diff options
author | Radek Simko <radek.simko@gmail.com> | 2017-08-10 14:38:14 +0200 |
---|---|---|
committer | Radek Simko <radek.simko@gmail.com> | 2017-08-10 14:38:14 +0200 |
commit | c680a8e1622ed0f18751d9d167c836ee24f5e897 (patch) | |
tree | 864f925049d422033dd25a73bafce32b361c8827 /vendor/golang.org/x/crypto | |
parent | 38f8880ac81bfabc6d7f82e4dc89661f20fc559e (diff) | |
download | terraform-provider-statuscake-c680a8e1622ed0f18751d9d167c836ee24f5e897.tar.gz terraform-provider-statuscake-c680a8e1622ed0f18751d9d167c836ee24f5e897.tar.zst terraform-provider-statuscake-c680a8e1622ed0f18751d9d167c836ee24f5e897.zip |
vendor: github.com/hashicorp/terraform/...@v0.10.0
Diffstat (limited to 'vendor/golang.org/x/crypto')
28 files changed, 7361 insertions, 0 deletions
diff --git a/vendor/golang.org/x/crypto/cast5/cast5.go b/vendor/golang.org/x/crypto/cast5/cast5.go new file mode 100644 index 0000000..0b4af37 --- /dev/null +++ b/vendor/golang.org/x/crypto/cast5/cast5.go | |||
@@ -0,0 +1,526 @@ | |||
1 | // Copyright 2010 The Go Authors. All rights reserved. | ||
2 | // Use of this source code is governed by a BSD-style | ||
3 | // license that can be found in the LICENSE file. | ||
4 | |||
5 | // Package cast5 implements CAST5, as defined in RFC 2144. CAST5 is a common | ||
6 | // OpenPGP cipher. | ||
7 | package cast5 // import "golang.org/x/crypto/cast5" | ||
8 | |||
9 | import "errors" | ||
10 | |||
11 | const BlockSize = 8 | ||
12 | const KeySize = 16 | ||
13 | |||
14 | type Cipher struct { | ||
15 | masking [16]uint32 | ||
16 | rotate [16]uint8 | ||
17 | } | ||
18 | |||
19 | func NewCipher(key []byte) (c *Cipher, err error) { | ||
20 | if len(key) != KeySize { | ||
21 | return nil, errors.New("CAST5: keys must be 16 bytes") | ||
22 | } | ||
23 | |||
24 | c = new(Cipher) | ||
25 | c.keySchedule(key) | ||
26 | return | ||
27 | } | ||
28 | |||
29 | func (c *Cipher) BlockSize() int { | ||
30 | return BlockSize | ||
31 | } | ||
32 | |||
33 | func (c *Cipher) Encrypt(dst, src []byte) { | ||
34 | l := uint32(src[0])<<24 | uint32(src[1])<<16 | uint32(src[2])<<8 | uint32(src[3]) | ||
35 | r := uint32(src[4])<<24 | uint32(src[5])<<16 | uint32(src[6])<<8 | uint32(src[7]) | ||
36 | |||
37 | l, r = r, l^f1(r, c.masking[0], c.rotate[0]) | ||
38 | l, r = r, l^f2(r, c.masking[1], c.rotate[1]) | ||
39 | l, r = r, l^f3(r, c.masking[2], c.rotate[2]) | ||
40 | l, r = r, l^f1(r, c.masking[3], c.rotate[3]) | ||
41 | |||
42 | l, r = r, l^f2(r, c.masking[4], c.rotate[4]) | ||
43 | l, r = r, l^f3(r, c.masking[5], c.rotate[5]) | ||
44 | l, r = r, l^f1(r, c.masking[6], c.rotate[6]) | ||
45 | l, r = r, l^f2(r, c.masking[7], c.rotate[7]) | ||
46 | |||
47 | l, r = r, l^f3(r, c.masking[8], c.rotate[8]) | ||
48 | l, r = r, l^f1(r, c.masking[9], c.rotate[9]) | ||
49 | l, r = r, l^f2(r, c.masking[10], c.rotate[10]) | ||
50 | l, r = r, l^f3(r, c.masking[11], c.rotate[11]) | ||
51 | |||
52 | l, r = r, l^f1(r, c.masking[12], c.rotate[12]) | ||
53 | l, r = r, l^f2(r, c.masking[13], c.rotate[13]) | ||
54 | l, r = r, l^f3(r, c.masking[14], c.rotate[14]) | ||
55 | l, r = r, l^f1(r, c.masking[15], c.rotate[15]) | ||
56 | |||
57 | dst[0] = uint8(r >> 24) | ||
58 | dst[1] = uint8(r >> 16) | ||
59 | dst[2] = uint8(r >> 8) | ||
60 | dst[3] = uint8(r) | ||
61 | dst[4] = uint8(l >> 24) | ||
62 | dst[5] = uint8(l >> 16) | ||
63 | dst[6] = uint8(l >> 8) | ||
64 | dst[7] = uint8(l) | ||
65 | } | ||
66 | |||
67 | func (c *Cipher) Decrypt(dst, src []byte) { | ||
68 | l := uint32(src[0])<<24 | uint32(src[1])<<16 | uint32(src[2])<<8 | uint32(src[3]) | ||
69 | r := uint32(src[4])<<24 | uint32(src[5])<<16 | uint32(src[6])<<8 | uint32(src[7]) | ||
70 | |||
71 | l, r = r, l^f1(r, c.masking[15], c.rotate[15]) | ||
72 | l, r = r, l^f3(r, c.masking[14], c.rotate[14]) | ||
73 | l, r = r, l^f2(r, c.masking[13], c.rotate[13]) | ||
74 | l, r = r, l^f1(r, c.masking[12], c.rotate[12]) | ||
75 | |||
76 | l, r = r, l^f3(r, c.masking[11], c.rotate[11]) | ||
77 | l, r = r, l^f2(r, c.masking[10], c.rotate[10]) | ||
78 | l, r = r, l^f1(r, c.masking[9], c.rotate[9]) | ||
79 | l, r = r, l^f3(r, c.masking[8], c.rotate[8]) | ||
80 | |||
81 | l, r = r, l^f2(r, c.masking[7], c.rotate[7]) | ||
82 | l, r = r, l^f1(r, c.masking[6], c.rotate[6]) | ||
83 | l, r = r, l^f3(r, c.masking[5], c.rotate[5]) | ||
84 | l, r = r, l^f2(r, c.masking[4], c.rotate[4]) | ||
85 | |||
86 | l, r = r, l^f1(r, c.masking[3], c.rotate[3]) | ||
87 | l, r = r, l^f3(r, c.masking[2], c.rotate[2]) | ||
88 | l, r = r, l^f2(r, c.masking[1], c.rotate[1]) | ||
89 | l, r = r, l^f1(r, c.masking[0], c.rotate[0]) | ||
90 | |||
91 | dst[0] = uint8(r >> 24) | ||
92 | dst[1] = uint8(r >> 16) | ||
93 | dst[2] = uint8(r >> 8) | ||
94 | dst[3] = uint8(r) | ||
95 | dst[4] = uint8(l >> 24) | ||
96 | dst[5] = uint8(l >> 16) | ||
97 | dst[6] = uint8(l >> 8) | ||
98 | dst[7] = uint8(l) | ||
99 | } | ||
100 | |||
101 | type keyScheduleA [4][7]uint8 | ||
102 | type keyScheduleB [4][5]uint8 | ||
103 | |||
104 | // keyScheduleRound contains the magic values for a round of the key schedule. | ||
105 | // The keyScheduleA deals with the lines like: | ||
106 | // z0z1z2z3 = x0x1x2x3 ^ S5[xD] ^ S6[xF] ^ S7[xC] ^ S8[xE] ^ S7[x8] | ||
107 | // Conceptually, both x and z are in the same array, x first. The first | ||
108 | // element describes which word of this array gets written to and the | ||
109 | // second, which word gets read. So, for the line above, it's "4, 0", because | ||
110 | // it's writing to the first word of z, which, being after x, is word 4, and | ||
111 | // reading from the first word of x: word 0. | ||
112 | // | ||
113 | // Next are the indexes into the S-boxes. Now the array is treated as bytes. So | ||
114 | // "xD" is 0xd. The first byte of z is written as "16 + 0", just to be clear | ||
115 | // that it's z that we're indexing. | ||
116 | // | ||
117 | // keyScheduleB deals with lines like: | ||
118 | // K1 = S5[z8] ^ S6[z9] ^ S7[z7] ^ S8[z6] ^ S5[z2] | ||
119 | // "K1" is ignored because key words are always written in order. So the five | ||
120 | // elements are the S-box indexes. They use the same form as in keyScheduleA, | ||
121 | // above. | ||
122 | |||
123 | type keyScheduleRound struct{} | ||
124 | type keySchedule []keyScheduleRound | ||
125 | |||
126 | var schedule = []struct { | ||
127 | a keyScheduleA | ||
128 | b keyScheduleB | ||
129 | }{ | ||
130 | { | ||
131 | keyScheduleA{ | ||
132 | {4, 0, 0xd, 0xf, 0xc, 0xe, 0x8}, | ||
133 | {5, 2, 16 + 0, 16 + 2, 16 + 1, 16 + 3, 0xa}, | ||
134 | {6, 3, 16 + 7, 16 + 6, 16 + 5, 16 + 4, 9}, | ||
135 | {7, 1, 16 + 0xa, 16 + 9, 16 + 0xb, 16 + 8, 0xb}, | ||
136 | }, | ||
137 | keyScheduleB{ | ||
138 | {16 + 8, 16 + 9, 16 + 7, 16 + 6, 16 + 2}, | ||
139 | {16 + 0xa, 16 + 0xb, 16 + 5, 16 + 4, 16 + 6}, | ||
140 | {16 + 0xc, 16 + 0xd, 16 + 3, 16 + 2, 16 + 9}, | ||
141 | {16 + 0xe, 16 + 0xf, 16 + 1, 16 + 0, 16 + 0xc}, | ||
142 | }, | ||
143 | }, | ||
144 | { | ||
145 | keyScheduleA{ | ||
146 | {0, 6, 16 + 5, 16 + 7, 16 + 4, 16 + 6, 16 + 0}, | ||
147 | {1, 4, 0, 2, 1, 3, 16 + 2}, | ||
148 | {2, 5, 7, 6, 5, 4, 16 + 1}, | ||
149 | {3, 7, 0xa, 9, 0xb, 8, 16 + 3}, | ||
150 | }, | ||
151 | keyScheduleB{ | ||
152 | {3, 2, 0xc, 0xd, 8}, | ||
153 | {1, 0, 0xe, 0xf, 0xd}, | ||
154 | {7, 6, 8, 9, 3}, | ||
155 | {5, 4, 0xa, 0xb, 7}, | ||
156 | }, | ||
157 | }, | ||
158 | { | ||
159 | keyScheduleA{ | ||
160 | {4, 0, 0xd, 0xf, 0xc, 0xe, 8}, | ||
161 | {5, 2, 16 + 0, 16 + 2, 16 + 1, 16 + 3, 0xa}, | ||
162 | {6, 3, 16 + 7, 16 + 6, 16 + 5, 16 + 4, 9}, | ||
163 | {7, 1, 16 + 0xa, 16 + 9, 16 + 0xb, 16 + 8, 0xb}, | ||
164 | }, | ||
165 | keyScheduleB{ | ||
166 | {16 + 3, 16 + 2, 16 + 0xc, 16 + 0xd, 16 + 9}, | ||
167 | {16 + 1, 16 + 0, 16 + 0xe, 16 + 0xf, 16 + 0xc}, | ||
168 | {16 + 7, 16 + 6, 16 + 8, 16 + 9, 16 + 2}, | ||
169 | {16 + 5, 16 + 4, 16 + 0xa, 16 + 0xb, 16 + 6}, | ||
170 | }, | ||
171 | }, | ||
172 | { | ||
173 | keyScheduleA{ | ||
174 | {0, 6, 16 + 5, 16 + 7, 16 + 4, 16 + 6, 16 + 0}, | ||
175 | {1, 4, 0, 2, 1, 3, 16 + 2}, | ||
176 | {2, 5, 7, 6, 5, 4, 16 + 1}, | ||
177 | {3, 7, 0xa, 9, 0xb, 8, 16 + 3}, | ||
178 | }, | ||
179 | keyScheduleB{ | ||
180 | {8, 9, 7, 6, 3}, | ||
181 | {0xa, 0xb, 5, 4, 7}, | ||
182 | {0xc, 0xd, 3, 2, 8}, | ||
183 | {0xe, 0xf, 1, 0, 0xd}, | ||
184 | }, | ||
185 | }, | ||
186 | } | ||
187 | |||
188 | func (c *Cipher) keySchedule(in []byte) { | ||
189 | var t [8]uint32 | ||
190 | var k [32]uint32 | ||
191 | |||
192 | for i := 0; i < 4; i++ { | ||
193 | j := i * 4 | ||
194 | t[i] = uint32(in[j])<<24 | uint32(in[j+1])<<16 | uint32(in[j+2])<<8 | uint32(in[j+3]) | ||
195 | } | ||
196 | |||
197 | x := []byte{6, 7, 4, 5} | ||
198 | ki := 0 | ||
199 | |||
200 | for half := 0; half < 2; half++ { | ||
201 | for _, round := range schedule { | ||
202 | for j := 0; j < 4; j++ { | ||
203 | var a [7]uint8 | ||
204 | copy(a[:], round.a[j][:]) | ||
205 | w := t[a[1]] | ||
206 | w ^= sBox[4][(t[a[2]>>2]>>(24-8*(a[2]&3)))&0xff] | ||
207 | w ^= sBox[5][(t[a[3]>>2]>>(24-8*(a[3]&3)))&0xff] | ||
208 | w ^= sBox[6][(t[a[4]>>2]>>(24-8*(a[4]&3)))&0xff] | ||
209 | w ^= sBox[7][(t[a[5]>>2]>>(24-8*(a[5]&3)))&0xff] | ||
210 | w ^= sBox[x[j]][(t[a[6]>>2]>>(24-8*(a[6]&3)))&0xff] | ||
211 | t[a[0]] = w | ||
212 | } | ||
213 | |||
214 | for j := 0; j < 4; j++ { | ||
215 | var b [5]uint8 | ||
216 | copy(b[:], round.b[j][:]) | ||
217 | w := sBox[4][(t[b[0]>>2]>>(24-8*(b[0]&3)))&0xff] | ||
218 | w ^= sBox[5][(t[b[1]>>2]>>(24-8*(b[1]&3)))&0xff] | ||
219 | w ^= sBox[6][(t[b[2]>>2]>>(24-8*(b[2]&3)))&0xff] | ||
220 | w ^= sBox[7][(t[b[3]>>2]>>(24-8*(b[3]&3)))&0xff] | ||
221 | w ^= sBox[4+j][(t[b[4]>>2]>>(24-8*(b[4]&3)))&0xff] | ||
222 | k[ki] = w | ||
223 | ki++ | ||
224 | } | ||
225 | } | ||
226 | } | ||
227 | |||
228 | for i := 0; i < 16; i++ { | ||
229 | c.masking[i] = k[i] | ||
230 | c.rotate[i] = uint8(k[16+i] & 0x1f) | ||
231 | } | ||
232 | } | ||
233 | |||
234 | // These are the three 'f' functions. See RFC 2144, section 2.2. | ||
235 | func f1(d, m uint32, r uint8) uint32 { | ||
236 | t := m + d | ||
237 | I := (t << r) | (t >> (32 - r)) | ||
238 | return ((sBox[0][I>>24] ^ sBox[1][(I>>16)&0xff]) - sBox[2][(I>>8)&0xff]) + sBox[3][I&0xff] | ||
239 | } | ||
240 | |||
241 | func f2(d, m uint32, r uint8) uint32 { | ||
242 | t := m ^ d | ||
243 | I := (t << r) | (t >> (32 - r)) | ||
244 | return ((sBox[0][I>>24] - sBox[1][(I>>16)&0xff]) + sBox[2][(I>>8)&0xff]) ^ sBox[3][I&0xff] | ||
245 | } | ||
246 | |||
247 | func f3(d, m uint32, r uint8) uint32 { | ||
248 | t := m - d | ||
249 | I := (t << r) | (t >> (32 - r)) | ||
250 | return ((sBox[0][I>>24] + sBox[1][(I>>16)&0xff]) ^ sBox[2][(I>>8)&0xff]) - sBox[3][I&0xff] | ||
251 | } | ||
252 | |||
253 | var sBox = [8][256]uint32{ | ||
254 | { | ||
255 | 0x30fb40d4, 0x9fa0ff0b, 0x6beccd2f, 0x3f258c7a, 0x1e213f2f, 0x9c004dd3, 0x6003e540, 0xcf9fc949, | ||
256 | 0xbfd4af27, 0x88bbbdb5, 0xe2034090, 0x98d09675, 0x6e63a0e0, 0x15c361d2, 0xc2e7661d, 0x22d4ff8e, | ||
257 | 0x28683b6f, 0xc07fd059, 0xff2379c8, 0x775f50e2, 0x43c340d3, 0xdf2f8656, 0x887ca41a, 0xa2d2bd2d, | ||
258 | 0xa1c9e0d6, 0x346c4819, 0x61b76d87, 0x22540f2f, 0x2abe32e1, 0xaa54166b, 0x22568e3a, 0xa2d341d0, | ||
259 | 0x66db40c8, 0xa784392f, 0x004dff2f, 0x2db9d2de, 0x97943fac, 0x4a97c1d8, 0x527644b7, 0xb5f437a7, | ||
260 | 0xb82cbaef, 0xd751d159, 0x6ff7f0ed, 0x5a097a1f, 0x827b68d0, 0x90ecf52e, 0x22b0c054, 0xbc8e5935, | ||
261 | 0x4b6d2f7f, 0x50bb64a2, 0xd2664910, 0xbee5812d, 0xb7332290, 0xe93b159f, 0xb48ee411, 0x4bff345d, | ||
262 | 0xfd45c240, 0xad31973f, 0xc4f6d02e, 0x55fc8165, 0xd5b1caad, 0xa1ac2dae, 0xa2d4b76d, 0xc19b0c50, | ||
263 | 0x882240f2, 0x0c6e4f38, 0xa4e4bfd7, 0x4f5ba272, 0x564c1d2f, 0xc59c5319, 0xb949e354, 0xb04669fe, | ||
264 | 0xb1b6ab8a, 0xc71358dd, 0x6385c545, 0x110f935d, 0x57538ad5, 0x6a390493, 0xe63d37e0, 0x2a54f6b3, | ||
265 | 0x3a787d5f, 0x6276a0b5, 0x19a6fcdf, 0x7a42206a, 0x29f9d4d5, 0xf61b1891, 0xbb72275e, 0xaa508167, | ||
266 | 0x38901091, 0xc6b505eb, 0x84c7cb8c, 0x2ad75a0f, 0x874a1427, 0xa2d1936b, 0x2ad286af, 0xaa56d291, | ||
267 | 0xd7894360, 0x425c750d, 0x93b39e26, 0x187184c9, 0x6c00b32d, 0x73e2bb14, 0xa0bebc3c, 0x54623779, | ||
268 | 0x64459eab, 0x3f328b82, 0x7718cf82, 0x59a2cea6, 0x04ee002e, 0x89fe78e6, 0x3fab0950, 0x325ff6c2, | ||
269 | 0x81383f05, 0x6963c5c8, 0x76cb5ad6, 0xd49974c9, 0xca180dcf, 0x380782d5, 0xc7fa5cf6, 0x8ac31511, | ||
270 | 0x35e79e13, 0x47da91d0, 0xf40f9086, 0xa7e2419e, 0x31366241, 0x051ef495, 0xaa573b04, 0x4a805d8d, | ||
271 | 0x548300d0, 0x00322a3c, 0xbf64cddf, 0xba57a68e, 0x75c6372b, 0x50afd341, 0xa7c13275, 0x915a0bf5, | ||
272 | 0x6b54bfab, 0x2b0b1426, 0xab4cc9d7, 0x449ccd82, 0xf7fbf265, 0xab85c5f3, 0x1b55db94, 0xaad4e324, | ||
273 | 0xcfa4bd3f, 0x2deaa3e2, 0x9e204d02, 0xc8bd25ac, 0xeadf55b3, 0xd5bd9e98, 0xe31231b2, 0x2ad5ad6c, | ||
274 | 0x954329de, 0xadbe4528, 0xd8710f69, 0xaa51c90f, 0xaa786bf6, 0x22513f1e, 0xaa51a79b, 0x2ad344cc, | ||
275 | 0x7b5a41f0, 0xd37cfbad, 0x1b069505, 0x41ece491, 0xb4c332e6, 0x032268d4, 0xc9600acc, 0xce387e6d, | ||
276 | 0xbf6bb16c, 0x6a70fb78, 0x0d03d9c9, 0xd4df39de, 0xe01063da, 0x4736f464, 0x5ad328d8, 0xb347cc96, | ||
277 | 0x75bb0fc3, 0x98511bfb, 0x4ffbcc35, 0xb58bcf6a, 0xe11f0abc, 0xbfc5fe4a, 0xa70aec10, 0xac39570a, | ||
