func (e *Env) GetMerkleKIDs() []keybase1.KID {
slist := e.GetStringList(
func() []string { return e.cmd.GetMerkleKIDs() },
func() []string { return e.getEnvPath("KEYBASE_MERKLE_KIDS") },
func() []string { return e.config.GetMerkleKIDs() },
func() []string {
ret := MerkleProdKIDs
if e.GetRunMode() == DevelRunMode || e.GetRunMode() == StagingRunMode {
ret = append(ret, MerkleTestKIDs...)
ret = append(ret, MerkleStagingKIDs...)
}
return ret
},
)
if slist == nil {
return nil
}
var ret []keybase1.KID
for _, s := range slist {
ret = append(ret, keybase1.KIDFromString(s))
}
return ret
}
func (e *Env) GetCodeSigningKIDs() []keybase1.KID {
slist := e.GetStringList(
func() []string { return e.cmd.GetCodeSigningKIDs() },
func() []string { return e.getEnvPath("KEYBASE_CODE_SIGNING_KIDS") },
func() []string { return e.config.GetCodeSigningKIDs() },
func() []string {
ret := CodeSigningProdKIDs
if e.GetRunMode() == DevelRunMode || e.GetRunMode() == StagingRunMode {
ret = append(ret, CodeSigningTestKIDs...)
ret = append(ret, CodeSigningStagingKIDs...)
}
return ret
},
)
if slist == nil {
return nil
}
var ret []keybase1.KID
for _, s := range slist {
ret = append(ret, keybase1.KIDFromString(s))
}
return ret
}
func (e *RevokeEngine) getKIDsToRevoke(me *libkb.User) ([]keybase1.KID, error) {
if e.mode == RevokeDevice {
deviceKeys, err := me.GetComputedKeyFamily().GetAllActiveKeysForDevice(e.deviceID)
if err != nil {
return nil, err
}
return deviceKeys, nil
} else if e.mode == RevokeKey {
kid := keybase1.KIDFromString(e.kidString)
key, err := me.GetComputedKeyFamily().FindKeyWithKIDUnsafe(kid)
if err != nil {
return nil, err
}
if !libkb.IsPGP(key) {
return nil, fmt.Errorf("Key %s is not a PGP key. To revoke device keys, use the `device remove` command.", e.kidString)
}
for _, activePGPKey := range me.GetComputedKeyFamily().GetActivePGPKeys(false /* sibkeys only */) {
if activePGPKey.GetKID().Equal(kid) {
return []keybase1.KID{kid}, nil
}
}
return nil, fmt.Errorf("PGP key %s is not active", e.kidString)
} else {
return nil, fmt.Errorf("Unknown revoke mode: %d", e.mode)
}
}
// checkReverseSig verifies that the reverse sig in jw is valid
// and matches jw.
func (e *Kex2Provisioner) checkReverseSig(jw *jsonw.Wrapper) error {
kid, err := jw.AtPath("body.sibkey.kid").GetString()
if err != nil {
return err
}
keypair, err := libkb.ImportKeypairFromKID(keybase1.KIDFromString(kid))
if err != nil {
return err
}
revsig, err := jw.AtPath("body.sibkey.reverse_sig").GetString()
if err != nil {
return err
}
// set reverse_sig to nil to verify it:
jw.SetValueAtPath("body.sibkey.reverse_sig", jsonw.NewNil())
msg, err := jw.Marshal()
if err != nil {
return err
}
_, err = keypair.VerifyString(revsig, msg)
if err != nil {
return err
}
// put reverse_sig back in
jw.SetValueAtPath("body.sibkey.reverse_sig", jsonw.NewString(revsig))
return nil
}
func ParseGenericKey(bundle string) (GenericKey, error) {
if isPGPBundle(bundle) {
// PGP key
return ReadOneKeyFromString(bundle)
}
// NaCl key
return ImportKeypairFromKID(keybase1.KIDFromString(bundle))
}
func GetKID(w *jsonw.Wrapper) (kid keybase1.KID, err error) {
var s string
s, err = w.GetString()
if err != nil {
return
