示例#1
0
文件: keystore.go 项目: hwinkel/rkt
func checkSignature(ks *Keystore, prefix string, signed, signature io.ReadSeeker) (*openpgp.Entity, error) {
	acidentifier, err := types.NewACIdentifier(prefix)
	if err != nil {
		return nil, err
	}
	keyring, err := ks.loadKeyring(acidentifier.String())
	if err != nil {
		return nil, errwrap.Wrap(errors.New("keystore: error loading keyring"), err)
	}
	entities, err := openpgp.CheckArmoredDetachedSignature(keyring, signed, signature)
	if err == io.EOF {
		// When the signature is binary instead of armored, the error is io.EOF.
		// Let's try with binary signatures as well
		if _, err := signed.Seek(0, 0); err != nil {
			return nil, errwrap.Wrap(errors.New("error seeking ACI file"), err)
		}
		if _, err := signature.Seek(0, 0); err != nil {
			return nil, errwrap.Wrap(errors.New("error seeking signature file"), err)
		}
		entities, err = openpgp.CheckDetachedSignature(keyring, signed, signature)
	}
	if err == io.EOF {
		// otherwise, the client failure is just "EOF", which is not helpful
		return nil, fmt.Errorf("keystore: no valid signatures found in signature file")
	}
	return entities, err
}
示例#2
0
文件: smtp.go 项目: bfix/gospel
// ParseSigned reads an unencrypted, but signed message.
func ParseSigned(ct, addr string, getInfo MailUserInfo, body io.Reader) (*MailContent, error) {
	mc := new(MailContent)
	mc.Mode = modeSIGN
	boundary := extractValue(ct, "boundary")
	rdr := multipart.NewReader(body, boundary)
	for {
		if part, err := rdr.NextPart(); err == nil {
			ct = part.Header.Get("Content-Type")
			switch {
			case strings.HasPrefix(ct, "text/plain;"):
				data, err := ioutil.ReadAll(part)
				if err != nil {
					return nil, err
				}
				mc.Body = string(data)
			case strings.HasPrefix(ct, "application/pgp-signature;"):
				id := getIdentity(getInfo, infoSENDER, addr)
				if id == nil {
					mc.Mode = modeUSIGN
					continue
				}
				buf := bytes.NewBufferString(mc.Body)
				if _, err := openpgp.CheckArmoredDetachedSignature(openpgp.EntityList{id}, buf, part); err != nil {
					return nil, err
				}
				logger.Println(logger.INFO, "Signature verified OK")
			}
		} else if err == io.EOF {
			break
		} else {
			return nil, err
		}
	}
	return mc, nil
}
示例#3
0
func Verify(publicKeyFileName string, fileToVerify string, sigFileName string) error {
	signed, err := os.Open(fileToVerify)
	if err != nil {
		return err
	}
	defer signed.Close()

	var keyring openpgp.EntityList
	if keyring, err = readPublicKeyFile(publicKeyFileName); err != nil {
		return err
	}

	signature, err := os.Open(sigFileName)
	if err != nil {
		return err
	}
	defer signature.Close()

	signer, err := openpgp.CheckArmoredDetachedSignature(keyring, signed, signature)
	if err != nil {
		return err
	}
	for _, identity := range signer.Identities {
		fmt.Fprintf(os.Stderr, "Good signature from \"%s\"\n", identity.Name)
	}

	return nil
}
示例#4
0
func (o *openPGP) Verify(input *os.File, signature *os.File) (err error) {
	keyRing := openpgp.EntityList{}
	keyRing = append(keyRing, o.pubKey)

	_, err = openpgp.CheckArmoredDetachedSignature(keyRing, input, signature)

	return
}
示例#5
0
文件: keystore.go 项目: saper/jetpack
func (ks *Keystore) CheckSignature(name types.ACIdentifier, signed, signature io.Reader) (*openpgp.Entity, error) {
	kr, err := ks.GetKeysFor(name)
	if err != nil {
		return nil, errors.Trace(err)
	}
	entities, err := openpgp.CheckArmoredDetachedSignature(kr, signed, signature)
	if err == io.EOF {
		err = errors.New("No signatures found")
	}
	return entities, err
}
示例#6
0
func ApprovalCheck(PolicyFile, SignaturesFile, Id string) (bool, error) {
	var (
		commit     SignedCommit               // Commit corresponding to be verified
		developers openpgp.EntityList         // List of all developers whose public keys are in the policy file
		approvers  map[string]*openpgp.Entity // Map of developers who provided a valid signature. Indexed by public key id (openpgp.PrimaryKey.KeyIdString)
		err        error
	)

	commit.Policy.Threshold, commit.Policy.DevPubKeys, commit.Policy.CothKey, err = PolicyScanner(PolicyFile)
	checkFileError(err, PolicyFile)
	commit.Signatures, err = SigScanner(SignaturesFile)
	checkFileError(err, SignaturesFile)
	commit.CommitID = Id
	// commit.CommitID, err = CommitScanner(CommitIdFile)
	// checkFileError(err, CommitIdFile)
	// commit.Approval = false

	approvers = make(map[string]*openpgp.Entity)

