write.go 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418
  1. // Copyright 2011 The Go Authors. All rights reserved.
  2. // Use of this source code is governed by a BSD-style
  3. // license that can be found in the LICENSE file.
  4. package openpgp
  5. import (
  6. "crypto"
  7. "hash"
  8. "io"
  9. "strconv"
  10. "time"
  11. "golang.org/x/crypto/openpgp/armor"
  12. "golang.org/x/crypto/openpgp/errors"
  13. "golang.org/x/crypto/openpgp/packet"
  14. "golang.org/x/crypto/openpgp/s2k"
  15. )
  16. // DetachSign signs message with the private key from signer (which must
  17. // already have been decrypted) and writes the signature to w.
  18. // If config is nil, sensible defaults will be used.
  19. func DetachSign(w io.Writer, signer *Entity, message io.Reader, config *packet.Config) error {
  20. return detachSign(w, signer, message, packet.SigTypeBinary, config)
  21. }
  22. // ArmoredDetachSign signs message with the private key from signer (which
  23. // must already have been decrypted) and writes an armored signature to w.
  24. // If config is nil, sensible defaults will be used.
  25. func ArmoredDetachSign(w io.Writer, signer *Entity, message io.Reader, config *packet.Config) (err error) {
  26. return armoredDetachSign(w, signer, message, packet.SigTypeBinary, config)
  27. }
  28. // DetachSignText signs message (after canonicalising the line endings) with
  29. // the private key from signer (which must already have been decrypted) and
  30. // writes the signature to w.
  31. // If config is nil, sensible defaults will be used.
  32. func DetachSignText(w io.Writer, signer *Entity, message io.Reader, config *packet.Config) error {
  33. return detachSign(w, signer, message, packet.SigTypeText, config)
  34. }
  35. // ArmoredDetachSignText signs message (after canonicalising the line endings)
  36. // with the private key from signer (which must already have been decrypted)
  37. // and writes an armored signature to w.
  38. // If config is nil, sensible defaults will be used.
  39. func ArmoredDetachSignText(w io.Writer, signer *Entity, message io.Reader, config *packet.Config) error {
  40. return armoredDetachSign(w, signer, message, packet.SigTypeText, config)
  41. }
  42. func armoredDetachSign(w io.Writer, signer *Entity, message io.Reader, sigType packet.SignatureType, config *packet.Config) (err error) {
  43. out, err := armor.Encode(w, SignatureType, nil)
  44. if err != nil {
  45. return
  46. }
  47. err = detachSign(out, signer, message, sigType, config)
  48. if err != nil {
  49. return
  50. }
  51. return out.Close()
  52. }
  53. func detachSign(w io.Writer, signer *Entity, message io.Reader, sigType packet.SignatureType, config *packet.Config) (err error) {
  54. if signer.PrivateKey == nil {
  55. return errors.InvalidArgumentError("signing key doesn't have a private key")
  56. }
  57. if signer.PrivateKey.Encrypted {
  58. return errors.InvalidArgumentError("signing key is encrypted")
  59. }
  60. sig := new(packet.Signature)
  61. sig.SigType = sigType
  62. sig.PubKeyAlgo = signer.PrivateKey.PubKeyAlgo
  63. sig.Hash = config.Hash()
  64. sig.CreationTime = config.Now()
  65. sig.IssuerKeyId = &signer.PrivateKey.KeyId
  66. h, wrappedHash, err := hashForSignature(sig.Hash, sig.SigType)
  67. if err != nil {
  68. return
  69. }
  70. io.Copy(wrappedHash, message)
  71. err = sig.Sign(h, signer.PrivateKey, config)
  72. if err != nil {
  73. return
  74. }
  75. return sig.Serialize(w)
  76. }
  77. // FileHints contains metadata about encrypted files. This metadata is, itself,
  78. // encrypted.
  79. type FileHints struct {
  80. // IsBinary can be set to hint that the contents are binary data.
  81. IsBinary bool
  82. // FileName hints at the name of the file that should be written. It's
  83. // truncated to 255 bytes if longer. It may be empty to suggest that the
  84. // file should not be written to disk. It may be equal to "_CONSOLE" to
  85. // suggest the data should not be written to disk.