}
kid = keybase1.KIDFromString(s)
return
}
func findSubkeys(parentID keybase1.KID, allKeys []keybase1.PublicKey) []keybase1.PublicKey {
ret := []keybase1.PublicKey{}
for _, key := range allKeys {
if keybase1.KIDFromString(key.ParentID).Equal(parentID) {
ret = append(ret, key)
}
}
return ret
}
func (k *ServerPrivateKey) FindActiveKey(ckf *ComputedKeyFamily) (ret *SKB, err error) {
kid := keybase1.KIDFromString(k.Kid)
if ckf.GetKeyRole(kid) != DLGSibkey {
return
}
var packet *KeybasePacket
if packet, err = DecodeArmoredPacket(k.Bundle); err != nil && packet == nil {
return
}
return packet.ToSKB()
}
func (e *Kex2Provisionee) decodeSig(sig []byte) (*decodedSig, error) {
body, err := base64.StdEncoding.DecodeString(string(sig))
if err != nil {
return nil, err
}
packet, err := libkb.DecodePacket(body)
if err != nil {
return nil, err
}
naclSig, ok := packet.Body.(*libkb.NaclSigInfo)
if !ok {
return nil, libkb.UnmarshalError{T: "Nacl signature"}
}
jw, err := jsonw.Unmarshal(naclSig.Payload)
if err != nil {
return nil, err
}
res := decodedSig{
sigID: libkb.ComputeSigIDFromSigBody(body),
linkID: libkb.ComputeLinkID(naclSig.Payload),
}
res.seqno, err = jw.AtKey("seqno").GetInt()
if err != nil {
return nil, err
}
seldestKID, err := jw.AtPath("body.key.eldest_kid").GetString()
if err != nil {
return nil, err
}
res.eldestKID = keybase1.KIDFromString(seldestKID)
ssigningKID, err := jw.AtPath("body.key.kid").GetString()
if err != nil {
return nil, err
}
res.signingKID = keybase1.KIDFromString(ssigningKID)
return &res, nil
}
func (mc *MerkleClient) findValidKIDAndSig(root *MerkleRoot) (keybase1.KID, string, error) {
if v, err := root.sigs.Keys(); err == nil {
for _, s := range v {
kid := keybase1.KIDFromString(s)
if !mc.keyring.IsValidKID(kid) {
continue
} else if sig, err := root.sigs.AtKey(s).AtKey("sig").GetString(); err == nil {
return kid, sig, nil
}
}
}
var nilKID keybase1.KID
return nilKID, "", MerkleClientError{"no known verifying key"}
}
func testBody(t *testing.T) *kex.Body {
did, err := libkb.NewDeviceID()
if err != nil {
t.Fatal(err)
}
a := kex.MsgArgs{
DeviceID: did,
DevKeyID: keybase1.KIDFromString("123456"),
}
return &kex.Body{
Name: kex.StartKexMsg,
Args: a,
}
}
func importNaclHex(s string, typ byte, bodyLen int) (ret []byte, err error) {
kid := keybase1.KIDFromString(s)
return importNaclKid(kid.ToBytes(), typ, bodyLen)
}
func doChainTest(t *testing.T, testCase TestCase) {
inputJSON, exists := testvectors.ChainTestInputs[testCase.Input]
if !exists {
t.Fatal("missing test input: " + testCase.Input)
}
// Unmarshal test input in two ways: once for the structured data and once
// for the chain link blobs.
var input TestInput
err := json.Unmarshal([]byte(inputJSON), &input)
if err != nil {
t.Fatal(err)
}
inputBlob, err := jsonw.Unmarshal([]byte(inputJSON))
if err != nil {
t.Fatal(err)
}
uid, err := UIDFromHex(input.UID)
if err != nil {
t.Fatal(err)
}
chainLen, err := inputBlob.AtKey("chain").Len()
if err != nil {
t.Fatal(err)
}
// Get the eldest key. This is assumed to be the first key in the list of
// bundles, unless the "eldest" field is given in the test description, in
// which case the eldest key is specified by name.
