passforios-gopenpgp/crypto/sign_detached.go

package crypto

import (
	"bytes"
	"errors"
	"strings"
	"time"

	"github.com/ProtonMail/go-pm-crypto/internal"
	"golang.org/x/crypto/openpgp"
	errors2 "golang.org/x/crypto/openpgp/errors"
	"golang.org/x/crypto/openpgp/packet"
	"io"
)

// SignTextDetached sign detached text type
func (pm *PmCrypto) SignTextDetached(plainText string, privateKey string, passphrase string, trim bool) (string, error) {
	//sign with 0x01 text
	var signEntity *openpgp.Entity

	if trim {
		plainText = internal.TrimNewlines(plainText)
	}

	signerReader := strings.NewReader(privateKey)
	signerEntries, err := openpgp.ReadArmoredKeyRing(signerReader)
	if err != nil {
		return "", err
	}

	for _, e := range signerEntries {
		// Entity.PrivateKey must be a signing key
		if e.PrivateKey != nil {
			if e.PrivateKey.Encrypted {
				e.PrivateKey.Decrypt([]byte(passphrase))
			}
			if !e.PrivateKey.Encrypted {
				signEntity = e
				break
			}
		}
	}

	if signEntity == nil {
		return "", errors.New("cannot sign message, signer key is not unlocked")
	}

	config := &packet.Config{DefaultCipher: packet.CipherAES256, Time: pm.getTimeGenerator()}

	att := strings.NewReader(plainText)

	var outBuf bytes.Buffer
	//SignText
	if err = openpgp.ArmoredDetachSignText(&outBuf, signEntity, att, config); err != nil {
		return "", err
	}

	return outBuf.String(), nil
}

// SignTextDetachedBinKey ...
func (pm *PmCrypto) SignTextDetachedBinKey(plainText string, privateKey []byte, passphrase string, trim bool) (string, error) {
	//sign with 0x01
	var signEntity *openpgp.Entity

	if trim {
		plainText = internal.TrimNewlines(plainText)
	}

	signerReader := bytes.NewReader(privateKey)
	signerEntries, err := openpgp.ReadKeyRing(signerReader)
	if err != nil {
		return "", err
	}

	for _, e := range signerEntries {
		// Entity.PrivateKey must be a signing key
		if e.PrivateKey != nil {
			if e.PrivateKey.Encrypted {
				e.PrivateKey.Decrypt([]byte(passphrase))
			}
			if !e.PrivateKey.Encrypted {
				signEntity = e
				break
			}
		}
	}

	if signEntity == nil {
		return "", errors.New("cannot sign message, singer key is not unlocked")
	}

	config := &packet.Config{DefaultCipher: packet.CipherAES256, Time: pm.getTimeGenerator()}

	att := strings.NewReader(plainText)

	var outBuf bytes.Buffer
	//sign text
	if err = openpgp.ArmoredDetachSignText(&outBuf, signEntity, att, config); err != nil {
		return "", err
	}

	return outBuf.String(), nil
}

// SignBinDetached sign bin data
func (pm *PmCrypto) SignBinDetached(plainData []byte, privateKey string, passphrase string) (string, error) {
	//sign with 0x00
	var signEntity *openpgp.Entity

	signerReader := strings.NewReader(privateKey)
	signerEntries, err := openpgp.ReadArmoredKeyRing(signerReader)
	if err != nil {
		return "", err
	}

	for _, e := range signerEntries {
		// Entity.PrivateKey must be a signing key
		if e.PrivateKey != nil {
			if e.PrivateKey.Encrypted {
				e.PrivateKey.Decrypt([]byte(passphrase))
			}
			if !e.PrivateKey.Encrypted {
				signEntity = e
				break
			}
		}
	}

	if signEntity == nil {
		return "", errors.New("cannot sign message, singer key is not unlocked")
	}

	config := &packet.Config{DefaultCipher: packet.CipherAES256, Time: pm.getTimeGenerator()}

	att := bytes.NewReader(plainData)

