func (e *ListTrackingEngine) Run(ctx *Context) (err error) {
var user *libkb.User
if len(e.arg.ForAssertion) > 0 {
user, err = libkb.LoadUser(libkb.NewLoadUserByNameArg(e.G(), e.arg.ForAssertion))
} else {
user, err = libkb.LoadMe(libkb.NewLoadUserArg(e.G()))
}
if err != nil {
return
}
var trackList TrackList
trackList = user.IDTable().GetTrackList()
trackList, err = filterRxx(trackList, e.arg.Filter)
if err != nil {
return
}
sort.Sort(trackList)
if e.arg.JSON {
err = e.runJSON(trackList, e.arg.Verbose)
} else {
err = e.runTable(trackList)
}
return
}
// check device key for arg.Bundles match.
func matchingDeviceKey(g *libkb.GlobalContext, secretUI libkb.SecretUI, arg keybase1.UnboxBytes32AnyArg, me *libkb.User) (key libkb.GenericKey, index int, err error) {
ekey, err := me.GetDeviceSubkey()
if err == nil {
if n, ok := kidMatch(ekey, arg.Bundles); ok {
// unlock this key
parg := libkb.SecretKeyPromptArg{
Ska: libkb.SecretKeyArg{
Me: me,
KeyType: libkb.DeviceEncryptionKeyType,
},
SecretUI: secretUI,
Reason: arg.Reason,
UseCancelCache: true,
}
key, err := g.Keyrings.GetSecretKeyWithPrompt(parg)
if err != nil {
return nil, 0, err
}
return key, n, nil
}
g.Log.Debug("matchingDeviceKey: no match found for ekey in arg.Bundles")
logNoMatch(g, ekey, arg.Bundles)
} else {
g.Log.Debug("matchingDeviceKey: ignoring error getting device subkey: %s", err)
}
return nil, 0, nil
}
func (e *UntrackEngine) storeRemoteUntrack(them *libkb.User, ctx *Context) (err error) {
e.G().Log.Debug("+ StoreRemoteUntrack")
defer e.G().Log.Debug("- StoreRemoteUntrack -> %s", libkb.ErrToOk(err))
arg := libkb.SecretKeyArg{
Me: e.arg.Me,
KeyType: libkb.DeviceSigningKeyType,
}
var signingKeyPriv libkb.GenericKey
if signingKeyPriv, err = e.G().Keyrings.GetSecretKeyWithPrompt(ctx.LoginContext, arg, ctx.SecretUI, "untracking signature"); err != nil {
return
}
var sig string
var sigid keybase1.SigID
if sig, sigid, err = signingKeyPriv.SignToString(e.untrackStatementBytes); err != nil {
return
}
_, err = e.G().API.Post(libkb.APIArg{
Endpoint: "follow",
NeedSession: true,
Args: libkb.HTTPArgs{
"sig_id_base": libkb.S{Val: sigid.ToString(false)},
"sig_id_short": libkb.S{Val: sigid.ToShortID()},
"sig": libkb.S{Val: sig},
"uid": libkb.UIDArg(them.GetUID()),
"type": libkb.S{Val: "untrack"},
"signing_kid": e.signingKeyPub.GetKID(),
},
})
return
}
// OutputSignatureSuccess prints the details of a successful verification.
func OutputSignatureSuccess(ctx *Context, fingerprint libkb.PGPFingerprint, owner *libkb.User, signatureTime time.Time) {
if signatureTime.IsZero() {
ctx.LogUI.Notice("Signature verified. Signed by %s.", owner.GetName())
} else {
ctx.LogUI.Notice("Signature verified. Signed by %s %s (%s).", owner.GetName(), humanize.Time(signatureTime), signatureTime)
}
ctx.LogUI.Notice("PGP Fingerprint: %s.", fingerprint)
}
// OutputSignatureSuccess prints the details of a successful verification.
