|
|
|
// Copyright 2011 The Go Authors. All rights reserved.
|
|
|
|
// Use of this source code is governed by a BSD-style
|
|
|
|
// license that can be found in the LICENSE file.
|
|
|
|
|
|
|
|
package packet
|
|
|
|
|
|
|
|
import (
|
|
|
|
"bytes"
|
|
|
|
"crypto"
|
|
|
|
"crypto/dsa"
|
|
|
|
"crypto/ecdsa"
|
|
|
|
"encoding/binary"
|
|
|
|
"fmt"
|
|
|
|
"hash"
|
|
|
|
"io"
|
|
|
|
"strconv"
|
|
|
|
"time"
|
|
|
|
|
|
|
|
"github.com/keybase/go-crypto/openpgp/errors"
|
|
|
|
"github.com/keybase/go-crypto/openpgp/s2k"
|
|
|
|
"github.com/keybase/go-crypto/rsa"
|
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
|
|
|
// See RFC 4880, section 5.2.3.21 for details.
|
|
|
|
KeyFlagCertify = 1 << iota
|
|
|
|
KeyFlagSign
|
|
|
|
KeyFlagEncryptCommunications
|
|
|
|
KeyFlagEncryptStorage
|
|
|
|
)
|
|
|
|
|
|
|
|
// Signer can be implemented by application code to do actual signing.
|
|
|
|
type Signer interface {
|
|
|
|
hash.Hash
|
|
|
|
Sign(sig *Signature) error
|
|
|
|
KeyId() uint64
|
|
|
|
PublicKeyAlgo() PublicKeyAlgorithm
|
|
|
|
}
|
|
|
|
|
|
|
|
// RevocationKey represents designated revoker packet. See RFC 4880
|
|
|
|
// section 5.2.3.15 for details.
|
|
|
|
type RevocationKey struct {
|
|
|
|
Class byte
|
|
|
|
PublicKeyAlgo PublicKeyAlgorithm
|
|
|
|
Fingerprint []byte
|
|
|
|
}
|
|
|
|
|
|
|
|
// KeyFlagBits holds boolean whether any usage flags were provided in
|
|
|
|
// the signature and BitField with KeyFlag* flags.
|
|
|
|
type KeyFlagBits struct {
|
|
|
|
Valid bool
|
|
|
|
BitField byte
|
|
|
|
}
|
|
|
|
|
|
|
|
// Signature represents a signature. See RFC 4880, section 5.2.
|
|
|
|
type Signature struct {
|
|
|
|
SigType SignatureType
|
|
|
|
PubKeyAlgo PublicKeyAlgorithm
|
|
|
|
Hash crypto.Hash
|
|
|
|
|
|
|
|
// HashSuffix is extra data that is hashed in after the signed data.
|
|
|
|
HashSuffix []byte
|
|
|
|
// HashTag contains the first two bytes of the hash for fast rejection
|
|
|
|
// of bad signed data.
|
|
|
|
HashTag [2]byte
|
|
|
|
CreationTime time.Time
|
|
|
|
|
|
|
|
RSASignature parsedMPI
|
|
|
|
DSASigR, DSASigS parsedMPI
|
|
|
|
ECDSASigR, ECDSASigS parsedMPI
|
|
|
|
EdDSASigR, EdDSASigS parsedMPI
|
|
|
|
|
|
|
|
// rawSubpackets contains the unparsed subpackets, in order.
|
|
|
|
rawSubpackets []outputSubpacket
|
|
|
|
|
|
|
|
// The following are optional so are nil when not included in the
|
|
|
|
// signature.
|
|
|
|
|
|
|
|
SigLifetimeSecs, KeyLifetimeSecs *uint32
|
|
|
|
PreferredSymmetric, PreferredHash, PreferredCompression []uint8
|
|
|
|
PreferredKeyServer string
|
|
|
|
IssuerKeyId *uint64
|
|
|
|
IsPrimaryId *bool
|
|
|
|
IssuerFingerprint []byte
|
|
|
|
|
|
|
|
// FlagsValid is set if any flags were given. See RFC 4880, section
|
|
|
|
// 5.2.3.21 for details.
|
|
|
|
FlagsValid bool
|
|
|
|
FlagCertify, FlagSign, FlagEncryptCommunications, FlagEncryptStorage bool
|
|
|
|
|
|
|
|
// RevocationReason is set if this signature has been revoked.
|
|
|
|
// See RFC 4880, section 5.2.3.23 for details.
|
|
|
|
RevocationReason *uint8
|
|
|
|
RevocationReasonText string
|
|
|
|
|
|
|
|
// PolicyURI is optional. See RFC 4880, Section 5.2.3.20 for details
|
|
|
|
PolicyURI string
|
|
|
|
|
|
|
|
// Regex is a regex that can match a PGP UID. See RFC 4880, 5.2.3.14 for details
|
|
|
|
Regex string
|
|
|
|
|
|
|
|
// MDC is set if this signature has a feature packet that indicates
|
|
|
|
// support for MDC subpackets.
|
|
|
|
MDC bool
|
|
|
|
|
|
|
|
// EmbeddedSignature, if non-nil, is a signature of the parent key, by
|
|
|
|
// this key. This prevents an attacker from claiming another's signing
|
|
|
|
// subkey as their own.
|
|
|
|
EmbeddedSignature *Signature
|
|
|
|
|
|
|
|
// StubbedOutCriticalError is not fail-stop, since it shouldn't break key parsing
|
|
|
|
// when appearing in WoT-style cross signatures. But it should prevent a signature
|
|
|
|
// from being applied to a primary or subkey.
|
|
|
|
StubbedOutCriticalError error
|
|
|
|
|
|
|
|
// DesignaterRevoker will be present if this signature certifies a
|
|
|
|
// designated revoking key id (3rd party key that can sign
|
|
|
|
// revocation for this key).