278 | 0x3f04442f, 0x6188b153, 0xe0397a2e, 0x5727cb79, 0x9ceb418f, 0x1cacd68d, 0x2ad37c96, 0x0175cb9d, | ||
279 | 0xc69dff09, 0xc75b65f0, 0xd9db40d8, 0xec0e7779, 0x4744ead4, 0xb11c3274, 0xdd24cb9e, 0x7e1c54bd, | ||
280 | 0xf01144f9, 0xd2240eb1, 0x9675b3fd, 0xa3ac3755, 0xd47c27af, 0x51c85f4d, 0x56907596, 0xa5bb15e6, | ||
281 | 0x580304f0, 0xca042cf1, 0x011a37ea, 0x8dbfaadb, 0x35ba3e4a, 0x3526ffa0, 0xc37b4d09, 0xbc306ed9, | ||
282 | 0x98a52666, 0x5648f725, 0xff5e569d, 0x0ced63d0, 0x7c63b2cf, 0x700b45e1, 0xd5ea50f1, 0x85a92872, | ||
283 | 0xaf1fbda7, 0xd4234870, 0xa7870bf3, 0x2d3b4d79, 0x42e04198, 0x0cd0ede7, 0x26470db8, 0xf881814c, | ||
284 | 0x474d6ad7, 0x7c0c5e5c, 0xd1231959, 0x381b7298, 0xf5d2f4db, 0xab838653, 0x6e2f1e23, 0x83719c9e, | ||
285 | 0xbd91e046, 0x9a56456e, 0xdc39200c, 0x20c8c571, 0x962bda1c, 0xe1e696ff, 0xb141ab08, 0x7cca89b9, | ||
286 | 0x1a69e783, 0x02cc4843, 0xa2f7c579, 0x429ef47d, 0x427b169c, 0x5ac9f049, 0xdd8f0f00, 0x5c8165bf, | ||
287 | }, | ||
288 | { | ||
289 | 0x1f201094, 0xef0ba75b, 0x69e3cf7e, 0x393f4380, 0xfe61cf7a, 0xeec5207a, 0x55889c94, 0x72fc0651, | ||
290 | 0xada7ef79, 0x4e1d7235, 0xd55a63ce, 0xde0436ba, 0x99c430ef, 0x5f0c0794, 0x18dcdb7d, 0xa1d6eff3, | ||
291 | 0xa0b52f7b, 0x59e83605, 0xee15b094, 0xe9ffd909, 0xdc440086, 0xef944459, 0xba83ccb3, 0xe0c3cdfb, | ||
292 | 0xd1da4181, 0x3b092ab1, 0xf997f1c1, 0xa5e6cf7b, 0x01420ddb, 0xe4e7ef5b, 0x25a1ff41, 0xe180f806, | ||
293 | 0x1fc41080, 0x179bee7a, 0xd37ac6a9, 0xfe5830a4, 0x98de8b7f, 0x77e83f4e, 0x79929269, 0x24fa9f7b, | ||
294 | 0xe113c85b, 0xacc40083, 0xd7503525, 0xf7ea615f, 0x62143154, 0x0d554b63, 0x5d681121, 0xc866c359, | ||
295 | 0x3d63cf73, 0xcee234c0, 0xd4d87e87, 0x5c672b21, 0x071f6181, 0x39f7627f, 0x361e3084, 0xe4eb573b, | ||
296 | 0x602f64a4, 0xd63acd9c, 0x1bbc4635, 0x9e81032d, 0x2701f50c, 0x99847ab4, 0xa0e3df79, 0xba6cf38c, | ||
297 | 0x10843094, 0x2537a95e, 0xf46f6ffe, 0xa1ff3b1f, 0x208cfb6a, 0x8f458c74, 0xd9e0a227, 0x4ec73a34, | ||
298 | 0xfc884f69, 0x3e4de8df, 0xef0e0088, 0x3559648d, 0x8a45388c, 0x1d804366, 0x721d9bfd, 0xa58684bb, | ||
299 | 0xe8256333, 0x844e8212, 0x128d8098, 0xfed33fb4, 0xce280ae1, 0x27e19ba5, 0xd5a6c252, 0xe49754bd, | ||
300 | 0xc5d655dd, 0xeb667064, 0x77840b4d, 0xa1b6a801, 0x84db26a9, 0xe0b56714, 0x21f043b7, 0xe5d05860, | ||
301 | 0x54f03084, 0x066ff472, 0xa31aa153, 0xdadc4755, 0xb5625dbf, 0x68561be6, 0x83ca6b94, 0x2d6ed23b, | ||
302 | 0xeccf01db, 0xa6d3d0ba, 0xb6803d5c, 0xaf77a709, 0x33b4a34c, 0x397bc8d6, 0x5ee22b95, 0x5f0e5304, | ||
303 | 0x81ed6f61, 0x20e74364, 0xb45e1378, 0xde18639b, 0x881ca122, 0xb96726d1, 0x8049a7e8, 0x22b7da7b, | ||
304 | 0x5e552d25, 0x5272d237, 0x79d2951c, 0xc60d894c, 0x488cb402, 0x1ba4fe5b, 0xa4b09f6b, 0x1ca815cf, | ||
305 | 0xa20c3005, 0x8871df63, 0xb9de2fcb, 0x0cc6c9e9, 0x0beeff53, 0xe3214517, 0xb4542835, 0x9f63293c, | ||
306 | 0xee41e729, 0x6e1d2d7c, 0x50045286, 0x1e6685f3, 0xf33401c6, 0x30a22c95, 0x31a70850, 0x60930f13, | ||
307 | 0x73f98417, 0xa1269859, 0xec645c44, 0x52c877a9, 0xcdff33a6, 0xa02b1741, 0x7cbad9a2, 0x2180036f, | ||
308 | 0x50d99c08, 0xcb3f4861, 0xc26bd765, 0x64a3f6ab, 0x80342676, 0x25a75e7b, 0xe4e6d1fc, 0x20c710e6, | ||
309 | 0xcdf0b680, 0x17844d3b, 0x31eef84d, 0x7e0824e4, 0x2ccb49eb, 0x846a3bae, 0x8ff77888, 0xee5d60f6, | ||
310 | 0x7af75673, 0x2fdd5cdb, 0xa11631c1, 0x30f66f43, 0xb3faec54, 0x157fd7fa, 0xef8579cc, 0xd152de58, | ||
311 | 0xdb2ffd5e, 0x8f32ce19, 0x306af97a, 0x02f03ef8, 0x99319ad5, 0xc242fa0f, 0xa7e3ebb0, 0xc68e4906, | ||
312 | 0xb8da230c, 0x80823028, 0xdcdef3c8, 0xd35fb171, 0x088a1bc8, 0xbec0c560, 0x61a3c9e8, 0xbca8f54d, | ||
313 | 0xc72feffa, 0x22822e99, 0x82c570b4, 0xd8d94e89, 0x8b1c34bc, 0x301e16e6, 0x273be979, 0xb0ffeaa6, | ||
314 | 0x61d9b8c6, 0x00b24869, 0xb7ffce3f, 0x08dc283b, 0x43daf65a, 0xf7e19798, 0x7619b72f, 0x8f1c9ba4, | ||
315 | 0xdc8637a0, 0x16a7d3b1, 0x9fc393b7, 0xa7136eeb, 0xc6bcc63e, 0x1a513742, 0xef6828bc, 0x520365d6, | ||
316 | 0x2d6a77ab, 0x3527ed4b, 0x821fd216, 0x095c6e2e, 0xdb92f2fb, 0x5eea29cb, 0x145892f5, 0x91584f7f, | ||
317 | 0x5483697b, 0x2667a8cc, 0x85196048, 0x8c4bacea, 0x833860d4, 0x0d23e0f9, 0x6c387e8a, 0x0ae6d249, | ||
318 | 0xb284600c, 0xd835731d, 0xdcb1c647, 0xac4c56ea, 0x3ebd81b3, 0x230eabb0, 0x6438bc87, 0xf0b5b1fa, | ||
319 | 0x8f5ea2b3, 0xfc184642, 0x0a036b7a, 0x4fb089bd, 0x649da589, 0xa345415e, 0x5c038323, 0x3e5d3bb9, | ||
320 | 0x43d79572, 0x7e6dd07c, 0x06dfdf1e, 0x6c6cc4ef, 0x7160a539, 0x73bfbe70, 0x83877605, 0x4523ecf1, | ||
321 | }, | ||
322 | { | ||
323 | 0x8defc240, 0x25fa5d9f, 0xeb903dbf, 0xe810c907, 0x47607fff, 0x369fe44b, 0x8c1fc644, 0xaececa90, | ||
324 | 0xbeb1f9bf, 0xeefbcaea, 0xe8cf1950, 0x51df07ae, 0x920e8806, 0xf0ad0548, 0xe13c8d83, 0x927010d5, | ||
325 | 0x11107d9f, 0x07647db9, 0xb2e3e4d4, 0x3d4f285e, 0xb9afa820, 0xfade82e0, 0xa067268b, 0x8272792e, | ||
326 | 0x553fb2c0, 0x489ae22b, 0xd4ef9794, 0x125e3fbc, 0x21fffcee, 0x825b1bfd, 0x9255c5ed, 0x1257a240, | ||
327 | 0x4e1a8302, 0xbae07fff, 0x528246e7, 0x8e57140e, 0x3373f7bf, 0x8c9f8188, 0xa6fc4ee8, 0xc982b5a5, | ||
328 | 0xa8c01db7, 0x579fc264, 0x67094f31, 0xf2bd3f5f, 0x40fff7c1, 0x1fb78dfc, 0x8e6bd2c1, 0x437be59b, | ||
329 | 0x99b03dbf, 0xb5dbc64b, 0x638dc0e6, 0x55819d99, 0xa197c81c, 0x4a012d6e, 0xc5884a28, 0xccc36f71, | ||
330 | 0xb843c213, 0x6c0743f1, 0x8309893c, 0x0feddd5f, 0x2f7fe850, 0xd7c07f7e, 0x02507fbf, 0x5afb9a04, | ||
331 | 0xa747d2d0, 0x1651192e, 0xaf70bf3e, 0x58c31380, 0x5f98302e, 0x727cc3c4, 0x0a0fb402, 0x0f7fef82, | ||
332 | 0x8c96fdad, 0x5d2c2aae, 0x8ee99a49, 0x50da88b8, 0x8427f4a0, 0x1eac5790, 0x796fb449, 0x8252dc15, | ||
333 | 0xefbd7d9b, 0xa672597d, 0xada840d8, 0x45f54504, 0xfa5d7403, 0xe83ec305, 0x4f91751a, 0x925669c2, | ||
334 | 0x23efe941, 0xa903f12e, 0x60270df2, 0x0276e4b6, 0x94fd6574, 0x927985b2, 0x8276dbcb, 0x02778176, | ||
335 | 0xf8af918d, 0x4e48f79e, 0x8f616ddf, 0xe29d840e, 0x842f7d83, 0x340ce5c8, 0x96bbb682, 0x93b4b148, | ||
336 | 0xef303cab, 0x984faf28, 0x779faf9b, 0x92dc560d, 0x224d1e20, 0x8437aa88, 0x7d29dc96, 0x2756d3dc, | ||
337 | 0x8b907cee, 0xb51fd240, 0xe7c07ce3, 0xe566b4a1, 0xc3e9615e, 0x3cf8209d, 0x6094d1e3, 0xcd9ca341, | ||
338 | 0x5c76460e, 0x00ea983b, 0xd4d67881, 0xfd47572c, 0xf76cedd9, 0xbda8229c, 0x127dadaa, 0x438a074e, | ||
339 | 0x1f97c090, 0x081bdb8a, 0x93a07ebe, 0xb938ca15, 0x97b03cff, 0x3dc2c0f8, 0x8d1ab2ec, 0x64380e51, | ||
340 | 0x68cc7bfb, 0xd90f2788, 0x12490181, 0x5de5ffd4, 0xdd7ef86a, 0x76a2e214, 0xb9a40368, 0x925d958f, | ||
341 | 0x4b39fffa, 0xba39aee9, 0xa4ffd30b, 0xfaf7933b, 0x6d498623, 0x193cbcfa, 0x27627545, 0x825cf47a, | ||
342 | 0x61bd8ba0, 0xd11e42d1, 0xcead04f4, 0x127ea392, 0x10428db7, 0x8272a972, 0x9270c4a8, 0x127de50b, | ||
343 | 0x285ba1c8, 0x3c62f44f, 0x35c0eaa5, 0xe805d231, 0x428929fb, 0xb4fcdf82, 0x4fb66a53, 0x0e7dc15b, | ||
344 | 0x1f081fab, 0x108618ae, 0xfcfd086d, 0xf9ff2889, 0x694bcc11, 0x236a5cae, 0x12deca4d, 0x2c3f8cc5, | ||
345 | 0xd2d02dfe, 0xf8ef5896, 0xe4cf52da, 0x95155b67, 0x494a488c, 0xb9b6a80c, 0x5c8f82bc, 0x89d36b45, | ||
346 | 0x3a609437, 0xec00c9a9, 0x44715253, 0x0a874b49, 0xd773bc40, 0x7c34671c, 0x02717ef6, 0x4feb5536, | ||
347 | 0xa2d02fff, 0xd2bf60c4, 0xd43f03c0, 0x50b4ef6d, 0x07478cd1, 0x006e1888, 0xa2e53f55, 0xb9e6d4bc, | ||
348 | 0xa2048016, 0x97573833, 0xd7207d67, 0xde0f8f3d, 0x72f87b33, 0xabcc4f33, 0x7688c55d, 0x7b00a6b0, | ||
349 | 0x947b0001, 0x570075d2, 0xf9bb88f8, 0x8942019e, 0x4264a5ff, 0x856302e0, 0x72dbd92b, 0xee971b69, | ||
350 | 0x6ea22fde, 0x5f08ae2b, 0xaf7a616d, 0xe5c98767, 0xcf1febd2, 0x61efc8c2, 0xf1ac2571, 0xcc8239c2, | ||
351 | 0x67214cb8, 0xb1e583d1, 0xb7dc3e62, 0x7f10bdce, 0xf90a5c38, 0x0ff0443d, 0x606e6dc6, 0x60543a49, | ||
352 | 0x5727c148, 0x2be98a1d, 0x8ab41738, 0x20e1be24, 0xaf96da0f, 0x68458425, 0x99833be5, 0x600d457d, | ||
353 | 0x282f9350, 0x8334b362, 0xd91d1120, 0x2b6d8da0, 0x642b1e31, 0x9c305a00, 0x52bce688, 0x1b03588a, | ||
354 | 0xf7baefd5, 0x4142ed9c, 0xa4315c11, 0x83323ec5, 0xdfef4636, 0xa133c501, 0xe9d3531c, 0xee353783, | ||
355 | }, | ||
356 | { | ||
357 | 0x9db30420, 0x1fb6e9de, 0xa7be7bef, 0xd273a298, 0x4a4f7bdb, 0x64ad8c57, 0x85510443, 0xfa020ed1, | ||
358 | 0x7e287aff, 0xe60fb663, 0x095f35a1, 0x79ebf120, 0xfd059d43, 0x6497b7b1, 0xf3641f63, 0x241e4adf, | ||
359 | 0x28147f5f, 0x4fa2b8cd, 0xc9430040, 0x0cc32220, 0xfdd30b30, 0xc0a5374f, 0x1d2d00d9, 0x24147b15, | ||
360 | 0xee4d111a, 0x0fca5167, 0x71ff904c, 0x2d195ffe, 0x1a05645f, 0x0c13fefe, 0x081b08ca, 0x05170121, | ||
361 | 0x80530100, 0xe83e5efe, 0xac9af4f8, 0x7fe72701, 0xd2b8ee5f, 0x06df4261, 0xbb9e9b8a, 0x7293ea25, | ||
362 | 0xce84ffdf, 0xf5718801, 0x3dd64b04, 0xa26f263b, 0x7ed48400, 0x547eebe6, 0x446d4ca0, 0x6cf3d6f5, | ||
363 | 0x2649abdf, 0xaea0c7f5, 0x36338cc1, 0x503f7e93, 0xd3772061, 0x11b638e1, 0x72500e03, 0xf80eb2bb, | ||
364 | 0xabe0502e, 0xec8d77de, 0x57971e81, 0xe14f6746, 0xc9335400, 0x6920318f, 0x081dbb99, 0xffc304a5, | ||
365 | 0x4d351805, 0x7f3d5ce3, 0xa6c866c6, 0x5d5bcca9, 0xdaec6fea, 0x9f926f91, 0x9f46222f, 0x3991467d, | ||
366 | 0xa5bf6d8e, 0x1143c44f, 0x43958302, 0xd0214eeb, 0x022083b8, 0x3fb6180c, 0x18f8931e, 0x281658e6, | ||
367 | 0x26486e3e, 0x8bd78a70, 0x7477e4c1, 0xb506e07c, 0xf32d0a25, 0x79098b02, 0xe4eabb81, 0x28123b23, | ||
368 | 0x69dead38, 0x1574ca16, 0xdf871b62, 0x211c40b7, 0xa51a9ef9, 0x0014377b, 0x041e8ac8, 0x09114003, | ||
369 | 0xbd59e4d2, 0xe3d156d5, 0x4fe876d5, 0x2f91a340, 0x557be8de, 0x00eae4a7, 0x0ce5c2ec, 0x4db4bba6, | ||
370 | 0xe756bdff, 0xdd3369ac, 0xec17b035, 0x06572327, 0x99afc8b0, 0x56c8c391, 0x6b65811c, 0x5e146119, | ||
371 | 0x6e85cb75, 0xbe07c002, 0xc2325577, 0x893ff4ec, 0x5bbfc92d, 0xd0ec3b25, 0xb7801ab7, 0x8d6d3b24, | ||
372 | 0x20c763ef, 0xc366a5fc, 0x9c382880, 0x0ace3205, 0xaac9548a, 0xeca1d7c7, 0x041afa32, 0x1d16625a, | ||
373 | 0x6701902c, 0x9b757a54, 0x31d477f7, 0x9126b031, 0x36cc6fdb, 0xc70b8b46, 0xd9e66a48, 0x56e55a79, | ||
374 | 0x026a4ceb, 0x52437eff, 0x2f8f76b4, 0x0df980a5, 0x8674cde3, 0xedda04eb, 0x17a9be04, 0x2c18f4df, | ||
375 | 0xb7747f9d, 0xab2af7b4, 0xefc34d20, 0x2e096b7c, 0x1741a254, 0xe5b6a035, 0x213d42f6, 0x2c1c7c26, | ||
376 | 0x61c2f50f, 0x6552daf9, 0xd2c231f8, 0x25130f69, 0xd8167fa2, 0x0418f2c8, 0x001a96a6, 0x0d1526ab, | ||
377 | 0x63315c21, 0x5e0a72ec, 0x49bafefd, 0x187908d9, 0x8d0dbd86, 0x311170a7, 0x3e9b640c, 0xcc3e10d7, | ||
378 | 0xd5cad3b6, 0x0caec388, 0xf73001e1, 0x6c728aff, 0x71eae2a1, 0x1f9af36e, 0xcfcbd12f, 0xc1de8417, | ||
379 | 0xac07be6b, 0xcb44a1d8, 0x8b9b0f56, 0x013988c3, 0xb1c52fca, 0xb4be31cd, 0xd8782806, 0x12a3a4e2, | ||
380 | 0x6f7de532, 0x58fd7eb6, 0xd01ee900, 0x24adffc2, 0xf4990fc5, 0x9711aac5, 0x001d7b95, 0x82e5e7d2, | ||
381 | 0x109873f6, 0x00613096, 0xc32d9521, 0xada121ff, 0x29908415, 0x7fbb977f, 0xaf9eb3db, 0x29c9ed2a, | ||
382 | 0x5ce2a465, 0xa730f32c, 0xd0aa3fe8, 0x8a5cc091, 0xd49e2ce7, 0x0ce454a9, 0xd60acd86, 0x015f1919, | ||
383 | 0x77079103, 0xdea03af6, 0x78a8565e, 0xdee356df, 0x21f05cbe, 0x8b75e387, 0xb3c50651, 0xb8a5c3ef, | ||
384 | 0xd8eeb6d2, 0xe523be77, 0xc2154529, 0x2f69efdf, 0xafe67afb, 0xf470c4b2, 0xf3e0eb5b, 0xd6cc9876, | ||
385 | 0x39e4460c, 0x1fda8538, 0x1987832f, 0xca007367, 0xa99144f8, 0x296b299e, 0x492fc295, 0x9266beab, | ||
386 | 0xb5676e69, 0x9bd3ddda, 0xdf7e052f, 0xdb25701c, 0x1b5e51ee, 0xf65324e6, 0x6afce36c, 0x0316cc04, | ||
387 | 0x8644213e, 0xb7dc59d0, 0x7965291f, 0xccd6fd43, 0x41823979, 0x932bcdf6, 0xb657c34d, 0x4edfd282, | ||
388 | 0x7ae5290c, 0x3cb9536b, 0x851e20fe, 0x9833557e, 0x13ecf0b0, 0xd3ffb372, 0x3f85c5c1, 0x0aef7ed2, | ||
389 | }, | ||
390 | { | ||
391 | 0x7ec90c04, 0x2c6e74b9, 0x9b0e66df, 0xa6337911, 0xb86a7fff, 0x1dd358f5, 0x44dd9d44, 0x1731167f, | ||
392 | 0x08fbf1fa, 0xe7f511cc, 0xd2051b00, 0x735aba00, 0x2ab722d8, 0x386381cb, 0xacf6243a, 0x69befd7a, | ||
393 | 0xe6a2e77f, 0xf0c720cd, 0xc4494816, 0xccf5c180, 0x38851640, 0x15b0a848, 0xe68b18cb, 0x4caadeff, | ||
394 | 0x5f480a01, 0x0412b2aa, 0x259814fc, 0x41d0efe2, 0x4e40b48d, 0x248eb6fb, 0x8dba1cfe, 0x41a99b02, | ||
395 | 0x1a550a04, 0xba8f65cb, 0x7251f4e7, 0x95a51725, 0xc106ecd7, 0x97a5980a, 0xc539b9aa, 0x4d79fe6a, | ||
396 | 0xf2f3f763, 0x68af8040, 0xed0c9e56, 0x11b4958b, 0xe1eb5a88, 0x8709e6b0, 0xd7e07156, 0x4e29fea7, | ||
397 | 0x6366e52d, 0x02d1c000, 0xc4ac8e05, 0x9377f571, 0x0c05372a, 0x578535f2, 0x2261be02, 0xd642a0c9, | ||
398 | 0xdf13a280, 0x74b55bd2, 0x682199c0, 0xd421e5ec, 0x53fb3ce8, 0xc8adedb3, 0x28a87fc9, 0x3d959981, | ||
399 | 0x5c1ff900, 0xfe38d399, 0x0c4eff0b, 0x062407ea, 0xaa2f4fb1, 0x4fb96976, 0x90c79505, 0xb0a8a774, | ||
400 | 0xef55a1ff, 0xe59ca2c2, 0xa6b62d27, 0xe66a4263, 0xdf65001f, 0x0ec50966, 0xdfdd55bc, 0x29de0655, | ||
401 | 0x911e739a, 0x17af8975, 0x32c7911c, 0x89f89468, 0x0d01e980, 0x524755f4, 0x03b63cc9, 0x0cc844b2, | ||
402 | 0xbcf3f0aa, 0x87ac36e9, 0xe53a7426, 0x01b3d82b, 0x1a9e7449, 0x64ee2d7e, 0xcddbb1da, 0x01c94910, | ||
403 | 0xb868bf80, 0x0d26f3fd, 0x9342ede7, 0x04a5c284, 0x636737b6, 0x50f5b616, 0xf24766e3, 0x8eca36c1, | ||
404 | 0x136e05db, 0xfef18391, 0xfb887a37, 0xd6e7f7d4, 0xc7fb7dc9, 0x3063fcdf, 0xb6f589de, 0xec2941da, | ||
405 | 0x26e46695, 0xb7566419, 0xf654efc5, 0xd08d58b7, 0x48925401, 0xc1bacb7f, 0xe5ff550f, 0xb6083049, | ||
406 | 0x5bb5d0e8, 0x87d72e5a, 0xab6a6ee1, 0x223a66ce, 0xc62bf3cd, 0x9e0885f9, 0x68cb3e47, 0x086c010f, | ||
407 | 0xa21de820, 0xd18b69de, 0xf3f65777, 0xfa02c3f6, 0x407edac3, 0xcbb3d550, 0x1793084d, 0xb0d70eba, | ||