var eldestKID keybase1.KID
if testCase.Eldest == "" {
eldestKey, err := ParseGenericKey(input.Keys[0])
if err != nil {
t.Fatal(err)
}
eldestKID = eldestKey.GetKID()
} else {
eldestKIDStr, found := input.LabelKids[testCase.Eldest]
if !found {
t.Fatalf("No KID found for label %s", testCase.Eldest)
}
eldestKID = keybase1.KIDFromString(eldestKIDStr)
}
// Parse all the key bundles.
keyFamily, err := createKeyFamily(input.Keys)
if err != nil {
t.Fatal(err)
}
// Run the actual sigchain parsing and verification. This is most of the
// code that's actually being tested.
var sigchainErr error
ckf := ComputedKeyFamily{kf: keyFamily}
sigchain := SigChain{username: NewNormalizedUsername(input.Username), uid: uid, loadedFromLinkOne: true}
for i := 0; i < chainLen; i++ {
linkBlob := inputBlob.AtKey("chain").AtIndex(i)
link, err := ImportLinkFromServer(&sigchain, linkBlob, uid)
if err != nil {
sigchainErr = err
break
}
sigchain.chainLinks = append(sigchain.chainLinks, link)
}
if sigchainErr == nil {
_, sigchainErr = sigchain.VerifySigsAndComputeKeys(eldestKID, &ckf)
}
// Some tests expect an error. If we get one, make sure it's the right
// type.
if testCase.ErrType != "" {
if sigchainErr == nil {
t.Fatalf("Expected %s error from VerifySigsAndComputeKeys. No error returned.", testCase.ErrType)
}
foundType := reflect.TypeOf(sigchainErr)
expectedTypes := getErrorTypesMap()[testCase.ErrType]
if expectedTypes == nil || len(expectedTypes) == 0 {
msg := "No Go error types defined for expected failure %s.\n" +
"This could be because of new test cases in github.com/keybase/keybase-test-vectors.\n" +
"Go error returned: %s"
t.Fatalf(msg, testCase.ErrType, foundType)
}
if expectedTypes[foundType] {
// Success! We found the error we expected. This test is done.
G.Log.Debug("EXPECTED error encountered", sigchainErr)
return
}
// Got an error, but one of the wrong type. Tests with error names
// that are missing from the map (maybe because we add new test
// cases in the future) will also hit this branch.
t.Fatalf("Wrong error type encountered. Expected %v (%s), got %s: %s",
expectedTypes, testCase.ErrType, foundType, sigchainErr)
}
// Tests that expected an error terminated above. Tests that get here
// should succeed without errors.
if sigchainErr != nil {
t.Fatal(err)
}
// Check the expected results: total unrevoked links, sibkeys, and subkeys.
unrevokedCount := 0
// XXX we should really contextify this
idtable, err := NewIdentityTable(nil, eldestKID, &sigchain, nil)
if err != nil {
t.Fatal(err)
}
for _, link := range idtable.links {
if !link.IsRevoked() {
unrevokedCount++
}
}
if unrevokedCount != testCase.Len {
t.Fatalf("Expected %d unrevoked links, but found %d.", testCase.Len, unrevokedCount)
}
// Don't use the current time to get keys, because that will cause test
// failures 5 years from now :-D
testTime := getCurrentTimeForTest(sigchain, keyFamily)
numSibkeys := len(ckf.GetAllActiveSibkeysAtTime(testTime))
if numSibkeys != testCase.Sibkeys {
t.Fatalf("Expected %d sibkeys, got %d", testCase.Sibkeys, numSibkeys)
}
numSubkeys := len(ckf.GetAllActiveSubkeysAtTime(testTime))
if numSubkeys != testCase.Subkeys {
t.Fatalf("Expected %d subkeys, got %d", testCase.Subkeys, numSubkeys)
}
// Success!
}