|
|
|
|
DesignatedRevoker *RevocationKey
|
|
|
|
|
|
|
|
outSubpackets []outputSubpacket
|
|
|
|
}
|
|
|
|
|
|
|
|
func (sig *Signature) parse(r io.Reader) (err error) {
|
|
|
|
// RFC 4880, section 5.2.3
|
|
|
|
var buf [5]byte
|
|
|
|
_, err = readFull(r, buf[:1])
|
|
|
|
if err != nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if buf[0] != 4 {
|
|
|
|
err = errors.UnsupportedError("signature packet version " + strconv.Itoa(int(buf[0])))
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
_, err = readFull(r, buf[:5])
|
|
|
|
if err != nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
sig.SigType = SignatureType(buf[0])
|
|
|
|
sig.PubKeyAlgo = PublicKeyAlgorithm(buf[1])
|
|
|
|
switch sig.PubKeyAlgo {
|
|
|
|
case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly, PubKeyAlgoDSA, PubKeyAlgoECDSA, PubKeyAlgoEdDSA:
|
|
|
|
default:
|
|
|
|
err = errors.UnsupportedError("public key algorithm " + strconv.Itoa(int(sig.PubKeyAlgo)))
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
var ok bool
|
|
|
|
sig.Hash, ok = s2k.HashIdToHash(buf[2])
|
|
|
|
if !ok {
|
|
|
|
return errors.UnsupportedError("hash function " + strconv.Itoa(int(buf[2])))
|
|
|
|
}
|
|
|
|
|
|
|
|
hashedSubpacketsLength := int(buf[3])<<8 | int(buf[4])
|
|
|
|
l := 6 + hashedSubpacketsLength
|
|
|
|
sig.HashSuffix = make([]byte, l+6)
|
|
|
|
sig.HashSuffix[0] = 4
|
|
|
|
copy(sig.HashSuffix[1:], buf[:5])
|
|
|
|
hashedSubpackets := sig.HashSuffix[6:l]
|
|
|
|
_, err = readFull(r, hashedSubpackets)
|
|
|
|
if err != nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
// See RFC 4880, section 5.2.4
|
|
|
|
trailer := sig.HashSuffix[l:]
|
|
|
|
trailer[0] = 4
|
|
|
|
trailer[1] = 0xff
|
|
|
|
trailer[2] = uint8(l >> 24)
|
|
|
|
trailer[3] = uint8(l >> 16)
|
|
|
|
trailer[4] = uint8(l >> 8)
|
|
|
|
trailer[5] = uint8(l)
|
|
|
|
|
|
|
|
err = parseSignatureSubpackets(sig, hashedSubpackets, true)
|
|
|
|
if err != nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
_, err = readFull(r, buf[:2])
|
|
|
|
if err != nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
unhashedSubpacketsLength := int(buf[0])<<8 | int(buf[1])
|
|
|
|
unhashedSubpackets := make([]byte, unhashedSubpacketsLength)
|
|
|
|
_, err = readFull(r, unhashedSubpackets)
|
|
|
|
if err != nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
err = parseSignatureSubpackets(sig, unhashedSubpackets, false)
|
|
|
|
if err != nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
_, err = readFull(r, sig.HashTag[:2])
|
|
|
|
if err != nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
switch sig.PubKeyAlgo {
|
|
|
|
case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly:
|
|
|
|
sig.RSASignature.bytes, sig.RSASignature.bitLength, err = readMPI(r)
|
|
|
|
case PubKeyAlgoDSA:
|
|
|
|
sig.DSASigR.bytes, sig.DSASigR.bitLength, err = readMPI(r)
|
|
|
|
if err == nil {
|
|
|
|
sig.DSASigS.bytes, sig.DSASigS.bitLength, err = readMPI(r)
|
|
|
|
}
|
|
|
|
case PubKeyAlgoEdDSA:
|
|
|
|
sig.EdDSASigR.bytes, sig.EdDSASigR.bitLength, err = readMPI(r)
|
|
|
|
if err == nil {
|
|
|
|
sig.EdDSASigS.bytes, sig.EdDSASigS.bitLength, err = readMPI(r)
|
|
|
|
}
|
|
|
|
case PubKeyAlgoECDSA:
|
|
|
|
sig.ECDSASigR.bytes, sig.ECDSASigR.bitLength, err = readMPI(r)
|
|
|
|
if err == nil {
|
|
|
|
sig.ECDSASigS.bytes, sig.ECDSASigS.bitLength, err = readMPI(r)
|
|
|
|
}
|
|
|
|
default:
|
|
|
|
panic("unreachable")
|
|
|
|
}
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
// parseSignatureSubpackets parses subpackets of the main signature packet. See
|
|
|
|
// RFC 4880, section 5.2.3.1.
