@ -44,7 +44,7 @@ type GPGKey struct {
CanCertify bool
CanCertify bool
}
}
//GPGKeyImport the original import of key
// GPGKeyImport the original import of key
type GPGKeyImport struct {
type GPGKeyImport struct {
KeyID string ` xorm:"pk CHAR(16) NOT NULL" `
KeyID string ` xorm:"pk CHAR(16) NOT NULL" `
Content string ` xorm:"TEXT NOT NULL" `
Content string ` xorm:"TEXT NOT NULL" `
@ -118,9 +118,9 @@ func checkArmoredGPGKeyString(content string) (openpgp.EntityList, error) {
return list , nil
return list , nil
}
}
//addGPGKey add key, import and subkeys to database
// addGPGKey add key, import and subkeys to database
func addGPGKey ( e Engine , key * GPGKey , content string ) ( err error ) {
func addGPGKey ( e Engine , key * GPGKey , content string ) ( err error ) {
//Add GPGKeyImport
// Add GPGKeyImport
if _ , err = e . Insert ( GPGKeyImport {
if _ , err = e . Insert ( GPGKeyImport {
KeyID : key . KeyID ,
KeyID : key . KeyID ,
Content : content ,
Content : content ,
@ -140,7 +140,7 @@ func addGPGKey(e Engine, key *GPGKey, content string) (err error) {
return nil
return nil
}
}
//addGPGSubKey add subkeys to database
// addGPGSubKey add subkeys to database
func addGPGSubKey ( e Engine , key * GPGKey ) ( err error ) {
func addGPGSubKey ( e Engine , key * GPGKey ) ( err error ) {
// Save GPG primary key.
// Save GPG primary key.
if _ , err = e . Insert ( key ) ; err != nil {
if _ , err = e . Insert ( key ) ; err != nil {
@ -177,7 +177,7 @@ func AddGPGKey(ownerID int64, content string) ([]*GPGKey, error) {
return nil , ErrGPGKeyIDAlreadyUsed { ekey . PrimaryKey . KeyIdString ( ) }
return nil , ErrGPGKeyIDAlreadyUsed { ekey . PrimaryKey . KeyIdString ( ) }
}
}
//Get DB session
// Get DB session
key , err := parseGPGKey ( ownerID , ekey )
key , err := parseGPGKey ( ownerID , ekey )
if err != nil {
if err != nil {
@ -192,7 +192,7 @@ func AddGPGKey(ownerID int64, content string) ([]*GPGKey, error) {
return keys , sess . Commit ( )
return keys , sess . Commit ( )
}
}
//base64EncPubKey encode public key content to base 64
// base64EncPubKey encode public key content to base 64
func base64EncPubKey ( pubkey * packet . PublicKey ) ( string , error ) {
func base64EncPubKey ( pubkey * packet . PublicKey ) ( string , error ) {
var w bytes . Buffer
var w bytes . Buffer
err := pubkey . Serialize ( & w )
err := pubkey . Serialize ( & w )
@ -202,18 +202,18 @@ func base64EncPubKey(pubkey *packet.PublicKey) (string, error) {
return base64 . StdEncoding . EncodeToString ( w . Bytes ( ) ) , nil
return base64 . StdEncoding . EncodeToString ( w . Bytes ( ) ) , nil
}
}
//base64DecPubKey decode public key content from base 64
// base64DecPubKey decode public key content from base 64
func base64DecPubKey ( content string ) ( * packet . PublicKey , error ) {
func base64DecPubKey ( content string ) ( * packet . PublicKey , error ) {
b , err := readerFromBase64 ( content )
b , err := readerFromBase64 ( content )
if err != nil {
if err != nil {
return nil , err
return nil , err
}
}
//Read key
// Read key
p , err := packet . Read ( b )
p , err := packet . Read ( b )
if err != nil {
if err != nil {
return nil , err
return nil , err
}
}
//Check type
// Check type
pkey , ok := p . ( * packet . PublicKey )
pkey , ok := p . ( * packet . PublicKey )
if ! ok {
if ! ok {
return nil , fmt . Errorf ( "key is not a public key" )
return nil , fmt . Errorf ( "key is not a public key" )
@ -221,7 +221,7 @@ func base64DecPubKey(content string) (*packet.PublicKey, error) {
return pkey , nil
return pkey , nil
}
}
//GPGKeyToEntity retrieve the imported key and the traducted entity
// GPGKeyToEntity retrieve the imported key and the traducted entity
func GPGKeyToEntity ( k * GPGKey ) ( * openpgp . Entity , error ) {
func GPGKeyToEntity ( k * GPGKey ) ( * openpgp . Entity , error ) {
impKey , err := GetGPGImportByKeyID ( k . KeyID )
impKey , err := GetGPGImportByKeyID ( k . KeyID )
if err != nil {
if err != nil {
@ -234,7 +234,7 @@ func GPGKeyToEntity(k *GPGKey) (*openpgp.Entity, error) {
return keys [ 0 ] , err
return keys [ 0 ] , err
}
}
//parseSubGPGKey parse a sub Key
// parseSubGPGKey parse a sub Key
func parseSubGPGKey ( ownerID int64 , primaryID string , pubkey * packet . PublicKey , expiry time . Time ) ( * GPGKey , error ) {
func parseSubGPGKey ( ownerID int64 , primaryID string , pubkey * packet . PublicKey , expiry time . Time ) ( * GPGKey , error ) {
content , err := base64EncPubKey ( pubkey )
content , err := base64EncPubKey ( pubkey )
if err != nil {
if err != nil {
@ -254,10 +254,10 @@ func parseSubGPGKey(ownerID int64, primaryID string, pubkey *packet.PublicKey, e
} , nil
} , nil
}
}
//getExpiryTime extract the expire time of primary key based on sig
// getExpiryTime extract the expire time of primary key based on sig
func getExpiryTime ( e * openpgp . Entity ) time . Time {
func getExpiryTime ( e * openpgp . Entity ) time . Time {
expiry := time . Time { }
expiry := time . Time { }
//Extract self-sign for expire date based on : https://github.com/golang/crypto/blob/master/openpgp/keys.go#L165
// Extract self-sign for expire date based on : https://github.com/golang/crypto/blob/master/openpgp/keys.go#L165
var selfSig * packet . Signature
var selfSig * packet . Signature
for _ , ident := range e . Identities {
for _ , ident := range e . Identities {
if selfSig == nil {
if selfSig == nil {
@ -273,12 +273,12 @@ func getExpiryTime(e *openpgp.Entity) time.Time {
return expiry
return expiry
}
}
//parseGPGKey parse a PrimaryKey entity (primary key + subs keys + self-signature)
// parseGPGKey parse a PrimaryKey entity (primary key + subs keys + self-signature)
func parseGPGKey ( ownerID int64 , e * openpgp . Entity ) ( * GPGKey , error ) {
func parseGPGKey ( ownerID int64 , e * openpgp . Entity ) ( * GPGKey , error ) {
pubkey := e . PrimaryKey
pubkey := e . PrimaryKey
expiry := getExpiryTime ( e )
expiry := getExpiryTime ( e )
//Parse Subkeys
// Parse Subkeys
subkeys := make ( [ ] * GPGKey , len ( e . Subkeys ) )
subkeys := make ( [ ] * GPGKey , len ( e . Subkeys ) )
for i , k := range e . Subkeys {
for i , k := range e . Subkeys {
subs , err := parseSubGPGKey ( ownerID , pubkey . KeyIdString ( ) , k . PublicKey , expiry )
subs , err := parseSubGPGKey ( ownerID , pubkey . KeyIdString ( ) , k . PublicKey , expiry )
@ -288,7 +288,7 @@ func parseGPGKey(ownerID int64, e *openpgp.Entity) (*GPGKey, error) {
subkeys [ i ] = subs
subkeys [ i ] = subs
}
}
//Check emails
// Check emails
userEmails , err := GetEmailAddresses ( ownerID )
userEmails , err := GetEmailAddresses ( ownerID )
if err != nil {
if err != nil {
return nil , err
return nil , err
@ -308,7 +308,7 @@ func parseGPGKey(ownerID int64, e *openpgp.Entity) (*GPGKey, error) {
}
}
}
}
//In the case no email as been found
// In the case no email as been found
if len ( emails ) == 0 {
if len ( emails ) == 0 {
failedEmails := make ( [ ] string , 0 , len ( e . Identities ) )
failedEmails := make ( [ ] string , 0 , len ( e . Identities ) )
for _ , ident := range e . Identities {
for _ , ident := range e . Identities {
@ -340,9 +340,9 @@ func parseGPGKey(ownerID int64, e *openpgp.Entity) (*GPGKey, error) {
// deleteGPGKey does the actual key deletion
// deleteGPGKey does the actual key deletion
func deleteGPGKey ( e * xorm . Session , keyID string ) ( int64 , error ) {
func deleteGPGKey ( e * xorm . Session , keyID string ) ( int64 , error ) {
if keyID == "" {
if keyID == "" {
return 0 , fmt . Errorf ( "empty KeyId forbidden" ) //Should never happen but just to be sure
return 0 , fmt . Errorf ( "empty KeyId forbidden" ) // Should never happen but just to be sure
}
}
//Delete imported key
// Delete imported key
n , err := e . Where ( "key_id=?" , keyID ) . Delete ( new ( GPGKeyImport ) )
n , err := e . Where ( "key_id=?" , keyID ) . Delete ( new ( GPGKeyImport ) )
if err != nil {
if err != nil {
return n , err
return n , err
@ -452,11 +452,11 @@ func extractSignature(s string) (*packet.Signature, error) {
}
}
func verifySign ( s * packet . Signature , h hash . Hash , k * GPGKey ) error {
func verifySign ( s * packet . Signature , h hash . Hash , k * GPGKey ) error {
//Check if key can sign
// Check if key can sign
if ! k . CanSign {
if ! k . CanSign {
return fmt . Errorf ( "key can not sign" )
return fmt . Errorf ( "key can not sign" )
}
}
//Decode key
// Decode key
pkey , err := base64DecPubKey ( k . Content )
pkey , err := base64DecPubKey ( k . Content )
if err != nil {
if err != nil {
return err
return err
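Review bot: `verifySign` (and `hashAndVerify` in the next hunk) still has no doc comment, although its nil return is what lets `hashAndVerify` report `Verified: true`. I would add something like `// verifySign returns nil only when k has the signing capability and s verifies over h with the public key decoded from k.Content.` The verification call itself is below the last visible line, so check that wording against it. The comment should also say whether key expiry is enforced here or left to the caller, since the visible lines only test `k.CanSign`.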
@ -465,9 +465,9 @@ func verifySign(s *packet.Signature, h hash.Hash, k *GPGKey) error {
}
}
func hashAndVerify ( sig * packet . Signature , payload string , k * GPGKey , committer , signer * User , email string ) * CommitVerification {
func hashAndVerify ( sig * packet . Signature , payload string , k * GPGKey , committer , signer * User , email string ) * CommitVerification {
//Generating hash of commit
// Generating hash of commit
hash , err := populateHash ( sig . Hash , [ ] byte ( payload ) )
hash , err := populateHash ( sig . Hash , [ ] byte ( payload ) )
if err != nil { //Skipping failed to generate hash
if err != nil { // Skipping failed to generate hash
log . Error ( "PopulateHash: %v" , err )
log . Error ( "PopulateHash: %v" , err )
return & CommitVerification {
return & CommitVerification {
CommittingUser : committer ,
CommittingUser : committer ,
@ -477,7 +477,7 @@ func hashAndVerify(sig *packet.Signature, payload string, k *GPGKey, committer,
}
}
if err := verifySign ( sig , hash , k ) ; err == nil {
if err := verifySign ( sig , hash , k ) ; err == nil {
return & CommitVerification { //Everything is ok
return & CommitVerification { // Everything is ok
CommittingUser : committer ,
CommittingUser : committer ,
Verified : true ,
Verified : true ,
Reason : fmt . Sprintf ( "%s / %s" , signer . Name , k . KeyID ) ,
Reason : fmt . Sprintf ( "%s / %s" , signer . Name , k . KeyID ) ,
@ -495,7 +495,7 @@ func hashAndVerifyWithSubKeys(sig *packet.Signature, payload string, k *GPGKey,
return commitVerification
return commitVerification
}
}
//And test also SubsKey
// And test also SubsKey
for _ , sk := range k . SubsKey {
for _ , sk := range k . SubsKey {
commitVerification := hashAndVerify ( sig , payload , sk , committer , signer , email )
commitVerification := hashAndVerify ( sig , payload , sk , committer , signer , email )
if commitVerification != nil {
if commitVerification != nil {
@ -620,9 +620,9 @@ func ParseCommitWithSignature(c *git.Commit) *CommitVerification {
var committer * User
var committer * User
if c . Committer != nil {
if c . Committer != nil {
var err error
var err error
//Find Committer account
// Find Committer account
committer , err = GetUserByEmail ( c . Committer . Email ) //This finds the user by primary email or activated email so commit will not be valid if email is not
committer , err = GetUserByEmail ( c . Committer . Email ) // This finds the user by primary email or activated email so commit will not be valid if email is not
if err != nil { //Skipping not user for commiter
if err != nil { // Skipping not user for commiter
committer = & User {
committer = & User {
Name : c . Committer . Name ,
Name : c . Committer . Name ,
Email : c . Committer . Email ,
Email : c . Committer . Email ,
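Review bot: The trailing comment on the `GetUserByEmail` call still ends mid-sentence (`... so commit will not be valid if email is not`), so the rule that decides whether a signature can be tied to an account is left for the reader to guess. Since the line is being touched anyway, I would move the comment above the call and finish it, presumably as `// GetUserByEmail matches only a primary or activated email, so a commit whose committer email is not activated is not attributed to an account.` The `err != nil` branch treats every error as "no such user" and falls back to a `User` built from the commit's own name and email. Its comment could say that directly, with `commiter` corrected to `committer`: `// No account for this committer email: fall back to the identity recorded in the commit.` ParseCommitWithSignature starts and ends outside this hunk.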
@ -645,14 +645,14 @@ func ParseCommitWithSignature(c *git.Commit) *CommitVerification {
if c . Signature == nil {
if c . Signature == nil {
return & CommitVerification {
return & CommitVerification {
CommittingUser : committer ,
CommittingUser : committer ,
Verified : false , //Default value
Verified : false , // Default value
Reason : "gpg.error.not_signed_commit" , //Default value
Reason : "gpg.error.not_signed_commit" , // Default value
}
}
}
}
//Parsing signature
// Parsing signature
sig , err := extractSignature ( c . Signature . Signature )
sig , err := extractSignature ( c . Signature . Signature )
if err != nil { //Skipping failed to extract sign
if err != nil { // Skipping failed to extract sign
log . Error ( "SignatureRead err: %v" , err )
log . Error ( "SignatureRead err: %v" , err )
return & CommitVerification {
return & CommitVerification {
CommittingUser : committer ,
CommittingUser : committer ,
@ -688,7 +688,7 @@ func ParseCommitWithSignature(c *git.Commit) *CommitVerification {
// Now try to associate the signature with the committer, if present
// Now try to associate the signature with the committer, if present
if committer . ID != 0 {
if committer . ID != 0 {
keys , err := ListGPGKeys ( committer . ID , ListOptions { } )
keys , err := ListGPGKeys ( committer . ID , ListOptions { } )
if err != nil { //Skipping failed to get gpg keys of user
if err != nil { // Skipping failed to get gpg keys of user
log . Error ( "ListGPGKeys: %v" , err )
log . Error ( "ListGPGKeys: %v" , err )
return & CommitVerification {
return & CommitVerification {
CommittingUser : committer ,
CommittingUser : committer ,
@ -698,7 +698,7 @@ func ParseCommitWithSignature(c *git.Commit) *CommitVerification {
}
}
for _ , k := range keys {
for _ , k := range keys {
//Pre-check (& optimization) that emails attached to key can be attached to the commiter email and can validate
// Pre-check (& optimization) that emails attached to key can be attached to the commiter email and can validate
canValidate := false
canValidate := false
email := ""
email := ""
for _ , e := range k . Emails {
for _ , e := range k . Emails {
@ -709,7 +709,7 @@ func ParseCommitWithSignature(c *git.Commit) *CommitVerification {
}
}
}
}
if ! canValidate {
if ! canValidate {
continue //Skip this key
continue // Skip this key
}
}
commitVerification := hashAndVerifyWithSubKeys ( sig , c . Signature . Payload , k , committer , committer , email )
commitVerification := hashAndVerifyWithSubKeys ( sig , c . Signature . Payload , k , committer , committer , email )
@ -753,7 +753,7 @@ func ParseCommitWithSignature(c *git.Commit) *CommitVerification {
}
}
}
}
return & CommitVerification { //Default at this stage
return & CommitVerification { // Default at this stage
CommittingUser : committer ,
CommittingUser : committer ,
Verified : false ,
Verified : false ,
Warning : defaultReason != NoKeyFound ,
Warning : defaultReason != NoKeyFound ,