  86. FileName string
  87. // ModTime contains the modification time of the file, or the zero time if not applicable.
  88. ModTime time.Time
  89. }
  90. // SymmetricallyEncrypt acts like gpg -c: it encrypts a file with a passphrase.
  91. // The resulting WriteCloser must be closed after the contents of the file have
  92. // been written.
  93. // If config is nil, sensible defaults will be used.
  94. func SymmetricallyEncrypt(ciphertext io.Writer, passphrase []byte, hints *FileHints, config *packet.Config) (plaintext io.WriteCloser, err error) {
  95. if hints == nil {
  96. hints = &FileHints{}
  97. }
  98. key, err := packet.SerializeSymmetricKeyEncrypted(ciphertext, passphrase, config)
  99. if err != nil {
  100. return
  101. }
  102. w, err := packet.SerializeSymmetricallyEncrypted(ciphertext, config.Cipher(), key, config)
  103. if err != nil {
  104. return
  105. }
  106. literaldata := w
  107. if algo := config.Compression(); algo != packet.CompressionNone {
  108. var compConfig *packet.CompressionConfig
  109. if config != nil {
  110. compConfig = config.CompressionConfig
  111. }
  112. literaldata, err = packet.SerializeCompressed(w, algo, compConfig)
  113. if err != nil {
  114. return
  115. }
  116. }
  117. var epochSeconds uint32
  118. if !hints.ModTime.IsZero() {
  119. epochSeconds = uint32(hints.ModTime.Unix())
  120. }
  121. return packet.SerializeLiteral(literaldata, hints.IsBinary, hints.FileName, epochSeconds)
  122. }
  123. // intersectPreferences mutates and returns a prefix of a that contains only
  124. // the values in the intersection of a and b. The order of a is preserved.
  125. func intersectPreferences(a []uint8, b []uint8) (intersection []uint8) {
  126. var j int
  127. for _, v := range a {
  128. for _, v2 := range b {
  129. if v == v2 {
  130. a[j] = v
  131. j++
  132. break
  133. }
  134. }
  135. }
  136. return a[:j]
  137. }
  138. func hashToHashId(h crypto.Hash) uint8 {
  139. v, ok := s2k.HashToHashId(h)
  140. if !ok {
  141. panic("tried to convert unknown hash")
  142. }
  143. return v
  144. }
  145. // writeAndSign writes the data as a payload package and, optionally, signs
  146. // it. hints contains optional information, that is also encrypted,
  147. // that aids the recipients in processing the message. The resulting
  148. // WriteCloser must be closed after the contents of the file have been
  149. // written. If config is nil, sensible defaults will be used.
  150. func writeAndSign(payload io.WriteCloser, candidateHashes []uint8, signed *Entity, hints *FileHints, config *packet.Config) (plaintext io.WriteCloser, err error) {
  151. var signer *packet.PrivateKey
  152. if signed != nil {
  153. signKey, ok := signed.signingKey(config.Now())
  154. if !ok {
  155. return nil, errors.InvalidArgumentError("no valid signing keys")
  156. }
  157. signer = signKey.PrivateKey
  158. if signer == nil {
  159. return nil, errors.InvalidArgumentError("no private key in signing key")
  160. }
  161. if signer.Encrypted {
  162. return nil, errors.InvalidArgumentError("signing key must be decrypted")
  163. }
  164. }
  165. var hash crypto.Hash
  166. for _, hashId := range candidateHashes {
  167. if h, ok := s2k.HashIdToHash(hashId); ok && h.Available() {
  168. hash = h
  169. break
  170. }
  171. }
  172. // If the hash specified by config is a candidate, we'll use that.
  173. if configuredHash := config.Hash(); configuredHash.Available() {
  174. for _, hashId := range candidateHashes {
  175. if h, ok := s2k.HashIdToHash(hashId); ok && h == configuredHash {
  176. hash = h
  177. break
  178. }
  179. }
  180. }
  181. if hash == 0 {
  182. hashId := candidateHashes[0]
  183. name, ok := s2k.HashIdToString(hashId)
  184. if !ok {
  185. name = "#" + strconv.Itoa(int(hashId))
  186. }
  187. return nil, errors.InvalidArgumentError("cannot encrypt because no candidate hash functions are compiled in. (Wanted " + name + " in this case.)")
