func (e *Env) GetMerkleKIDs() []keybase1.KID { slist := e.GetStringList( func() []string { return e.cmd.GetMerkleKIDs() }, func() []string { return e.getEnvPath("KEYBASE_MERKLE_KIDS") }, func() []string { return e.config.GetMerkleKIDs() }, func() []string { ret := MerkleProdKIDs if e.GetRunMode() == DevelRunMode || e.GetRunMode() == StagingRunMode { ret = append(ret, MerkleTestKIDs...) ret = append(ret, MerkleStagingKIDs...) } return ret }, ) if slist == nil { return nil } var ret []keybase1.KID for _, s := range slist { ret = append(ret, keybase1.KIDFromString(s)) } return ret }
func (e *Env) GetCodeSigningKIDs() []keybase1.KID { slist := e.GetStringList( func() []string { return e.cmd.GetCodeSigningKIDs() }, func() []string { return e.getEnvPath("KEYBASE_CODE_SIGNING_KIDS") }, func() []string { return e.config.GetCodeSigningKIDs() }, func() []string { ret := CodeSigningProdKIDs if e.GetRunMode() == DevelRunMode || e.GetRunMode() == StagingRunMode { ret = append(ret, CodeSigningTestKIDs...) ret = append(ret, CodeSigningStagingKIDs...) } return ret }, ) if slist == nil { return nil } var ret []keybase1.KID for _, s := range slist { ret = append(ret, keybase1.KIDFromString(s)) } return ret }
func (e *RevokeEngine) getKIDsToRevoke(me *libkb.User) ([]keybase1.KID, error) { if e.mode == RevokeDevice { deviceKeys, err := me.GetComputedKeyFamily().GetAllActiveKeysForDevice(e.deviceID) if err != nil { return nil, err } return deviceKeys, nil } else if e.mode == RevokeKey { kid := keybase1.KIDFromString(e.kidString) key, err := me.GetComputedKeyFamily().FindKeyWithKIDUnsafe(kid) if err != nil { return nil, err } if !libkb.IsPGP(key) { return nil, fmt.Errorf("Key %s is not a PGP key. To revoke device keys, use the `device remove` command.", e.kidString) } for _, activePGPKey := range me.GetComputedKeyFamily().GetActivePGPKeys(false /* sibkeys only */) { if activePGPKey.GetKID().Equal(kid) { return []keybase1.KID{kid}, nil } } return nil, fmt.Errorf("PGP key %s is not active", e.kidString) } else { return nil, fmt.Errorf("Unknown revoke mode: %d", e.mode) } }
// checkReverseSig verifies that the reverse sig in jw is valid // and matches jw. func (e *Kex2Provisioner) checkReverseSig(jw *jsonw.Wrapper) error { kid, err := jw.AtPath("body.sibkey.kid").GetString() if err != nil { return err } keypair, err := libkb.ImportKeypairFromKID(keybase1.KIDFromString(kid)) if err != nil { return err } revsig, err := jw.AtPath("body.sibkey.reverse_sig").GetString() if err != nil { return err } // set reverse_sig to nil to verify it: jw.SetValueAtPath("body.sibkey.reverse_sig", jsonw.NewNil()) msg, err := jw.Marshal() if err != nil { return err } _, err = keypair.VerifyString(revsig, msg) if err != nil { return err } // put reverse_sig back in jw.SetValueAtPath("body.sibkey.reverse_sig", jsonw.NewString(revsig)) return nil }
func ParseGenericKey(bundle string) (GenericKey, error) { if isPGPBundle(bundle) { // PGP key return ReadOneKeyFromString(bundle) } // NaCl key return ImportKeypairFromKID(keybase1.KIDFromString(bundle)) }
func GetKID(w *jsonw.Wrapper) (kid keybase1.KID, err error) { var s string s, err = w.GetString() if err != nil { return } kid = keybase1.KIDFromString(s) return }
func findSubkeys(parentID keybase1.KID, allKeys []keybase1.PublicKey) []keybase1.PublicKey { ret := []keybase1.PublicKey{} for _, key := range allKeys { if keybase1.KIDFromString(key.ParentID).Equal(parentID) { ret = append(ret, key) } } return ret }
func (k *ServerPrivateKey) FindActiveKey(ckf *ComputedKeyFamily) (ret *SKB, err error) { kid := keybase1.KIDFromString(k.Kid) if ckf.GetKeyRole(kid) != DLGSibkey { return } var packet *KeybasePacket if packet, err = DecodeArmoredPacket(k.Bundle); err != nil && packet == nil { return } return packet.ToSKB() }
func (e *Kex2Provisionee) decodeSig(sig []byte) (*decodedSig, error) { body, err := base64.StdEncoding.DecodeString(string(sig)) if err != nil { return nil, err } packet, err := libkb.DecodePacket(body) if err != nil { return nil, err } naclSig, ok := packet.Body.(*libkb.NaclSigInfo) if !ok { return nil, libkb.UnmarshalError{T: "Nacl signature"} } jw, err := jsonw.Unmarshal(naclSig.Payload) if err != nil { return nil, err } res := decodedSig{ sigID: libkb.ComputeSigIDFromSigBody(body), linkID: libkb.ComputeLinkID(naclSig.Payload), } res.seqno, err = jw.AtKey("seqno").GetInt() if err != nil { return nil, err } seldestKID, err := jw.AtPath("body.key.eldest_kid").GetString() if err != nil { return nil, err } res.eldestKID = keybase1.KIDFromString(seldestKID) ssigningKID, err := jw.AtPath("body.key.kid").GetString() if err != nil { return nil, err } res.signingKID = keybase1.KIDFromString(ssigningKID) return &res, nil }