|
|
|
|
func parseSignatureSubpackets(sig *Signature, subpackets []byte, isHashed bool) (err error) {
|
|
|
|
for len(subpackets) > 0 {
|
|
|
|
subpackets, err = parseSignatureSubpacket(sig, subpackets, isHashed)
|
|
|
|
if err != nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if sig.CreationTime.IsZero() {
|
|
|
|
err = errors.StructuralError("no creation time in signature")
|
|
|
|
}
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
type signatureSubpacketType uint8
|
|
|
|
|
|
|
|
const (
|
|
|
|
creationTimeSubpacket signatureSubpacketType = 2
|
|
|
|
signatureExpirationSubpacket signatureSubpacketType = 3
|
|
|
|
regularExpressionSubpacket signatureSubpacketType = 6
|
|
|
|
keyExpirationSubpacket signatureSubpacketType = 9
|
|
|
|
prefSymmetricAlgosSubpacket signatureSubpacketType = 11
|
|
|
|
revocationKey signatureSubpacketType = 12
|
|
|
|
issuerSubpacket signatureSubpacketType = 16
|
|
|
|
prefHashAlgosSubpacket signatureSubpacketType = 21
|
|
|
|
prefCompressionSubpacket signatureSubpacketType = 22
|
|
|
|
prefKeyServerSubpacket signatureSubpacketType = 24
|
|
|
|
primaryUserIdSubpacket signatureSubpacketType = 25
|
|
|
|
policyURISubpacket signatureSubpacketType = 26
|
|
|
|
keyFlagsSubpacket signatureSubpacketType = 27
|
|
|
|
reasonForRevocationSubpacket signatureSubpacketType = 29
|
|
|
|
featuresSubpacket signatureSubpacketType = 30
|
|
|
|
embeddedSignatureSubpacket signatureSubpacketType = 32
|
|
|
|
issuerFingerprint signatureSubpacketType = 33
|
|
|
|
)
|
|
|
|
|
|
|
|
// parseSignatureSubpacket parses a single subpacket. len(subpacket) is >= 1.
|
|
|
|
func parseSignatureSubpacket(sig *Signature, subpacket []byte, isHashed bool) (rest []byte, err error) {
|
|
|
|
// RFC 4880, section 5.2.3.1
|
|
|
|
var (
|
|
|
|
length uint32
|
|
|
|
packetType signatureSubpacketType
|
|
|
|
isCritical bool
|
|
|
|
)
|
|
|
|
switch {
|
|
|
|
case subpacket[0] < 192:
|
|
|
|
length = uint32(subpacket[0])
|
|
|
|
subpacket = subpacket[1:]
|
|
|
|
case subpacket[0] < 255:
|
|
|
|
if len(subpacket) < 2 {
|
|
|
|
goto Truncated
|
|
|
|
}
|
|
|
|
length = uint32(subpacket[0]-192)<<8 + uint32(subpacket[1]) + 192
|
|
|
|
subpacket = subpacket[2:]
|
|
|
|
default:
|
|
|
|
if len(subpacket) < 5 {
|
|
|
|
goto Truncated
|
|
|
|
}
|
|
|
|
length = uint32(subpacket[1])<<24 |
|
|
|
|
uint32(subpacket[2])<<16 |
|
|
|
|
uint32(subpacket[3])<<8 |
|
|
|
|
uint32(subpacket[4])
|
|
|
|
subpacket = subpacket[5:]
|
|
|
|
}
|
|
|
|
if length > uint32(len(subpacket)) {
|
|
|
|
goto Truncated
|
|
|
|
}
|
|
|
|
rest = subpacket[length:]
|
|
|
|
subpacket = subpacket[:length]
|
|
|
|
if len(subpacket) == 0 {
|
|
|
|
err = errors.StructuralError("zero length signature subpacket")
|
|
|
|
return
|
|
|
|
}
|
|
|
|
packetType = signatureSubpacketType(subpacket[0] & 0x7f)
|
|
|
|
isCritical = subpacket[0]&0x80 == 0x80
|
|
|
|
subpacket = subpacket[1:]
|
|
|
|
sig.rawSubpackets = append(sig.rawSubpackets, outputSubpacket{isHashed, packetType, isCritical, subpacket})
|
|
|
|
switch packetType {
|
|
|
|
case creationTimeSubpacket:
|
|
|
|
if !isHashed {
|
|
|
|
err = errors.StructuralError("signature creation time in non-hashed area")
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if len(subpacket) != 4 {
|
|
|
|
err = errors.StructuralError("signature creation time not four bytes")
|
|
|
|
return
|
|
|
|
}
|
|
|
|
t := binary.BigEndian.Uint32(subpacket)
|
|
|
|
sig.CreationTime = time.Unix(int64(t), 0)
|
|
|
|
case signatureExpirationSubpacket:
|
|
|
|
// Signature expiration time, section 5.2.3.10
|
|
|
|
if !isHashed {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if len(subpacket) != 4 {
|
|
|
|
err = errors.StructuralError("expiration subpacket with bad length")
|
|
|
|
return
|
|
|
|
}
|
|
|
|
sig.SigLifetimeSecs = new(uint32)
|
|
|
|
*sig.SigLifetimeSecs = binary.BigEndian.Uint32(subpacket)
|
|
|
|
case keyExpirationSubpacket:
|
|
|
|
// Key expiration time, section 5.2.3.6
|
|
|
|
if !isHashed {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if len(subpacket) != 4 {
|
|
|
|
err = errors.StructuralError("key expiration subpacket with bad length")
|
|
|
|
return
|
|
|
|
}
|
|
|
|
sig.KeyLifetimeSecs = new(uint32)
|
|
|
|
*sig.KeyLifetimeSecs = binary.BigEndian.Uint32(subpacket)
|
|
|
|
case prefSymmetricAlgosSubpacket:
|
|
|
|
// Preferred symmetric algorithms, section 5.2.3.7
|
|
|
|
if !isHashed {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
sig.PreferredSymmetric = make([]byte, len(subpacket))
|
|
|
|
copy(sig.PreferredSymmetric, subpacket)
|
|
|
|
case issuerSubpacket:
|
|
|
|
// Issuer, section 5.2.3.5
|
|
|
|
if len(subpacket) != 8 {
|
|
|
|
err = errors.StructuralError("issuer subpacket with bad length")
|
|
|
|
return
|
|
|
|
}
|
|
|
|
sig.IssuerKeyId = new(uint64)
|
|
|
|
*sig.IssuerKeyId = binary.BigEndian.Uint64(subpacket)
|
|
|
|
case prefHashAlgosSubpacket:
|
|
|
|
// Preferred hash algorithms, section 5.2.3.8
|
|
