diff --git a/build.sh b/build.sh index dff964b..bf3fe1a 100755 --- a/build.sh +++ b/build.sh @@ -5,7 +5,7 @@ SCRIPT_LOCATION=$(cd $(dirname $0);echo $PWD) OUTPUT_PATH="bin" ANDROID_OUT=${OUTPUT_PATH}/"Android" IOS_OUT=${OUTPUT_PATH}/"iOS" - +gomobile init -ndk $ANDROID_NDK # CHECK="${1-0}" # if [ ${CHECK} -eq "1" ]; then printf "\e[0;32mStart Building iOS framework .. Location: ${IOS_OUT} \033[0m\n\n" @@ -20,8 +20,6 @@ gomobile bind -target android -o ${ANDROID_OUT}/PM.aar printf "\e[0;32mInstalling frameworks. \033[0m\n\n" -cp -rf ${IOS_OUT}/PM.framework /Users/Yanfeng/Documents/ProtonMailGit/protonmail_ios/ProtonMail/ - printf "\e[0;32mAll Done. \033[0m\n\n" diff --git a/common.go b/common.go index ae610a6..e93bfee 100644 --- a/common.go +++ b/common.go @@ -30,3 +30,7 @@ func trimNewlines(input string) string { var re = regexp.MustCompile(`(?m)[ \t]*$`) return re.ReplaceAllString(input, "") } + +// Amount of seconds that a signature may be created after the verify time +// Consistent with the 2 day slack allowed in the ProtonMail Email Parser +var creationTimeOffset = int64(60 * 60 * 24 * 2) \ No newline at end of file diff --git a/message.go b/message.go index a8cf20a..ceab76e 100644 --- a/message.go +++ b/message.go @@ -11,7 +11,9 @@ import ( "golang.org/x/crypto/openpgp" "golang.org/x/crypto/openpgp/armor" "golang.org/x/crypto/openpgp/packet" -) + errors2 "golang.org/x/crypto/openpgp/errors" + "math" + ) // DecryptMessage decrypt encrypted message use private key (string ) // encryptedText : string armored encrypted @@ -165,12 +167,9 @@ func (o *OpenPGP) decryptMessageVerifyAllBin(encryptedText string, veriferKey [] return nil, err } - config := &packet.Config{ Time: o.getTimeGenerator() } - if verifyTime > 0 { - tm := time.Unix(verifyTime, 0) - config.Time = func() time.Time { - return tm - } + config := &packet.Config{} + config.Time = func() time.Time { + return time.Unix(0, 0) } md, err := openpgp.ReadMessage(encryptedio.Body, privKeyEntries, nil, config) @@ -184,6 +183,8 @@ func (o *OpenPGP) decryptMessageVerifyAllBin(encryptedText string, veriferKey [] return nil, err } + processSignatureExpiration(md, verifyTime) + out.Plaintext = string(b) if md.IsSigned { if md.SignedBy != nil { @@ -209,6 +210,25 @@ func (o *OpenPGP) decryptMessageVerifyAllBin(encryptedText string, veriferKey [] return out, nil } +// Handle signature time verification manually, so we can add a margin to the creationTime check. +func processSignatureExpiration(md *openpgp.MessageDetails, verifyTime int64) { + if md.SignatureError == errors2.ErrSignatureExpired { + if verifyTime > 0 { + created := md.Signature.CreationTime.Unix() + expires := int64(math.MaxInt64) + if md.Signature.KeyLifetimeSecs != nil { + expires = int64(*md.Signature.KeyLifetimeSecs) + created + } + if created - creationTimeOffset <= verifyTime && verifyTime <= expires { + md.SignatureError = nil + } + } else { + // verifyTime = 0: time check disabled, everything is okay + md.SignatureError = nil + } + } +} + // EncryptMessage encrypt message with public key, if pass private key and passphrase will also sign the message // publicKey : string armored public key // plainText : the input diff --git a/sign_detached.go b/sign_detached.go index 0d1be7c..d2d284a 100644 --- a/sign_detached.go +++ b/sign_detached.go @@ -9,6 +9,7 @@ import ( "golang.org/x/crypto/openpgp" "golang.org/x/crypto/openpgp/clearsign" "golang.org/x/crypto/openpgp/packet" + errors2 "golang.org/x/crypto/openpgp/errors" ) //ReadClearSignedMessage read clear message from a clearsign package @@ -202,31 +203,11 @@ func (o *OpenPGP) VerifyTextSignDetached(signature string, plainText string, pub return false, err } - signatureReader := strings.NewReader(signature) - plainText = trimNewlines(plainText) origText := bytes.NewReader(bytes.NewBufferString(plainText).Bytes()) - config := &packet.Config{ Time: o.getTimeGenerator() } - if verifyTime > 0 { - tm := time.Unix(verifyTime, 0) - config.Time = func() time.Time { - return tm - } - } - signer, err := openpgp.CheckArmoredDetachedSignature(pubKeyEntries, origText, signatureReader, config) - if err != nil { - return false, err - } - if signer == nil { - return false, errors.New("signer is empty") - } - // if signer.PrimaryKey.KeyId != signed.PrimaryKey.KeyId { - // // t.Errorf("wrong signer got:%x want:%x", signer.PrimaryKey.KeyId, 0) - // return false, errors.New("signer is nil") - // } - return true, nil + return verifySignature(pubKeyEntries, origText, signature, verifyTime) } // VerifyTextSignDetachedBinKey ... @@ -239,17 +220,40 @@ func (o *OpenPGP) VerifyTextSignDetachedBinKey(signature string, plainText strin return false, err } - signatureReader := strings.NewReader(signature) plainText = trimNewlines(plainText) origText := bytes.NewReader(bytes.NewBufferString(plainText).Bytes()) - config := &packet.Config{ Time: o.getTimeGenerator() } - if verifyTime > 0 { - tm := time.Unix(verifyTime, 0) + + return verifySignature(pubKeyEntries, origText, signature, verifyTime) +} + +func verifySignature(pubKeyEntries openpgp.EntityList, origText *bytes.Reader, signature string, verifyTime int64) (bool, error) { + config := &packet.Config{} + if verifyTime == 0 { config.Time = func() time.Time { - return tm + return time.Unix(0, 0) + } + } else { + config.Time = func() time.Time { + return time.Unix(verifyTime + creationTimeOffset, 0) } } + signatureReader := strings.NewReader(signature) + signer, err := openpgp.CheckArmoredDetachedSignature(pubKeyEntries, origText, signatureReader, config) + + if err == errors2.ErrSignatureExpired && signer != nil { + if verifyTime > 0 { + // Maybe the creation time offset pushed it over the edge + // Retry with the actual verification time + config.Time = func() time.Time { + return time.Unix(verifyTime, 0) + } + signer, err = openpgp.CheckArmoredDetachedSignature(pubKeyEntries, origText, signatureReader, config) + } else { + // verifyTime = 0: time check disabled, everything is okay + err = nil + } + } if err != nil { return false, err } @@ -263,6 +267,7 @@ func (o *OpenPGP) VerifyTextSignDetachedBinKey(signature string, plainText strin return true, nil } + // VerifyBinSignDetached ... func (o *OpenPGP) VerifyBinSignDetached(signature string, plainData []byte, publicKey string, verifyTime int64) (bool, error) { @@ -273,28 +278,8 @@ func (o *OpenPGP) VerifyBinSignDetached(signature string, plainData []byte, publ return false, err } - signatureReader := strings.NewReader(signature) - origText := bytes.NewReader(plainData) - config := &packet.Config{ Time: o.getTimeGenerator() } - if verifyTime > 0 { - tm := time.Unix(verifyTime, 0) - config.Time = func() time.Time { - return tm - } - } - signer, err := openpgp.CheckArmoredDetachedSignature(pubKeyEntries, origText, signatureReader, config) - if err != nil { - return false, err - } - if signer == nil { - return false, errors.New("signer is empty") - } - // if signer.PrimaryKey.KeyId != signed.PrimaryKey.KeyId { - // // t.Errorf("wrong signer got:%x want:%x", signer.PrimaryKey.KeyId, 0) - // return false, errors.New("signer is nil") - // } - return true, nil + return verifySignature(pubKeyEntries, origText, signature, verifyTime) } // VerifyBinSignDetachedBinKey ... @@ -306,27 +291,7 @@ func (o *OpenPGP) VerifyBinSignDetachedBinKey(signature string, plainData []byte return false, err } - signatureReader := strings.NewReader(signature) - origText := bytes.NewReader(plainData) - config := &packet.Config{ Time: o.getTimeGenerator() } - if verifyTime > 0 { - tm := time.Unix(verifyTime, 0) - config.Time = func() time.Time { - return tm - } - } - signer, err := openpgp.CheckArmoredDetachedSignature(pubKeyEntries, origText, signatureReader, config) - if err != nil { - return false, err - } - if signer == nil { - return false, errors.New("signer is empty") - } - // if signer.PrimaryKey.KeyId != signed.PrimaryKey.KeyId { - // // t.Errorf("wrong signer got:%x want:%x", signer.PrimaryKey.KeyId, 0) - // return false, errors.New("signer is nil") - // } - return true, nil + return verifySignature(pubKeyEntries, origText, signature, verifyTime) }