408 | 0x0ab378d5, 0xd951fb0c, 0xded7da56, 0x4124bbe4, 0x94ca0b56, 0x0f5755d1, 0xe0e1e56e, 0x6184b5be, | ||
409 | 0x580a249f, 0x94f74bc0, 0xe327888e, 0x9f7b5561, 0xc3dc0280, 0x05687715, 0x646c6bd7, 0x44904db3, | ||
410 | 0x66b4f0a3, 0xc0f1648a, 0x697ed5af, 0x49e92ff6, 0x309e374f, 0x2cb6356a, 0x85808573, 0x4991f840, | ||
411 | 0x76f0ae02, 0x083be84d, 0x28421c9a, 0x44489406, 0x736e4cb8, 0xc1092910, 0x8bc95fc6, 0x7d869cf4, | ||
412 | 0x134f616f, 0x2e77118d, 0xb31b2be1, 0xaa90b472, 0x3ca5d717, 0x7d161bba, 0x9cad9010, 0xaf462ba2, | ||
413 | 0x9fe459d2, 0x45d34559, 0xd9f2da13, 0xdbc65487, 0xf3e4f94e, 0x176d486f, 0x097c13ea, 0x631da5c7, | ||
414 | 0x445f7382, 0x175683f4, 0xcdc66a97, 0x70be0288, 0xb3cdcf72, 0x6e5dd2f3, 0x20936079, 0x459b80a5, | ||
415 | 0xbe60e2db, 0xa9c23101, 0xeba5315c, 0x224e42f2, 0x1c5c1572, 0xf6721b2c, 0x1ad2fff3, 0x8c25404e, | ||
416 | 0x324ed72f, 0x4067b7fd, 0x0523138e, 0x5ca3bc78, 0xdc0fd66e, 0x75922283, 0x784d6b17, 0x58ebb16e, | ||
417 | 0x44094f85, 0x3f481d87, 0xfcfeae7b, 0x77b5ff76, 0x8c2302bf, 0xaaf47556, 0x5f46b02a, 0x2b092801, | ||
418 | 0x3d38f5f7, 0x0ca81f36, 0x52af4a8a, 0x66d5e7c0, 0xdf3b0874, 0x95055110, 0x1b5ad7a8, 0xf61ed5ad, | ||
419 | 0x6cf6e479, 0x20758184, 0xd0cefa65, 0x88f7be58, 0x4a046826, 0x0ff6f8f3, 0xa09c7f70, 0x5346aba0, | ||
420 | 0x5ce96c28, 0xe176eda3, 0x6bac307f, 0x376829d2, 0x85360fa9, 0x17e3fe2a, 0x24b79767, 0xf5a96b20, | ||
421 | 0xd6cd2595, 0x68ff1ebf, 0x7555442c, 0xf19f06be, 0xf9e0659a, 0xeeb9491d, 0x34010718, 0xbb30cab8, | ||
422 | 0xe822fe15, 0x88570983, 0x750e6249, 0xda627e55, 0x5e76ffa8, 0xb1534546, 0x6d47de08, 0xefe9e7d4, | ||
423 | }, | ||
424 | { | ||
425 | 0xf6fa8f9d, 0x2cac6ce1, 0x4ca34867, 0xe2337f7c, 0x95db08e7, 0x016843b4, 0xeced5cbc, 0x325553ac, | ||
426 | 0xbf9f0960, 0xdfa1e2ed, 0x83f0579d, 0x63ed86b9, 0x1ab6a6b8, 0xde5ebe39, 0xf38ff732, 0x8989b138, | ||
427 | 0x33f14961, 0xc01937bd, 0xf506c6da, 0xe4625e7e, 0xa308ea99, 0x4e23e33c, 0x79cbd7cc, 0x48a14367, | ||
428 | 0xa3149619, 0xfec94bd5, 0xa114174a, 0xeaa01866, 0xa084db2d, 0x09a8486f, 0xa888614a, 0x2900af98, | ||
429 | 0x01665991, 0xe1992863, 0xc8f30c60, 0x2e78ef3c, 0xd0d51932, 0xcf0fec14, 0xf7ca07d2, 0xd0a82072, | ||
430 | 0xfd41197e, 0x9305a6b0, 0xe86be3da, 0x74bed3cd, 0x372da53c, 0x4c7f4448, 0xdab5d440, 0x6dba0ec3, | ||
431 | 0x083919a7, 0x9fbaeed9, 0x49dbcfb0, 0x4e670c53, 0x5c3d9c01, 0x64bdb941, 0x2c0e636a, 0xba7dd9cd, | ||
432 | 0xea6f7388, 0xe70bc762, 0x35f29adb, 0x5c4cdd8d, 0xf0d48d8c, 0xb88153e2, 0x08a19866, 0x1ae2eac8, | ||
433 | 0x284caf89, 0xaa928223, 0x9334be53, 0x3b3a21bf, 0x16434be3, 0x9aea3906, 0xefe8c36e, 0xf890cdd9, | ||
434 | 0x80226dae, 0xc340a4a3, 0xdf7e9c09, 0xa694a807, 0x5b7c5ecc, 0x221db3a6, 0x9a69a02f, 0x68818a54, | ||
435 | 0xceb2296f, 0x53c0843a, 0xfe893655, 0x25bfe68a, 0xb4628abc, 0xcf222ebf, 0x25ac6f48, 0xa9a99387, | ||
436 | 0x53bddb65, 0xe76ffbe7, 0xe967fd78, 0x0ba93563, 0x8e342bc1, 0xe8a11be9, 0x4980740d, 0xc8087dfc, | ||
437 | 0x8de4bf99, 0xa11101a0, 0x7fd37975, 0xda5a26c0, 0xe81f994f, 0x9528cd89, 0xfd339fed, 0xb87834bf, | ||
438 | 0x5f04456d, 0x22258698, 0xc9c4c83b, 0x2dc156be, 0x4f628daa, 0x57f55ec5, 0xe2220abe, 0xd2916ebf, | ||
439 | 0x4ec75b95, 0x24f2c3c0, 0x42d15d99, 0xcd0d7fa0, 0x7b6e27ff, 0xa8dc8af0, 0x7345c106, 0xf41e232f, | ||
440 | 0x35162386, 0xe6ea8926, 0x3333b094, 0x157ec6f2, 0x372b74af, 0x692573e4, 0xe9a9d848, 0xf3160289, | ||
441 | 0x3a62ef1d, 0xa787e238, 0xf3a5f676, 0x74364853, 0x20951063, 0x4576698d, 0xb6fad407, 0x592af950, | ||
442 | 0x36f73523, 0x4cfb6e87, 0x7da4cec0, 0x6c152daa, 0xcb0396a8, 0xc50dfe5d, 0xfcd707ab, 0x0921c42f, | ||
443 | 0x89dff0bb, 0x5fe2be78, 0x448f4f33, 0x754613c9, 0x2b05d08d, 0x48b9d585, 0xdc049441, 0xc8098f9b, | ||
444 | 0x7dede786, 0xc39a3373, 0x42410005, 0x6a091751, 0x0ef3c8a6, 0x890072d6, 0x28207682, 0xa9a9f7be, | ||
445 | 0xbf32679d, 0xd45b5b75, 0xb353fd00, 0xcbb0e358, 0x830f220a, 0x1f8fb214, 0xd372cf08, 0xcc3c4a13, | ||
446 | 0x8cf63166, 0x061c87be, 0x88c98f88, 0x6062e397, 0x47cf8e7a, 0xb6c85283, 0x3cc2acfb, 0x3fc06976, | ||
447 | 0x4e8f0252, 0x64d8314d, 0xda3870e3, 0x1e665459, 0xc10908f0, 0x513021a5, 0x6c5b68b7, 0x822f8aa0, | ||
448 | 0x3007cd3e, 0x74719eef, 0xdc872681, 0x073340d4, 0x7e432fd9, 0x0c5ec241, 0x8809286c, 0xf592d891, | ||
449 | 0x08a930f6, 0x957ef305, 0xb7fbffbd, 0xc266e96f, 0x6fe4ac98, 0xb173ecc0, 0xbc60b42a, 0x953498da, | ||
450 | 0xfba1ae12, 0x2d4bd736, 0x0f25faab, 0xa4f3fceb, 0xe2969123, 0x257f0c3d, 0x9348af49, 0x361400bc, | ||
451 | 0xe8816f4a, 0x3814f200, 0xa3f94043, 0x9c7a54c2, 0xbc704f57, 0xda41e7f9, 0xc25ad33a, 0x54f4a084, | ||
452 | 0xb17f5505, 0x59357cbe, 0xedbd15c8, 0x7f97c5ab, 0xba5ac7b5, 0xb6f6deaf, 0x3a479c3a, 0x5302da25, | ||
453 | 0x653d7e6a, 0x54268d49, 0x51a477ea, 0x5017d55b, 0xd7d25d88, 0x44136c76, 0x0404a8c8, 0xb8e5a121, | ||
454 | 0xb81a928a, 0x60ed5869, 0x97c55b96, 0xeaec991b, 0x29935913, 0x01fdb7f1, 0x088e8dfa, 0x9ab6f6f5, | ||
455 | 0x3b4cbf9f, 0x4a5de3ab, 0xe6051d35, 0xa0e1d855, 0xd36b4cf1, 0xf544edeb, 0xb0e93524, 0xbebb8fbd, | ||
456 | 0xa2d762cf, 0x49c92f54, 0x38b5f331, 0x7128a454, 0x48392905, 0xa65b1db8, 0x851c97bd, 0xd675cf2f, | ||
457 | }, | ||
458 | { | ||
459 | 0x85e04019, 0x332bf567, 0x662dbfff, 0xcfc65693, 0x2a8d7f6f, 0xab9bc912, 0xde6008a1, 0x2028da1f, | ||
460 | 0x0227bce7, 0x4d642916, 0x18fac300, 0x50f18b82, 0x2cb2cb11, 0xb232e75c, 0x4b3695f2, 0xb28707de, | ||
461 | 0xa05fbcf6, 0xcd4181e9, 0xe150210c, 0xe24ef1bd, 0xb168c381, 0xfde4e789, 0x5c79b0d8, 0x1e8bfd43, | ||
462 | 0x4d495001, 0x38be4341, 0x913cee1d, 0x92a79c3f, 0x089766be, 0xbaeeadf4, 0x1286becf, 0xb6eacb19, | ||
463 | 0x2660c200, 0x7565bde4, 0x64241f7a, 0x8248dca9, 0xc3b3ad66, 0x28136086, 0x0bd8dfa8, 0x356d1cf2, | ||
464 | 0x107789be, 0xb3b2e9ce, 0x0502aa8f, 0x0bc0351e, 0x166bf52a, 0xeb12ff82, 0xe3486911, 0xd34d7516, | ||
465 | 0x4e7b3aff, 0x5f43671b, 0x9cf6e037, 0x4981ac83, 0x334266ce, 0x8c9341b7, 0xd0d854c0, 0xcb3a6c88, | ||
466 | 0x47bc2829, 0x4725ba37, 0xa66ad22b, 0x7ad61f1e, 0x0c5cbafa, 0x4437f107, 0xb6e79962, 0x42d2d816, | ||
467 | 0x0a961288, 0xe1a5c06e, 0x13749e67, 0x72fc081a, 0xb1d139f7, 0xf9583745, 0xcf19df58, 0xbec3f756, | ||
468 | 0xc06eba30, 0x07211b24, 0x45c28829, 0xc95e317f, 0xbc8ec511, 0x38bc46e9, 0xc6e6fa14, 0xbae8584a, | ||
469 | 0xad4ebc46, 0x468f508b, 0x7829435f, 0xf124183b, 0x821dba9f, 0xaff60ff4, 0xea2c4e6d, 0x16e39264, | ||
470 | 0x92544a8b, 0x009b4fc3, 0xaba68ced, 0x9ac96f78, 0x06a5b79a, 0xb2856e6e, 0x1aec3ca9, 0xbe838688, | ||
471 | 0x0e0804e9, 0x55f1be56, 0xe7e5363b, 0xb3a1f25d, 0xf7debb85, 0x61fe033c, 0x16746233, 0x3c034c28, | ||
472 | 0xda6d0c74, 0x79aac56c, 0x3ce4e1ad, 0x51f0c802, 0x98f8f35a, 0x1626a49f, 0xeed82b29, 0x1d382fe3, | ||
473 | 0x0c4fb99a, 0xbb325778, 0x3ec6d97b, 0x6e77a6a9, 0xcb658b5c, 0xd45230c7, 0x2bd1408b, 0x60c03eb7, | ||
474 | 0xb9068d78, 0xa33754f4, 0xf430c87d, 0xc8a71302, 0xb96d8c32, 0xebd4e7be, 0xbe8b9d2d, 0x7979fb06, | ||
475 | 0xe7225308, 0x8b75cf77, 0x11ef8da4, 0xe083c858, 0x8d6b786f, 0x5a6317a6, 0xfa5cf7a0, 0x5dda0033, | ||
476 | 0xf28ebfb0, 0xf5b9c310, 0xa0eac280, 0x08b9767a, 0xa3d9d2b0, 0x79d34217, 0x021a718d, 0x9ac6336a, | ||
477 | 0x2711fd60, 0x438050e3, 0x069908a8, 0x3d7fedc4, 0x826d2bef, 0x4eeb8476, 0x488dcf25, 0x36c9d566, | ||
478 | 0x28e74e41, 0xc2610aca, 0x3d49a9cf, 0xbae3b9df, 0xb65f8de6, 0x92aeaf64, 0x3ac7d5e6, 0x9ea80509, | ||
479 | 0xf22b017d, 0xa4173f70, 0xdd1e16c3, 0x15e0d7f9, 0x50b1b887, 0x2b9f4fd5, 0x625aba82, 0x6a017962, | ||
480 | 0x2ec01b9c, 0x15488aa9, 0xd716e740, 0x40055a2c, 0x93d29a22, 0xe32dbf9a, 0x058745b9, 0x3453dc1e, | ||
481 | 0xd699296e, 0x496cff6f, 0x1c9f4986, 0xdfe2ed07, 0xb87242d1, 0x19de7eae, 0x053e561a, 0x15ad6f8c, | ||
482 | 0x66626c1c, 0x7154c24c, 0xea082b2a, 0x93eb2939, 0x17dcb0f0, 0x58d4f2ae, 0x9ea294fb, 0x52cf564c, | ||
483 | 0x9883fe66, 0x2ec40581, 0x763953c3, 0x01d6692e, 0xd3a0c108, 0xa1e7160e, 0xe4f2dfa6, 0x693ed285, | ||
484 | 0x74904698, 0x4c2b0edd, 0x4f757656, 0x5d393378, 0xa132234f, 0x3d321c5d, 0xc3f5e194, 0x4b269301, | ||
485 | 0xc79f022f, 0x3c997e7e, 0x5e4f9504, 0x3ffafbbd, 0x76f7ad0e, 0x296693f4, 0x3d1fce6f, 0xc61e45be, | ||
486 | 0xd3b5ab34, 0xf72bf9b7, 0x1b0434c0, 0x4e72b567, 0x5592a33d, 0xb5229301, 0xcfd2a87f, 0x60aeb767, | ||
487 | 0x1814386b, 0x30bcc33d, 0x38a0c07d, 0xfd1606f2, 0xc363519b, 0x589dd390, 0x5479f8e6, 0x1cb8d647, | ||
488 | 0x97fd61a9, 0xea7759f4, 0x2d57539d, 0x569a58cf, 0xe84e63ad, 0x462e1b78, 0x6580f87e, 0xf3817914, | ||
489 | 0x91da55f4, 0x40a230f3, 0xd1988f35, 0xb6e318d2, 0x3ffa50bc, 0x3d40f021, 0xc3c0bdae, 0x4958c24c, | ||
490 | 0x518f36b2, 0x84b1d370, 0x0fedce83, 0x878ddada, 0xf2a279c7, 0x94e01be8, 0x90716f4b, 0x954b8aa3, | ||
491 | }, | ||
492 | { | ||
493 | 0xe216300d, 0xbbddfffc, 0xa7ebdabd, 0x35648095, 0x7789f8b7, 0xe6c1121b, 0x0e241600, 0x052ce8b5, | ||
494 | 0x11a9cfb0, 0xe5952f11, 0xece7990a, 0x9386d174, 0x2a42931c, 0x76e38111, 0xb12def3a, 0x37ddddfc, | ||
495 | 0xde9adeb1, 0x0a0cc32c, 0xbe197029, 0x84a00940, 0xbb243a0f, 0xb4d137cf, 0xb44e79f0, 0x049eedfd, | ||
496 | 0x0b15a15d, 0x480d3168, 0x8bbbde5a, 0x669ded42, 0xc7ece831, 0x3f8f95e7, 0x72df191b, 0x7580330d, | ||
497 | 0x94074251, 0x5c7dcdfa, 0xabbe6d63, 0xaa402164, 0xb301d40a, 0x02e7d1ca, 0x53571dae, 0x7a3182a2, | ||
498 | 0x12a8ddec, 0xfdaa335d, 0x176f43e8, 0x71fb46d4, 0x38129022, 0xce949ad4, 0xb84769ad, 0x965bd862, | ||
499 | 0x82f3d055, 0x66fb9767, 0x15b80b4e, 0x1d5b47a0, 0x4cfde06f, 0xc28ec4b8, 0x57e8726e, 0x647a78fc, | ||
500 | 0x99865d44, 0x608bd593, 0x6c200e03, 0x39dc5ff6, 0x5d0b00a3, 0xae63aff2, 0x7e8bd632, 0x70108c0c, | ||
501 | 0xbbd35049, 0x2998df04, 0x980cf42a, 0x9b6df491, 0x9e7edd53, 0x06918548, 0x58cb7e07, 0x3b74ef2e, | ||
502 | 0x522fffb1, 0xd24708cc, 0x1c7e27cd, 0xa4eb215b, 0x3cf1d2e2, 0x19b47a38, 0x424f7618, 0x35856039, | ||
503 | 0x9d17dee7, 0x27eb35e6, 0xc9aff67b, 0x36baf5b8, 0x09c467cd, 0xc18910b1, 0xe11dbf7b, 0x06cd1af8, | ||
504 | 0x7170c608, 0x2d5e3354, 0xd4de495a, 0x64c6d006, 0xbcc0c62c, 0x3dd00db3, 0x708f8f34, 0x77d51b42, | ||
505 | 0x264f620f, 0x24b8d2bf, 0x15c1b79e, 0x46a52564, 0xf8d7e54e, 0x3e378160, 0x7895cda5, 0x859c15a5, | ||
506 | 0xe6459788, 0xc37bc75f, 0xdb07ba0c, 0x0676a3ab, 0x7f229b1e, 0x31842e7b, 0x24259fd7, 0xf8bef472, | ||
507 | 0x835ffcb8, 0x6df4c1f2, 0x96f5b195, 0xfd0af0fc, 0xb0fe134c, 0xe2506d3d, 0x4f9b12ea, 0xf215f225, | ||
508 | 0xa223736f, 0x9fb4c428, 0x25d04979, 0x34c713f8, 0xc4618187, 0xea7a6e98, 0x7cd16efc, 0x1436876c, | ||
509 | 0xf1544107, 0xbedeee14, 0x56e9af27, 0xa04aa441, 0x3cf7c899, 0x92ecbae6, 0xdd67016d, 0x151682eb, | ||
510 | 0xa842eedf, 0xfdba60b4, 0xf1907b75, 0x20e3030f, 0x24d8c29e, 0xe139673b, 0xefa63fb8, 0x71873054, | ||
511 | 0xb6f2cf3b, 0x9f326442, 0xcb15a4cc, 0xb01a4504, 0xf1e47d8d, 0x844a1be5, 0xbae7dfdc, 0x42cbda70, | ||
512 | 0xcd7dae0a, 0x57e85b7a, 0xd53f5af6, 0x20cf4d8c, 0xcea4d428, 0x79d130a4, 0x3486ebfb, 0x33d3cddc, | ||
513 | 0x77853b53, 0x37effcb5, 0xc5068778, 0xe580b3e6, 0x4e68b8f4, 0xc5c8b37e, 0x0d809ea2, 0x398feb7c, | ||
514 | 0x132a4f94, 0x43b7950e, 0x2fee7d1c, 0x223613bd, 0xdd06caa2, 0x37df932b, 0xc4248289, 0xacf3ebc3, | ||
515 | 0x5715f6b7, 0xef3478dd, 0xf267616f, 0xc148cbe4, 0x9052815e, 0x5e410fab, 0xb48a2465, 0x2eda7fa4, | ||
516 | 0xe87b40e4, 0xe98ea084, 0x5889e9e1, 0xefd390fc, 0xdd07d35b, 0xdb485694, 0x38d7e5b2, 0x57720101, | ||
517 | 0x730edebc, 0x5b643113, 0x94917e4f, 0x503c2fba, 0x646f1282, 0x7523d24a, 0xe0779695, 0xf9c17a8f, | ||
518 | 0x7a5b2121, 0xd187b896, 0x29263a4d, 0xba510cdf, 0x81f47c9f, 0xad1163ed, 0xea7b5965, 0x1a00726e, | ||
519 | 0x11403092, 0x00da6d77, 0x4a0cdd61, 0xad1f4603, 0x605bdfb0, 0x9eedc364, 0x22ebe6a8, 0xcee7d28a, | ||
520 | 0xa0e736a0, 0x5564a6b9, 0x10853209, 0xc7eb8f37, 0x2de705ca, 0x8951570f, 0xdf09822b, 0xbd691a6c, | ||
521 | 0xaa12e4f2, 0x87451c0f, 0xe0f6a27a, 0x3ada4819, 0x4cf1764f, 0x0d771c2b, 0x67cdb156, 0x350d8384, | ||
522 | 0x5938fa0f, 0x42399ef3, 0x36997b07, 0x0e84093d, 0x4aa93e61, 0x8360d87b, 0x1fa98b0c, 0x1149382c, | ||
523 | 0xe97625a5, 0x0614d1b7, 0x0e25244b, 0x0c768347, 0x589e8d82, 0x0d2059d1, 0xa466bb1e, 0xf8da0a82, | ||
524 | 0x04f19130, 0xba6e4ec0, 0x99265164, 0x1ee7230d, 0x50b2ad80, 0xeaee6801, 0x8db2a283, 0xea8bf59e, | ||
525 | }, | ||
526 | } | ||
diff --git a/vendor/golang.org/x/crypto/openpgp/armor/armor.go b/vendor/golang.org/x/crypto/openpgp/armor/armor.go new file mode 100644 index 0000000..592d186 --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/armor/armor.go | |||
@@ -0,0 +1,219 @@ | |||
1 | // Copyright 2010 The Go Authors. All rights reserved. | ||
2 | // Use of this source code is governed by a BSD-style | ||
3 | // license that can be found in the LICENSE file. | ||
4 | |||
5 | // Package armor implements OpenPGP ASCII Armor, see RFC 4880. OpenPGP Armor is | ||
6 | // very similar to PEM except that it has an additional CRC checksum. | ||
7 | package armor // import "golang.org/x/crypto/openpgp/armor" | ||
8 | |||
9 | import ( | ||
10 | "bufio" | ||
11 | "bytes" | ||
12 | "encoding/base64" | ||
13 | "golang.org/x/crypto/openpgp/errors" | ||
14 | "io" | ||
15 | ) | ||
16 | |||
17 | // A Block represents an OpenPGP armored structure. | ||
18 | // | ||
19 | // The encoded form is: | ||
20 | // -----BEGIN Type----- | ||
21 | // Headers | ||
22 | // | ||
23 | // base64-encoded Bytes | ||
24 | // '=' base64 encoded checksum | ||
25 | // -----END Type----- | ||
26 | // where Headers is a possibly empty sequence of Key: Value lines. | ||