|
|
if !isHashed {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
sig.PreferredHash = make([]byte, len(subpacket))
|
|
|
|
copy(sig.PreferredHash, subpacket)
|
|
|
|
case prefCompressionSubpacket:
|
|
|
|
// Preferred compression algorithms, section 5.2.3.9
|
|
|
|
if !isHashed {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
sig.PreferredCompression = make([]byte, len(subpacket))
|
|
|
|
copy(sig.PreferredCompression, subpacket)
|
|
|
|
case primaryUserIdSubpacket:
|
|
|
|
// Primary User ID, section 5.2.3.19
|
|
|
|
if !isHashed {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if len(subpacket) != 1 {
|
|
|
|
err = errors.StructuralError("primary user id subpacket with bad length")
|
|
|
|
return
|
|
|
|
}
|
|
|
|
sig.IsPrimaryId = new(bool)
|
|
|
|
if subpacket[0] > 0 {
|
|
|
|
*sig.IsPrimaryId = true
|
|
|
|
}
|
|
|
|
case keyFlagsSubpacket:
|
|
|
|
// Key flags, section 5.2.3.21
|
|
|
|
if !isHashed {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if len(subpacket) == 0 {
|
|
|
|
err = errors.StructuralError("empty key flags subpacket")
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if subpacket[0] != 0 {
|
|
|
|
sig.FlagsValid = true
|
|
|
|
if subpacket[0]&KeyFlagCertify != 0 {
|
|
|
|
sig.FlagCertify = true
|
|
|
|
}
|
|
|
|
if subpacket[0]&KeyFlagSign != 0 {
|
|
|
|
sig.FlagSign = true
|
|
|
|
}
|
|
|
|
if subpacket[0]&KeyFlagEncryptCommunications != 0 {
|
|
|
|
sig.FlagEncryptCommunications = true
|
|
|
|
}
|
|
|
|
if subpacket[0]&KeyFlagEncryptStorage != 0 {
|
|
|
|
sig.FlagEncryptStorage = true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
case reasonForRevocationSubpacket:
|
|
|
|
// Reason For Revocation, section 5.2.3.23
|
|
|
|
if !isHashed {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if len(subpacket) == 0 {
|
|
|
|
err = errors.StructuralError("empty revocation reason subpacket")
|
|
|
|
return
|
|
|
|
}
|
|
|
|
sig.RevocationReason = new(uint8)
|
|
|
|
*sig.RevocationReason = subpacket[0]
|
|
|
|
sig.RevocationReasonText = string(subpacket[1:])
|
|
|
|
case featuresSubpacket:
|
|
|
|
// Features subpacket, section 5.2.3.24 specifies a very general
|
|
|
|
// mechanism for OpenPGP implementations to signal support for new
|
|
|
|
// features. In practice, the subpacket is used exclusively to
|
|
|
|
// indicate support for MDC-protected encryption.
|
|
|
|
sig.MDC = len(subpacket) >= 1 && subpacket[0]&1 == 1
|
|
|
|
case embeddedSignatureSubpacket:
|
|
|
|
// Only usage is in signatures that cross-certify
|
|
|
|
// signing subkeys. section 5.2.3.26 describes the
|
|
|
|
// format, with its usage described in section 11.1
|
|
|
|
if sig.EmbeddedSignature != nil {
|
|
|
|
err = errors.StructuralError("Cannot have multiple embedded signatures")
|
|
|
|
return
|
|
|
|
}
|
|
|
|
sig.EmbeddedSignature = new(Signature)
|
|
|
|
// Embedded signatures are required to be v4 signatures see
|
|
|
|
// section 12.1. However, we only parse v4 signatures in this
|
|
|
|
// file anyway.
|
|
|
|
if err := sig.EmbeddedSignature.parse(bytes.NewBuffer(subpacket)); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
if sigType := sig.EmbeddedSignature.SigType; sigType != SigTypePrimaryKeyBinding {
|
|
|
|
return nil, errors.StructuralError("cross-signature has unexpected type " + strconv.Itoa(int(sigType)))
|
|
|
|
}
|
|
|
|
case policyURISubpacket:
|
|
|
|
// See RFC 4880, Section 5.2.3.20
|
|
|
|
sig.PolicyURI = string(subpacket[:])
|
|
|
|
case regularExpressionSubpacket:
|
|
|
|
sig.Regex = string(subpacket[:])
|
|
|
|
if isCritical {
|
|
|
|
sig.StubbedOutCriticalError = errors.UnsupportedError("regex support is stubbed out")
|
|
|
|
}
|
|
|
|
case prefKeyServerSubpacket:
|
|
|
|
sig.PreferredKeyServer = string(subpacket[:])
|
|
|
|
case issuerFingerprint:
|
|
|
|
// The first byte is how many bytes the fingerprint is, but we'll just
|
|
|
|
// read until the end of the subpacket, so we'll ignore it.
|
|
|
|
sig.IssuerFingerprint = append([]byte{}, subpacket[1:]...)
|
|
|
|
case revocationKey:
|
|
|
|
// Authorizes the specified key to issue revocation signatures
|
|
|
|
// for a key.
|
|
|
|
|
|
|
|
// TODO: Class octet must have bit 0x80 set. If the bit 0x40
|
|
|
|
// is set, then this means that the revocation information is
|
|
|
|
// sensitive.
|
|
|
|
sig.DesignatedRevoker = &RevocationKey{
|
|
|
|
Class: subpacket[0],
|
|
|
|
PublicKeyAlgo: PublicKeyAlgorithm(subpacket[1]),
|
|
|
|
Fingerprint: append([]byte{}, subpacket[2:]...),
|
|
|
|
}
|
|
|
|
default:
|
|
|
|
if isCritical {
|
|
|
|
err = errors.UnsupportedError("unknown critical signature subpacket type " + strconv.Itoa(int(packetType)))
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return
|
|
|
|
|
|
|
|
Truncated:
|
|
|
|
err = errors.StructuralError("signature subpacket truncated")
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
// subpacketLengthLength returns the length, in bytes, of an encoded length value.