	var outBuf bytes.Buffer
	//sign bin
	if err = openpgp.ArmoredDetachSign(&outBuf, signEntity, att, config); err != nil {
		return "", err
	}

	return outBuf.String(), nil
}

// SignBinDetachedBinKey ...
func (pm *PmCrypto) SignBinDetachedBinKey(plainData []byte, privateKey []byte, passphrase string) (string, error) {
	//sign with 0x00
	var signEntity *openpgp.Entity

	signerReader := bytes.NewReader(privateKey)
	signerEntries, err := openpgp.ReadKeyRing(signerReader)
	if err != nil {
		return "", err
	}

	for _, e := range signerEntries {
		// Entity.PrivateKey must be a signing key
		if e.PrivateKey != nil {
			if e.PrivateKey.Encrypted {
				e.PrivateKey.Decrypt([]byte(passphrase))
			}
			if !e.PrivateKey.Encrypted {
				signEntity = e
				break
			}
		}
	}

	if signEntity == nil {
		return "", errors.New("cannot sign message, singer key is not unlocked")
	}

	config := &packet.Config{DefaultCipher: packet.CipherAES256, Time: pm.getTimeGenerator()}

	att := bytes.NewReader(plainData)

	var outBuf bytes.Buffer
	//sign bin
	if err = openpgp.ArmoredDetachSign(&outBuf, signEntity, att, config); err != nil {
		return "", err
	}

	return outBuf.String(), nil
}

// VerifyTextSignDetached ...
func (pm *PmCrypto) VerifyTextSignDetached(signature string, plainText string, publicKey string, verifyTime int64) (bool, error) {

	pubKeyReader := strings.NewReader(publicKey)

	pubKeyEntries, err := openpgp.ReadArmoredKeyRing(pubKeyReader)
	if err != nil {
		return false, err
	}

	plainText = internal.TrimNewlines(plainText)

	origText := bytes.NewReader(bytes.NewBufferString(plainText).Bytes())

	return verifySignature(pubKeyEntries, origText, signature, verifyTime)
}

// VerifyTextSignDetachedBinKey ...
func (pm *PmCrypto) VerifyTextSignDetachedBinKey(signature string, plainText string, publicKey []byte, verifyTime int64) (bool, error) {

	pubKeyReader := bytes.NewReader(publicKey)

	pubKeyEntries, err := openpgp.ReadKeyRing(pubKeyReader)
	if err != nil {
		return false, err
	}

	plainText = internal.TrimNewlines(plainText)
	origText := bytes.NewReader(bytes.NewBufferString(plainText).Bytes())

	return verifySignature(pubKeyEntries, origText, signature, verifyTime)
}

func verifySignature(pubKeyEntries openpgp.EntityList, origText *bytes.Reader, signature string, verifyTime int64) (bool, error) {
	config := &packet.Config{}
	if verifyTime == 0 {
		config.Time = func() time.Time {
			return time.Unix(0, 0)
		}
	} else {
		config.Time = func() time.Time {
			return time.Unix(verifyTime+internal.CreationTimeOffset, 0)
		}
	}
	signatureReader := strings.NewReader(signature)

	signer, err := openpgp.CheckArmoredDetachedSignature(pubKeyEntries, origText, signatureReader, config)

	if err == errors2.ErrSignatureExpired && signer != nil {
		if verifyTime > 0 {
			// Maybe the creation time offset pushed it over the edge
			// Retry with the actual verification time
			config.Time = func() time.Time {
				return time.Unix(verifyTime, 0)
			}

			signatureReader.Seek(0, io.SeekStart)
			signer, err = openpgp.CheckArmoredDetachedSignature(pubKeyEntries, origText, signatureReader, config)
		} else {
			// verifyTime = 0: time check disabled, everything is okay
			err = nil
		}
	}
	if err != nil {
		return false, err
	}
	if signer == nil {
		return false, errors.New("signer is empty")
	}
	// if signer.PrimaryKey.KeyId != signed.PrimaryKey.KeyId {
	// 	// t.Errorf("wrong signer got:%x want:%x", signer.PrimaryKey.KeyId, 0)
	// 	return false, errors.New("signer is nil")
	// }
	return true, nil
}

// VerifyBinSignDetached ...
func (pm *PmCrypto) VerifyBinSignDetached(signature string, plainData []byte, publicKey string, verifyTime int64) (bool, error) {

	pubKeyReader := strings.NewReader(publicKey)

	pubKeyEntries, err := openpgp.ReadArmoredKeyRing(pubKeyReader)
	if err != nil {
		return false, err
	}

	origText := bytes.NewReader(plainData)
	return verifySignature(pubKeyEntries, origText, signature, verifyTime)
}

// VerifyBinSignDetachedBinKey ...
func (pm *PmCrypto) VerifyBinSignDetachedBinKey(signature string, plainData []byte, publicKey []byte, verifyTime int64) (bool, error) {
	pubKeyReader := bytes.NewReader(publicKey)

	pubKeyEntries, err := openpgp.ReadKeyRing(pubKeyReader)
	if err != nil {
		return false, err
	}

	origText := bytes.NewReader(plainData)

	return verifySignature(pubKeyEntries, origText, signature, verifyTime)
}
Add decryptMime and refactor package structure 2018-09-11 11:09:28 +02:00			`package crypto`
wrapper for mobile 2018-06-04 16:05:14 -07:00
			`import (`
			`"bytes"`
			`"errors"`
			`"strings"`
			`"time"`

Minor build fixes 2018-11-01 17:03:43 +01:00			`"github.com/ProtonMail/go-pm-crypto/internal"`
wrapper for mobile 2018-06-04 16:05:14 -07:00			`"golang.org/x/crypto/openpgp"`
Add a 2 day offset for signature creation time checking 2018-07-31 01:00:45 +02:00			`errors2 "golang.org/x/crypto/openpgp/errors"`
Refactor: Moved relevant parts of Key and KeyRing objs from go-pmapi 2018-09-20 15:20:45 +02:00			`"golang.org/x/crypto/openpgp/packet"`
bugfix 2018-07-31 01:13:00 +02:00			`"io"`
wrapper for mobile 2018-06-04 16:05:14 -07:00			`)`

			`// SignTextDetached sign detached text type`
Add decryptMime and refactor package structure 2018-09-11 11:09:28 +02:00			`func (pm *PmCrypto) SignTextDetached(plainText string, privateKey string, passphrase string, trim bool) (string, error) {`
wrapper for mobile 2018-06-04 16:05:14 -07:00			`//sign with 0x01 text`
			`var signEntity *openpgp.Entity`

add trim leading function 2018-06-05 15:26:55 -07:00			`if trim {`
Add decryptMime and refactor package structure 2018-09-11 11:09:28 +02:00			`plainText = internal.TrimNewlines(plainText)`
add trim leading function 2018-06-05 15:26:55 -07:00			`}`

wrapper for mobile 2018-06-04 16:05:14 -07:00			`signerReader := strings.NewReader(privateKey)`
			`signerEntries, err := openpgp.ReadArmoredKeyRing(signerReader)`
			`if err != nil {`
			`return "", err`
			`}`

			`for _, e := range signerEntries {`
			`// Entity.PrivateKey must be a signing key`
			`if e.PrivateKey != nil {`
			`if e.PrivateKey.Encrypted {`
			`e.PrivateKey.Decrypt([]byte(passphrase))`
			`}`
			`if !e.PrivateKey.Encrypted {`
			`signEntity = e`
			`break`
			`}`
			`}`
			`}`

			`if signEntity == nil {`
more cleanup, fixes 2018-06-04 17:50:26 -07:00			`return "", errors.New("cannot sign message, signer key is not unlocked")`
wrapper for mobile 2018-06-04 16:05:14 -07:00			`}`

Refactor: Moved relevant parts of Key and KeyRing objs from go-pmapi 2018-09-20 15:20:45 +02:00			`config := &packet.Config{DefaultCipher: packet.CipherAES256, Time: pm.getTimeGenerator()}`
wrapper for mobile 2018-06-04 16:05:14 -07:00
			`att := strings.NewReader(plainText)`

