func (e *PaperKeyGen) makeSigKey(seed []byte) error {
pub, priv, err := ed25519.GenerateKey(bytes.NewBuffer(seed))
if err != nil {
return err
}
var key libkb.NaclSigningKeyPair
copy(key.Public[:], (*pub)[:])
key.Private = &libkb.NaclSigningKeyPrivate{}
copy(key.Private[:], (*priv)[:])
e.sigKey = key
return nil
}
func TestSecretKeys(t *testing.T) {
tc := SetupEngineTest(t, "secretkeys")
defer tc.Cleanup()
u := CreateAndSignupFakeUser(tc, "sk")
ctx := &Context{
LogUI: tc.G.UI.GetLogUI(),
SecretUI: u.NewSecretUI(),
}
// Get the secret keys.
e := NewSecretKeysEngine(tc.G)
err := RunEngine(e, ctx)
if err != nil {
t.Fatal(err)
}
signing := e.Result().Signing
// Now we want to check that the keys we got actually belong to the user.
// Below we just do this check with the signing key, since it's easier to
// derive the public key.
// Build the signing keypair. To do this, we exploit the fact that a NaCl
// public signing key is the last 32 bytes of the private signing key.
var public libkb.NaclSigningKeyPublic
copy(public[:], signing[32:])
pair := libkb.NaclSigningKeyPair{
Public: public,
}
// Check the signing keypair's KID is in the user's KeyFamily.
testUser, err := libkb.LoadUser(libkb.LoadUserArg{
Name: u.Username,
})
if err != nil {
t.Fatal(err)
}
if found := testUser.GetKeyFamily().AllKIDs[pair.GetKID()]; !found {
t.Fatalf("Failed to find %s in the user's key family.", pair.GetKID().String())
}
}
func (k *KexProvisioner) handlePleaseSign(ctx *Context, m *kex.Msg) error {
eddsa := m.Args().SigningKey
sig := m.Args().Sig
keypair := libkb.NaclSigningKeyPair{Public: eddsa}
sigPayload, _, err := keypair.VerifyStringAndExtract(sig)
if err != nil {
return err
}
k.G().Log.Debug("Got PleaseSign() on verified JSON blob %s\n", string(sigPayload))
// k.deviceSibkey is public only
if k.sigKey == nil {
var err error
arg := libkb.SecretKeyArg{
Me: k.user,
KeyType: libkb.DeviceSigningKeyType,
}
k.sigKey, err = k.G().Keyrings.GetSecretKeyWithPrompt(nil, arg, k.engctx.SecretUI, "new device install")
if err != nil {
return err
}
}
jw, err := jsonw.Unmarshal(sigPayload)
if err != nil {
return err
}
var newKID keybase1.KID
var newKey libkb.GenericKey
if newKID, err = libkb.GetKID(jw.AtPath("body.sibkey.kid")); err != nil {
return err
}
if newKey, err = libkb.ImportKeypairFromKID(newKID); err != nil {
return err
}
if err = k.verifyPleaseSign(jw, newKID); err != nil {
return err
}
if err = jw.SetValueAtPath("body.sibkey.reverse_sig", jsonw.NewString(sig)); err != nil {
return err
}
del := libkb.Delegator{
NewKey: newKey,
ExistingKey: k.sigKey,
Me: k.user,
Expire: libkb.NaclEdDSAExpireIn,
DelegationType: libkb.SibkeyType,
EldestKID: k.user.GetEldestKID(),
Contextified: libkb.NewContextified(k.G()),
}
if err = del.CheckArgs(); err != nil {
return err
}
if err = del.SignAndPost(ctx.LoginContext, jw); err != nil {
return err
}
return nil
}
