func (e *Kex2Provisionee) dhKeyProof(dh libkb.GenericKey, eldestKID keybase1.KID, seqno int, linkID libkb.LinkID) (sig string, sigID keybase1.SigID, err error) {
delg := libkb.Delegator{
ExistingKey: e.eddsa,
NewKey: dh,
DelegationType: libkb.SubkeyType,
Expire: libkb.NaclDHExpireIn,
EldestKID: eldestKID,
Device: e.device,
LastSeqno: libkb.Seqno(seqno),
PrevLinkID: linkID,
SigningUser: e,
Contextified: libkb.NewContextified(e.G()),
}
jw, err := libkb.KeyProof(delg)
if err != nil {
return "", "", err
}
e.G().Log.Debug("dh key proof: %s", jw.MarshalPretty())
dhSig, dhSigID, _, err := libkb.SignJSON(jw, e.eddsa)
if err != nil {
return "", "", err
}
return dhSig, dhSigID, nil
}
// CounterSign implements CounterSign in kex2.Provisioner.
func (e *Kex2Provisioner) CounterSign(input keybase1.HelloRes) (sig []byte, err error) {
e.G().Log.Debug("+ CounterSign()")
defer func() { e.G().Log.Debug("- CounterSign() -> %s", libkb.ErrToOk(err)) }()
jw, err := jsonw.Unmarshal([]byte(input))
if err != nil {
return nil, err
}
// check the reverse signature
if err = e.checkReverseSig(jw); err != nil {
e.G().Log.Debug("provisioner failed to verify reverse sig: %s", err)
return nil, err
}
e.G().Log.Debug("provisioner verified reverse sig")
// remember some device information for ProvisionUI.ProvisionerSuccess()
if err = e.rememberDeviceInfo(jw); err != nil {
return nil, err
}
// sign the whole thing with provisioner's signing key
s, _, _, err := libkb.SignJSON(jw, e.signingKey)
if err != nil {
return nil, err
}
return []byte(s), nil
}
func (e *BTCEngine) Run(ctx *Context) (err error) {
e.G().Log.Debug("+ BTCEngine Run")
defer func() {
e.G().Log.Debug("- BTCEngine Run")
}()
_, _, err = libkb.BtcAddrCheck(e.address, nil)
if err != nil {
return err
}
me, err := libkb.LoadMe(libkb.NewLoadUserArg(e.G()))
if err != nil {
return err
}
cryptocurrencyLink := me.IDTable().ActiveCryptocurrency()
if cryptocurrencyLink != nil && !e.force {
return fmt.Errorf("User already has a cryptocurrency address. To overwrite, use --force.")
}
var sigIDToRevoke keybase1.SigID
if cryptocurrencyLink != nil {
sigIDToRevoke = cryptocurrencyLink.GetSigID()
}
ska := libkb.SecretKeyArg{
Me: me,
KeyType: libkb.DeviceSigningKeyType,
}
sigKey, err := e.G().Keyrings.GetSecretKeyWithPrompt(ctx.SecretKeyPromptArg(ska, "to register a cryptocurrency address"))
if err != nil {
return err
}
if err = sigKey.CheckSecretKey(); err != nil {
return err
}
claim, err := me.CryptocurrencySig(sigKey, e.address, sigIDToRevoke)
if err != nil {
return err
}
sig, _, _, err := libkb.SignJSON(claim, sigKey)
if err != nil {
return err
}
kid := sigKey.GetKID()
_, err = e.G().API.Post(libkb.APIArg{
Endpoint: "sig/post",
NeedSession: true,
Args: libkb.HTTPArgs{
"sig": libkb.S{Val: sig},
"signing_kid": libkb.S{Val: kid.String()},
"is_remote_proof": libkb.B{Val: false},
"type": libkb.S{Val: "cryptocurrency"},
},
})
if err != nil {
return err
}
return nil
}
func (e *RevokeEngine) Run(ctx *Context) error {
currentDevice := e.G().Env.GetDeviceID()
var deviceID keybase1.DeviceID
if e.mode == RevokeDevice {
deviceID = e.deviceID
if e.deviceID == currentDevice && !e.force {
return fmt.Errorf("Can't revoke the current device.")
}
}
me, err := libkb.LoadMe(libkb.NewLoadUserArg(e.G()))
if err != nil {
return err
}
kidsToRevoke, err := e.getKIDsToRevoke(me)
if err != nil {
return err
}
ctx.LogUI.Info("Revoking KIDs:")
for _, kid := range kidsToRevoke {
ctx.LogUI.Info(" %s", kid)
}
ska := libkb.SecretKeyArg{
Me: me,
KeyType: libkb.DeviceSigningKeyType,
}
sigKey, err := e.G().Keyrings.GetSecretKeyWithPrompt(ctx.SecretKeyPromptArg(ska, "to revoke another key"))
if err != nil {
return err
}
if err = sigKey.CheckSecretKey(); err != nil {
return err
}
proof, err := me.RevokeKeysProof(sigKey, kidsToRevoke, deviceID)
if err != nil {
return err
}
sig, _, _, err := libkb.SignJSON(proof, sigKey)
if err != nil {
return err
}
kid := sigKey.GetKID()
_, err = e.G().API.Post(libkb.APIArg{
Endpoint: "sig/revoke",
NeedSession: true,
Args: libkb.HTTPArgs{
"signing_kid": libkb.S{Val: kid.String()},
"sig": libkb.S{Val: sig},
},
})
if err != nil {
return err
}
return nil
}
func (c *PassphraseChange) updatePassphrase(ctx *Context, sigKey libkb.GenericKey, ppGen libkb.PassphraseGeneration, oldClientHalf []byte) error {
pgpKeys, err := c.findAndDecryptPrivatePGPKeys(ctx)
if err != nil {
return err
}
var acctErr error
c.G().LoginState().Account(func(a *libkb.Account) {
// Ready the update argument; almost done, but we need some more stuff.
payload, err := c.commonArgs(a, oldClientHalf, pgpKeys, ppGen)
if err != nil {
acctErr = err
return
}
// get the new passphrase hash out of the args
pwh, ok := payload["pwh"].(string)
if !ok || len(pwh) == 0 {
acctErr = fmt.Errorf("no pwh found in common args")
return
}
// Generate a signature with our unlocked sibling key from device.
proof, err := c.me.UpdatePassphraseProof(sigKey, pwh, ppGen+1)
if err != nil {
acctErr = err
return
}
sig, _, _, err := libkb.SignJSON(proof, sigKey)
if err != nil {
acctErr = err
return
}
payload["sig"] = sig
payload["signing_kid"] = sigKey.GetKID()
postArg := libkb.APIArg{
Endpoint: "passphrase/sign",
NeedSession: true,
JSONPayload: payload,
SessionR: a.LocalSession(),
}
_, err = c.G().API.PostJSON(postArg)
if err != nil {
acctErr = fmt.Errorf("api post to passphrase/sign error: %s", err)
return
}
}, "PassphraseChange.runForcedUpdate")
if acctErr != nil {
return acctErr
}
return nil
}
// revSig generates a reverse signature using X's device key id.
func (k *KexNewDevice) revSig(eddsa libkb.NaclKeyPair) (sig string, err error) {
delg := libkb.Delegator{
ExistingKey: k.xDevKey,
NewKey: eddsa,
Me: k.args.User,
DelegationType: libkb.SibkeyType,
Expire: libkb.NaclEdDSAExpireIn,
Device: k.GetDevice(),
}
var jw *jsonw.Wrapper
if jw, err = libkb.KeyProof(delg); err != nil {
return
}
sig, _, _, err = libkb.SignJSON(jw, eddsa)
return
}
func (e *RevokeSigsEngine) Run(ctx *Context) error {
me, err := libkb.LoadMe(libkb.NewLoadUserArg(e.G()))
if err != nil {
return err
}
sigIDsToRevoke, err := e.getSigIDsToRevoke(me)
if err != nil {
return err
}
ska := libkb.SecretKeyArg{
Me: me,
KeyType: libkb.DeviceSigningKeyType,
}
sigKey, err := e.G().Keyrings.GetSecretKeyWithPrompt(ctx.SecretKeyPromptArg(ska, "to revoke a signature"))
if sigKey == nil {
return fmt.Errorf("Revocation signing key is nil.")
}
if err = sigKey.CheckSecretKey(); err != nil {
return err
}
proof, err := me.RevokeSigsProof(sigKey, sigIDsToRevoke)
if err != nil {
return err
}
sig, _, _, err := libkb.SignJSON(proof, sigKey)
if err != nil {
return err
}
kid := sigKey.GetKID()
_, err = e.G().API.Post(libkb.APIArg{
Endpoint: "sig/revoke",
NeedSession: true,
Args: libkb.HTTPArgs{
"signing_kid": libkb.S{Val: kid.String()},
"sig": libkb.S{Val: sig},
},
})
if err != nil {
return err
}
return nil
}
func (e *Kex2Provisionee) reverseSig(jw *jsonw.Wrapper) error {
// need to set reverse_sig to nil before making reverse sig:
if err := jw.SetValueAtPath("body.sibkey.reverse_sig", jsonw.NewNil()); err != nil {
return err
}
sig, _, _, err := libkb.SignJSON(jw, e.eddsa)
if err != nil {
return err
}
// put the signature in reverse_sig
if err := jw.SetValueAtPath("body.sibkey.reverse_sig", jsonw.NewString(sig)); err != nil {
return err
}
return nil
}
func (p *Prove) generateProof(ctx *Context) (err error) {
ska := libkb.SecretKeyArg{
Me: p.me,
KeyType: libkb.DeviceSigningKeyType,
}
p.signingKey, err = p.G().Keyrings.GetSecretKeyWithPrompt(ctx.SecretKeyPromptArg(ska, "tracking signature"))
if err != nil {
return err
}
if p.proof, err = p.me.ServiceProof(p.signingKey, p.st, p.remoteNameNormalized); err != nil {
return
}
if p.sig, p.sigID, _, err = libkb.SignJSON(p.proof, p.signingKey); err != nil {
return
}
return
}
func (p *Prove) generateProof(ctx *Context) (err error) {
ska := libkb.SecretKeyArg{
Me: p.me,
KeyType: libkb.DeviceSigningKeyType,
}
seckey, locked, err := p.G().Keyrings.GetSecretKeyAndSKBWithPrompt(ctx.SecretKeyPromptArg(ska, "proof signature"))
if err != nil {
return
}
if p.signingKey, err = locked.GetPubKey(); err != nil {
return
}
if p.proof, err = p.me.ServiceProof(p.signingKey, p.st, p.usernameNormalized); err != nil {
return
}
if p.sig, p.sigID, _, err = libkb.SignJSON(p.proof, seckey); err != nil {
return
}
return
}