  188. }
  189. if signer != nil {
  190. ops := &packet.OnePassSignature{
  191. SigType: packet.SigTypeBinary,
  192. Hash: hash,
  193. PubKeyAlgo: signer.PubKeyAlgo,
  194. KeyId: signer.KeyId,
  195. IsLast: true,
  196. }
  197. if err := ops.Serialize(payload); err != nil {
  198. return nil, err
  199. }
  200. }
  201. if hints == nil {
  202. hints = &FileHints{}
  203. }
  204. w := payload
  205. if signer != nil {
  206. // If we need to write a signature packet after the literal
  207. // data then we need to stop literalData from closing
  208. // encryptedData.
  209. w = noOpCloser{w}
  210. }
  211. var epochSeconds uint32
  212. if !hints.ModTime.IsZero() {
  213. epochSeconds = uint32(hints.ModTime.Unix())
  214. }
  215. literalData, err := packet.SerializeLiteral(w, hints.IsBinary, hints.FileName, epochSeconds)
  216. if err != nil {
  217. return nil, err
  218. }
  219. if signer != nil {
  220. return signatureWriter{payload, literalData, hash, hash.New(), signer, config}, nil
  221. }
  222. return literalData, nil
  223. }
  224. // Encrypt encrypts a message to a number of recipients and, optionally, signs
  225. // it. hints contains optional information, that is also encrypted, that aids
  226. // the recipients in processing the message. The resulting WriteCloser must
  227. // be closed after the contents of the file have been written.
  228. // If config is nil, sensible defaults will be used.
  229. func Encrypt(ciphertext io.Writer, to []*Entity, signed *Entity, hints *FileHints, config *packet.Config) (plaintext io.WriteCloser, err error) {
  230. if len(to) == 0 {
  231. return nil, errors.InvalidArgumentError("no encryption recipient provided")
  232. }
  233. // These are the possible ciphers that we'll use for the message.
  234. candidateCiphers := []uint8{
  235. uint8(packet.CipherAES128),
  236. uint8(packet.CipherAES256),
  237. uint8(packet.CipherCAST5),
  238. }
  239. // These are the possible hash functions that we'll use for the signature.
  240. candidateHashes := []uint8{
  241. hashToHashId(crypto.SHA256),
  242. hashToHashId(crypto.SHA384),
  243. hashToHashId(crypto.SHA512),
  244. hashToHashId(crypto.SHA1),
  245. hashToHashId(crypto.RIPEMD160),
  246. }
  247. // In the event that a recipient doesn't specify any supported ciphers
  248. // or hash functions, these are the ones that we assume that every
  249. // implementation supports.
  250. defaultCiphers := candidateCiphers[len(candidateCiphers)-1:]
  251. defaultHashes := candidateHashes[len(candidateHashes)-1:]
  252. encryptKeys := make([]Key, len(to))
  253. for i := range to {
  254. var ok bool
  255. encryptKeys[i], ok = to[i].encryptionKey(config.Now())
  256. if !ok {
  257. return nil, errors.InvalidArgumentError("cannot encrypt a message to key id " + strconv.FormatUint(to[i].PrimaryKey.KeyId, 16) + " because it has no encryption keys")
  258. }
  259. sig := to[i].primaryIdentity().SelfSignature
  260. preferredSymmetric := sig.PreferredSymmetric
  261. if len(preferredSymmetric) == 0 {
  262. preferredSymmetric = defaultCiphers
  263. }
  264. preferredHashes := sig.PreferredHash
  265. if len(preferredHashes) == 0 {
  266. preferredHashes = defaultHashes
  267. }
  268. candidateCiphers = intersectPreferences(candidateCiphers, preferredSymmetric)
  269. candidateHashes = intersectPreferences(candidateHashes, preferredHashes)
  270. }
  271. if len(candidateCiphers) == 0 || len(candidateHashes) == 0 {
  272. return nil, errors.InvalidArgumentError("cannot encrypt because recipient set shares no common algorithms")
  273. }
  274. cipher := packet.CipherFunction(candidateCiphers[0])
  275. // If the cipher specified by config is a candidate, we'll use that.
