WIP: implement openpgp signing

signer/command_processor.go

@@ -2,6 +2,7 @@ package signer
 
 import (
 	"bytes"
+	"crypto"
 	"crypto/x509"
 	"encoding/hex"
 	"encoding/pem"
@@ -18,6 +19,7 @@ import (
 
 	"git.cacert.org/cacert-gosigner/datastructures"
 	"git.cacert.org/cacert-gosigner/shared"
+	"git.cacert.org/cacert-gosigner/signer/openpgp_ops"
 	"git.cacert.org/cacert-gosigner/signer/x509_ops"
 )
 
@@ -248,7 +250,7 @@ func (p *CommandProcessor) revokeX509(system *IdSystemParameters, request []byte
 		if err != nil {
 			log.Warnf("could not generate xdelta: %v", err)
 		}
-		log.Tracef("xdelte produced %d bytes", len(content))
+		log.Tracef("xdelta produced %d bytes", len(content))
 	}
 	if content == nil {
 		content = pem.EncodeToMemory(&pem.Block{
@@ -309,7 +311,17 @@ func (p *CommandProcessor) signX509Certificate(system *IdSystemParameters, days
 }
 
 func (p *CommandProcessor) signOpenpgpKey(system *IdSystemParameters, days uint16, pubKey []byte) ([]byte, error) {
-	return nil, errors.New("signOpenpgpKey is not implemented yet")
+	openPgpRoot := system.Root.(*openpgp_ops.OpenPGPRoot)
+	signatureAlgorithm := system.MessageDigestAlgorithm.(*crypto.Hash)
+
+	log.Debugf("sign openpgp for root %s", openPgpRoot)
+
+	content, err := openPgpRoot.SignPublicKey(pubKey, signatureAlgorithm, days)
+	if err != nil {
+		return nil, fmt.Errorf("could not sign openpgp public key with root %s: %v", openPgpRoot, err)
+	}
+
+	return content, nil
 }
 
 func NewCommandProcessorSettings() *CommandProcessorSettings {

signer/openpgp_ops/operations.go

@@ -1,11 +1,82 @@
 package openpgp_ops
 
+import (
+	"bytes"
+	"crypto"
+	"fmt"
+	"os"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/crypto/openpgp"
+	"golang.org/x/crypto/openpgp/packet"
+)
+
 type OpenPGPRoot struct {
 	Name          string
 	SecretKeyRing string
 	Identifier    string
 }
 
+func (r *OpenPGPRoot) SignPublicKey(pubKey []byte, algorithm *crypto.Hash, days uint16) ([]byte, error) {
+	signingKey, err := r.findSigningKey(r.Identifier)
+	if err != nil {
+		return nil, fmt.Errorf("could not find a signing key matching %s: %v", r.Identifier, err)
+	}
+
+	pubKeyRing, err := openpgp.ReadKeyRing(bytes.NewReader(pubKey))
+	if err != nil {
+		return nil, fmt.Errorf("could not read openpgp keyring: %v", err)
+	}
+
+	signatures := make([]*openpgp.Entity, 0)
+
+	for _, pe := range pubKeyRing {
+		log.Tracef("found %+v", pe)
+		for _, i := range pe.Identities {
+			if !i.SelfSignature.KeyExpired(time.Now()) {
+				signConfig := &packet.Config{
+					DefaultHash: *algorithm,
+					Time:        func() { return calculateExpiry(i, days) },
+				}
+				pe.SignIdentity(i.Name, signingKey, signConfig)
+			}
+		}
+	}
+}
+
+func calculateExpiry(i *openpgp.Identity, days uint16) time.Time {
+	maxExpiry := i.SelfSignature.CreationTime.Add(time.Second * time.Duration(*i.SelfSignature.KeyLifetimeSecs))
+	calcExpiry := time.Now().Add(time.Hour * 24 * time.Duration(days))
+
+	if calcExpiry.After(maxExpiry) {
+		return maxExpiry
+	}
+	return maxExpiry
+}
+
+func (r *OpenPGPRoot) findSigningKey(identifier string) (*openpgp.Entity, error) {
+	keyring, err := os.Open(r.SecretKeyRing)
+	if err != nil {
+		return nil, fmt.Errorf("could not open secret keyring: %v", err)
+	}
+	defer func() { _ = keyring.Close() }()
+
+	el, err := openpgp.ReadKeyRing(keyring)
+	if err != nil {
+		return nil, fmt.Errorf("could not read keyring: %v", err)
+	}
+	for _, e := range el {
+		log.Tracef("found %+v", e)
+		for _, i := range e.Identities {
+			if i.UserId.Email == identifier && len(e.Revocations) == 0 && !i.SelfSignature.KeyExpired(time.Now()) {
+				return e, nil
+			}
+		}
+	}
+	return nil, fmt.Errorf("no matching key found")
+}
+
 type OpenPGPProfile struct {
 	Name string
 }