// Sign signs the message using the keystore's private key.
func (s *KeyStore) Sign(message []byte) ([]byte, bool) {
if !s.Valid(false) || s.Locked() {
return nil, false
}
return public.Sign(s.privateKey, message)
}
// Unlock decrypts the private key stored in the keystore.
func (s *KeyStore) Unlock(passphrase []byte) bool {
if !s.Valid(true) {
return false
} else if !s.Locked() {
return true
}
priv, ok := public.UnlockKey(s.PrivateKey, passphrase)
if !ok {
return false
}
pub, err := public.MarshalPublic(priv.PublicKey)
if err != nil {
priv.Zero()
return false
}
s.privateKey = priv
s.PublicKey = pub
s.locked = false
if s.ExportKey == nil {
fmt.Println("Building export key.")
vkey := &VerifiedKey{
Public: s.PublicKey,
Signer: s.PublicKey,
Timestamp: time.Now().Unix(),
}
signatureData := vkey.SignatureData()
sig, ok := public.Sign(s.privateKey, signatureData)
if !ok {
s.Lock()
return false
}
vkey.Signature = sig
verified, err := vkey.Serialise()
if err != nil {
s.Lock()
return false
}
s.ExportKey = verified
}
return !s.Locked()
}
// AddKey adds the new peer key to the keystore, signing it with the
// owner's key. If the keystore is locked, this will fail.
func (s *KeyStore) AddKey(label string, peer []byte, metadata map[string]string) bool {
if !s.Valid(true) {
return false
} else if s.Has(label) {
return false
} else if s.Locked() {
return false
} else if _, err := public.UnmarshalPublic(peer); err != nil {
return false
}
signTime := time.Now().Unix()
vkey := &VerifiedKey{
Public: peer,
Signer: s.PublicKey,
Timestamp: signTime,
}
signatureData := vkey.SignatureData()
sig, ok := public.Sign(s.privateKey, signatureData)
if !ok {
return false
}
if !public.Verify(s.privateKey.PublicKey, signatureData, sig) {
return false
}
metadataCopy := map[string]string{}
for k, v := range metadata {
metadataCopy[k] = v
}
s.Keys[label] = &PublicKeyRecord{
Label: label,
Timestamp: time.Now().Unix(),
Keys: peer,
KeySignature: sig,
KeySigner: s.PublicKey,
SignatureTime: signTime,
Metadata: metadataCopy,
}
return true
}
// ExportVerified returns a verified key from the label. The verified
// key will be signed by the keystore owner; the key's signature chain is
// first checked before exporting.
func (s *KeyStore) ExportVerified(label string) ([]byte, bool) {
if !s.Valid(true) || !s.Has(label) || s.Locked() {
return nil, false
}
if !s.VerifyChain(label) {
return nil, false
}
var vkey *VerifiedKey
if label == "self" {
if s.ExportKey != nil {
return s.ExportKey, true
}
vkey = &VerifiedKey{
Public: s.PublicKey,
Signer: s.PublicKey,
Timestamp: time.Now().Unix(),
}
} else {
vkey = &VerifiedKey{
Public: s.Keys[label].Keys,
Signer: s.PublicKey,
Timestamp: time.Now().Unix(),
}
}
signatureData := vkey.SignatureData()
sig, ok := public.Sign(s.privateKey, signatureData)
if !ok {
return nil, false
}
vkey.Signature = sig
signedKey, err := vkey.Serialise()
return signedKey, err == nil
}
// NewPrivateKeyStore builds a keystore from a private key.
func NewPrivateKeyStore(priv *public.PrivateKey) (*KeyStore, bool) {
if !priv.Valid() {
return nil, false
}
pub, err := public.MarshalPublic(priv.PublicKey)
if err != nil {
return nil, false
}
vkey := &VerifiedKey{
Public: pub,
Signer: pub,
Timestamp: time.Now().Unix(),
}
signatureData := vkey.SignatureData()
sig, ok := public.Sign(priv, signatureData)
if !ok {
return nil, false
}
vkey.Signature = sig
verified, err := vkey.Serialise()
if err != nil {
return nil, false
}
return &KeyStore{
Version: KeyStoreVersion,
Timestamp: time.Now().Unix(),
Keys: map[string]*PublicKeyRecord{},
privateKey: priv,
locked: false,
PublicKey: pub,
ExportKey: verified,
}, true
}