Finish implementation of openpgp signing
This commit is contained in:
parent
c8e6792622
commit
6cd132b3f7
4 changed files with 50 additions and 19 deletions
|
|
@ -312,7 +312,7 @@ func (p *CommandProcessor) signX509Certificate(system *IdSystemParameters, days
|
|||
|
||||
func (p *CommandProcessor) signOpenpgpKey(system *IdSystemParameters, days uint16, pubKey []byte) ([]byte, error) {
|
||||
openPgpRoot := system.Root.(*openpgp_ops.OpenPGPRoot)
|
||||
signatureAlgorithm := system.MessageDigestAlgorithm.(*crypto.Hash)
|
||||
signatureAlgorithm := system.MessageDigestAlgorithm.(crypto.Hash)
|
||||
|
||||
log.Debugf("sign openpgp for root %s", openPgpRoot)
|
||||
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ import (
|
|||
|
||||
log "github.com/sirupsen/logrus"
|
||||
"golang.org/x/crypto/openpgp"
|
||||
"golang.org/x/crypto/openpgp/armor"
|
||||
"golang.org/x/crypto/openpgp/packet"
|
||||
)
|
||||
|
||||
|
|
@ -18,7 +19,7 @@ type OpenPGPRoot struct {
|
|||
Identifier string
|
||||
}
|
||||
|
||||
func (r *OpenPGPRoot) SignPublicKey(pubKey []byte, algorithm *crypto.Hash, days uint16) ([]byte, error) {
|
||||
func (r *OpenPGPRoot) SignPublicKey(pubKey []byte, algorithm crypto.Hash, days uint16) ([]byte, error) {
|
||||
signingKey, err := r.findSigningKey(r.Identifier)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("could not find a signing key matching %s: %v", r.Identifier, err)
|
||||
|
|
@ -29,30 +30,60 @@ func (r *OpenPGPRoot) SignPublicKey(pubKey []byte, algorithm *crypto.Hash, days
|
|||
return nil, fmt.Errorf("could not read openpgp keyring: %v", err)
|
||||
}
|
||||
|
||||
signatures := make([]*openpgp.Entity, 0)
|
||||
output := bytes.NewBuffer([]byte{})
|
||||
armorOutput, err := armor.Encode(output, "PGP PUBLIC KEY BLOCK", map[string]string{})
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("could not create ASCII armor wrapper for openpgp output: %v", err)
|
||||
}
|
||||
|
||||
for _, pe := range pubKeyRing {
|
||||
log.Tracef("found %+v", pe)
|
||||
log.Tracef("found %+v", pe.PrimaryKey.KeyIdString())
|
||||
for _, i := range pe.Identities {
|
||||
expiry := calculateExpiry(i, days)
|
||||
if !i.SelfSignature.KeyExpired(time.Now()) {
|
||||
signConfig := &packet.Config{
|
||||
DefaultHash: *algorithm,
|
||||
Time: func() { return calculateExpiry(i, days) },
|
||||
sig := &packet.Signature{
|
||||
SigType: packet.SigTypeGenericCert,
|
||||
PubKeyAlgo: signingKey.PrivateKey.PubKeyAlgo,
|
||||
Hash: algorithm,
|
||||
CreationTime: time.Now(),
|
||||
SigLifetimeSecs: expiry,
|
||||
IssuerKeyId: &signingKey.PrivateKey.KeyId,
|
||||
}
|
||||
pe.SignIdentity(i.Name, signingKey, signConfig)
|
||||
if err := sig.SignUserId(i.Name, pe.PrimaryKey, signingKey.PrivateKey, &packet.Config{
|
||||
DefaultHash: algorithm,
|
||||
}); err != nil {
|
||||
return nil, fmt.Errorf("could not sign identity %s: %v", i.Name, err)
|
||||
}
|
||||
i.Signatures = append(i.Signatures, sig)
|
||||
}
|
||||
}
|
||||
if err = pe.Serialize(armorOutput); err != nil {
|
||||
return nil, fmt.Errorf(
|
||||
"could not write signed public key %s to output: %v",
|
||||
pe.PrimaryKey.KeyIdString(),
|
||||
err,
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
if err = armorOutput.Close(); err != nil {
|
||||
return nil, fmt.Errorf("could not close output stream: %v", err)
|
||||
}
|
||||
|
||||
log.Tracef("signed public key\n%s", output.String())
|
||||
|
||||
return output.Bytes(), nil
|
||||
}
|
||||
|
||||
func calculateExpiry(i *openpgp.Identity, days uint16) time.Time {
|
||||
maxExpiry := i.SelfSignature.CreationTime.Add(time.Second * time.Duration(*i.SelfSignature.KeyLifetimeSecs))
|
||||
calcExpiry := time.Now().Add(time.Hour * 24 * time.Duration(days))
|
||||
func calculateExpiry(i *openpgp.Identity, days uint16) *uint32 {
|
||||
maxExpiry := time.Second * time.Duration(*i.SelfSignature.KeyLifetimeSecs)
|
||||
calcExpiry := time.Hour * 24 * time.Duration(days)
|
||||
|
||||
if calcExpiry.After(maxExpiry) {
|
||||
return maxExpiry
|
||||
if calcExpiry > maxExpiry {
|
||||
calcExpiry = maxExpiry
|
||||
}
|
||||
return maxExpiry
|
||||
expirySeconds := uint32(calcExpiry.Seconds())
|
||||
return &expirySeconds
|
||||
}
|
||||
|
||||
func (r *OpenPGPRoot) findSigningKey(identifier string) (*openpgp.Entity, error) {
|
||||
|
|
@ -67,7 +98,7 @@ func (r *OpenPGPRoot) findSigningKey(identifier string) (*openpgp.Entity, error)
|
|||
return nil, fmt.Errorf("could not read keyring: %v", err)
|
||||
}
|
||||
for _, e := range el {
|
||||
log.Tracef("found %+v", e)
|
||||
log.Tracef("found %s", e.PrimaryKey.KeyIdString())
|
||||
for _, i := range e.Identities {
|
||||
if i.UserId.Email == identifier && len(e.Revocations) == 0 && !i.SelfSignature.KeyExpired(time.Now()) {
|
||||
return e, nil
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue