// Delegate marks the given ComputedKeyInfos object that the given kid is now
// delegated, as of time tm, in sigid, as signed by signingKid, etc.
func (cki *ComputedKeyInfos) Delegate(kid keybase1.KID, tm *KeybaseTime, sigid keybase1.SigID, signingKid, parentKID keybase1.KID, pgpHash string, isSibkey bool, ctime, etime time.Time) (err error) {
G.Log.Debug("ComputeKeyInfos::Delegate To %s with %s at sig %s", kid.String(), signingKid, sigid.ToDisplayString(true))
info, found := cki.Infos[kid]
if !found {
newInfo := NewComputedKeyInfo(false, false, KeyUncancelled, ctime.Unix(), etime.Unix(), pgpHash)
newInfo.DelegatedAt = tm
info = &newInfo
cki.Infos[kid] = info
} else {
info.Status = KeyUncancelled
info.CTime = ctime.Unix()
info.ETime = etime.Unix()
}
info.Delegations[sigid] = signingKid
info.Sibkey = isSibkey
cki.Sigs[sigid] = info
// If it's a subkey, make a pointer from it to its parent,
// and also from its parent to it.
if parentKID.Exists() {
info.Parent = parentKID
if parent, found := cki.Infos[parentKID]; found {
parent.Subkey = kid
}
}
return
}
func PostDeviceLKS(sr SessionReader, deviceID keybase1.DeviceID, deviceType string, serverHalf []byte,
ppGen PassphraseGeneration,
clientHalfRecovery string, clientHalfRecoveryKID keybase1.KID) error {
if len(serverHalf) == 0 {
return fmt.Errorf("PostDeviceLKS: called with empty serverHalf")
}
if ppGen < 1 {
G.Log.Warning("PostDeviceLKS: ppGen < 1 (%d)", ppGen)
debug.PrintStack()
}
arg := APIArg{
Endpoint: "device/update",
NeedSession: true,
Args: HTTPArgs{
"device_id": S{Val: deviceID.String()},
"type": S{Val: deviceType},
"lks_server_half": S{Val: hex.EncodeToString(serverHalf)},
"ppgen": I{Val: int(ppGen)},
"lks_client_half": S{Val: clientHalfRecovery},
"kid": S{Val: clientHalfRecoveryKID.String()},
},
SessionR: sr,
}
_, err := G.API.Post(arg)
return err
}
func LoadPGPKeyFromLocalDB(k keybase1.KID, g *GlobalContext) (*PGPKeyBundle, error) {
dbobj, err := g.LocalDb.Get(DbKey{
Typ: DBPGPKey,
Key: k.String(),
})
if err != nil {
return nil, err
}
if dbobj == nil {
return nil, nil
}
return GetOneKey(dbobj)
}
// Load takes a blessed KID and returns, if possible, the GenericKey
// associated with that KID, for signature verification. If the key isn't
// found in memory or on disk (in the case of PGP), then it will attempt
// to fetch the key from the keybase server.
func (sk *SpecialKeyRing) Load(kid keybase1.KID) (GenericKey, error) {
sk.G().Log.Debug("+ SpecialKeyRing.Load(%s)", kid)
if !sk.IsValidKID(kid) {
err := UnknownSpecialKIDError{kid}
return nil, err
}
if key, found := sk.keys[kid]; found {
sk.G().Log.Debug("- SpecialKeyRing.Load(%s) -> hit inmem cache", kid)
return key, nil
}
key, err := LoadPGPKeyFromLocalDB(kid, sk.G())
if err != nil || key == nil {
sk.G().Log.Debug("| Load(%s) going to network", kid)
var res *APIRes
res, err = sk.G().API.Get(APIArg{
Endpoint: "key/special",
NeedSession: false,
Args: HTTPArgs{
"kid": S{kid.String()},
},
Contextified: NewContextified(sk.G()),
})
var w *Warnings
if err == nil {
key, w, err = GetOneKey(res.Body.AtKey("bundle"))
}
if err == nil {
w.Warn(sk.G())
if e2 := key.StoreToLocalDb(sk.G()); e2 != nil {
sk.G().Log.Warning("Failed to store key: %s", e2)
}
}
} else {
sk.G().Log.Debug("| Load(%s) hit DB-backed cache", kid)
}
if err == nil && key != nil {
sk.keys[kid] = key
}
sk.G().Log.Debug("- SpecialKeyRing.Load(%s)", kid)
return key, err
}
func makeKeyArgs(sigID keybase1.SigID, sig []byte, delType libkb.DelegationType, key libkb.GenericKey, eldestKID, signingKID keybase1.KID) (*libkb.HTTPArgs, error) {
pub, err := key.Encode()
if err != nil {
return nil, err
}
args := libkb.HTTPArgs{
"sig_id_base": libkb.S{Val: sigID.ToString(false)},
"sig_id_short": libkb.S{Val: sigID.ToShortID()},
"sig": libkb.S{Val: string(sig)},
"type": libkb.S{Val: string(delType)},
"is_remote_proof": libkb.B{Val: false},
"public_key": libkb.S{Val: pub},
"eldest_kid": libkb.S{Val: eldestKID.String()},
"signing_kid": libkb.S{Val: signingKID.String()},
}
return &args, nil
}
// FindActiveEncryptionSubkey takes a given KID and finds the corresponding
// active encryption subkey in the current key family. If for any reason it
// cannot find the key, it will return an error saying why. Otherwise, it will
// return the key. In this case either key is non-nil, or err is non-nil.