27 | // | ||
28 | // Since the armored data can be very large, this package presents a streaming | ||
29 | // interface. | ||
30 | type Block struct { | ||
31 | Type string // The type, taken from the preamble (i.e. "PGP SIGNATURE"). | ||
32 | Header map[string]string // Optional headers. | ||
33 | Body io.Reader // A Reader from which the contents can be read | ||
34 | lReader lineReader | ||
35 | oReader openpgpReader | ||
36 | } | ||
37 | |||
38 | var ArmorCorrupt error = errors.StructuralError("armor invalid") | ||
39 | |||
40 | const crc24Init = 0xb704ce | ||
41 | const crc24Poly = 0x1864cfb | ||
42 | const crc24Mask = 0xffffff | ||
43 | |||
44 | // crc24 calculates the OpenPGP checksum as specified in RFC 4880, section 6.1 | ||
45 | func crc24(crc uint32, d []byte) uint32 { | ||
46 | for _, b := range d { | ||
47 | crc ^= uint32(b) << 16 | ||
48 | for i := 0; i < 8; i++ { | ||
49 | crc <<= 1 | ||
50 | if crc&0x1000000 != 0 { | ||
51 | crc ^= crc24Poly | ||
52 | } | ||
53 | } | ||
54 | } | ||
55 | return crc | ||
56 | } | ||
57 | |||
58 | var armorStart = []byte("-----BEGIN ") | ||
59 | var armorEnd = []byte("-----END ") | ||
60 | var armorEndOfLine = []byte("-----") | ||
61 | |||
62 | // lineReader wraps a line based reader. It watches for the end of an armor | ||
63 | // block and records the expected CRC value. | ||
64 | type lineReader struct { | ||
65 | in *bufio.Reader | ||
66 | buf []byte | ||
67 | eof bool | ||
68 | crc uint32 | ||
69 | } | ||
70 | |||
71 | func (l *lineReader) Read(p []byte) (n int, err error) { | ||
72 | if l.eof { | ||
73 | return 0, io.EOF | ||
74 | } | ||
75 | |||
76 | if len(l.buf) > 0 { | ||
77 | n = copy(p, l.buf) | ||
78 | l.buf = l.buf[n:] | ||
79 | return | ||
80 | } | ||
81 | |||
82 | line, isPrefix, err := l.in.ReadLine() | ||
83 | if err != nil { | ||
84 | return | ||
85 | } | ||
86 | if isPrefix { | ||
87 | return 0, ArmorCorrupt | ||
88 | } | ||
89 | |||
90 | if len(line) == 5 && line[0] == '=' { | ||
91 | // This is the checksum line | ||
92 | var expectedBytes [3]byte | ||
93 | var m int | ||
94 | m, err = base64.StdEncoding.Decode(expectedBytes[0:], line[1:]) | ||
95 | if m != 3 || err != nil { | ||
96 | return | ||
97 | } | ||
98 | l.crc = uint32(expectedBytes[0])<<16 | | ||
99 | uint32(expectedBytes[1])<<8 | | ||
100 | uint32(expectedBytes[2]) | ||
101 | |||
102 | line, _, err = l.in.ReadLine() | ||
103 | if err != nil && err != io.EOF { | ||
104 | return | ||
105 | } | ||
106 | if !bytes.HasPrefix(line, armorEnd) { | ||
107 | return 0, ArmorCorrupt | ||
108 | } | ||
109 | |||
110 | l.eof = true | ||
111 | return 0, io.EOF | ||
112 | } | ||
113 | |||
114 | if len(line) > 96 { | ||
115 | return 0, ArmorCorrupt | ||
116 | } | ||
117 | |||
118 | n = copy(p, line) | ||
119 | bytesToSave := len(line) - n | ||
120 | if bytesToSave > 0 { | ||
121 | if cap(l.buf) < bytesToSave { | ||
122 | l.buf = make([]byte, 0, bytesToSave) | ||
123 | } | ||
124 | l.buf = l.buf[0:bytesToSave] | ||
125 | copy(l.buf, line[n:]) | ||
126 | } | ||
127 | |||
128 | return | ||
129 | } | ||
130 | |||
131 | // openpgpReader passes Read calls to the underlying base64 decoder, but keeps | ||
132 | // a running CRC of the resulting data and checks the CRC against the value | ||
133 | // found by the lineReader at EOF. | ||
134 | type openpgpReader struct { | ||
135 | lReader *lineReader | ||
136 | b64Reader io.Reader | ||
137 | currentCRC uint32 | ||
138 | } | ||
139 | |||
140 | func (r *openpgpReader) Read(p []byte) (n int, err error) { | ||
141 | n, err = r.b64Reader.Read(p) | ||
142 | r.currentCRC = crc24(r.currentCRC, p[:n]) | ||
143 | |||
144 | if err == io.EOF { | ||
145 | if r.lReader.crc != uint32(r.currentCRC&crc24Mask) { | ||
146 | return 0, ArmorCorrupt | ||
147 | } | ||
148 | } | ||
149 | |||
150 | return | ||
151 | } | ||
152 | |||
153 | // Decode reads a PGP armored block from the given Reader. It will ignore | ||
154 | // leading garbage. If it doesn't find a block, it will return nil, io.EOF. The | ||
155 | // given Reader is not usable after calling this function: an arbitrary amount | ||
156 | // of data may have been read past the end of the block. | ||
157 | func Decode(in io.Reader) (p *Block, err error) { | ||
158 | r := bufio.NewReaderSize(in, 100) | ||
159 | var line []byte | ||
160 | ignoreNext := false | ||
161 | |||
162 | TryNextBlock: | ||
163 | p = nil | ||
164 | |||
165 | // Skip leading garbage | ||
166 | for { | ||
167 | ignoreThis := ignoreNext | ||
168 | line, ignoreNext, err = r.ReadLine() | ||
169 | if err != nil { | ||
170 | return | ||
171 | } | ||
172 | if ignoreNext || ignoreThis { | ||
173 | continue | ||
174 | } | ||
175 | line = bytes.TrimSpace(line) | ||
176 | if len(line) > len(armorStart)+len(armorEndOfLine) && bytes.HasPrefix(line, armorStart) { | ||
177 | break | ||
178 | } | ||
179 | } | ||
180 | |||
181 | p = new(Block) | ||
182 | p.Type = string(line[len(armorStart) : len(line)-len(armorEndOfLine)]) | ||
183 | p.Header = make(map[string]string) | ||
184 | nextIsContinuation := false | ||
185 | var lastKey string | ||
186 | |||
187 | // Read headers | ||
188 | for { | ||
189 | isContinuation := nextIsContinuation | ||
190 | line, nextIsContinuation, err = r.ReadLine() | ||
191 | if err != nil { | ||
192 | p = nil | ||
193 | return | ||
194 | } | ||
195 | if isContinuation { | ||
196 | p.Header[lastKey] += string(line) | ||
197 | continue | ||
198 | } | ||
199 | line = bytes.TrimSpace(line) | ||
200 | if len(line) == 0 { | ||
201 | break | ||
202 | } | ||
203 | |||
204 | i := bytes.Index(line, []byte(": ")) | ||
205 | if i == -1 { | ||
206 | goto TryNextBlock | ||
207 | } | ||
208 | lastKey = string(line[:i]) | ||
209 | p.Header[lastKey] = string(line[i+2:]) | ||
210 | } | ||
211 | |||
212 | p.lReader.in = r | ||
213 | p.oReader.currentCRC = crc24Init | ||
214 | p.oReader.lReader = &p.lReader | ||
215 | p.oReader.b64Reader = base64.NewDecoder(base64.StdEncoding, &p.lReader) | ||
216 | p.Body = &p.oReader | ||
217 | |||
218 | return | ||
219 | } | ||
diff --git a/vendor/golang.org/x/crypto/openpgp/armor/encode.go b/vendor/golang.org/x/crypto/openpgp/armor/encode.go new file mode 100644 index 0000000..6f07582 --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/armor/encode.go | |||
@@ -0,0 +1,160 @@ | |||
1 | // Copyright 2010 The Go Authors. All rights reserved. | ||
2 | // Use of this source code is governed by a BSD-style | ||
3 | // license that can be found in the LICENSE file. | ||
4 | |||
5 | package armor | ||
6 | |||
7 | import ( | ||
8 | "encoding/base64" | ||
9 | "io" | ||
10 | ) | ||
11 | |||
12 | var armorHeaderSep = []byte(": ") | ||
13 | var blockEnd = []byte("\n=") | ||
14 | var newline = []byte("\n") | ||
15 | var armorEndOfLineOut = []byte("-----\n") | ||
16 | |||
17 | // writeSlices writes its arguments to the given Writer. | ||
18 | func writeSlices(out io.Writer, slices ...[]byte) (err error) { | ||
19 | for _, s := range slices { | ||
20 | _, err = out.Write(s) | ||
21 | if err != nil { | ||
22 | return err | ||
23 | } | ||
24 | } | ||
25 | return | ||
26 | } | ||
27 | |||
28 | // lineBreaker breaks data across several lines, all of the same byte length | ||
29 | // (except possibly the last). Lines are broken with a single '\n'. | ||
30 | type lineBreaker struct { | ||
31 | lineLength int | ||
32 | line []byte | ||
33 | used int | ||
34 | out io.Writer | ||
35 | haveWritten bool | ||
36 | } | ||
37 | |||
38 | func newLineBreaker(out io.Writer, lineLength int) *lineBreaker { | ||
39 | return &lineBreaker{ | ||
40 | lineLength: lineLength, | ||
41 | line: make([]byte, lineLength), | ||
42 | used: 0, | ||
43 | out: out, | ||
44 | } | ||
45 | } | ||
46 | |||
47 | func (l *lineBreaker) Write(b []byte) (n int, err error) { | ||
48 | n = len(b) | ||
49 | |||
50 | if n == 0 { | ||
51 | return | ||
52 | } | ||
53 | |||
54 | if l.used == 0 && l.haveWritten { | ||
55 | _, err = l.out.Write([]byte{'\n'}) | ||
56 | if err != nil { | ||
57 | return | ||
58 | } | ||
59 | } | ||
60 | |||
61 | if l.used+len(b) < l.lineLength { | ||
62 | l.used += copy(l.line[l.used:], b) | ||
63 | return | ||
64 | } | ||
65 | |||
66 | l.haveWritten = true | ||
67 | _, err = l.out.Write(l.line[0:l.used]) | ||
68 | if err != nil { | ||
69 | return | ||
70 | } | ||
71 | excess := l.lineLength - l.used | ||
72 | l.used = 0 | ||
73 | |||
74 | _, err = l.out.Write(b[0:excess]) | ||
75 | if err != nil { | ||
76 | return | ||
77 | } | ||
78 | |||
79 | _, err = l.Write(b[excess:]) | ||
80 | return | ||
81 | } | ||
82 | |||
83 | func (l *lineBreaker) Close() (err error) { | ||
84 | if l.used > 0 { | ||
85 | _, err = l.out.Write(l.line[0:l.used]) | ||
86 | if err != nil { | ||
87 | return | ||
88 | } | ||
89 | } | ||
90 | |||
91 | return | ||
92 | } | ||
93 | |||
94 | // encoding keeps track of a running CRC24 over the data which has been written | ||
95 | // to it and outputs a OpenPGP checksum when closed, followed by an armor | ||
96 | // trailer. | ||
97 | // | ||
98 | // It's built into a stack of io.Writers: | ||
99 | // encoding -> base64 encoder -> lineBreaker -> out | ||
100 | type encoding struct { | ||
101 | out io.Writer | ||
102 | breaker *lineBreaker | ||
103 | b64 io.WriteCloser | ||
104 | crc uint32 | ||
105 | blockType []byte | ||
106 | } | ||
107 | |||
108 | func (e *encoding) Write(data []byte) (n int, err error) { | ||
109 | e.crc = crc24(e.crc, data) | ||
110 | return e.b64.Write(data) | ||
111 | } | ||
112 | |||
113 | func (e *encoding) Close() (err error) { | ||
114 | err = e.b64.Close() | ||
115 | if err != nil { | ||
116 | return | ||
117 | } | ||
118 | e.breaker.Close() | ||
119 | |||
120 | var checksumBytes [3]byte | ||
121 | checksumBytes[0] = byte(e.crc >> 16) | ||
122 | checksumBytes[1] = byte(e.crc >> 8) | ||
123 | checksumBytes[2] = byte(e.crc) | ||
124 | |||
125 | var b64ChecksumBytes [4]byte | ||
126 | base64.StdEncoding.Encode(b64ChecksumBytes[:], checksumBytes[:]) | ||
127 | |||
128 | return writeSlices(e.out, blockEnd, b64ChecksumBytes[:], newline, armorEnd, e.blockType, armorEndOfLine) | ||
129 | } | ||
130 | |||
131 | // Encode returns a WriteCloser which will encode the data written to it in | ||
132 | // OpenPGP armor. | ||
133 | func Encode(out io.Writer, blockType string, headers map[string]string) (w io.WriteCloser, err error) { | ||
134 | bType := []byte(blockType) | ||
135 | err = writeSlices(out, armorStart, bType, armorEndOfLineOut) | ||
136 | if err != nil { | ||
137 | return | ||
138 | } | ||
139 | |||
140 | for k, v := range headers { | ||
141 | err = writeSlices(out, []byte(k), armorHeaderSep, []byte(v), newline) | ||
142 | if err != nil { | ||
143 | return | ||
144 | } | ||
145 | } | ||
146 | |||
147 | _, err = out.Write(newline) | ||
148 | if err != nil { | ||
149 | return | ||
150 | } | ||
151 | |||
152 | e := &encoding{ | ||
153 | out: out, | ||
154 | breaker: newLineBreaker(out, 64), | ||
155 | crc: crc24Init, | ||
156 | blockType: bType, | ||
157 | } | ||
158 | e.b64 = base64.NewEncoder(base64.StdEncoding, e.breaker) | ||
159 | return e, nil | ||
160 | } | ||
diff --git a/vendor/golang.org/x/crypto/openpgp/canonical_text.go b/vendor/golang.org/x/crypto/openpgp/canonical_text.go new file mode 100644 index 0000000..e601e38 --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/canonical_text.go | |||
@@ -0,0 +1,59 @@ | |||
1 | // Copyright 2011 The Go Authors. All rights reserved. | ||
2 | // Use of this source code is governed by a BSD-style | ||
3 | // license that can be found in the LICENSE file. | ||
4 | |||
5 | package openpgp | ||
6 | |||
7 | import "hash" | ||
8 | |||
9 | // NewCanonicalTextHash reformats text written to it into the canonical | ||
10 | // form and then applies the hash h. See RFC 4880, section 5.2.1. | ||
11 | func NewCanonicalTextHash(h hash.Hash) hash.Hash { | ||
12 | return &canonicalTextHash{h, 0} | ||
13 | } | ||
14 | |||
15 | type canonicalTextHash struct { | ||
16 | h hash.Hash | ||
17 | s int | ||
18 | } | ||
19 | |||
20 | var newline = []byte{'\r', '\n'} | ||
21 | |||
22 | func (cth *canonicalTextHash) Write(buf []byte) (int, error) { | ||
23 | start := 0 | ||
24 | |||
25 | for i, c := range buf { | ||
26 | switch cth.s { | ||
27 | case 0: | ||
28 | if c == '\r' { | ||
29 | cth.s = 1 | ||
30 | } else if c == '\n' { | ||
31 | cth.h.Write(buf[start:i]) | ||
32 | cth.h.Write(newline) | ||
33 | start = i + 1 | ||
34 | } | ||
35 | case 1: | ||
36 | cth.s = 0 | ||
37 | } | ||
38 | } | ||
39 | |||
40 | cth.h.Write(buf[start:]) | ||
41 | return len(buf), nil | ||
42 | } | ||
43 | |||
44 | func (cth *canonicalTextHash) Sum(in []byte) []byte { | ||
45 | return cth.h.Sum(in) | ||
46 | } | ||
47 | |||
48 | func (cth *canonicalTextHash) Reset() { | ||
49 | cth.h.Reset() | ||
50 | cth.s = 0 | ||
51 | } | ||
52 | |||
53 | func (cth *canonicalTextHash) Size() int { | ||
54 | return cth.h.Size() | ||
55 | } | ||
56 | |||
57 | func (cth *canonicalTextHash) BlockSize() int { | ||
58 | return cth.h.BlockSize() | ||
59 | } | ||
diff --git a/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal.go b/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal.go new file mode 100644 index 0000000..73f4fe3 --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal.go | |||