			`var outBuf bytes.Buffer`
			`//SignText`
			`if err = openpgp.ArmoredDetachSignText(&outBuf, signEntity, att, config); err != nil {`
			`return "", err`
			`}`

			`return outBuf.String(), nil`
			`}`

			`// SignTextDetachedBinKey ...`
Add decryptMime and refactor package structure 2018-09-11 11:09:28 +02:00			`func (pm *PmCrypto) SignTextDetachedBinKey(plainText string, privateKey []byte, passphrase string, trim bool) (string, error) {`
wrapper for mobile 2018-06-04 16:05:14 -07:00			`//sign with 0x01`
			`var signEntity *openpgp.Entity`

add trim leading function 2018-06-05 15:26:55 -07:00			`if trim {`
Add decryptMime and refactor package structure 2018-09-11 11:09:28 +02:00			`plainText = internal.TrimNewlines(plainText)`
add trim leading function 2018-06-05 15:26:55 -07:00			`}`

wrapper for mobile 2018-06-04 16:05:14 -07:00			`signerReader := bytes.NewReader(privateKey)`
			`signerEntries, err := openpgp.ReadKeyRing(signerReader)`
			`if err != nil {`
			`return "", err`
			`}`

			`for _, e := range signerEntries {`
			`// Entity.PrivateKey must be a signing key`
			`if e.PrivateKey != nil {`
			`if e.PrivateKey.Encrypted {`
			`e.PrivateKey.Decrypt([]byte(passphrase))`
			`}`
			`if !e.PrivateKey.Encrypted {`
			`signEntity = e`
			`break`
			`}`
			`}`
			`}`

			`if signEntity == nil {`
			`return "", errors.New("cannot sign message, singer key is not unlocked")`
			`}`

Refactor: Moved relevant parts of Key and KeyRing objs from go-pmapi 2018-09-20 15:20:45 +02:00			`config := &packet.Config{DefaultCipher: packet.CipherAES256, Time: pm.getTimeGenerator()}`
wrapper for mobile 2018-06-04 16:05:14 -07:00
			`att := strings.NewReader(plainText)`

			`var outBuf bytes.Buffer`
			`//sign text`
			`if err = openpgp.ArmoredDetachSignText(&outBuf, signEntity, att, config); err != nil {`
			`return "", err`
			`}`

			`return outBuf.String(), nil`
			`}`

			`// SignBinDetached sign bin data`
Add decryptMime and refactor package structure 2018-09-11 11:09:28 +02:00			`func (pm *PmCrypto) SignBinDetached(plainData []byte, privateKey string, passphrase string) (string, error) {`
wrapper for mobile 2018-06-04 16:05:14 -07:00			`//sign with 0x00`
			`var signEntity *openpgp.Entity`

			`signerReader := strings.NewReader(privateKey)`
			`signerEntries, err := openpgp.ReadArmoredKeyRing(signerReader)`
			`if err != nil {`
			`return "", err`
			`}`

			`for _, e := range signerEntries {`
			`// Entity.PrivateKey must be a signing key`
			`if e.PrivateKey != nil {`
			`if e.PrivateKey.Encrypted {`
			`e.PrivateKey.Decrypt([]byte(passphrase))`
			`}`
			`if !e.PrivateKey.Encrypted {`
			`signEntity = e`
			`break`
			`}`
			`}`
			`}`

			`if signEntity == nil {`
			`return "", errors.New("cannot sign message, singer key is not unlocked")`
			`}`

Refactor: Moved relevant parts of Key and KeyRing objs from go-pmapi 2018-09-20 15:20:45 +02:00			`config := &packet.Config{DefaultCipher: packet.CipherAES256, Time: pm.getTimeGenerator()}`
wrapper for mobile 2018-06-04 16:05:14 -07:00
			`att := bytes.NewReader(plainData)`

			`var outBuf bytes.Buffer`
			`//sign bin`
			`if err = openpgp.ArmoredDetachSign(&outBuf, signEntity, att, config); err != nil {`
			`return "", err`
			`}`