func (ckf ComputedKeyFamily) FindActiveEncryptionSubkey(kid keybase1.KID) (GenericKey, error) {
ki, err := ckf.getCkiIfActiveNow(kid)
if err != nil {
return nil, err
}
if ki.Sibkey {
return nil, BadKeyError{fmt.Sprintf("The key '%s' was delegated as a sibkey", kid.String())}
}
key, err := ckf.FindKeyWithKIDUnsafe(kid)
if err != nil {
return nil, err
}
if !CanEncrypt(key) {
return nil, BadKeyError{fmt.Sprintf("The key '%s' cannot encrypt", kid.String())}
}
return key, nil
}
func (e *loginProvision) uidByKID(kid keybase1.KID) (keybase1.UID, error) {
var nilUID keybase1.UID
arg := libkb.APIArg{
Endpoint: "key/owner",
NeedSession: false,
Contextified: libkb.NewContextified(e.G()),
Args: libkb.HTTPArgs{"kid": libkb.S{Val: kid.String()}},
}
res, err := e.G().API.Get(arg)
if err != nil {
return nilUID, err
}
suid, err := res.Body.AtPath("uid").GetString()
if err != nil {
return nilUID, err
}
return keybase1.UIDFromString(suid)
}
func (k SKBKeyringFile) SearchWithComputedKeyFamily(ckf *ComputedKeyFamily, ska SecretKeyArg) []*SKB {
var kid keybase1.KID
G.Log.Debug("+ SKBKeyringFile.SearchWithComputedKeyFamily")
defer func() {
var res string
if kid.Exists() {
res = kid.String()
} else {
res = "<nil>"
}
G.Log.Debug("- SKBKeyringFile.SearchWithComputedKeyFamily -> %s\n", res)
}()
G.Log.Debug("| Searching %d possible blocks", len(k.Blocks))
var blocks []*SKB
for i := len(k.Blocks) - 1; i >= 0; i-- {
G.Log.Debug("| trying key index# -> %d", i)
if key, err := k.Blocks[i].GetPubKey(); err == nil && key != nil {
kid = key.GetKID()
active := ckf.GetKeyRole(kid)
G.Log.Debug("| Checking KID: %s -> %d", kid, int(active))
if !ska.KeyType.nonDeviceKeyMatches(key) {
G.Log.Debug("| Skipped, doesn't match type=%s", ska.KeyType)
} else if !KeyMatchesQuery(key, ska.KeyQuery, ska.ExactMatch) {
G.Log.Debug("| Skipped, doesn't match query=%s", ska.KeyQuery)
} else if active != DLGSibkey {
G.Log.Debug("| Skipped, active=%d", int(active))
} else {
blocks = append(blocks, k.Blocks[i])
}
} else {
G.Log.Debug("| failed --> %v", err)
}
}
return blocks
}
func (e *LoginProvision) loadUserByKID(kid keybase1.KID) (*libkb.User, error) {
arg := libkb.APIArg{
Endpoint: "key/owner",
NeedSession: false,
Contextified: libkb.NewContextified(e.G()),
Args: libkb.HTTPArgs{"kid": libkb.S{Val: kid.String()}},
}
res, err := e.G().API.Get(arg)
if err != nil {
return nil, err
}
suid, err := res.Body.AtPath("uid").GetString()
if err != nil {
return nil, err
}
uid, err := keybase1.UIDFromString(suid)
if err != nil {
return nil, err
}
e.G().Log.Debug("key/owner result uid: %s", uid)
loadArg := libkb.NewLoadUserArg(e.G())
loadArg.UID = uid
return libkb.LoadUser(loadArg)
}