@@ -0,0 +1,122 @@ | |||
1 | // Copyright 2011 The Go Authors. All rights reserved. | ||
2 | // Use of this source code is governed by a BSD-style | ||
3 | // license that can be found in the LICENSE file. | ||
4 | |||
5 | // Package elgamal implements ElGamal encryption, suitable for OpenPGP, | ||
6 | // as specified in "A Public-Key Cryptosystem and a Signature Scheme Based on | ||
7 | // Discrete Logarithms," IEEE Transactions on Information Theory, v. IT-31, | ||
8 | // n. 4, 1985, pp. 469-472. | ||
9 | // | ||
10 | // This form of ElGamal embeds PKCS#1 v1.5 padding, which may make it | ||
11 | // unsuitable for other protocols. RSA should be used in preference in any | ||
12 | // case. | ||
13 | package elgamal // import "golang.org/x/crypto/openpgp/elgamal" | ||
14 | |||
15 | import ( | ||
16 | "crypto/rand" | ||
17 | "crypto/subtle" | ||
18 | "errors" | ||
19 | "io" | ||
20 | "math/big" | ||
21 | ) | ||
22 | |||
23 | // PublicKey represents an ElGamal public key. | ||
24 | type PublicKey struct { | ||
25 | G, P, Y *big.Int | ||
26 | } | ||
27 | |||
28 | // PrivateKey represents an ElGamal private key. | ||
29 | type PrivateKey struct { | ||
30 | PublicKey | ||
31 | X *big.Int | ||
32 | } | ||
33 | |||
34 | // Encrypt encrypts the given message to the given public key. The result is a | ||
35 | // pair of integers. Errors can result from reading random, or because msg is | ||
36 | // too large to be encrypted to the public key. | ||
37 | func Encrypt(random io.Reader, pub *PublicKey, msg []byte) (c1, c2 *big.Int, err error) { | ||
38 | pLen := (pub.P.BitLen() + 7) / 8 | ||
39 | if len(msg) > pLen-11 { | ||
40 | err = errors.New("elgamal: message too long") | ||
41 | return | ||
42 | } | ||
43 | |||
44 | // EM = 0x02 || PS || 0x00 || M | ||
45 | em := make([]byte, pLen-1) | ||
46 | em[0] = 2 | ||
47 | ps, mm := em[1:len(em)-len(msg)-1], em[len(em)-len(msg):] | ||
48 | err = nonZeroRandomBytes(ps, random) | ||
49 | if err != nil { | ||
50 | return | ||
51 | } | ||
52 | em[len(em)-len(msg)-1] = 0 | ||
53 | copy(mm, msg) | ||
54 | |||
55 | m := new(big.Int).SetBytes(em) | ||
56 | |||
57 | k, err := rand.Int(random, pub.P) | ||
58 | if err != nil { | ||
59 | return | ||
60 | } | ||
61 | |||
62 | c1 = new(big.Int).Exp(pub.G, k, pub.P) | ||
63 | s := new(big.Int).Exp(pub.Y, k, pub.P) | ||
64 | c2 = s.Mul(s, m) | ||
65 | c2.Mod(c2, pub.P) | ||
66 | |||
67 | return | ||
68 | } | ||
69 | |||
70 | // Decrypt takes two integers, resulting from an ElGamal encryption, and | ||
71 | // returns the plaintext of the message. An error can result only if the | ||
72 | // ciphertext is invalid. Users should keep in mind that this is a padding | ||
73 | // oracle and thus, if exposed to an adaptive chosen ciphertext attack, can | ||
74 | // be used to break the cryptosystem. See ``Chosen Ciphertext Attacks | ||
75 | // Against Protocols Based on the RSA Encryption Standard PKCS #1'', Daniel | ||
76 | // Bleichenbacher, Advances in Cryptology (Crypto '98), | ||
77 | func Decrypt(priv *PrivateKey, c1, c2 *big.Int) (msg []byte, err error) { | ||
78 | s := new(big.Int).Exp(c1, priv.X, priv.P) | ||
79 | s.ModInverse(s, priv.P) | ||
80 | s.Mul(s, c2) | ||
81 | s.Mod(s, priv.P) | ||
82 | em := s.Bytes() | ||
83 | |||
84 | firstByteIsTwo := subtle.ConstantTimeByteEq(em[0], 2) | ||
85 | |||
86 | // The remainder of the plaintext must be a string of non-zero random | ||
87 | // octets, followed by a 0, followed by the message. | ||
88 | // lookingForIndex: 1 iff we are still looking for the zero. | ||
89 | // index: the offset of the first zero byte. | ||
90 | var lookingForIndex, index int | ||
91 | lookingForIndex = 1 | ||
92 | |||
93 | for i := 1; i < len(em); i++ { | ||
94 | equals0 := subtle.ConstantTimeByteEq(em[i], 0) | ||
95 | index = subtle.ConstantTimeSelect(lookingForIndex&equals0, i, index) | ||
96 | lookingForIndex = subtle.ConstantTimeSelect(equals0, 0, lookingForIndex) | ||
97 | } | ||
98 | |||
99 | if firstByteIsTwo != 1 || lookingForIndex != 0 || index < 9 { | ||
100 | return nil, errors.New("elgamal: decryption error") | ||
101 | } | ||
102 | return em[index+1:], nil | ||
103 | } | ||
104 | |||
105 | // nonZeroRandomBytes fills the given slice with non-zero random octets. | ||
106 | func nonZeroRandomBytes(s []byte, rand io.Reader) (err error) { | ||
107 | _, err = io.ReadFull(rand, s) | ||
108 | if err != nil { | ||
109 | return | ||
110 | } | ||
111 | |||
112 | for i := 0; i < len(s); i++ { | ||
113 | for s[i] == 0 { | ||
114 | _, err = io.ReadFull(rand, s[i:i+1]) | ||
115 | if err != nil { | ||
116 | return | ||
117 | } | ||
118 | } | ||
119 | } | ||
120 | |||
121 | return | ||
122 | } | ||
diff --git a/vendor/golang.org/x/crypto/openpgp/errors/errors.go b/vendor/golang.org/x/crypto/openpgp/errors/errors.go new file mode 100644 index 0000000..eb0550b --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/errors/errors.go | |||
@@ -0,0 +1,72 @@ | |||
1 | // Copyright 2010 The Go Authors. All rights reserved. | ||
2 | // Use of this source code is governed by a BSD-style | ||
3 | // license that can be found in the LICENSE file. | ||
4 | |||
5 | // Package errors contains common error types for the OpenPGP packages. | ||
6 | package errors // import "golang.org/x/crypto/openpgp/errors" | ||
7 | |||
8 | import ( | ||
9 | "strconv" | ||
10 | ) | ||
11 | |||
12 | // A StructuralError is returned when OpenPGP data is found to be syntactically | ||
13 | // invalid. | ||
14 | type StructuralError string | ||
15 | |||
16 | func (s StructuralError) Error() string { | ||
17 | return "openpgp: invalid data: " + string(s) | ||
18 | } | ||
19 | |||
20 | // UnsupportedError indicates that, although the OpenPGP data is valid, it | ||
21 | // makes use of currently unimplemented features. | ||
22 | type UnsupportedError string | ||
23 | |||
24 | func (s UnsupportedError) Error() string { | ||
25 | return "openpgp: unsupported feature: " + string(s) | ||
26 | } | ||
27 | |||
28 | // InvalidArgumentError indicates that the caller is in error and passed an | ||
29 | // incorrect value. | ||
30 | type InvalidArgumentError string | ||
31 | |||
32 | func (i InvalidArgumentError) Error() string { | ||
33 | return "openpgp: invalid argument: " + string(i) | ||
34 | } | ||
35 | |||
36 | // SignatureError indicates that a syntactically valid signature failed to | ||
37 | // validate. | ||
38 | type SignatureError string | ||
39 | |||
40 | func (b SignatureError) Error() string { | ||
41 | return "openpgp: invalid signature: " + string(b) | ||
42 | } | ||
43 | |||
44 | type keyIncorrectError int | ||
45 | |||
46 | func (ki keyIncorrectError) Error() string { | ||
47 | return "openpgp: incorrect key" | ||
48 | } | ||
49 | |||
50 | var ErrKeyIncorrect error = keyIncorrectError(0) | ||
51 | |||
52 | type unknownIssuerError int | ||
53 | |||
54 | func (unknownIssuerError) Error() string { | ||
55 | return "openpgp: signature made by unknown entity" | ||
56 | } | ||
57 | |||
58 | var ErrUnknownIssuer error = unknownIssuerError(0) | ||
59 | |||
60 | type keyRevokedError int | ||
61 | |||
62 | func (keyRevokedError) Error() string { | ||
63 | return "openpgp: signature made by revoked key" | ||
64 | } | ||
65 | |||
66 | var ErrKeyRevoked error = keyRevokedError(0) | ||
67 | |||
68 | type UnknownPacketTypeError uint8 | ||
69 | |||
70 | func (upte UnknownPacketTypeError) Error() string { | ||
71 | return "openpgp: unknown packet type: " + strconv.Itoa(int(upte)) | ||
72 | } | ||
diff --git a/vendor/golang.org/x/crypto/openpgp/keys.go b/vendor/golang.org/x/crypto/openpgp/keys.go new file mode 100644 index 0000000..68b14c6 --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/keys.go | |||
@@ -0,0 +1,637 @@ | |||
1 | // Copyright 2011 The Go Authors. All rights reserved. | ||
2 | // Use of this source code is governed by a BSD-style | ||
3 | // license that can be found in the LICENSE file. | ||
4 | |||
5 | package openpgp | ||
6 | |||
7 | import ( | ||
8 | "crypto/rsa" | ||
9 | "io" | ||
10 | "time" | ||
11 | |||
12 | "golang.org/x/crypto/openpgp/armor" | ||
13 | "golang.org/x/crypto/openpgp/errors" | ||
14 | "golang.org/x/crypto/openpgp/packet" | ||
15 | ) | ||
16 | |||
17 | // PublicKeyType is the armor type for a PGP public key. | ||
18 | var PublicKeyType = "PGP PUBLIC KEY BLOCK" | ||
19 | |||
20 | // PrivateKeyType is the armor type for a PGP private key. | ||
21 | var PrivateKeyType = "PGP PRIVATE KEY BLOCK" | ||
22 | |||
23 | // An Entity represents the components of an OpenPGP key: a primary public key | ||
24 | // (which must be a signing key), one or more identities claimed by that key, | ||
25 | // and zero or more subkeys, which may be encryption keys. | ||
26 | type Entity struct { | ||
27 | PrimaryKey *packet.PublicKey | ||
28 | PrivateKey *packet.PrivateKey | ||
29 | Identities map[string]*Identity // indexed by Identity.Name | ||
30 | Revocations []*packet.Signature | ||
31 | Subkeys []Subkey | ||
32 | } | ||
33 | |||
34 | // An Identity represents an identity claimed by an Entity and zero or more | ||
35 | // assertions by other entities about that claim. | ||
36 | type Identity struct { | ||
37 | Name string // by convention, has the form "Full Name (comment) <email@example.com>" | ||
38 | UserId *packet.UserId | ||
39 | SelfSignature *packet.Signature | ||
40 | Signatures []*packet.Signature | ||
41 | } | ||
42 | |||
43 | // A Subkey is an additional public key in an Entity. Subkeys can be used for | ||
44 | // encryption. | ||
45 | type Subkey struct { | ||
46 | PublicKey *packet.PublicKey | ||
47 | PrivateKey *packet.PrivateKey | ||
48 | Sig *packet.Signature | ||
49 | } | ||
50 | |||
51 | // A Key identifies a specific public key in an Entity. This is either the | ||
52 | // Entity's primary key or a subkey. | ||
53 | type Key struct { | ||
54 | Entity *Entity | ||
55 | PublicKey *packet.PublicKey | ||
56 | PrivateKey *packet.PrivateKey | ||
57 | SelfSignature *packet.Signature | ||
58 | } | ||
59 | |||
60 | // A KeyRing provides access to public and private keys. | ||
61 | type KeyRing interface { | ||
62 | // KeysById returns the set of keys that have the given key id. | ||
63 | KeysById(id uint64) []Key | ||
64 | // KeysByIdAndUsage returns the set of keys with the given id | ||
65 | // that also meet the key usage given by requiredUsage. | ||
66 | // The requiredUsage is expressed as the bitwise-OR of | ||
67 | // packet.KeyFlag* values. | ||
68 | KeysByIdUsage(id uint64, requiredUsage byte) []Key | ||
69 | // DecryptionKeys returns all private keys that are valid for | ||
70 | // decryption. | ||
71 | DecryptionKeys() []Key | ||
72 | } | ||
73 | |||
74 | // primaryIdentity returns the Identity marked as primary or the first identity | ||
75 | // if none are so marked. | ||
76 | func (e *Entity) primaryIdentity() *Identity { | ||
77 | var firstIdentity *Identity | ||
78 | for _, ident := range e.Identities { | ||
79 | if firstIdentity == nil { | ||
80 | firstIdentity = ident | ||
81 | } | ||
82 | if ident.SelfSignature.IsPrimaryId != nil && *ident.SelfSignature.IsPrimaryId { | ||
83 | return ident | ||
84 | } | ||
85 | } | ||
86 | return firstIdentity | ||
87 | } | ||
88 | |||
89 | // encryptionKey returns the best candidate Key for encrypting a message to the | ||
90 | // given Entity. | ||
91 | func (e *Entity) encryptionKey(now time.Time) (Key, bool) { | ||
92 | candidateSubkey := -1 | ||
93 | |||
94 | // Iterate the keys to find the newest key | ||
95 | var maxTime time.Time | ||
96 | for i, subkey := range e.Subkeys { | ||
97 | if subkey.Sig.FlagsValid && | ||
98 | subkey.Sig.FlagEncryptCommunications && | ||
99 | subkey.PublicKey.PubKeyAlgo.CanEncrypt() && | ||
100 | !subkey.Sig.KeyExpired(now) && | ||
101 | (maxTime.IsZero() || subkey.Sig.CreationTime.After(maxTime)) { | ||
102 | candidateSubkey = i | ||
103 | maxTime = subkey.Sig.CreationTime | ||
104 | } | ||
105 | } | ||
106 | |||
107 | if candidateSubkey != -1 { | ||
108 | subkey := e.Subkeys[candidateSubkey] | ||
109 | return Key{e, subkey.PublicKey, subkey.PrivateKey, subkey.Sig}, true | ||
110 | } | ||
111 | |||
112 | // If we don't have any candidate subkeys for encryption and | ||
113 | // the primary key doesn't have any usage metadata then we | ||
114 | // assume that the primary key is ok. Or, if the primary key is | ||
115 | // marked as ok to encrypt to, then we can obviously use it. | ||
116 | i := e.primaryIdentity() | ||
117 | if !i.SelfSignature.FlagsValid || i.SelfSignature.FlagEncryptCommunications && | ||
118 | e.PrimaryKey.PubKeyAlgo.CanEncrypt() && | ||
119 | !i.SelfSignature.KeyExpired(now) { | ||
120 | return Key{e, e.PrimaryKey, e.PrivateKey, i.SelfSignature}, true | ||
121 | } | ||
122 | |||
123 | // This Entity appears to be signing only. | ||
124 | return Key{}, false | ||
125 | } | ||
126 | |||
127 | // signingKey return the best candidate Key for signing a message with this | ||
128 | // Entity. | ||
129 | func (e *Entity) signingKey(now time.Time) (Key, bool) { | ||
130 | candidateSubkey := -1 | ||
131 | |||
132 | for i, subkey := range e.Subkeys { | ||
133 | if subkey.Sig.FlagsValid && | ||