	// Creating openpgp entitylist from list of public keys
	developers = make(openpgp.EntityList, 0)
	for _, pubkey := range commit.Policy.DevPubKeys {
		keybuf, err := openpgp.ReadArmoredKeyRing(strings.NewReader(pubkey))
		if err != nil {
			dbg.Error("Could not decode armored public key", err)
		}
		for _, entity := range keybuf {
			developers = append(developers, entity)
		}
	}

	// Verifying every signature in the list and counting valid ones
	for _, signature := range commit.Signatures {
		result, err := openpgp.CheckArmoredDetachedSignature(developers, bytes.NewBufferString(commit.CommitID), strings.NewReader(signature))
		if err != nil {
			dbg.Lvl1("The signature is invalid or cannot be verified due to", err)
		} else {
			if approvers[result.PrimaryKey.KeyIdString()] == nil { // We need to check that this is a unique signature
				approvers[result.PrimaryKey.KeyIdString()] = result
				dbg.Lvl3("Approver: %+v", result.Identities)
			}
		}
	}

	dbg.Lvl3("Is release approved? ", len(approvers) >= commit.Policy.Threshold)
	// commit.Approval = (len(approvers) >= commit.Policy.Threshold)

	return len(approvers) >= commit.Policy.Threshold, err
	// return commit, err
}
示例#7
0
//ValidateSignature is exported for plugin authoring
func (s *SigningManager) ValidateSignature(keyringFiles []string, signedFile string, signature []byte) error {
	var signedby string
	var e error
	var checked *openpgp.Entity

	signed, err := os.Open(signedFile)
	if err != nil {
		return fmt.Errorf("%v: %v\n%v", ErrSignedFileNotFound, signedFile, err)
	}
	defer signed.Close()

	//Go through all the keyrings til either signature is valid or end of keyrings
	for _, keyringFile := range keyringFiles {
		keyringf, err := os.Open(keyringFile)
		if err != nil {
			return fmt.Errorf("%v: %v\n%v", ErrKeyringFileNotFound, keyringFile, err)
		}
		defer keyringf.Close()

		//Read both armored and unarmored keyrings
		keyring, err := openpgp.ReadArmoredKeyRing(keyringf)
		if err != nil {
			keyringf.Seek(0, 0)
			keyring, err = openpgp.ReadKeyRing(keyringf)
			if err != nil {
				return fmt.Errorf("%v: %v\n%v", ErrUnableToReadKeyring, keyringFile, err)
			}
		}

		//Check the armored detached signature
		checked, e = openpgp.CheckArmoredDetachedSignature(keyring, signed, bytes.NewReader(signature))
		if e == nil {
			for k := range checked.Identities {
				signedby = signedby + k
			}
			fmt.Printf("Signature made %v using RSA key ID %v\nGood signature from %v\n", time.Now().Format(time.RFC1123), checked.PrimaryKey.KeyIdShortString(), signedby)
			return nil
		}
		signed.Seek(0, 0)
	}
	return fmt.Errorf("%v\n%v", ErrCheckSignature, e)
}
示例#8
0
func TestLoadGPGSigner(t *testing.T) {
	signer, err := LoadGPGSigner("fixtures/secring.gpg", "test")
	assert.Nil(t, err)
	// assert that:
	// - fixture private key is read from a key ring file
	// - fixture encrypted private key is decrypted by passphrase
	// - Signer signs a message which can be verified by OpenPGP
	expectedMessage := "Hello World!"
	signature := new(bytes.Buffer)
	fmt.Println(signature)
	err = signer.Sign(signature, strings.NewReader(expectedMessage))
	assert.Nil(t, err)
	// valid signature
	// gpg --no-default-keyring --secret-keyring fixtures/secring.gpg --verify sig msg
	kring, err := os.Open("fixtures/secring.gpg")
	assert.Nil(t, err)
	defer kring.Close()
	entities, err := openpgp.ReadKeyRing(kring)
	assert.Nil(t, err)
	_, err = openpgp.CheckArmoredDetachedSignature(entities, strings.NewReader(expectedMessage), signature)
	assert.Nil(t, err)
}
示例#9
0
func (s *Signature) Verify() error {
	signed, err := s.script.Body()
	if err != nil {
		return err
	}
	defer signed.Close()

	signature, err := s.Body()
	if err != nil {
		return err
	}
	defer signature.Close()

	if _, err := openpgp.CheckDetachedSignature(s.key, signed, signature); err == nil {
		return nil
	}

	signature.Seek(0, 0) // i'm sure there's a good reason i don't need to reset the script...
	if _, err := openpgp.CheckArmoredDetachedSignature(s.key, signed, signature); err == nil {
		return nil
	}

	return errors.New("Failed to verify signature")
}
示例#10
0
//codes as below are implemented to support ACI storage
func VerifyAciSignature(acipath, signpath, pubkeyspath string) error {
	files, err := ioutil.ReadDir(pubkeyspath)
	if err != nil {
		return fmt.Errorf("Read pubkeys directory failed: %v", err.Error())
	}