func OutputSignatureSuccess(ctx *Context, fingerprint libkb.PGPFingerprint, owner *libkb.User, signatureTime time.Time) {
arg := keybase1.OutputSignatureSuccessArg{
Fingerprint: fingerprint.String(),
Username: owner.GetName(),
SignedAt: keybase1.TimeFromSeconds(signatureTime.Unix()),
}
ctx.PgpUI.OutputSignatureSuccess(context.TODO(), arg)
}
func checkTrackCommon(tc libkb.TestContext, blocks []sb, outcome *keybase1.IdentifyOutcome, them *libkb.User, ui *FakeIdentifyUI) error {
me, err := libkb.LoadMe(libkb.NewLoadUserArg(tc.G))
if err != nil {
return err
}
if them == nil {
tc.T.Fatal("checkTrackCommon called with nil 'them' user")
}
s, err := me.TrackChainLinkFor(them.GetName(), them.GetUID())
if err != nil {
return err
}
if s == nil {
tc.T.Fatal("me.TrackChainLinkFor(...) returned nil, nil")
}
tc.T.Logf("payload json:\n%s", s.GetPayloadJSON().MarshalPretty())
sbs := s.ToServiceBlocks()
if len(sbs) != len(blocks) {
return fmt.Errorf("num service blocks: %d, expected %d", len(sbs), len(blocks))
}
sort.Sort(byID(sbs))
for i, sb := range sbs {
tsb := blocks[i]
if sb.IsSocial() != tsb.social {
return fmt.Errorf("(sb %d): social: %v, expected %v", i, sb.IsSocial(), tsb.social)
}
if sb.ToIDString() != tsb.id {
return fmt.Errorf("(sb %d): id: %s, expected %s", i, sb.ToIDString(), tsb.id)
}
if sb.GetProofState() != tsb.proofState {
return fmt.Errorf("(sb %d): proof state: %d, expected %d", i, sb.GetProofState(), tsb.proofState)
}
}
if ui.Outcome.TrackStatus != outcome.TrackStatus {
return fmt.Errorf("track status: %d, expected %d", ui.Outcome.TrackStatus, outcome.TrackStatus)
}
if ui.Outcome.NumTrackFailures != outcome.NumTrackFailures {
return fmt.Errorf("num track failures: %d, expected %d", ui.Outcome.NumTrackFailures, outcome.NumTrackFailures)
}
if ui.Outcome.NumTrackChanges != outcome.NumTrackChanges {
return fmt.Errorf("num track changes: %d, expected %d", ui.Outcome.NumTrackChanges, outcome.NumTrackChanges)
}
if ui.Outcome.NumProofFailures != outcome.NumProofFailures {
return fmt.Errorf("num proof failures: %d, expected %d", ui.Outcome.NumProofFailures, outcome.NumProofFailures)
}
if ui.Outcome.NumProofSuccesses != outcome.NumProofSuccesses {
return fmt.Errorf("num proof successes: %d, expected %d", ui.Outcome.NumProofSuccesses, outcome.NumProofSuccesses)
}
if ui.Outcome.NumRevoked != outcome.NumRevoked {
return fmt.Errorf("num revoked: %d, expected %d", ui.Outcome.NumRevoked, outcome.NumRevoked)
}
return nil
}
// findPaperKeys checks if the user has paper backup keys. If he/she
// does, it prompts for a paperkey phrase. This is used to
// regenerate paper keys, which are then matched against the
// paper keys found in the keyfamily.
func findPaperKeys(ctx *Context, g *libkb.GlobalContext, me *libkb.User) (*keypair, error) {
cki := me.GetComputedKeyInfos()
if cki == nil {
return nil, fmt.Errorf("no computed key infos")
}
bdevs := cki.PaperDevices()
if len(bdevs) == 0 {
return nil, libkb.NoPaperKeysError{}
}
passphrase, err := ctx.SecretUI.GetPaperKeyPassphrase(keybase1.GetPaperKeyPassphraseArg{Username: me.GetName()})
if err != nil {
return nil, err
}
paperPhrase := libkb.NewPaperKeyPhrase(passphrase)
if paperPhrase.Version() != libkb.PaperKeyVersion {
g.Log.Debug("paper version mismatch: generated paper key version = %d, libkb version = %d", paperPhrase.Version(), libkb.PaperKeyVersion)
return nil, libkb.KeyVersionError{}
}
bkarg := &PaperKeyGenArg{
Passphrase: libkb.NewPaperKeyPhrase(passphrase),
SkipPush: true,
Me: me,
}
bkeng := NewPaperKeyGen(bkarg, g)
if err := RunEngine(bkeng, ctx); err != nil {
return nil, err
}
sigKey := bkeng.SigKey()