134 | subkey.Sig.FlagSign && | ||
135 | subkey.PublicKey.PubKeyAlgo.CanSign() && | ||
136 | !subkey.Sig.KeyExpired(now) { | ||
137 | candidateSubkey = i | ||
138 | break | ||
139 | } | ||
140 | } | ||
141 | |||
142 | if candidateSubkey != -1 { | ||
143 | subkey := e.Subkeys[candidateSubkey] | ||
144 | return Key{e, subkey.PublicKey, subkey.PrivateKey, subkey.Sig}, true | ||
145 | } | ||
146 | |||
147 | // If we have no candidate subkey then we assume that it's ok to sign | ||
148 | // with the primary key. | ||
149 | i := e.primaryIdentity() | ||
150 | if !i.SelfSignature.FlagsValid || i.SelfSignature.FlagSign && | ||
151 | !i.SelfSignature.KeyExpired(now) { | ||
152 | return Key{e, e.PrimaryKey, e.PrivateKey, i.SelfSignature}, true | ||
153 | } | ||
154 | |||
155 | return Key{}, false | ||
156 | } | ||
157 | |||
158 | // An EntityList contains one or more Entities. | ||
159 | type EntityList []*Entity | ||
160 | |||
161 | // KeysById returns the set of keys that have the given key id. | ||
162 | func (el EntityList) KeysById(id uint64) (keys []Key) { | ||
163 | for _, e := range el { | ||
164 | if e.PrimaryKey.KeyId == id { | ||
165 | var selfSig *packet.Signature | ||
166 | for _, ident := range e.Identities { | ||
167 | if selfSig == nil { | ||
168 | selfSig = ident.SelfSignature | ||
169 | } else if ident.SelfSignature.IsPrimaryId != nil && *ident.SelfSignature.IsPrimaryId { | ||
170 | selfSig = ident.SelfSignature | ||
171 | break | ||
172 | } | ||
173 | } | ||
174 | keys = append(keys, Key{e, e.PrimaryKey, e.PrivateKey, selfSig}) | ||
175 | } | ||
176 | |||
177 | for _, subKey := range e.Subkeys { | ||
178 | if subKey.PublicKey.KeyId == id { | ||
179 | keys = append(keys, Key{e, subKey.PublicKey, subKey.PrivateKey, subKey.Sig}) | ||
180 | } | ||
181 | } | ||
182 | } | ||
183 | return | ||
184 | } | ||
185 | |||
186 | // KeysByIdAndUsage returns the set of keys with the given id that also meet | ||
187 | // the key usage given by requiredUsage. The requiredUsage is expressed as | ||
188 | // the bitwise-OR of packet.KeyFlag* values. | ||
189 | func (el EntityList) KeysByIdUsage(id uint64, requiredUsage byte) (keys []Key) { | ||
190 | for _, key := range el.KeysById(id) { | ||
191 | if len(key.Entity.Revocations) > 0 { | ||
192 | continue | ||
193 | } | ||
194 | |||
195 | if key.SelfSignature.RevocationReason != nil { | ||
196 | continue | ||
197 | } | ||
198 | |||
199 | if key.SelfSignature.FlagsValid && requiredUsage != 0 { | ||
200 | var usage byte | ||
201 | if key.SelfSignature.FlagCertify { | ||
202 | usage |= packet.KeyFlagCertify | ||
203 | } | ||
204 | if key.SelfSignature.FlagSign { | ||
205 | usage |= packet.KeyFlagSign | ||
206 | } | ||
207 | if key.SelfSignature.FlagEncryptCommunications { | ||
208 | usage |= packet.KeyFlagEncryptCommunications | ||
209 | } | ||
210 | if key.SelfSignature.FlagEncryptStorage { | ||
211 | usage |= packet.KeyFlagEncryptStorage | ||
212 | } | ||
213 | if usage&requiredUsage != requiredUsage { | ||
214 | continue | ||
215 | } | ||
216 | } | ||
217 | |||
218 | keys = append(keys, key) | ||
219 | } | ||
220 | return | ||
221 | } | ||
222 | |||
223 | // DecryptionKeys returns all private keys that are valid for decryption. | ||
224 | func (el EntityList) DecryptionKeys() (keys []Key) { | ||
225 | for _, e := range el { | ||
226 | for _, subKey := range e.Subkeys { | ||
227 | if subKey.PrivateKey != nil && (!subKey.Sig.FlagsValid || subKey.Sig.FlagEncryptStorage || subKey.Sig.FlagEncryptCommunications) { | ||
228 | keys = append(keys, Key{e, subKey.PublicKey, subKey.PrivateKey, subKey.Sig}) | ||
229 | } | ||
230 | } | ||
231 | } | ||
232 | return | ||
233 | } | ||
234 | |||
235 | // ReadArmoredKeyRing reads one or more public/private keys from an armor keyring file. | ||
236 | func ReadArmoredKeyRing(r io.Reader) (EntityList, error) { | ||
237 | block, err := armor.Decode(r) | ||
238 | if err == io.EOF { | ||
239 | return nil, errors.InvalidArgumentError("no armored data found") | ||
240 | } | ||
241 | if err != nil { | ||
242 | return nil, err | ||
243 | } | ||
244 | if block.Type != PublicKeyType && block.Type != PrivateKeyType { | ||
245 | return nil, errors.InvalidArgumentError("expected public or private key block, got: " + block.Type) | ||
246 | } | ||
247 | |||
248 | return ReadKeyRing(block.Body) | ||
249 | } | ||
250 | |||
251 | // ReadKeyRing reads one or more public/private keys. Unsupported keys are | ||
252 | // ignored as long as at least a single valid key is found. | ||
253 | func ReadKeyRing(r io.Reader) (el EntityList, err error) { | ||
254 | packets := packet.NewReader(r) | ||
255 | var lastUnsupportedError error | ||
256 | |||
257 | for { | ||
258 | var e *Entity | ||
259 | e, err = ReadEntity(packets) | ||
260 | if err != nil { | ||
261 | // TODO: warn about skipped unsupported/unreadable keys | ||
262 | if _, ok := err.(errors.UnsupportedError); ok { | ||
263 | lastUnsupportedError = err | ||
264 | err = readToNextPublicKey(packets) | ||
265 | } else if _, ok := err.(errors.StructuralError); ok { | ||
266 | // Skip unreadable, badly-formatted keys | ||
267 | lastUnsupportedError = err | ||
268 | err = readToNextPublicKey(packets) | ||
269 | } | ||
270 | if err == io.EOF { | ||
271 | err = nil | ||
272 | break | ||
273 | } | ||
274 | if err != nil { | ||
275 | el = nil | ||
276 | break | ||
277 | } | ||
278 | } else { | ||
279 | el = append(el, e) | ||
280 | } | ||
281 | } | ||
282 | |||
283 | if len(el) == 0 && err == nil { | ||
284 | err = lastUnsupportedError | ||
285 | } | ||
286 | return | ||
287 | } | ||
288 | |||
289 | // readToNextPublicKey reads packets until the start of the entity and leaves | ||
290 | // the first packet of the new entity in the Reader. | ||
291 | func readToNextPublicKey(packets *packet.Reader) (err error) { | ||
292 | var p packet.Packet | ||
293 | for { | ||
294 | p, err = packets.Next() | ||
295 | if err == io.EOF { | ||
296 | return | ||
297 | } else if err != nil { | ||
298 | if _, ok := err.(errors.UnsupportedError); ok { | ||
299 | err = nil | ||
300 | continue | ||
301 | } | ||
302 | return | ||
303 | } | ||
304 | |||
305 | if pk, ok := p.(*packet.PublicKey); ok && !pk.IsSubkey { | ||
306 | packets.Unread(p) | ||
307 | return | ||
308 | } | ||
309 | } | ||
310 | } | ||
311 | |||
312 | // ReadEntity reads an entity (public key, identities, subkeys etc) from the | ||
313 | // given Reader. | ||
314 | func ReadEntity(packets *packet.Reader) (*Entity, error) { | ||
315 | e := new(Entity) | ||
316 | e.Identities = make(map[string]*Identity) | ||
317 | |||
318 | p, err := packets.Next() | ||
319 | if err != nil { | ||
320 | return nil, err | ||
321 | } | ||
322 | |||
323 | var ok bool | ||
324 | if e.PrimaryKey, ok = p.(*packet.PublicKey); !ok { | ||
325 | if e.PrivateKey, ok = p.(*packet.PrivateKey); !ok { | ||
326 | packets.Unread(p) | ||
327 | return nil, errors.StructuralError("first packet was not a public/private key") | ||
328 | } else { | ||
329 | e.PrimaryKey = &e.PrivateKey.PublicKey | ||
330 | } | ||
331 | } | ||
332 | |||
333 | if !e.PrimaryKey.PubKeyAlgo.CanSign() { | ||
334 | return nil, errors.StructuralError("primary key cannot be used for signatures") | ||
335 | } | ||
336 | |||
337 | var current *Identity | ||
338 | var revocations []*packet.Signature | ||
339 | EachPacket: | ||
340 | for { | ||
341 | p, err := packets.Next() | ||
342 | if err == io.EOF { | ||
343 | break | ||
344 | } else if err != nil { | ||
345 | return nil, err | ||
346 | } | ||
347 | |||
348 | switch pkt := p.(type) { | ||
349 | case *packet.UserId: | ||
350 | current = new(Identity) | ||
351 | current.Name = pkt.Id | ||
352 | current.UserId = pkt | ||
353 | e.Identities[pkt.Id] = current | ||
354 | |||
355 | for { | ||
356 | p, err = packets.Next() | ||
357 | if err == io.EOF { | ||
358 | return nil, io.ErrUnexpectedEOF | ||
359 | } else if err != nil { | ||
360 | return nil, err | ||
361 | } | ||
362 | |||
363 | sig, ok := p.(*packet.Signature) | ||
364 | if !ok { | ||
365 | return nil, errors.StructuralError("user ID packet not followed by self-signature") | ||
366 | } | ||
367 | |||
368 | if (sig.SigType == packet.SigTypePositiveCert || sig.SigType == packet.SigTypeGenericCert) && sig.IssuerKeyId != nil && *sig.IssuerKeyId == e.PrimaryKey.KeyId { | ||
369 | if err = e.PrimaryKey.VerifyUserIdSignature(pkt.Id, e.PrimaryKey, sig); err != nil { | ||
370 | return nil, errors.StructuralError("user ID self-signature invalid: " + err.Error()) | ||
371 | } | ||
372 | current.SelfSignature = sig | ||
373 | break | ||
374 | } | ||
375 | current.Signatures = append(current.Signatures, sig) | ||
376 | } | ||
377 | case *packet.Signature: | ||
378 | if pkt.SigType == packet.SigTypeKeyRevocation { | ||
379 | revocations = append(revocations, pkt) | ||
380 | } else if pkt.SigType == packet.SigTypeDirectSignature { | ||
381 | // TODO: RFC4880 5.2.1 permits signatures | ||
382 | // directly on keys (eg. to bind additional | ||
383 | // revocation keys). | ||
384 | } else if current == nil { | ||
385 | return nil, errors.StructuralError("signature packet found before user id packet") | ||
386 | } else { | ||
387 | current.Signatures = append(current.Signatures, pkt) | ||
388 | } | ||
389 | case *packet.PrivateKey: | ||
390 | if pkt.IsSubkey == false { | ||
391 | packets.Unread(p) | ||
392 | break EachPacket | ||
393 | } | ||
394 | err = addSubkey(e, packets, &pkt.PublicKey, pkt) | ||
395 | if err != nil { | ||
396 | return nil, err | ||
397 | } | ||
398 | case *packet.PublicKey: | ||
399 | if pkt.IsSubkey == false { | ||
400 | packets.Unread(p) | ||
401 | break EachPacket | ||
402 | } | ||
403 | err = addSubkey(e, packets, pkt, nil) | ||
404 | if err != nil { | ||
405 | return nil, err | ||
406 | } | ||
407 | default: | ||
408 | // we ignore unknown packets | ||
409 | } | ||
410 | } | ||
411 | |||
412 | if len(e.Identities) == 0 { | ||
413 | return nil, errors.StructuralError("entity without any identities") | ||
414 | } | ||
415 | |||
416 | for _, revocation := range revocations { | ||
417 | err = e.PrimaryKey.VerifyRevocationSignature(revocation) | ||
418 | if err == nil { | ||
419 | e.Revocations = append(e.Revocations, revocation) | ||
420 | } else { | ||
421 | // TODO: RFC 4880 5.2.3.15 defines revocation keys. | ||
422 | return nil, errors.StructuralError("revocation signature signed by alternate key") | ||
423 | } | ||
424 | } | ||
425 | |||
426 | return e, nil | ||
427 | } | ||
428 | |||
429 | func addSubkey(e *Entity, packets *packet.Reader, pub *packet.PublicKey, priv *packet.PrivateKey) error { | ||
430 | var subKey Subkey | ||
431 | subKey.PublicKey = pub | ||
432 | subKey.PrivateKey = priv | ||
433 | p, err := packets.Next() | ||
434 | if err == io.EOF { | ||
435 | return io.ErrUnexpectedEOF | ||
436 | } | ||
437 | if err != nil { | ||
438 | return errors.StructuralError("subkey signature invalid: " + err.Error()) | ||
439 | } | ||
440 | var ok bool | ||
441 | subKey.Sig, ok = p.(*packet.Signature) | ||
442 | if !ok { | ||
443 | return errors.StructuralError("subkey packet not followed by signature") | ||
444 | } | ||
445 | if subKey.Sig.SigType != packet.SigTypeSubkeyBinding && subKey.Sig.SigType != packet.SigTypeSubkeyRevocation { | ||
446 | return errors.StructuralError("subkey signature with wrong type") | ||
447 | } | ||
448 | err = e.PrimaryKey.VerifyKeySignature(subKey.PublicKey, subKey.Sig) | ||
449 | if err != nil { | ||
450 | return errors.StructuralError("subkey signature invalid: " + err.Error()) | ||
451 | } | ||
452 | e.Subkeys = append(e.Subkeys, subKey) | ||
453 | return nil | ||
454 | } | ||
455 | |||
456 | const defaultRSAKeyBits = 2048 | ||
457 | |||
458 | // NewEntity returns an Entity that contains a fresh RSA/RSA keypair with a | ||
459 | // single identity composed of the given full name, comment and email, any of | ||
460 | // which may be empty but must not contain any of "()<>\x00". | ||
461 | // If config is nil, sensible defaults will be used. | ||
462 | func NewEntity(name, comment, email string, config *packet.Config) (*Entity, error) { | ||
463 | currentTime := config.Now() | ||
464 | |||
465 | bits := defaultRSAKeyBits | ||
466 | if config != nil && config.RSABits != 0 { | ||
467 | bits = config.RSABits | ||
468 | } | ||
469 | |||
470 | uid := packet.NewUserId(name, comment, email) | ||
471 | if uid == nil { | ||
472 | return nil, errors.InvalidArgumentError("user id field contained invalid characters") | ||
473 | } | ||
474 | signingPriv, err := rsa.GenerateKey(config.Random(), bits) | ||
475 | if err != nil { | ||
476 | return nil, err | ||
477 | } | ||
478 | encryptingPriv, err := rsa.GenerateKey(config.Random(), bits) | ||
479 | if err != nil { | ||
480 | return nil, err | ||
481 | } | ||
482 | |||
483 | e := &Entity{ | ||
484 | PrimaryKey: packet.NewRSAPublicKey(currentTime, &signingPriv.PublicKey), | ||
485 | PrivateKey: packet.NewRSAPrivateKey(currentTime, signingPriv), | ||
486 | Identities: make(map[string]*Identity), | ||
487 | } | ||
488 | isPrimaryId := true | ||
489 | e.Identities[uid.Id] = &Identity{ | ||
490 | Name: uid.Name, | ||
491 | UserId: uid, | ||
492 | SelfSignature: &packet.Signature{ | ||