  276. configuredCipher := config.Cipher()
  277. for _, c := range candidateCiphers {
  278. cipherFunc := packet.CipherFunction(c)
  279. if cipherFunc == configuredCipher {
  280. cipher = cipherFunc
  281. break
  282. }
  283. }
  284. symKey := make([]byte, cipher.KeySize())
  285. if _, err := io.ReadFull(config.Random(), symKey); err != nil {
  286. return nil, err
  287. }
  288. for _, key := range encryptKeys {
  289. if err := packet.SerializeEncryptedKey(ciphertext, key.PublicKey, cipher, symKey, config); err != nil {
  290. return nil, err
  291. }
  292. }
  293. payload, err := packet.SerializeSymmetricallyEncrypted(ciphertext, cipher, symKey, config)
  294. if err != nil {
  295. return
  296. }
  297. return writeAndSign(payload, candidateHashes, signed, hints, config)
  298. }
  299. // Sign signs a message. The resulting WriteCloser must be closed after the
  300. // contents of the file have been written. hints contains optional information
  301. // that aids the recipients in processing the message.
  302. // If config is nil, sensible defaults will be used.
  303. func Sign(output io.Writer, signed *Entity, hints *FileHints, config *packet.Config) (input io.WriteCloser, err error) {
  304. if signed == nil {
  305. return nil, errors.InvalidArgumentError("no signer provided")
  306. }
  307. // These are the possible hash functions that we'll use for the signature.
  308. candidateHashes := []uint8{
  309. hashToHashId(crypto.SHA256),
  310. hashToHashId(crypto.SHA384),
  311. hashToHashId(crypto.SHA512),
  312. hashToHashId(crypto.SHA1),
  313. hashToHashId(crypto.RIPEMD160),
  314. }
  315. defaultHashes := candidateHashes[len(candidateHashes)-1:]
  316. preferredHashes := signed.primaryIdentity().SelfSignature.PreferredHash
  317. if len(preferredHashes) == 0 {
  318. preferredHashes = defaultHashes
  319. }
  320. candidateHashes = intersectPreferences(candidateHashes, preferredHashes)
  321. return writeAndSign(noOpCloser{output}, candidateHashes, signed, hints, config)
  322. }
  323. // signatureWriter hashes the contents of a message while passing it along to
  324. // literalData. When closed, it closes literalData, writes a signature packet
  325. // to encryptedData and then also closes encryptedData.
  326. type signatureWriter struct {
  327. encryptedData io.WriteCloser
  328. literalData io.WriteCloser
  329. hashType crypto.Hash
  330. h hash.Hash
  331. signer *packet.PrivateKey
  332. config *packet.Config
  333. }
  334. func (s signatureWriter) Write(data []byte) (int, error) {
  335. s.h.Write(data)
  336. return s.literalData.Write(data)
  337. }
  338. func (s signatureWriter) Close() error {
  339. sig := &packet.Signature{
  340. SigType: packet.SigTypeBinary,
  341. PubKeyAlgo: s.signer.PubKeyAlgo,
  342. Hash: s.hashType,
  343. CreationTime: s.config.Now(),
  344. IssuerKeyId: &s.signer.KeyId,
  345. }
  346. if err := sig.Sign(s.h, s.signer, s.config); err != nil {
  347. return err
  348. }
  349. if err := s.literalData.Close(); err != nil {
  350. return err
  351. }
  352. if err := sig.Serialize(s.encryptedData); err != nil {
  353. return err
  354. }
  355. return s.encryptedData.Close()
  356. }
  357. // noOpCloser is like an ioutil.NopCloser, but for an io.Writer.
  358. // TODO: we have two of these in OpenPGP packages alone. This probably needs
  359. // to be promoted somewhere more common.
  360. type noOpCloser struct {
  361. w io.Writer
  362. }
  363. func (c noOpCloser) Write(data []byte) (n int, err error) {
  364. return c.w.Write(data)
  365. }
  366. func (c noOpCloser) Close() error {
  367. return nil
  368. }