|
|
|
|
func subpacketLengthLength(length int) int {
|
|
|
|
if length < 192 {
|
|
|
|
return 1
|
|
|
|
}
|
|
|
|
if length < 16320 {
|
|
|
|
return 2
|
|
|
|
}
|
|
|
|
return 5
|
|
|
|
}
|
|
|
|
|
|
|
|
// serializeSubpacketLength marshals the given length into to.
|
|
|
|
func serializeSubpacketLength(to []byte, length int) int {
|
|
|
|
// RFC 4880, Section 4.2.2.
|
|
|
|
if length < 192 {
|
|
|
|
to[0] = byte(length)
|
|
|
|
return 1
|
|
|
|
}
|
|
|
|
if length < 16320 {
|
|
|
|
length -= 192
|
|
|
|
to[0] = byte((length >> 8) + 192)
|
|
|
|
to[1] = byte(length)
|
|
|
|
return 2
|
|
|
|
}
|
|
|
|
to[0] = 255
|
|
|
|
to[1] = byte(length >> 24)
|
|
|
|
to[2] = byte(length >> 16)
|
|
|
|
to[3] = byte(length >> 8)
|
|
|
|
to[4] = byte(length)
|
|
|
|
return 5
|
|
|
|
}
|
|
|
|
|
|
|
|
// subpacketsLength returns the serialized length, in bytes, of the given
|
|
|
|
// subpackets.
|
|
|
|
func subpacketsLength(subpackets []outputSubpacket, hashed bool) (length int) {
|
|
|
|
for _, subpacket := range subpackets {
|
|
|
|
if subpacket.hashed == hashed {
|
|
|
|
length += subpacketLengthLength(len(subpacket.contents) + 1)
|
|
|
|
length += 1 // type byte
|
|
|
|
length += len(subpacket.contents)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
// serializeSubpackets marshals the given subpackets into to.
|
|
|
|
func serializeSubpackets(to []byte, subpackets []outputSubpacket, hashed bool) {
|
|
|
|
for _, subpacket := range subpackets {
|
|
|
|
if subpacket.hashed == hashed {
|
|
|
|
n := serializeSubpacketLength(to, len(subpacket.contents)+1)
|
|
|
|
to[n] = byte(subpacket.subpacketType)
|
|
|
|
to = to[1+n:]
|
|
|
|
n = copy(to, subpacket.contents)
|
|
|
|
to = to[n:]
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
// KeyExpired returns whether sig is a self-signature of a key that has
|
|
|
|
// expired.
|
|
|
|
func (sig *Signature) KeyExpired(currentTime time.Time) bool {
|
|
|
|
if sig.KeyLifetimeSecs == nil {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
expiry := sig.CreationTime.Add(time.Duration(*sig.KeyLifetimeSecs) * time.Second)
|
|
|
|
return currentTime.After(expiry)
|
|
|
|
}
|
|
|
|
|
|
|
|
// ExpiresBeforeOther checks if other signature has expiration at
|
|
|
|
// later date than sig.
|
|
|
|
func (sig *Signature) ExpiresBeforeOther(other *Signature) bool {
|
|
|
|
if sig.KeyLifetimeSecs == nil {
|
|
|
|
// This sig never expires, or has infinitely long expiration
|
|
|
|
// time.
|
|
|
|
return false
|
|
|
|
} else if other.KeyLifetimeSecs == nil {
|
|
|
|
// This sig expires at some non-infinite point, but the other
|
|
|
|
// sig never expires.
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
|
|
|
getExpiryDate := func(s *Signature) time.Time {
|
|
|
|
return s.CreationTime.Add(time.Duration(*s.KeyLifetimeSecs) * time.Second)
|
|
|
|
}
|
|
|
|
|
|
|
|
return getExpiryDate(other).After(getExpiryDate(sig))
|
|
|
|
}
|
|
|
|
|
|
|
|
// buildHashSuffix constructs the HashSuffix member of sig in preparation for signing.
|
|
|
|
func (sig *Signature) buildHashSuffix() (err error) {
|
|
|
|
hashedSubpacketsLen := subpacketsLength(sig.outSubpackets, true)
|
|
|
|
|
|
|
|
var ok bool
|
|
|
|
l := 6 + hashedSubpacketsLen
|
|
|
|
sig.HashSuffix = make([]byte, l+6)
|
|
|
|
sig.HashSuffix[0] = 4
|
|
|
|
sig.HashSuffix[1] = uint8(sig.SigType)
|
|
|
|
sig.HashSuffix[2] = uint8(sig.PubKeyAlgo)
|
|
|
|
sig.HashSuffix[3], ok = s2k.HashToHashId(sig.Hash)
|
|
|
|
if !ok {
|
|
|
|
sig.HashSuffix = nil
|
|
|
|
return errors.InvalidArgumentError("hash cannot be represented in OpenPGP: " + strconv.Itoa(int(sig.Hash)))
|
|
|
|
}
|
|
|
|
sig.HashSuffix[4] = byte(hashedSubpacketsLen >> 8)
|
|
|
|
sig.HashSuffix[5] = byte(hashedSubpacketsLen)
|
|
|
|
serializeSubpackets(sig.HashSuffix[6:l], sig.outSubpackets, true)
|
|
|
|
trailer := sig.HashSuffix[l:]
|
|
|
|
trailer[0] = 4
|
|
|
|
trailer[1] = 0xff
|
|
|
|
trailer[2] = byte(l >> 24)
|
|
|
|
trailer[3] = byte(l >> 16)
|
|
|
|
trailer[4] = byte(l >> 8)
|
|
|
|
trailer[5] = byte(l)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
func (sig *Signature) signPrepareHash(h hash.Hash) (digest []byte, err error) {
|
|
|
|
err = sig.buildHashSuffix()
|
|
|
|
if err != nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
h.Write(sig.HashSuffix)
|
|
|
|
digest = h.Sum(nil)
|
|
|
|
copy(sig.HashTag[:], digest)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
// Sign signs a message with a private key. The hash, h, must contain
|
|
|
|
// the hash of the message to be signed and will be mutated by this function.