493 | CreationTime: currentTime, | ||
494 | SigType: packet.SigTypePositiveCert, | ||
495 | PubKeyAlgo: packet.PubKeyAlgoRSA, | ||
496 | Hash: config.Hash(), | ||
497 | IsPrimaryId: &isPrimaryId, | ||
498 | FlagsValid: true, | ||
499 | FlagSign: true, | ||
500 | FlagCertify: true, | ||
501 | IssuerKeyId: &e.PrimaryKey.KeyId, | ||
502 | }, | ||
503 | } | ||
504 | |||
505 | // If the user passes in a DefaultHash via packet.Config, | ||
506 | // set the PreferredHash for the SelfSignature. | ||
507 | if config != nil && config.DefaultHash != 0 { | ||
508 | e.Identities[uid.Id].SelfSignature.PreferredHash = []uint8{hashToHashId(config.DefaultHash)} | ||
509 | } | ||
510 | |||
511 | e.Subkeys = make([]Subkey, 1) | ||
512 | e.Subkeys[0] = Subkey{ | ||
513 | PublicKey: packet.NewRSAPublicKey(currentTime, &encryptingPriv.PublicKey), | ||
514 | PrivateKey: packet.NewRSAPrivateKey(currentTime, encryptingPriv), | ||
515 | Sig: &packet.Signature{ | ||
516 | CreationTime: currentTime, | ||
517 | SigType: packet.SigTypeSubkeyBinding, | ||
518 | PubKeyAlgo: packet.PubKeyAlgoRSA, | ||
519 | Hash: config.Hash(), | ||
520 | FlagsValid: true, | ||
521 | FlagEncryptStorage: true, | ||
522 | FlagEncryptCommunications: true, | ||
523 | IssuerKeyId: &e.PrimaryKey.KeyId, | ||
524 | }, | ||
525 | } | ||
526 | e.Subkeys[0].PublicKey.IsSubkey = true | ||
527 | e.Subkeys[0].PrivateKey.IsSubkey = true | ||
528 | |||
529 | return e, nil | ||
530 | } | ||
531 | |||
532 | // SerializePrivate serializes an Entity, including private key material, to | ||
533 | // the given Writer. For now, it must only be used on an Entity returned from | ||
534 | // NewEntity. | ||
535 | // If config is nil, sensible defaults will be used. | ||
536 | func (e *Entity) SerializePrivate(w io.Writer, config *packet.Config) (err error) { | ||
537 | err = e.PrivateKey.Serialize(w) | ||
538 | if err != nil { | ||
539 | return | ||
540 | } | ||
541 | for _, ident := range e.Identities { | ||
542 | err = ident.UserId.Serialize(w) | ||
543 | if err != nil { | ||
544 | return | ||
545 | } | ||
546 | err = ident.SelfSignature.SignUserId(ident.UserId.Id, e.PrimaryKey, e.PrivateKey, config) | ||
547 | if err != nil { | ||
548 | return | ||
549 | } | ||
550 | err = ident.SelfSignature.Serialize(w) | ||
551 | if err != nil { | ||
552 | return | ||
553 | } | ||
554 | } | ||
555 | for _, subkey := range e.Subkeys { | ||
556 | err = subkey.PrivateKey.Serialize(w) | ||
557 | if err != nil { | ||
558 | return | ||
559 | } | ||
560 | err = subkey.Sig.SignKey(subkey.PublicKey, e.PrivateKey, config) | ||
561 | if err != nil { | ||
562 | return | ||
563 | } | ||
564 | err = subkey.Sig.Serialize(w) | ||
565 | if err != nil { | ||
566 | return | ||
567 | } | ||
568 | } | ||
569 | return nil | ||
570 | } | ||
571 | |||
572 | // Serialize writes the public part of the given Entity to w. (No private | ||
573 | // key material will be output). | ||
574 | func (e *Entity) Serialize(w io.Writer) error { | ||
575 | err := e.PrimaryKey.Serialize(w) | ||
576 | if err != nil { | ||
577 | return err | ||
578 | } | ||
579 | for _, ident := range e.Identities { | ||
580 | err = ident.UserId.Serialize(w) | ||
581 | if err != nil { | ||
582 | return err | ||
583 | } | ||
584 | err = ident.SelfSignature.Serialize(w) | ||
585 | if err != nil { | ||
586 | return err | ||
587 | } | ||
588 | for _, sig := range ident.Signatures { | ||
589 | err = sig.Serialize(w) | ||
590 | if err != nil { | ||
591 | return err | ||
592 | } | ||
593 | } | ||
594 | } | ||
595 | for _, subkey := range e.Subkeys { | ||
596 | err = subkey.PublicKey.Serialize(w) | ||
597 | if err != nil { | ||
598 | return err | ||
599 | } | ||
600 | err = subkey.Sig.Serialize(w) | ||
601 | if err != nil { | ||
602 | return err | ||
603 | } | ||
604 | } | ||
605 | return nil | ||
606 | } | ||
607 | |||
608 | // SignIdentity adds a signature to e, from signer, attesting that identity is | ||
609 | // associated with e. The provided identity must already be an element of | ||
610 | // e.Identities and the private key of signer must have been decrypted if | ||
611 | // necessary. | ||
612 | // If config is nil, sensible defaults will be used. | ||
613 | func (e *Entity) SignIdentity(identity string, signer *Entity, config *packet.Config) error { | ||
614 | if signer.PrivateKey == nil { | ||
615 | return errors.InvalidArgumentError("signing Entity must have a private key") | ||
616 | } | ||
617 | if signer.PrivateKey.Encrypted { | ||
618 | return errors.InvalidArgumentError("signing Entity's private key must be decrypted") | ||
619 | } | ||
620 | ident, ok := e.Identities[identity] | ||
621 | if !ok { | ||
622 | return errors.InvalidArgumentError("given identity string not found in Entity") | ||
623 | } | ||
624 | |||
625 | sig := &packet.Signature{ | ||
626 | SigType: packet.SigTypeGenericCert, | ||
627 | PubKeyAlgo: signer.PrivateKey.PubKeyAlgo, | ||
628 | Hash: config.Hash(), | ||
629 | CreationTime: config.Now(), | ||
630 | IssuerKeyId: &signer.PrivateKey.KeyId, | ||
631 | } | ||
632 | if err := sig.SignUserId(identity, e.PrimaryKey, signer.PrivateKey, config); err != nil { | ||
633 | return err | ||
634 | } | ||
635 | ident.Signatures = append(ident.Signatures, sig) | ||
636 | return nil | ||
637 | } | ||
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/compressed.go b/vendor/golang.org/x/crypto/openpgp/packet/compressed.go new file mode 100644 index 0000000..e8f0b5c --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/packet/compressed.go | |||
@@ -0,0 +1,123 @@ | |||
1 | // Copyright 2011 The Go Authors. All rights reserved. | ||
2 | // Use of this source code is governed by a BSD-style | ||
3 | // license that can be found in the LICENSE file. | ||
4 | |||
5 | package packet | ||
6 | |||
7 | import ( | ||
8 | "compress/bzip2" | ||
9 | "compress/flate" | ||
10 | "compress/zlib" | ||
11 | "golang.org/x/crypto/openpgp/errors" | ||
12 | "io" | ||
13 | "strconv" | ||
14 | ) | ||
15 | |||
16 | // Compressed represents a compressed OpenPGP packet. The decompressed contents | ||
17 | // will contain more OpenPGP packets. See RFC 4880, section 5.6. | ||
18 | type Compressed struct { | ||
19 | Body io.Reader | ||
20 | } | ||
21 | |||
22 | const ( | ||
23 | NoCompression = flate.NoCompression | ||
24 | BestSpeed = flate.BestSpeed | ||
25 | BestCompression = flate.BestCompression | ||
26 | DefaultCompression = flate.DefaultCompression | ||
27 | ) | ||
28 | |||
29 | // CompressionConfig contains compressor configuration settings. | ||
30 | type CompressionConfig struct { | ||
31 | // Level is the compression level to use. It must be set to | ||
32 | // between -1 and 9, with -1 causing the compressor to use the | ||
33 | // default compression level, 0 causing the compressor to use | ||
34 | // no compression and 1 to 9 representing increasing (better, | ||
35 | // slower) compression levels. If Level is less than -1 or | ||
36 | // more then 9, a non-nil error will be returned during | ||
37 | // encryption. See the constants above for convenient common | ||
38 | // settings for Level. | ||
39 | Level int | ||
40 | } | ||
41 | |||
42 | func (c *Compressed) parse(r io.Reader) error { | ||
43 | var buf [1]byte | ||
44 | _, err := readFull(r, buf[:]) | ||
45 | if err != nil { | ||
46 | return err | ||
47 | } | ||
48 | |||
49 | switch buf[0] { | ||
50 | case 1: | ||
51 | c.Body = flate.NewReader(r) | ||
52 | case 2: | ||
53 | c.Body, err = zlib.NewReader(r) | ||
54 | case 3: | ||
55 | c.Body = bzip2.NewReader(r) | ||
56 | default: | ||
57 | err = errors.UnsupportedError("unknown compression algorithm: " + strconv.Itoa(int(buf[0]))) | ||
58 | } | ||
59 | |||
60 | return err | ||
61 | } | ||
62 | |||
63 | // compressedWriterCloser represents the serialized compression stream | ||
64 | // header and the compressor. Its Close() method ensures that both the | ||
65 | // compressor and serialized stream header are closed. Its Write() | ||
66 | // method writes to the compressor. | ||
67 | type compressedWriteCloser struct { | ||
68 | sh io.Closer // Stream Header | ||
69 | c io.WriteCloser // Compressor | ||
70 | } | ||
71 | |||
72 | func (cwc compressedWriteCloser) Write(p []byte) (int, error) { | ||
73 | return cwc.c.Write(p) | ||
74 | } | ||
75 | |||
76 | func (cwc compressedWriteCloser) Close() (err error) { | ||
77 | err = cwc.c.Close() | ||
78 | if err != nil { | ||
79 | return err | ||
80 | } | ||
81 | |||
82 | return cwc.sh.Close() | ||
83 | } | ||
84 | |||
85 | // SerializeCompressed serializes a compressed data packet to w and | ||
86 | // returns a WriteCloser to which the literal data packets themselves | ||
87 | // can be written and which MUST be closed on completion. If cc is | ||
88 | // nil, sensible defaults will be used to configure the compression | ||
89 | // algorithm. | ||
90 | func SerializeCompressed(w io.WriteCloser, algo CompressionAlgo, cc *CompressionConfig) (literaldata io.WriteCloser, err error) { | ||
91 | compressed, err := serializeStreamHeader(w, packetTypeCompressed) | ||
92 | if err != nil { | ||
93 | return | ||
94 | } | ||
95 | |||
96 | _, err = compressed.Write([]byte{uint8(algo)}) | ||
97 | if err != nil { | ||
98 | return | ||
99 | } | ||
100 | |||
101 | level := DefaultCompression | ||
102 | if cc != nil { | ||
103 | level = cc.Level | ||
104 | } | ||
105 | |||
106 | var compressor io.WriteCloser | ||
107 | switch algo { | ||
108 | case CompressionZIP: | ||
109 | compressor, err = flate.NewWriter(compressed, level) | ||
110 | case CompressionZLIB: | ||
111 | compressor, err = zlib.NewWriterLevel(compressed, level) | ||
112 | default: | ||
113 | s := strconv.Itoa(int(algo)) | ||
114 | err = errors.UnsupportedError("Unsupported compression algorithm: " + s) | ||
115 | } | ||
116 | if err != nil { | ||
117 | return | ||
118 | } | ||
119 | |||
120 | literaldata = compressedWriteCloser{compressed, compressor} | ||
121 | |||
122 | return | ||
123 | } | ||
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/config.go b/vendor/golang.org/x/crypto/openpgp/packet/config.go new file mode 100644 index 0000000..c76eecc --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/packet/config.go | |||
@@ -0,0 +1,91 @@ | |||
1 | // Copyright 2012 The Go Authors. All rights reserved. | ||
2 | // Use of this source code is governed by a BSD-style | ||
3 | // license that can be found in the LICENSE file. | ||
4 | |||
5 | package packet | ||
6 | |||
7 | import ( | ||
8 | "crypto" | ||
9 | "crypto/rand" | ||
10 | "io" | ||
11 | "time" | ||
12 | ) | ||
13 | |||
14 | // Config collects a number of parameters along with sensible defaults. | ||
15 | // A nil *Config is valid and results in all default values. | ||
16 | type Config struct { | ||
17 | // Rand provides the source of entropy. | ||
18 | // If nil, the crypto/rand Reader is used. | ||
19 | Rand io.Reader | ||
20 | // DefaultHash is the default hash function to be used. | ||
21 | // If zero, SHA-256 is used. | ||
22 | DefaultHash crypto.Hash | ||
23 | // DefaultCipher is the cipher to be used. | ||
24 | // If zero, AES-128 is used. | ||
25 | DefaultCipher CipherFunction | ||
26 | // Time returns the current time as the number of seconds since the | ||
27 | // epoch. If Time is nil, time.Now is used. | ||
28 | Time func() time.Time | ||
29 | // DefaultCompressionAlgo is the compression algorithm to be | ||
30 | // applied to the plaintext before encryption. If zero, no | ||
31 | // compression is done. | ||
32 | DefaultCompressionAlgo CompressionAlgo | ||
33 | // CompressionConfig configures the compression settings. | ||
34 | CompressionConfig *CompressionConfig | ||
35 | // S2KCount is only used for symmetric encryption. It | ||
36 | // determines the strength of the passphrase stretching when | ||
37 | // the said passphrase is hashed to produce a key. S2KCount | ||
38 | // should be between 1024 and 65011712, inclusive. If Config | ||
39 | // is nil or S2KCount is 0, the value 65536 used. Not all | ||
40 | // values in the above range can be represented. S2KCount will | ||
41 | // be rounded up to the next representable value if it cannot | ||
42 | // be encoded exactly. When set, it is strongly encrouraged to | ||
43 | // use a value that is at least 65536. See RFC 4880 Section | ||
44 | // 3.7.1.3. | ||
45 | S2KCount int | ||
46 | // RSABits is the number of bits in new RSA keys made with NewEntity. | ||
47 | // If zero, then 2048 bit keys are created. | ||
48 | RSABits int | ||
49 | } | ||
50 | |||
51 | func (c *Config) Random() io.Reader { | ||
52 | if c == nil || c.Rand == nil { | ||
53 | return rand.Reader | ||
54 | } | ||
55 | return c.Rand | ||
56 | } | ||
57 | |||
58 | func (c *Config) Hash() crypto.Hash { | ||
59 | if c == nil || uint(c.DefaultHash) == 0 { | ||
60 | return crypto.SHA256 | ||
61 | } | ||
62 | return c.DefaultHash | ||
63 | } | ||
64 | |||
65 | func (c *Config) Cipher() CipherFunction { | ||
66 | if c == nil || uint8(c.DefaultCipher) == 0 { | ||
67 | return CipherAES128 | ||
68 | } | ||
69 | return c.DefaultCipher | ||
70 | } | ||
71 | |||
72 | func (c *Config) Now() time.Time { | ||
73 | if c == nil || c.Time == nil { | ||
74 | return time.Now() | ||
75 | } | ||
