("X-Content-Type-Options", "nosniff")
+		w.Header().Set("Referrer-Policy", "no-referrer")
+		next.ServeHTTP(w, r)
+	})
+}

templates/index.html

@@ -0,0 +1,65 @@
+<!doctype html>
+<html lang="de">
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <title>PGP Keygenerator (Go)</title>
+  <style>
+    body{font-family:system-ui,-apple-system,Segoe UI,Roboto,Ubuntu,Inter,sans-serif;max-width:960px;margin:2rem auto;padding:0 1rem;color:#e2e8f0;background: #0f172a}
+    header{display:flex;justify-content:space-between;align-items:center;margin-bottom:1.5rem}
+    .card{border:1px solid #e2e8f0;border-radius:14px;padding:1rem 1.25rem;box-shadow:0 1px 2px rgba(0,0,0,0.04)}
+    .grid{display:grid;grid-template-columns:repeat(auto-fit,minmax(280px,1fr));gap:1rem;align-items:start}
+    label{font-size:.9rem;color:#334155;display:block;margin-bottom:0.25rem}
+    input, select{box-sizing:border-box;display:block;width:100%;padding:0.6rem 0.7rem;border-radius:10px;border:1px solid #cbd5e1}
+    select{background:#fff}
+    textarea{width:100%;min-height:9rem;border-radius:10px;border:1px solid #cbd5e1;padding:.6rem .7rem;font-family:ui-monospace,SFMono-Regular,Menlo,monospace;box-sizing:border-box}
+    button{background:#0ea5e9;color:white;border:none;border-radius:12px;padding:.75rem 1rem;font-weight:600;cursor:pointer}
+    button:hover{background:#0284c7}
+    small.muted{color:#64748b;display:block;margin-top:0.25rem}
+    .footer{margin-top:2rem;color:#64748b;font-size:.9rem}
+    .row{display:flex;gap:1rem;flex-wrap:wrap;align-items:center}
+  </style>
+</head>
+<body>
+  <header>
+    <h1>🔐 PGP Keygenerator</h1>
+    <a href="https://www.openpgp.org/" target="_blank" rel="noopener">OpenPGP</a>
+  </header>
+
+  <form class="card" method="post" action="/generate" autocomplete="off">
+    <div class="grid">
+      <div>
+        <label for="name">Name</label>
+        <input id="name" name="name" placeholder="Max Mustermann" required />
+      </div>
+      <div>
+        <label for="email">E-Mail</label>
+        <input id="email" name="email" type="email" placeholder="max@example.org" required />
+      </div>
+      <div>
+        <label for="comment">Kommentar (optional)</label>
+        <input id="comment" name="comment" placeholder="z.B. Laptop-Key" />
+      </div>
+      <div>
+        <label for="rsabits">RSA-Schlüssellänge</label>
+        <select id="rsabits" name="rsabits">
+          <option value="2048">2048</option>
+          <option value="3072">3072</option>
+          <option value="4096" selected>4096</option>
+        </select>
+      </div>
+      <div style="grid-column:1/-1">
+        <label for="passphrase">Passphrase (empfohlen)</label>
+        <input id="passphrase" name="passphrase" type="password" placeholder="••••••••" />
+        <small class="muted">Wird zum Verschlüsseln des privaten Schlüssels verwendet.</small>
+      </div>
+    </div>
+    <div style="margin-top:1rem" class="row">
+      <button type="submit">Schlüssel erzeugen</button>
+      <small class="muted">Die Erzeugung erfolgt serverseitig - nur lokal auf diesem Host. Schlüssel werden nicht gespeichert.</small>
+    </div>
+  </form>
+
+  <p class="footer">Hinweis: Für maximale Sicherheit sollten PGP-Schlüssel auf einem vertrauenswürdigen, isolierten System erzeugt werden.</p>
+</body>
+</html>

templates/result.html

@@ -0,0 +1,68 @@
+<!doctype html>
+<html lang="de">
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <title>PGP Schlüssel - Ergebnis</title>
+  <style>
+    body{font-family:system-ui,-apple-system,Segoe UI,Roboto,Ubuntu,Inter,sans-serif;max-width:960px;margin:2rem auto;padding:0 1rem;color:#0f172a}
+    .card{border:1px solid #e2e8f0;border-radius:14px;padding:1rem 1.25rem;box-shadow:0 1px 2px rgba(0,0,0,0.04);margin-bottom:1rem}
+    textarea{width:100%;min-height:12rem;border-radius:10px;border:1px solid #cbd5e1;padding:.6rem .7rem;font-family:ui-monospace,SFMono-Regular,Menlo,monospace}
+    .row{display:flex;gap:.75rem;flex-wrap:wrap}
+    button{background:#0ea5e9;color:white;border:none;border-radius:12px;padding:.6rem .8rem;font-weight:600;cursor:pointer}
+    button:hover{background:#0284c7}
+    .muted{color:#64748b}
+  </style>
+</head>
+<body>
+  <header style="display:flex;justify-content:space-between;align-items:center">
+    <h1>✅ Schlüssel erzeugt</h1>
+    <a href="/">Neuen Schlüssel erzeugen</a>
+  </header>
+
+  <div class="card">
+    <div><strong>Fingerprint:</strong> {{.Fingerprint}}</div>
+    <div><strong>Erstellt:</strong> {{.Created.Format "2006-01-02 15:04:05"}}</div>
+    <div class="muted">User ID im Schlüssel: {{if .UIDOnKey}}{{.UIDOnKey}}{{else}}{{.Name}} &lt;{{.Email}}&gt;{{end}} • RSA {{.RSABits}}</div>
+    {{if .Comment}}
+    <div class="muted">Kommentar (nur Anzeige, nicht in UID eingebettet): {{.Comment}}</div>
+    {{end}}
+  </div>
+
+  <div class="card">
+    <h2>Öffentlicher Schlüssel</h2>
+    <textarea id="pub" readonly>{{.PublicArmored}}</textarea>
+    <div class="row" style="margin-top:.5rem">
+      <button onclick="copy('#pub')">Kopieren</button>
+      <button onclick="download('#pub','public.asc')">Als Datei speichern</button>
+    </div>
+  </div>
+
+  <div class="card">
+    <h2>Privater Schlüssel (geheim halten!)</h2>
+    <textarea id="priv" readonly>{{.PrivateArmored}}</textarea>
+    <div class="row" style="margin-top:.5rem">
+      <button onclick="copy('#priv')">Kopieren</button>
+      <button onclick="download('#priv','private.asc')">Als Datei speichern</button>
+    </div>
+    <p class="muted">Verwahren Sie den privaten Schlüssel sicher. Teilen Sie ihn niemals.</p>
+  </div>
+
+  <script>
+    async function copy(sel){
+      const el=document.querySelector(sel);
+      el.select(); el.setSelectionRange(0, 999999);
+      await navigator.clipboard.writeText(el.value);
+      alert('In die Zwischenablage kopiert.');
+    }
+    function download(sel, filename){
+      const text = document.querySelector(sel).value;
+      const blob = new Blob([text], {type:'text/plain'});
+      const url = URL.createObjectURL(blob);
+      const a = document.createElement('a');
+      a.href = url; a.download = filename; a.click();
+      URL.revokeObjectURL(url);
+    }
+  </script>
+</body>
+</html>