|
|
|
|
// On success, the signature is stored in sig. Call Serialize to write it out.
|
|
|
|
// If config is nil, sensible defaults will be used.
|
|
|
|
func (sig *Signature) Sign(h hash.Hash, priv *PrivateKey, config *Config) (err error) {
|
|
|
|
signer, hashIsSigner := h.(Signer)
|
|
|
|
|
|
|
|
if !hashIsSigner && (priv == nil || priv.PrivateKey == nil) {
|
|
|
|
err = errors.InvalidArgumentError("attempting to sign with nil PrivateKey")
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
sig.outSubpackets = sig.buildSubpackets()
|
|
|
|
digest, err := sig.signPrepareHash(h)
|
|
|
|
if err != nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
if hashIsSigner {
|
|
|
|
err = signer.Sign(sig)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
// Parameter check, if this is wrong we will make a signature but
|
|
|
|
// not serialize it later.
|
|
|
|
if sig.PubKeyAlgo != priv.PubKeyAlgo {
|
|
|
|
err = errors.InvalidArgumentError("signature pub key algo does not match priv key")
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
switch priv.PubKeyAlgo {
|
|
|
|
case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly:
|
|
|
|
sig.RSASignature.bytes, err = rsa.SignPKCS1v15(config.Random(), priv.PrivateKey.(*rsa.PrivateKey), sig.Hash, digest)
|
|
|
|
sig.RSASignature.bitLength = uint16(8 * len(sig.RSASignature.bytes))
|
|
|
|
case PubKeyAlgoDSA:
|
|
|
|
dsaPriv := priv.PrivateKey.(*dsa.PrivateKey)
|
|
|
|
|
|
|
|
// Need to truncate hashBytes to match FIPS 186-3 section 4.6.
|
|
|
|
subgroupSize := (dsaPriv.Q.BitLen() + 7) / 8
|
|
|
|
if len(digest) > subgroupSize {
|
|
|
|
digest = digest[:subgroupSize]
|
|
|
|
}
|
|
|
|
r, s, err := dsa.Sign(config.Random(), dsaPriv, digest)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
sig.DSASigR.bytes = r.Bytes()
|
|
|
|
sig.DSASigR.bitLength = uint16(8 * len(sig.DSASigR.bytes))
|
|
|
|
sig.DSASigS.bytes = s.Bytes()
|
|
|
|
sig.DSASigS.bitLength = uint16(8 * len(sig.DSASigS.bytes))
|
|
|
|
case PubKeyAlgoECDSA:
|
|
|
|
r, s, err := ecdsa.Sign(config.Random(), priv.PrivateKey.(*ecdsa.PrivateKey), digest)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
sig.ECDSASigR = FromBig(r)
|
|
|
|
sig.ECDSASigS = FromBig(s)
|
|
|
|
case PubKeyAlgoEdDSA:
|
|
|
|
r, s, err := priv.PrivateKey.(*EdDSAPrivateKey).Sign(digest)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
sig.EdDSASigR = FromBytes(r)
|
|
|
|
sig.EdDSASigS = FromBytes(s)
|
|
|
|
default:
|
|
|
|
err = errors.UnsupportedError("public key algorithm for signing: " + strconv.Itoa(int(priv.PubKeyAlgo)))
|
|
|
|
}
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
// SignUserId computes a signature from priv, asserting that pub is a valid
|
|
|
|
// key for the identity id. On success, the signature is stored in sig. Call
|
|
|
|
// Serialize to write it out.
|
|
|
|
// If config is nil, sensible defaults will be used.
|
|
|
|
func (sig *Signature) SignUserId(id string, pub *PublicKey, priv *PrivateKey, config *Config) error {
|
|
|
|
h, err := userIdSignatureHash(id, pub, sig.Hash)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
return sig.Sign(h, priv, config)
|
|
|
|
}
|
|
|
|
|
|
|
|
// SignUserIdWithSigner computes a signature from priv, asserting that pub is a
|
|
|
|
// valid key for the identity id. On success, the signature is stored in sig.
|
|
|
|
// Call Serialize to write it out.
|
|
|
|
// If config is nil, sensible defaults will be used.
|
|
|
|
func (sig *Signature) SignUserIdWithSigner(id string, pub *PublicKey, s Signer, config *Config) error {
|
|
|
|
updateUserIdSignatureHash(id, pub, s)
|
|
|
|
|
|
|
|
return sig.Sign(s, nil, config)
|
|
|
|
}
|
|
|
|
|
|
|
|
// SignKey computes a signature from priv, asserting that pub is a subkey. On
|
|
|
|
// success, the signature is stored in sig. Call Serialize to write it out.
|
|
|
|
// If config is nil, sensible defaults will be used.
|
|
|
|
func (sig *Signature) SignKey(pub *PublicKey, priv *PrivateKey, config *Config) error {
|
|
|
|
h, err := keySignatureHash(&priv.PublicKey, pub, sig.Hash)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
return sig.Sign(h, priv, config)
|
|
|
|
}
|
|
|
|
|
|
|
|
// SignKeyWithSigner computes a signature using s, asserting that
|
|
|
|
// signeePubKey is a subkey. On success, the signature is stored in sig. Call
|
|
|
|
// Serialize to write it out. If config is nil, sensible defaults will be used.