encKey := bkeng.EncKey()
var match bool
ckf := me.GetComputedKeyFamily()
for _, bdev := range bdevs {
sk, err := ckf.GetSibkeyForDevice(bdev.ID)
if err != nil {
continue
}
ek, err := ckf.GetEncryptionSubkeyForDevice(bdev.ID)
if err != nil {
continue
}
if sk.GetKID().Equal(sigKey.GetKID()) && ek.GetKID().Equal(encKey.GetKID()) {
match = true
break
}
}
if !match {
return nil, libkb.PassphraseError{Msg: "no matching paper backup keys found"}
}
return &keypair{sigKey: sigKey, encKey: encKey}, nil
}
func PGPCheckMulti(me *libkb.User, allowMulti bool) (err error) {
if allowMulti {
return
}
if pgps := me.GetActivePGPKeys(false); len(pgps) > 0 {
err = libkb.KeyExistsError{Key: pgps[0].GetFingerprintP()}
}
return
}
func checkKeyedProfile(tb testing.TB, idUI *FakeIdentifyUI, them *libkb.User, name string, hasImg bool, expectedProofs map[string]string) {
if exported := them.Export(); !reflect.DeepEqual(idUI.User, exported) {
tb.Fatal("LaunchNetworkChecks User not equal to result user.", idUI.User, exported)
}
if !reflect.DeepEqual(expectedProofs, idUI.Proofs) {
tb.Fatal("Wrong proofs.", expectedProofs, idUI.Proofs)
}
}
// check all the user's paper keys for arg.Bundles match
func matchingPaperKey(g *libkb.GlobalContext, secretUI libkb.SecretUI, arg keybase1.UnboxBytes32AnyArg, me *libkb.User) (key libkb.GenericKey, index int, err error) {
cki := me.GetComputedKeyInfos()
if cki == nil {
return nil, 0, nil
}
var matchingPaper []*libkb.Device
for _, pdev := range cki.PaperDevices() {
enckey, err := me.GetComputedKeyFamily().GetEncryptionSubkeyForDevice(pdev.ID)
if err != nil {
return nil, 0, err
}
if _, ok := kidMatch(enckey, arg.Bundles); ok {
g.Log.Debug("matching paper key: %s", *pdev.Description)
matchingPaper = append(matchingPaper, pdev)
}
}
if len(matchingPaper) == 0 {
g.Log.Debug("no matching paper keys found")
return nil, 0, nil
}
phrase, err := libkb.GetPaperKeyForCryptoPassphrase(secretUI, arg.Reason, matchingPaper)
if err != nil {
return nil, 0, err
}
paperPhrase, err := libkb.NewPaperKeyPhraseCheckVersion(g, phrase)
if err != nil {
return nil, 0, err
}
bkarg := &PaperKeyGenArg{
Passphrase: paperPhrase,
SkipPush: true,
}
bkeng := NewPaperKeyGen(bkarg, g)
if err := RunEngine(bkeng, &Context{}); err != nil {
return nil, 0, err
}
// find the index for the key they entered (and make sure the key they entered matches)
if n, ok := kidMatch(bkeng.EncKey(), arg.Bundles); ok {
// this key matches, so cache this paper key
if err := g.LoginState().Account(func(a *libkb.Account) {
a.SetUnlockedPaperKey(bkeng.SigKey(), bkeng.EncKey())
}, "UnboxBytes32Any - cache paper key"); err != nil {
return nil, 0, err
}
return bkeng.EncKey(), n, nil
}
return nil, 0, nil
}
func (e *RevokeSigsEngine) getSigIDsToRevoke(me *libkb.User) ([]keybase1.SigID, error) {
ret := make([]keybase1.SigID, len(e.sigIDQueries))
for i, query := range e.sigIDQueries {
if len(query) < keybase1.SigIDQueryMin {
return nil, errors.New("sigID query too short")
}
sigID, err := me.SigIDSearch(query)
if err != nil {
return nil, err
}
ret[i] = sigID
}
return ret, nil
}
func (e *RevokeSigsEngine) getSigIDsToRevoke(me *libkb.User) ([]keybase1.SigID, error) {
ret := make([]keybase1.SigID, len(e.sigIDs))
copy(ret, e.sigIDs)
for _, sigID := range ret {
valid, err := me.IsSigIDActive(sigID)
if err != nil {
return nil, err
}
if !valid {
return nil, fmt.Errorf("Signature '%s' does not exist.", sigID)
}
}
return ret, nil
}
func (e *PGPPullEngine) exportKeysToGPG(ctx *Context, user *libkb.User, tfp map[string]bool) error {
for _, bundle := range user.GetActivePGPKeys(false) {
// Check each key against the tracked set.