	if len(files) <= 0 {
		return fmt.Errorf("No pubkey file found in %v", pubkeyspath)
	}

	var keyring openpgp.EntityList
	for _, file := range files {
		pubkeyfile, err := os.Open(pubkeyspath + "/" + file.Name())
		if err != nil {
			return err
		}
		defer pubkeyfile.Close()

		keyList, err := openpgp.ReadArmoredKeyRing(pubkeyfile)
		if err != nil {
			return err
		}

		if len(keyList) < 1 {
			return fmt.Errorf("Missing opengpg entity")
		}

		keyring = append(keyring, keyList[0])
	}

	acifile, err := os.Open(acipath)
	if err != nil {
		return fmt.Errorf("Open ACI file failed: %v", err.Error())
	}
	defer acifile.Close()

	signfile, err := os.Open(signpath)
	if err != nil {
		return fmt.Errorf("Open signature file failed: %v", err.Error())
	}
	defer signfile.Close()

	if _, err := acifile.Seek(0, 0); err != nil {
		return fmt.Errorf("Seek ACI file failed: %v", err)
	}
	if _, err := signfile.Seek(0, 0); err != nil {
		return fmt.Errorf("Seek signature file: %v", err)
	}

	//Verify detached signature which default is ASCII format
	_, err = openpgp.CheckArmoredDetachedSignature(keyring, acifile, signfile)
	if err == io.EOF {
		if _, err := acifile.Seek(0, 0); err != nil {
			return fmt.Errorf("Seek ACI file failed: %v", err)
		}
		if _, err := signfile.Seek(0, 0); err != nil {
			return fmt.Errorf("Seek signature file: %v", err)
		}

		//try to verify detached signature with binary format
		_, err = openpgp.CheckDetachedSignature(keyring, acifile, signfile)
	}
	if err == io.EOF {
		return fmt.Errorf("Signature format is invalid")
	}

	return err
}
示例#11
0
func checkGPG(file *File) (state SigState, err error) {
	var signer *openpgp.Entity
	var cs *clearsign.Block
	keypath := path.Join(os.Getenv("HOME"), "/.gnupg/pubring.gpg")
	keys, err := os.Open(keypath)
	if err != nil {
		fmt.Printf("Could not open public keyring at %s\n", keypath)
		os.Exit(2)
	}

	keyring, err := openpgp.ReadKeyRing(keys)

	if err != nil {
		fmt.Printf("Error reading public keyring: %s\n", err)
		os.Exit(2)
	}

	if *flagClear {
		cs, _ = clearsign.Decode(file.content)
		if cs == nil {
			fmt.Printf("Problem decoding clearsign signature from file %s\n", file.name)
			os.Exit(2)
		}

		lsig, err := ioutil.ReadAll(cs.ArmoredSignature.Body)

		if err != nil {
			fmt.Printf("Problem reading signature from %s.  Are you sure this file is clearsigned?: %s\n", file.name, err)
			os.Exit(2)
		}
		if len(lsig) > 0 {
			file.signature = lsig
			file.content = cs.Bytes
			*flagBin = true
		}

	}

	if *flagBin {
		signer, err = openpgp.CheckDetachedSignature(keyring, bytes.NewReader(file.content), bytes.NewReader(file.signature))
	} else {
		signer, err = openpgp.CheckArmoredDetachedSignature(keyring, bytes.NewReader(file.content), bytes.NewReader(file.signature))
	}
	if err != nil {
		fmt.Printf("Invalid signature or public key not present: %s\n", err)
		os.Exit(2)
	}

	state.sig = signer.PrimaryKey.KeyIdString()

	l := len(*flagKeyid)
	if l > 0 {
		var rid string

		// Force the local id to be all uppercase
		lid := strings.ToUpper(*flagKeyid)

		// check the number of chars on the remote id to see if it's a
		// short or long id. If it's not 8 or 16, it's not valid.
		switch l {
		case 8:
			fmt.Println("WARNING: The use of short ids is NOT secure.  See https://evil32.com for more info.")
			fmt.Println("Refusing to use insecure key mechanism. Exiting.")
			os.Exit(1)
		case 16:
			fmt.Println("WARNING: The use of long ids is NOT considered to be secure.  See https://evil32.com for more info.")
			rid = signer.PrimaryKey.KeyIdString()
		}
		if len(rid) == 0 {
			fmt.Printf("You did not specify a valid GPG keyid length. Must be 8 or 16 characters.")
			os.Exit(2)
		}

		if lid != rid {
			fmt.Printf("The remote file was not signed by the expected GPG Public key. Expected %s and got %s\n", lid, rid)
			os.Exit(2)
		}
	}

	// Due to how clearsign works, the detached signature has to be
	// processed using the Bytes field, but the stripped content is located
	// in the Plaintext field. As we've verified the signature was valid
	// we can now fix the content

	if *flagClear {
		file.content = cs.Plaintext
	}

	state.success = true
	return state, nil
}