Add sig encrypt command

sig/src/main.rs

@@ -23,11 +23,41 @@ fn main() -> Result<(), Box<dyn Error>> {
 
     match cli.command {
         Command::Strip(args) => strip(args)?,
+        Command::Encrypt(args) => encrypt(args)?,
     }
 
     Ok(())
 }
 
+/// Execute the `encrypt` subcommand.
+///
+/// The command reads a plaintext payload, wraps it with a fresh-IV encrypted
+/// `.sig` header via [`crypto::pack_sig`], and writes the resulting container.
+fn encrypt(args: cli::EncryptArgs) -> Result<(), Box<dyn Error>> {
+    let raw = fs::read(&args.input)?;
+    let filename = match args.filename {
+        Some(filename) => filename,
+        None => args
+            .input
+            .file_name()
+            .ok_or("input path does not have a file name")?
+            .to_string_lossy()
+            .into_owned(),
+    };
+    let packed = if let Some(template) = args.template {
+        let template = fs::read(template)?;
+        crypto::pack_sig_with_template(&raw, &filename, &template)?
+    } else {
+        crypto::pack_sig(&raw, &filename)?
+    };
+    let output_path = args.output.unwrap_or_else(|| sig_output_path(&args.input));
+
+    fs::write(&output_path, packed)?;
+    println!("wrote {}", output_path.display());
+
+    Ok(())
+}
+
 /// Execute the `strip` subcommand.
 ///
 /// `strip` removes the 512-byte `.sig` wrapper and writes the contained package
@@ -59,3 +89,16 @@ fn default_output_path(input: &std::path::Path) -> PathBuf {
         input.with_extension("decrypted")
     }
 }
+
+/// Derive the default output path for `encrypt`.
+///
+/// Unlike [`default_output_path`], encryption appends an extension instead of
+/// replacing one: `firmware.zip` becomes `firmware.zip.sig`.
+fn sig_output_path(input: &std::path::Path) -> PathBuf {
+    let mut filename = input
+        .file_name()
+        .map(|name| name.to_os_string())
+        .unwrap_or_else(|| "output".into());
+    filename.push(".sig");
+    input.with_file_name(filename)
+}