|
|
|
|
func (sig *Signature) SignKeyWithSigner(signeePubKey *PublicKey, signerPubKey *PublicKey, s Signer, config *Config) error {
|
|
|
|
updateKeySignatureHash(signerPubKey, signeePubKey, s)
|
|
|
|
|
|
|
|
return sig.Sign(s, nil, config)
|
|
|
|
}
|
|
|
|
|
|
|
|
// CrossSignKey creates PrimaryKeyBinding signature in sig.EmbeddedSignature by
|
|
|
|
// signing `primary` key's hash using `priv` subkey private key. Primary public
|
|
|
|
// key is the `signee` here.
|
|
|
|
func (sig *Signature) CrossSignKey(primary *PublicKey, priv *PrivateKey, config *Config) error {
|
|
|
|
if len(sig.outSubpackets) > 0 {
|
|
|
|
return fmt.Errorf("outSubpackets already exists, looks like CrossSignKey was called after Sign")
|
|
|
|
}
|
|
|
|
|
|
|
|
sig.EmbeddedSignature = &Signature{
|
|
|
|
CreationTime: sig.CreationTime,
|
|
|
|
SigType: SigTypePrimaryKeyBinding,
|
|
|
|
PubKeyAlgo: priv.PubKeyAlgo,
|
|
|
|
Hash: sig.Hash,
|
|
|
|
}
|
|
|
|
|
|
|
|
h, err := keySignatureHash(primary, &priv.PublicKey, sig.Hash)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
return sig.EmbeddedSignature.Sign(h, priv, config)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Serialize marshals sig to w. Sign, SignUserId or SignKey must have been
|
|
|
|
// called first.
|
|
|
|
func (sig *Signature) Serialize(w io.Writer) (err error) {
|
|
|
|
if len(sig.outSubpackets) == 0 {
|
|
|
|
sig.outSubpackets = sig.rawSubpackets
|
|
|
|
}
|
|
|
|
if sig.RSASignature.bytes == nil &&
|
|
|
|
sig.DSASigR.bytes == nil &&
|
|
|
|
sig.ECDSASigR.bytes == nil &&
|
|
|
|
sig.EdDSASigR.bytes == nil {
|
|
|
|
return errors.InvalidArgumentError("Signature: need to call Sign, SignUserId or SignKey before Serialize")
|
|
|
|
}
|
|
|
|
|
|
|
|
sigLength := 0
|
|
|
|
switch sig.PubKeyAlgo {
|
|
|
|
case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly:
|
|
|
|
sigLength = 2 + len(sig.RSASignature.bytes)
|
|
|
|
case PubKeyAlgoDSA:
|
|
|
|
sigLength = 2 + len(sig.DSASigR.bytes)
|
|
|
|
sigLength += 2 + len(sig.DSASigS.bytes)
|
|
|
|
case PubKeyAlgoEdDSA:
|
|
|
|
sigLength = 2 + len(sig.EdDSASigR.bytes)
|
|
|
|
sigLength += 2 + len(sig.EdDSASigS.bytes)
|
|
|
|
case PubKeyAlgoECDSA:
|
|
|
|
sigLength = 2 + len(sig.ECDSASigR.bytes)
|
|
|
|
sigLength += 2 + len(sig.ECDSASigS.bytes)
|
|
|
|
default:
|
|
|
|
panic("impossible")
|
|
|
|
}
|
|
|
|
|
|
|
|
unhashedSubpacketsLen := subpacketsLength(sig.outSubpackets, false)
|
|
|
|
length := len(sig.HashSuffix) - 6 /* trailer not included */ +
|
|
|
|
2 /* length of unhashed subpackets */ + unhashedSubpacketsLen +
|
|
|
|
2 /* hash tag */ + sigLength
|
|
|
|
err = serializeHeader(w, packetTypeSignature, length)
|
|
|
|
if err != nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
_, err = w.Write(sig.HashSuffix[:len(sig.HashSuffix)-6])
|
|
|
|
if err != nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
unhashedSubpackets := make([]byte, 2+unhashedSubpacketsLen)
|
|
|
|
unhashedSubpackets[0] = byte(unhashedSubpacketsLen >> 8)
|
|
|
|
unhashedSubpackets[1] = byte(unhashedSubpacketsLen)
|
|
|
|
serializeSubpackets(unhashedSubpackets[2:], sig.outSubpackets, false)
|
|
|
|
|
|
|
|
_, err = w.Write(unhashedSubpackets)
|
|
|
|
if err != nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
_, err = w.Write(sig.HashTag[:])
|
|
|
|
if err != nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
switch sig.PubKeyAlgo {
|
|
|
|
case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly:
|
|
|
|
err = writeMPIs(w, sig.RSASignature)
|
|
|
|
case PubKeyAlgoDSA:
|
|
|
|
err = writeMPIs(w, sig.DSASigR, sig.DSASigS)
|
|
|
|
case PubKeyAlgoEdDSA:
|
|
|
|
err = writeMPIs(w, sig.EdDSASigR, sig.EdDSASigS)
|
|
|
|
case PubKeyAlgoECDSA:
|
|
|
|
err = writeMPIs(w, sig.ECDSASigR, sig.ECDSASigS)
|
|
|
|
default:
|
|
|
|
panic("impossible")
|
|
|
|
}
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
// outputSubpacket represents a subpacket to be marshaled.
|
|
|
|
type outputSubpacket struct {
|
|
|
|
hashed bool // true if this subpacket is in the hashed area.
