pm/keyring/keyring.go

344 lines
8.7 KiB
Go
Raw Normal View History

package keyring
2018-02-25 01:45:56 -08:00
import (
2018-02-25 03:25:49 -08:00
"fmt"
"io"
2018-02-25 01:52:57 -08:00
"os"
"path/filepath"
2018-02-25 03:25:49 -08:00
"strings"
2018-02-25 01:45:56 -08:00
"github.com/pkg/errors"
"golang.org/x/crypto/openpgp"
2018-02-25 10:10:08 -08:00
"golang.org/x/crypto/openpgp/armor"
2018-02-25 01:52:57 -08:00
"mcquay.me/fs"
2018-02-25 01:45:56 -08:00
)
2018-02-25 03:11:40 -08:00
// NewKeyPair creates and adds a new OpenPGP keypair to an existing keyring.
func NewKeyPair(root, name, email string) error {
if name == "" {
return errors.New("name cannot be empty")
}
if email == "" {
return errors.New("email cannot be empty")
}
if strings.ContainsAny(email, "()<>\x00") {
return fmt.Errorf("email %q contains invalid chars", email)
}
2018-02-25 03:11:40 -08:00
if err := ensureDir(root); err != nil {
return errors.Wrap(err, "can't find or create pgp dir")
}
srn, prn := getNames(root)
secs, pubs, err := getELs(srn, prn)
if err != nil {
return errors.Wrap(err, "getting existing keyrings")
2018-02-25 01:52:57 -08:00
}
2018-02-25 03:11:40 -08:00
fresh, err := openpgp.NewEntity(name, "pm", email, nil)
2018-02-25 01:45:56 -08:00
if err != nil {
errors.Wrap(err, "new entity")
}
2018-02-25 03:11:40 -08:00
pr, err := os.Create(prn)
if err != nil {
return errors.Wrap(err, "opening pubring")
}
sr, err := os.Create(srn)
if err != nil {
return errors.Wrap(err, "opening secring")
}
for _, e := range secs {
if err := e.SerializePrivate(sr, nil); err != nil {
return errors.Wrapf(err, "serializing old private key: %v", e.PrimaryKey.KeyIdString())
}
}
// order is critical here; if we don't serialize the private key of fresh
// first, the later steps fail.
if err := fresh.SerializePrivate(sr, nil); err != nil {
return errors.Wrapf(err, "serializing fresh private %v", fresh.PrimaryKey.KeyIdString())
}
if err := sr.Close(); err != nil {
return errors.Wrap(err, "closing secring")
}
for _, e := range pubs {
if err := e.Serialize(pr); err != nil {
return errors.Wrapf(err, "serializing %v", e.PrimaryKey.KeyIdString())
}
}
if err := fresh.Serialize(pr); err != nil {
return errors.Wrapf(err, "serializing %v", fresh.PrimaryKey.KeyIdString())
}
if err := pr.Close(); err != nil {
return errors.Wrap(err, "closing pubring")
}
return nil
}
2018-02-25 03:25:49 -08:00
// ListKeys prints keyring information to w.
func ListKeys(root string, w io.Writer) error {
if err := ensureDir(root); err != nil {
return errors.Wrap(err, "can't find or create pgp dir")
}
srn, prn := getNames(root)
secs, pubs, err := getELs(srn, prn)
if err != nil {
return errors.Wrap(err, "getting existing keyrings")
}
for _, s := range secs {
names := []string{}
for _, v := range s.Identities {
names = append(names, v.Name)
}
fmt.Fprintf(w, "sec: %+v:\t%v\n", s.PrimaryKey.KeyIdShortString(), strings.Join(names, ","))
}
for _, p := range pubs {
names := []string{}
for _, v := range p.Identities {
names = append(names, v.Name)
}
fmt.Fprintf(w, "pub: %+v:\t%v\n", p.PrimaryKey.KeyIdShortString(), strings.Join(names, ","))
}
return nil
}
2018-02-25 10:10:08 -08:00
// Export prints pubkey information associated with email to w.
func Export(root string, w io.Writer, email string) error {
if err := ensureDir(root); err != nil {
return errors.Wrap(err, "can't find or create pgp dir")
}
srn, prn := getNames(root)
_, pubs, err := getELs(srn, prn)
if err != nil {
return errors.Wrap(err, "getting existing keyrings")
}
e, err := findKey(pubs, email)
if err != nil {
return errors.Wrap(err, "find key")
}
aw, err := armor.Encode(w, openpgp.PublicKeyType, nil)
if err != nil {
return errors.Wrap(err, "creating armor encoder")
}
if err := e.Serialize(aw); err != nil {
return errors.Wrap(err, "serializing key")
}
if err := aw.Close(); err != nil {
return errors.Wrap(err, "closing armor encoder")
}
fmt.Fprintf(w, "\n")
return nil
}
2018-02-25 11:03:40 -08:00
// Import parses public key information from w and adds it to the public
// keyring.
func Import(root string, w io.Reader) error {
el, err := openpgp.ReadArmoredKeyRing(w)
if err != nil {
return errors.Wrap(err, "reading keyring")
}
if err := ensureDir(root); err != nil {
return errors.Wrap(err, "can't find or create pgp dir")
}
srn, prn := getNames(root)
_, pubs, err := getELs(srn, prn)
if err != nil {
return errors.Wrap(err, "getting existing keyrings")
}
foreign := openpgp.EntityList{}
exist := map[uint64]bool{}
for _, p := range pubs {
exist[p.PrimaryKey.KeyId] = true
}
for _, e := range el {
if _, ok := exist[e.PrimaryKey.KeyId]; !ok {
foreign = append(foreign, e)
}
}
if len(foreign) < 1 {
return errors.New("no new key material found")
}
pubs = append(pubs, foreign...)
pr, err := os.Create(prn)
if err != nil {
return errors.Wrap(err, "opening pubring")
}
for _, e := range pubs {
if err := e.Serialize(pr); err != nil {
return errors.Wrapf(err, "serializing %v", e.PrimaryKey.KeyIdString())
}
}
if err := pr.Close(); err != nil {
return errors.Wrap(err, "closing pubring")
}
return nil
}
2018-02-25 19:36:13 -08:00
// Sign takes an id and a reader and writes the signature for that id to sig.