func (mc *MerkleClient) findValidKIDAndSig(root *MerkleRoot) (keybase1.KID, string, error) { if v, err := root.sigs.Keys(); err == nil { for _, s := range v { kid := keybase1.KIDFromString(s) if !mc.keyring.IsValidKID(kid) { continue } else if sig, err := root.sigs.AtKey(s).AtKey("sig").GetString(); err == nil { return kid, sig, nil } } } var nilKID keybase1.KID return nilKID, "", MerkleClientError{"no known verifying key"} }
func testBody(t *testing.T) *kex.Body { did, err := libkb.NewDeviceID() if err != nil { t.Fatal(err) } a := kex.MsgArgs{ DeviceID: did, DevKeyID: keybase1.KIDFromString("123456"), } return &kex.Body{ Name: kex.StartKexMsg, Args: a, } }
func importNaclHex(s string, typ byte, bodyLen int) (ret []byte, err error) { kid := keybase1.KIDFromString(s) return importNaclKid(kid.ToBytes(), typ, bodyLen) }
func doChainTest(t *testing.T, testCase TestCase) { inputJSON, exists := testvectors.ChainTestInputs[testCase.Input] if !exists { t.Fatal("missing test input: " + testCase.Input) } // Unmarshal test input in two ways: once for the structured data and once // for the chain link blobs. var input TestInput err := json.Unmarshal([]byte(inputJSON), &input) if err != nil { t.Fatal(err) } inputBlob, err := jsonw.Unmarshal([]byte(inputJSON)) if err != nil { t.Fatal(err) } uid, err := UIDFromHex(input.UID) if err != nil { t.Fatal(err) } chainLen, err := inputBlob.AtKey("chain").Len() if err != nil { t.Fatal(err) } // Get the eldest key. This is assumed to be the first key in the list of // bundles, unless the "eldest" field is given in the test description, in // which case the eldest key is specified by name. var eldestKID keybase1.KID if testCase.Eldest == "" { eldestKey, err := ParseGenericKey(input.Keys[0]) if err != nil { t.Fatal(err) } eldestKID = eldestKey.GetKID() } else { eldestKIDStr, found := input.LabelKids[testCase.Eldest] if !found { t.Fatalf("No KID found for label %s", testCase.Eldest) } eldestKID = keybase1.KIDFromString(eldestKIDStr) } // Parse all the key bundles. keyFamily, err := createKeyFamily(input.Keys) if err != nil { t.Fatal(err) } // Run the actual sigchain parsing and verification. This is most of the // code that's actually being tested. var sigchainErr error ckf := ComputedKeyFamily{kf: keyFamily} sigchain := SigChain{username: NewNormalizedUsername(input.Username), uid: uid, loadedFromLinkOne: true} for i := 0; i < chainLen; i++ { linkBlob := inputBlob.AtKey("chain").AtIndex(i) link, err := ImportLinkFromServer(&sigchain, linkBlob, uid) if err != nil { sigchainErr = err break } sigchain.chainLinks = append(sigchain.chainLinks, link) } if sigchainErr == nil { _, sigchainErr = sigchain.VerifySigsAndComputeKeys(eldestKID, &ckf) } // Some tests expect an error. If we get one, make sure it's the right // type. if testCase.ErrType != "" { if sigchainErr == nil { t.Fatalf("Expected %s error from VerifySigsAndComputeKeys. No error returned.", testCase.ErrType) } foundType := reflect.TypeOf(sigchainErr) expectedTypes := getErrorTypesMap()[testCase.ErrType] if expectedTypes == nil || len(expectedTypes) == 0 { msg := "No Go error types defined for expected failure %s.\n" + "This could be because of new test cases in github.com/keybase/keybase-test-vectors.\n" + "Go error returned: %s" t.Fatalf(msg, testCase.ErrType, foundType) } if expectedTypes[foundType] { // Success! We found the error we expected. This test is done. G.Log.Debug("EXPECTED error encountered", sigchainErr) return } // Got an error, but one of the wrong type. Tests with error names // that are missing from the map (maybe because we add new test // cases in the future) will also hit this branch. t.Fatalf("Wrong error type encountered. Expected %v (%s), got %s: %s", expectedTypes, testCase.ErrType, foundType, sigchainErr) } // Tests that expected an error terminated above. Tests that get here // should succeed without errors. if sigchainErr != nil { t.Fatal(err) } // Check the expected results: total unrevoked links, sibkeys, and subkeys. unrevokedCount := 0 // XXX we should really contextify this idtable, err := NewIdentityTable(nil, eldestKID, &sigchain, nil) if err != nil { t.Fatal(err) } for _, link := range idtable.links { if !link.IsRevoked() { unrevokedCount++ } } if unrevokedCount != testCase.Len { t.Fatalf("Expected %d unrevoked links, but found %d.", testCase.Len, unrevokedCount) } // Don't use the current time to get keys, because that will cause test // failures 5 years from now :-D testTime := getCurrentTimeForTest(sigchain, keyFamily) numSibkeys := len(ckf.GetAllActiveSibkeysAtTime(testTime)) if numSibkeys != testCase.Sibkeys { t.Fatalf("Expected %d sibkeys, got %d", testCase.Sibkeys, numSibkeys) } numSubkeys := len(ckf.GetAllActiveSubkeysAtTime(testTime)) if numSubkeys != testCase.Subkeys { t.Fatalf("Expected %d subkeys, got %d", testCase.Subkeys, numSubkeys) } // Success! }