|
|
|
|
subpacketType signatureSubpacketType
|
|
|
|
isCritical bool
|
|
|
|
contents []byte
|
|
|
|
}
|
|
|
|
|
|
|
|
func (sig *Signature) buildSubpackets() (subpackets []outputSubpacket) {
|
|
|
|
creationTime := make([]byte, 4)
|
|
|
|
binary.BigEndian.PutUint32(creationTime, uint32(sig.CreationTime.Unix()))
|
|
|
|
subpackets = append(subpackets, outputSubpacket{true, creationTimeSubpacket, false, creationTime})
|
|
|
|
|
|
|
|
if sig.IssuerKeyId != nil {
|
|
|
|
keyId := make([]byte, 8)
|
|
|
|
binary.BigEndian.PutUint64(keyId, *sig.IssuerKeyId)
|
|
|
|
subpackets = append(subpackets, outputSubpacket{true, issuerSubpacket, false, keyId})
|
|
|
|
}
|
|
|
|
|
|
|
|
if sig.SigLifetimeSecs != nil && *sig.SigLifetimeSecs != 0 {
|
|
|
|
sigLifetime := make([]byte, 4)
|
|
|
|
binary.BigEndian.PutUint32(sigLifetime, *sig.SigLifetimeSecs)
|
|
|
|
subpackets = append(subpackets, outputSubpacket{true, signatureExpirationSubpacket, true, sigLifetime})
|
|
|
|
}
|
|
|
|
|
|
|
|
// Key flags may only appear in self-signatures or certification signatures.
|
|
|
|
|
|
|
|
if sig.FlagsValid {
|
|
|
|
subpackets = append(subpackets, outputSubpacket{true, keyFlagsSubpacket, false, []byte{sig.GetKeyFlags().BitField}})
|
|
|
|
}
|
|
|
|
|
|
|
|
// The following subpackets may only appear in self-signatures
|
|
|
|
|
|
|
|
if sig.KeyLifetimeSecs != nil && *sig.KeyLifetimeSecs != 0 {
|
|
|
|
keyLifetime := make([]byte, 4)
|
|
|
|
binary.BigEndian.PutUint32(keyLifetime, *sig.KeyLifetimeSecs)
|
|
|
|
subpackets = append(subpackets, outputSubpacket{true, keyExpirationSubpacket, true, keyLifetime})
|
|
|
|
}
|
|
|
|
|
|
|
|
if sig.IsPrimaryId != nil && *sig.IsPrimaryId {
|
|
|
|
subpackets = append(subpackets, outputSubpacket{true, primaryUserIdSubpacket, false, []byte{1}})
|
|
|
|
}
|
|
|
|
|
|
|
|
if len(sig.PreferredSymmetric) > 0 {
|
|
|
|
subpackets = append(subpackets, outputSubpacket{true, prefSymmetricAlgosSubpacket, false, sig.PreferredSymmetric})
|
|
|
|
}
|
|
|
|
|
|
|
|
if len(sig.PreferredHash) > 0 {
|
|
|
|
subpackets = append(subpackets, outputSubpacket{true, prefHashAlgosSubpacket, false, sig.PreferredHash})
|
|
|
|
}
|
|
|
|
|
|
|
|
if len(sig.PreferredCompression) > 0 {
|
|
|
|
subpackets = append(subpackets, outputSubpacket{true, prefCompressionSubpacket, false, sig.PreferredCompression})
|
|
|
|
}
|
|
|
|
|
|
|
|
if sig.EmbeddedSignature != nil {
|
|
|
|
buf := bytes.NewBuffer(nil)
|
|
|
|
if err := sig.EmbeddedSignature.Serialize(buf); err == nil {
|
|
|
|
byteContent := buf.Bytes()[2:] // skip 2-byte length header
|
|
|
|
subpackets = append(subpackets, outputSubpacket{false, embeddedSignatureSubpacket, true, byteContent})
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
func (sig *Signature) GetKeyFlags() (ret KeyFlagBits) {
|
|
|
|
if !sig.FlagsValid {
|
|
|
|
return ret
|
|
|
|
}
|
|
|
|
|
|
|
|
ret.Valid = true
|
|
|
|
if sig.FlagCertify {
|
|
|
|
ret.BitField |= KeyFlagCertify
|
|
|
|
}
|
|
|
|
if sig.FlagSign {
|
|
|
|
ret.BitField |= KeyFlagSign
|
|
|
|
}
|
|
|
|
if sig.FlagEncryptCommunications {
|
|
|
|
ret.BitField |= KeyFlagEncryptCommunications
|
|
|
|
}
|
|
|
|
if sig.FlagEncryptStorage {
|
|
|
|
ret.BitField |= KeyFlagEncryptStorage
|
|
|
|
}
|
|
|
|
return ret
|
|
|
|
}
|
|
|
|
|
|
|
|
func (f *KeyFlagBits) HasFlagCertify() bool {
|
|
|
|
return f.BitField&KeyFlagCertify != 0
|
|
|
|
}
|
|
|
|
|
|
|
|
func (f *KeyFlagBits) HasFlagSign() bool {
|
|
|
|
return f.BitField&KeyFlagSign != 0
|
|
|
|
}
|
|
|
|
|
|
|
|
func (f *KeyFlagBits) HasFlagEncryptCommunications() bool {
|
|
|
|
return f.BitField&KeyFlagEncryptCommunications != 0
|
|
|
|
}
|
|
|
|
|
|
|
|
func (f *KeyFlagBits) HasFlagEncryptStorage() bool {
|
|
|
|
return f.BitField&KeyFlagEncryptStorage != 0
|
|
|
|
}
|
|
|
|
|
|
|
|
func (f *KeyFlagBits) Merge(other KeyFlagBits) {
|
|
|
|
if other.Valid {
|
|
|
|
f.Valid = true
|
|
|
|
f.BitField |= other.BitField
|
|
|
|
}
|
|
|
|
}
|