2018-02-27 20:41:57 -08:00
func Sign(key *openpgp.Entity, in io.Reader, sig io.Writer) error {
if err := openpgp.ArmoredDetachSign(sig, key, in, nil); err != nil {
2018-02-25 19:36:13 -08:00
return errors.Wrap(err, "armored detach sign")
}
fmt.Fprintf(sig, "\n")
return nil
}
2018-02-25 19:56:04 -08:00
// Verify verifies a file's deatched signature.
func Verify(root string, file, sig io.Reader) error {
if err := ensureDir(root); err != nil {
return errors.Wrap(err, "can't find or create pgp dir")
}
srn, prn := getNames(root)
_, pubs, err := getELs(srn, prn)
if err != nil {
return errors.Wrap(err, "getting existing keyrings")
}
if _, err = openpgp.CheckArmoredDetachedSignature(pubs, file, sig); err != nil {
return errors.Wrap(err, "check sig")
}
return nil
}
2018-02-26 19:31:31 -08:00
// Remove removes public key information for a given id.
//
// It skips public keys that have matching secret keys, and does not effect
// private keys.
func Remove(root string, id string) error {
if err := ensureDir(root); err != nil {
return errors.Wrap(err, "can't find or create pgp dir")
}
srn, prn := getNames(root)
secs, pubs, err := getELs(srn, prn)
if err != nil {
return errors.Wrap(err, "getting existing keyrings")
}
victim, err := findKey(pubs, id)
if err != nil {
return errors.Wrapf(err, "finding key %q", id)
}
pr, err := os.Create(prn)
if err != nil {
return errors.Wrap(err, "opening pubring")
}
var rerr error
for _, p := range pubs {
if victim.PrimaryKey.KeyId == p.PrimaryKey.KeyId {
if len(secs.KeysById(victim.PrimaryKey.KeyId)) == 0 {
continue
}
rerr = fmt.Errorf("skipping pubkey with matching privkey: %v", p.PrimaryKey.KeyIdShortString())
}
if err := p.Serialize(pr); err != nil {
return errors.Wrapf(err, "serializing %v", p.PrimaryKey.KeyIdString())
}
}
if err := pr.Close(); err != nil {
return errors.Wrap(err, "closing pubring")
}
return rerr
}
2018-02-25 03:11:40 -08:00
func pGPDir(root string) string {
return filepath.Join(root, "var", "lib", "pm", "pgp")
}
func ensureDir(root string) error {
d := pGPDir(root)
if !fs.Exists(d) {
if err := os.MkdirAll(d, 0700); err != nil {
return errors.Wrap(err, "mk pgp dir")
}
}
return nil
}
func getNames(root string) (string, string) {
srn := filepath.Join(pGPDir(root), "secring.gpg")
prn := filepath.Join(pGPDir(root), "pubring.gpg")
return srn, prn
}
func getELs(secring, pubring string) (openpgp.EntityList, openpgp.EntityList, error) {
var sr, pr openpgp.EntityList
if fs.Exists(secring) {
f, err := os.Open(secring)
if err != nil {
return nil, nil, errors.Wrap(err, "opening secring")
}
sr, err = openpgp.ReadKeyRing(f)
if err != nil {
return nil, nil, errors.Wrap(err, "read sec key ring")
}
if err := f.Close(); err != nil {
return nil, nil, errors.Wrap(err, "closing keyring")
}
}
if fs.Exists(pubring) {
f, err := os.Open(pubring)
if err != nil {
return nil, nil, errors.Wrap(err, "opening pubring")
}
pr, err = openpgp.ReadKeyRing(f)
if err != nil {
return nil, nil, errors.Wrap(err, "read pub key ring")
}
if err := f.Close(); err != nil {
return nil, nil, errors.Wrap(err, "closing keyring")
}
}
return sr, pr, nil
}
2018-02-25 10:10:08 -08:00
func findKey(el openpgp.EntityList, id string) (*openpgp.Entity, error) {
var e *openpgp.Entity
if strings.Contains(id, "@") {
es := openpgp.EntityList{}
for _, p := range el {
for _, v := range p.Identities {
if id == v.UserId.Email {
es = append(es, p)
}
}
}
if len(es) == 1 {
return es[0], nil
}
if len(es) > 1 {
return nil, errors.New("too many keys matched; try searching by key id?")
}
} else {
for _, p := range el {
if id == p.PrimaryKey.KeyIdShortString() {
return p, nil
}
}
}
return e, fmt.Errorf("key %q not found", id)
}
2018-02-26 20:07:47 -08:00
// FindSecretEntity searches for id in the secret keyring.
func FindSecretEntity(root, id string) (*openpgp.Entity, error) {
2018-02-27 18:45:25 -08:00
if err := ensureDir(root); err != nil {
return nil, errors.Wrap(err, "can't find or create pgp dir")
}
srn, prn := getNames(root)
secs, _, err := getELs(srn, prn)
if err != nil {
return nil, errors.Wrap(err, "getting existing keyrings")
}
return findKey(secs, id)
2018-02-26 20:07:47 -08:00
}