			`return outBuf.String(), nil`
			`}`

			`// SignBinDetachedBinKey ...`
Add decryptMime and refactor package structure 2018-09-11 11:09:28 +02:00			`func (pm *PmCrypto) SignBinDetachedBinKey(plainData []byte, privateKey []byte, passphrase string) (string, error) {`
wrapper for mobile 2018-06-04 16:05:14 -07:00			`//sign with 0x00`
			`var signEntity *openpgp.Entity`

			`signerReader := bytes.NewReader(privateKey)`
			`signerEntries, err := openpgp.ReadKeyRing(signerReader)`
			`if err != nil {`
			`return "", err`
			`}`

			`for _, e := range signerEntries {`
			`// Entity.PrivateKey must be a signing key`
			`if e.PrivateKey != nil {`
			`if e.PrivateKey.Encrypted {`
			`e.PrivateKey.Decrypt([]byte(passphrase))`
			`}`
			`if !e.PrivateKey.Encrypted {`
			`signEntity = e`
			`break`
			`}`
			`}`
			`}`

			`if signEntity == nil {`
			`return "", errors.New("cannot sign message, singer key is not unlocked")`
			`}`

Refactor: Moved relevant parts of Key and KeyRing objs from go-pmapi 2018-09-20 15:20:45 +02:00			`config := &packet.Config{DefaultCipher: packet.CipherAES256, Time: pm.getTimeGenerator()}`
wrapper for mobile 2018-06-04 16:05:14 -07:00
			`att := bytes.NewReader(plainData)`

			`var outBuf bytes.Buffer`
			`//sign bin`
			`if err = openpgp.ArmoredDetachSign(&outBuf, signEntity, att, config); err != nil {`
			`return "", err`
			`}`

			`return outBuf.String(), nil`
			`}`

			`// VerifyTextSignDetached ...`
Add decryptMime and refactor package structure 2018-09-11 11:09:28 +02:00			`func (pm *PmCrypto) VerifyTextSignDetached(signature string, plainText string, publicKey string, verifyTime int64) (bool, error) {`
wrapper for mobile 2018-06-04 16:05:14 -07:00
			`pubKeyReader := strings.NewReader(publicKey)`

			`pubKeyEntries, err := openpgp.ReadArmoredKeyRing(pubKeyReader)`
			`if err != nil {`
			`return false, err`
			`}`

Add decryptMime and refactor package structure 2018-09-11 11:09:28 +02:00			`plainText = internal.TrimNewlines(plainText)`
add trim leading function 2018-06-05 15:26:55 -07:00
wrapper for mobile 2018-06-04 16:05:14 -07:00			`origText := bytes.NewReader(bytes.NewBufferString(plainText).Bytes())`

Add a 2 day offset for signature creation time checking 2018-07-31 01:00:45 +02:00			`return verifySignature(pubKeyEntries, origText, signature, verifyTime)`
wrapper for mobile 2018-06-04 16:05:14 -07:00			`}`

			`// VerifyTextSignDetachedBinKey ...`
Add decryptMime and refactor package structure 2018-09-11 11:09:28 +02:00			`func (pm *PmCrypto) VerifyTextSignDetachedBinKey(signature string, plainText string, publicKey []byte, verifyTime int64) (bool, error) {`
wrapper for mobile 2018-06-04 16:05:14 -07:00
			`pubKeyReader := bytes.NewReader(publicKey)`

			`pubKeyEntries, err := openpgp.ReadKeyRing(pubKeyReader)`
			`if err != nil {`
			`return false, err`
			`}`

Add decryptMime and refactor package structure 2018-09-11 11:09:28 +02:00			`plainText = internal.TrimNewlines(plainText)`
wrapper for mobile 2018-06-04 16:05:14 -07:00			`origText := bytes.NewReader(bytes.NewBufferString(plainText).Bytes())`
Add a 2 day offset for signature creation time checking 2018-07-31 01:00:45 +02:00
			`return verifySignature(pubKeyEntries, origText, signature, verifyTime)`
			`}`