if tfp != nil && !tfp[bundle.GetFingerprint().String()] {
ctx.LogUI.Warning("Keybase says that %s owns key %s, but you have not tracked this fingerprint before.", user.GetName(), bundle.GetFingerprint())
continue
}
if err := e.gpgClient.ExportKey(*bundle, false /* export public key only */); err != nil {
return err
}
ctx.LogUI.Info("Imported key for %s.", user.GetName())
}
return nil
}
func (e *SaltpackDecrypt) makeMessageInfo(me *libkb.User, mki *saltpack.MessageKeyInfo) {
if mki == nil {
return
}
ckf := me.GetComputedKeyFamily()
for _, nr := range mki.NamedReceivers {
kid := keybase1.KIDFromRawKey(nr, libkb.KIDNaclDH)
if dev, _ := ckf.GetDeviceForKID(kid); dev != nil {
edev := dev.ProtExport()
edev.EncryptKey = kid
e.res.Devices = append(e.res.Devices, *edev)
}
}
e.res.NumAnonReceivers = mki.NumAnonReceivers
e.res.ReceiverIsAnon = mki.ReceiverIsAnon
}
func sigVer(ss *libkb.SignatureStatus, owner *libkb.User) keybase1.PGPSigVerification {
var res keybase1.PGPSigVerification
if ss.IsSigned {
res.IsSigned = ss.IsSigned
res.Verified = ss.Verified
if owner != nil {
signer := owner.Export()
if signer != nil {
res.Signer = *signer
}
}
if ss.Entity != nil {
bundle := libkb.NewPGPKeyBundle(ss.Entity)
res.SignKey = bundle.Export()
}
}
return res
}
// check device key for arg.Bundles match.
func matchingDeviceKey(g *libkb.GlobalContext, secretUI libkb.SecretUI, arg keybase1.UnboxBytes32AnyArg, me *libkb.User) (key libkb.GenericKey, index int, err error) {
ekey, err := me.GetDeviceSubkey()
if err == nil {
if n, ok := kidMatch(ekey, arg.Bundles); ok {
// unlock this key
skarg := libkb.SecretKeyArg{
Me: me,
KeyType: libkb.DeviceEncryptionKeyType,
}
key, err := g.Keyrings.GetSecretKeyWithPrompt(nil, skarg, secretUI, arg.Reason)
if err != nil {
return nil, 0, err
}
return key, n, nil
}
}
return nil, 0, nil
}
func (e *RevokeEngine) getKIDsToRevoke(me *libkb.User) ([]keybase1.KID, error) {
if e.mode == RevokeDevice {
deviceKeys, err := me.GetComputedKeyFamily().GetAllActiveKeysForDevice(e.deviceID)
if err != nil {
return nil, err
}
if len(deviceKeys) == 0 {
return nil, fmt.Errorf("No active keys to revoke for device %s.", e.deviceID)
}
return deviceKeys, nil
} else if e.mode == RevokeKey {
kid := e.kid
key, err := me.GetComputedKeyFamily().FindKeyWithKIDUnsafe(kid)
if err != nil {
return nil, err
}
if !libkb.IsPGP(key) {
return nil, fmt.Errorf("Key %s is not a PGP key. To revoke device keys, use the `device remove` command.", e.kid)
}
for _, activePGPKey := range me.GetComputedKeyFamily().GetActivePGPKeys(false /* sibkeys only */) {
if activePGPKey.GetKID().Equal(kid) {
return []keybase1.KID{kid}, nil
}
}
return nil, fmt.Errorf("PGP key %s is not active", e.kid)
} else {
return nil, fmt.Errorf("Unknown revoke mode: %d", e.mode)
}
}
func newProblemSetDevices(u *libkb.User, pset keybase1.ProblemSet) (keybase1.ProblemSetDevices, error) {
var set keybase1.ProblemSetDevices
set.ProblemSet = pset
ckf := u.GetComputedKeyFamily()
dset := make(map[keybase1.DeviceID]bool)
for _, f := range pset.Tlfs {
for _, kid := range f.Solution_kids {
dev, err := ckf.GetDeviceForKID(kid)
if err != nil {
return keybase1.ProblemSetDevices{}, err
}
if dset[dev.ID] {
continue
}
dset[dev.ID] = true
set.Devices = append(set.Devices, *(dev.ProtExport()))
}
}
return set, nil
}
func (e *UntrackEngine) storeLocalUntrack(them *libkb.User) error {
return libkb.RemoveLocalTrack(e.arg.Me.GetUID(), them.GetUID(), e.G())
}
func (e *UntrackEngine) storeLocalUntrack(them *libkb.User) error {
// Also do a removal in case of expiring local tracks
return libkb.RemoveLocalTracks(e.arg.Me.GetUID(), them.GetUID(), e.G())
}