			`func verifySignature(pubKeyEntries openpgp.EntityList, origText *bytes.Reader, signature string, verifyTime int64) (bool, error) {`
			`config := &packet.Config{}`
			`if verifyTime == 0 {`
			`config.Time = func() time.Time {`
			`return time.Unix(0, 0)`
			`}`
			`} else {`
wrapper for mobile 2018-06-04 16:05:14 -07:00			`config.Time = func() time.Time {`
Refactor: Moved relevant parts of Key and KeyRing objs from go-pmapi 2018-09-20 15:20:45 +02:00			`return time.Unix(verifyTime+internal.CreationTimeOffset, 0)`
wrapper for mobile 2018-06-04 16:05:14 -07:00			`}`
			`}`
Add a 2 day offset for signature creation time checking 2018-07-31 01:00:45 +02:00			`signatureReader := strings.NewReader(signature)`

wrapper for mobile 2018-06-04 16:05:14 -07:00			`signer, err := openpgp.CheckArmoredDetachedSignature(pubKeyEntries, origText, signatureReader, config)`
Add a 2 day offset for signature creation time checking 2018-07-31 01:00:45 +02:00
			`if err == errors2.ErrSignatureExpired && signer != nil {`
			`if verifyTime > 0 {`
			`// Maybe the creation time offset pushed it over the edge`
			`// Retry with the actual verification time`
			`config.Time = func() time.Time {`
			`return time.Unix(verifyTime, 0)`
			`}`
bugfix 2018-07-31 01:13:00 +02:00
			`signatureReader.Seek(0, io.SeekStart)`
Add a 2 day offset for signature creation time checking 2018-07-31 01:00:45 +02:00			`signer, err = openpgp.CheckArmoredDetachedSignature(pubKeyEntries, origText, signatureReader, config)`
			`} else {`
			`// verifyTime = 0: time check disabled, everything is okay`
			`err = nil`
			`}`
			`}`
wrapper for mobile 2018-06-04 16:05:14 -07:00			`if err != nil {`
			`return false, err`
			`}`
			`if signer == nil {`
			`return false, errors.New("signer is empty")`
			`}`
			`// if signer.PrimaryKey.KeyId != signed.PrimaryKey.KeyId {`
			`// // t.Errorf("wrong signer got:%x want:%x", signer.PrimaryKey.KeyId, 0)`
			`// return false, errors.New("signer is nil")`
			`// }`
			`return true, nil`
			`}`

			`// VerifyBinSignDetached ...`
Add decryptMime and refactor package structure 2018-09-11 11:09:28 +02:00			`func (pm *PmCrypto) VerifyBinSignDetached(signature string, plainData []byte, publicKey string, verifyTime int64) (bool, error) {`
wrapper for mobile 2018-06-04 16:05:14 -07:00
			`pubKeyReader := strings.NewReader(publicKey)`

			`pubKeyEntries, err := openpgp.ReadArmoredKeyRing(pubKeyReader)`
			`if err != nil {`
			`return false, err`
			`}`

			`origText := bytes.NewReader(plainData)`
Add a 2 day offset for signature creation time checking 2018-07-31 01:00:45 +02:00			`return verifySignature(pubKeyEntries, origText, signature, verifyTime)`
wrapper for mobile 2018-06-04 16:05:14 -07:00			`}`

			`// VerifyBinSignDetachedBinKey ...`
Add decryptMime and refactor package structure 2018-09-11 11:09:28 +02:00			`func (pm *PmCrypto) VerifyBinSignDetachedBinKey(signature string, plainData []byte, publicKey []byte, verifyTime int64) (bool, error) {`
wrapper for mobile 2018-06-04 16:05:14 -07:00			`pubKeyReader := bytes.NewReader(publicKey)`

			`pubKeyEntries, err := openpgp.ReadKeyRing(pubKeyReader)`
			`if err != nil {`
			`return false, err`
			`}`

			`origText := bytes.NewReader(plainData)`

Add a 2 day offset for signature creation time checking 2018-07-31 01:00:45 +02:00			`return verifySignature(pubKeyEntries, origText, signature, verifyTime)`
wrapper for mobile 2018-06-04 16:05:14 -07:00			`}`