76 | return c.Time() | ||
77 | } | ||
78 | |||
79 | func (c *Config) Compression() CompressionAlgo { | ||
80 | if c == nil { | ||
81 | return CompressionNone | ||
82 | } | ||
83 | return c.DefaultCompressionAlgo | ||
84 | } | ||
85 | |||
86 | func (c *Config) PasswordHashIterations() int { | ||
87 | if c == nil || c.S2KCount == 0 { | ||
88 | return 0 | ||
89 | } | ||
90 | return c.S2KCount | ||
91 | } | ||
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/encrypted_key.go b/vendor/golang.org/x/crypto/openpgp/packet/encrypted_key.go new file mode 100644 index 0000000..266840d --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/packet/encrypted_key.go | |||
@@ -0,0 +1,199 @@ | |||
1 | // Copyright 2011 The Go Authors. All rights reserved. | ||
2 | // Use of this source code is governed by a BSD-style | ||
3 | // license that can be found in the LICENSE file. | ||
4 | |||
5 | package packet | ||
6 | |||
7 | import ( | ||
8 | "crypto/rsa" | ||
9 | "encoding/binary" | ||
10 | "io" | ||
11 | "math/big" | ||
12 | "strconv" | ||
13 | |||
14 | "golang.org/x/crypto/openpgp/elgamal" | ||
15 | "golang.org/x/crypto/openpgp/errors" | ||
16 | ) | ||
17 | |||
18 | const encryptedKeyVersion = 3 | ||
19 | |||
20 | // EncryptedKey represents a public-key encrypted session key. See RFC 4880, | ||
21 | // section 5.1. | ||
22 | type EncryptedKey struct { | ||
23 | KeyId uint64 | ||
24 | Algo PublicKeyAlgorithm | ||
25 | CipherFunc CipherFunction // only valid after a successful Decrypt | ||
26 | Key []byte // only valid after a successful Decrypt | ||
27 | |||
28 | encryptedMPI1, encryptedMPI2 parsedMPI | ||
29 | } | ||
30 | |||
31 | func (e *EncryptedKey) parse(r io.Reader) (err error) { | ||
32 | var buf [10]byte | ||
33 | _, err = readFull(r, buf[:]) | ||
34 | if err != nil { | ||
35 | return | ||
36 | } | ||
37 | if buf[0] != encryptedKeyVersion { | ||
38 | return errors.UnsupportedError("unknown EncryptedKey version " + strconv.Itoa(int(buf[0]))) | ||
39 | } | ||
40 | e.KeyId = binary.BigEndian.Uint64(buf[1:9]) | ||
41 | e.Algo = PublicKeyAlgorithm(buf[9]) | ||
42 | switch e.Algo { | ||
43 | case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly: | ||
44 | e.encryptedMPI1.bytes, e.encryptedMPI1.bitLength, err = readMPI(r) | ||
45 | case PubKeyAlgoElGamal: | ||
46 | e.encryptedMPI1.bytes, e.encryptedMPI1.bitLength, err = readMPI(r) | ||
47 | if err != nil { | ||
48 | return | ||
49 | } | ||
50 | e.encryptedMPI2.bytes, e.encryptedMPI2.bitLength, err = readMPI(r) | ||
51 | } | ||
52 | _, err = consumeAll(r) | ||
53 | return | ||
54 | } | ||
55 | |||
56 | func checksumKeyMaterial(key []byte) uint16 { | ||
57 | var checksum uint16 | ||
58 | for _, v := range key { | ||
59 | checksum += uint16(v) | ||
60 | } | ||
61 | return checksum | ||
62 | } | ||
63 | |||
64 | // Decrypt decrypts an encrypted session key with the given private key. The | ||
65 | // private key must have been decrypted first. | ||
66 | // If config is nil, sensible defaults will be used. | ||
67 | func (e *EncryptedKey) Decrypt(priv *PrivateKey, config *Config) error { | ||
68 | var err error | ||
69 | var b []byte | ||
70 | |||
71 | // TODO(agl): use session key decryption routines here to avoid | ||
72 | // padding oracle attacks. | ||
73 | switch priv.PubKeyAlgo { | ||
74 | case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly: | ||
75 | b, err = rsa.DecryptPKCS1v15(config.Random(), priv.PrivateKey.(*rsa.PrivateKey), e.encryptedMPI1.bytes) | ||
76 | case PubKeyAlgoElGamal: | ||
77 | c1 := new(big.Int).SetBytes(e.encryptedMPI1.bytes) | ||
78 | c2 := new(big.Int).SetBytes(e.encryptedMPI2.bytes) | ||
79 | b, err = elgamal.Decrypt(priv.PrivateKey.(*elgamal.PrivateKey), c1, c2) | ||
80 | default: | ||
81 | err = errors.InvalidArgumentError("cannot decrypted encrypted session key with private key of type " + strconv.Itoa(int(priv.PubKeyAlgo))) | ||
82 | } | ||
83 | |||
84 | if err != nil { | ||
85 | return err | ||
86 | } | ||
87 | |||
88 | e.CipherFunc = CipherFunction(b[0]) | ||
89 | e.Key = b[1 : len(b)-2] | ||
90 | expectedChecksum := uint16(b[len(b)-2])<<8 | uint16(b[len(b)-1]) | ||
91 | checksum := checksumKeyMaterial(e.Key) | ||
92 | if checksum != expectedChecksum { | ||
93 | return errors.StructuralError("EncryptedKey checksum incorrect") | ||
94 | } | ||
95 | |||
96 | return nil | ||
97 | } | ||
98 | |||
99 | // Serialize writes the encrypted key packet, e, to w. | ||
100 | func (e *EncryptedKey) Serialize(w io.Writer) error { | ||
101 | var mpiLen int | ||
102 | switch e.Algo { | ||
103 | case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly: | ||
104 | mpiLen = 2 + len(e.encryptedMPI1.bytes) | ||
105 | case PubKeyAlgoElGamal: | ||
106 | mpiLen = 2 + len(e.encryptedMPI1.bytes) + 2 + len(e.encryptedMPI2.bytes) | ||
107 | default: | ||
108 | return errors.InvalidArgumentError("don't know how to serialize encrypted key type " + strconv.Itoa(int(e.Algo))) | ||
109 | } | ||
110 | |||
111 | serializeHeader(w, packetTypeEncryptedKey, 1 /* version */ +8 /* key id */ +1 /* algo */ +mpiLen) | ||
112 | |||
113 | w.Write([]byte{encryptedKeyVersion}) | ||
114 | binary.Write(w, binary.BigEndian, e.KeyId) | ||
115 | w.Write([]byte{byte(e.Algo)}) | ||
116 | |||
117 | switch e.Algo { | ||
118 | case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly: | ||
119 | writeMPIs(w, e.encryptedMPI1) | ||
120 | case PubKeyAlgoElGamal: | ||
121 | writeMPIs(w, e.encryptedMPI1, e.encryptedMPI2) | ||
122 | default: | ||
123 | panic("internal error") | ||
124 | } | ||
125 | |||
126 | return nil | ||
127 | } | ||
128 | |||
129 | // SerializeEncryptedKey serializes an encrypted key packet to w that contains | ||
130 | // key, encrypted to pub. | ||
131 | // If config is nil, sensible defaults will be used. | ||
132 | func SerializeEncryptedKey(w io.Writer, pub *PublicKey, cipherFunc CipherFunction, key []byte, config *Config) error { | ||
133 | var buf [10]byte | ||
134 | buf[0] = encryptedKeyVersion | ||
135 | binary.BigEndian.PutUint64(buf[1:9], pub.KeyId) | ||
136 | buf[9] = byte(pub.PubKeyAlgo) | ||
137 | |||
138 | keyBlock := make([]byte, 1 /* cipher type */ +len(key)+2 /* checksum */) | ||
139 | keyBlock[0] = byte(cipherFunc) | ||
140 | copy(keyBlock[1:], key) | ||
141 | checksum := checksumKeyMaterial(key) | ||
142 | keyBlock[1+len(key)] = byte(checksum >> 8) | ||
143 | keyBlock[1+len(key)+1] = byte(checksum) | ||
144 | |||
145 | switch pub.PubKeyAlgo { | ||
146 | case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly: | ||
147 | return serializeEncryptedKeyRSA(w, config.Random(), buf, pub.PublicKey.(*rsa.PublicKey), keyBlock) | ||
148 | case PubKeyAlgoElGamal: | ||
149 | return serializeEncryptedKeyElGamal(w, config.Random(), buf, pub.PublicKey.(*elgamal.PublicKey), keyBlock) | ||
150 | case PubKeyAlgoDSA, PubKeyAlgoRSASignOnly: | ||
151 | return errors.InvalidArgumentError("cannot encrypt to public key of type " + strconv.Itoa(int(pub.PubKeyAlgo))) | ||
152 | } | ||
153 | |||
154 | return errors.UnsupportedError("encrypting a key to public key of type " + strconv.Itoa(int(pub.PubKeyAlgo))) | ||
155 | } | ||
156 | |||
157 | func serializeEncryptedKeyRSA(w io.Writer, rand io.Reader, header [10]byte, pub *rsa.PublicKey, keyBlock []byte) error { | ||
158 | cipherText, err := rsa.EncryptPKCS1v15(rand, pub, keyBlock) | ||
159 | if err != nil { | ||
160 | return errors.InvalidArgumentError("RSA encryption failed: " + err.Error()) | ||
161 | } | ||
162 | |||
163 | packetLen := 10 /* header length */ + 2 /* mpi size */ + len(cipherText) | ||
164 | |||
165 | err = serializeHeader(w, packetTypeEncryptedKey, packetLen) | ||
166 | if err != nil { | ||
167 | return err | ||
168 | } | ||
169 | _, err = w.Write(header[:]) | ||
170 | if err != nil { | ||
171 | return err | ||
172 | } | ||
173 | return writeMPI(w, 8*uint16(len(cipherText)), cipherText) | ||
174 | } | ||
175 | |||
176 | func serializeEncryptedKeyElGamal(w io.Writer, rand io.Reader, header [10]byte, pub *elgamal.PublicKey, keyBlock []byte) error { | ||
177 | c1, c2, err := elgamal.Encrypt(rand, pub, keyBlock) | ||
178 | if err != nil { | ||
179 | return errors.InvalidArgumentError("ElGamal encryption failed: " + err.Error()) | ||
180 | } | ||
181 | |||
182 | packetLen := 10 /* header length */ | ||
183 | packetLen += 2 /* mpi size */ + (c1.BitLen()+7)/8 | ||
184 | packetLen += 2 /* mpi size */ + (c2.BitLen()+7)/8 | ||
185 | |||
186 | err = serializeHeader(w, packetTypeEncryptedKey, packetLen) | ||
187 | if err != nil { | ||
188 | return err | ||
189 | } | ||
190 | _, err = w.Write(header[:]) | ||
191 | if err != nil { | ||
192 | return err | ||
193 | } | ||
194 | err = writeBig(w, c1) | ||
195 | if err != nil { | ||
196 | return err | ||
197 | } | ||
198 | return writeBig(w, c2) | ||
199 | } | ||
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/literal.go b/vendor/golang.org/x/crypto/openpgp/packet/literal.go new file mode 100644 index 0000000..1a9ec6e --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/packet/literal.go | |||
@@ -0,0 +1,89 @@ | |||
1 | // Copyright 2011 The Go Authors. All rights reserved. | ||
2 | // Use of this source code is governed by a BSD-style | ||
3 | // license that can be found in the LICENSE file. | ||
4 | |||
5 | package packet | ||
6 | |||
7 | import ( | ||
8 | "encoding/binary" | ||
9 | "io" | ||
10 | ) | ||
11 | |||
12 | // LiteralData represents an encrypted file. See RFC 4880, section 5.9. | ||
13 | type LiteralData struct { | ||
14 | IsBinary bool | ||
15 | FileName string | ||
16 | Time uint32 // Unix epoch time. Either creation time or modification time. 0 means undefined. | ||
17 | Body io.Reader | ||
18 | } | ||
19 | |||
20 | // ForEyesOnly returns whether the contents of the LiteralData have been marked | ||
21 | // as especially sensitive. | ||
22 | func (l *LiteralData) ForEyesOnly() bool { | ||
23 | return l.FileName == "_CONSOLE" | ||
24 | } | ||
25 | |||
26 | func (l *LiteralData) parse(r io.Reader) (err error) { | ||
27 | var buf [256]byte | ||
28 | |||
29 | _, err = readFull(r, buf[:2]) | ||
30 | if err != nil { | ||
31 | return | ||
32 | } | ||
33 | |||
34 | l.IsBinary = buf[0] == 'b' | ||
35 | fileNameLen := int(buf[1]) | ||
36 | |||
37 | _, err = readFull(r, buf[:fileNameLen]) | ||
38 | if err != nil { | ||
39 | return | ||
40 | } | ||
41 | |||
42 | l.FileName = string(buf[:fileNameLen]) | ||
43 | |||
44 | _, err = readFull(r, buf[:4]) | ||
45 | if err != nil { | ||
46 | return | ||
47 | } | ||
48 | |||
49 | l.Time = binary.BigEndian.Uint32(buf[:4]) | ||
50 | l.Body = r | ||
51 | return | ||
52 | } | ||
53 | |||
54 | // SerializeLiteral serializes a literal data packet to w and returns a | ||
55 | // WriteCloser to which the data itself can be written and which MUST be closed | ||
56 | // on completion. The fileName is truncated to 255 bytes. | ||
57 | func SerializeLiteral(w io.WriteCloser, isBinary bool, fileName string, time uint32) (plaintext io.WriteCloser, err error) { | ||
58 | var buf [4]byte | ||
59 | buf[0] = 't' | ||
60 | if isBinary { | ||
61 | buf[0] = 'b' | ||
62 | } | ||
63 | if len(fileName) > 255 { | ||
64 | fileName = fileName[:255] | ||
65 | } | ||
66 | buf[1] = byte(len(fileName)) | ||
67 | |||
68 | inner, err := serializeStreamHeader(w, packetTypeLiteralData) | ||
69 | if err != nil { | ||
70 | return | ||
71 | } | ||
72 | |||
73 | _, err = inner.Write(buf[:2]) | ||
74 | if err != nil { | ||
75 | return | ||
76 | } | ||
77 | _, err = inner.Write([]byte(fileName)) | ||
78 | if err != nil { | ||
79 | return | ||
80 | } | ||
81 | binary.BigEndian.PutUint32(buf[:], time) | ||
82 | _, err = inner.Write(buf[:]) | ||
83 | if err != nil { | ||
84 | return | ||
85 | } | ||
86 | |||
87 | plaintext = inner | ||
88 | return | ||
89 | } | ||
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/ocfb.go b/vendor/golang.org/x/crypto/openpgp/packet/ocfb.go new file mode 100644 index 0000000..ce2a33a --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/packet/ocfb.go | |||
@@ -0,0 +1,143 @@ | |||
1 | // Copyright 2010 The Go Authors. All rights reserved. | ||
2 | // Use of this source code is governed by a BSD-style | ||
3 | // license that can be found in the LICENSE file. | ||
4 | |||
5 | // OpenPGP CFB Mode. http://tools.ietf.org/html/rfc4880#section-13.9 | ||
6 | |||
7 | package packet | ||
8 | |||
9 | import ( | ||
10 | "crypto/cipher" | ||
11 | ) | ||
12 | |||
13 | type ocfbEncrypter struct { | ||
14 | b cipher.Block | ||
15 | fre []byte | ||
16 | outUsed int | ||
17 | } | ||
18 | |||
19 | // An OCFBResyncOption determines if the "resynchronization step" of OCFB is | ||
20 | // performed. | ||
21 | type OCFBResyncOption bool | ||
22 | |||
23 | const ( | ||
24 | OCFBResync OCFBResyncOption = true | ||
25 | OCFBNoResync OCFBResyncOption = false | ||
26 | ) | ||
27 | |||
28 | // NewOCFBEncrypter returns a cipher.Stream which encrypts data with OpenPGP's | ||
29 | // cipher feedback mode using the given cipher.Block, and an initial amount of | ||
30 | // ciphertext. randData must be random bytes and be the same length as the | ||
31 | // cipher.Block's block size. Resync determines if the "resynchronization step" | ||
32 | // from RFC 4880, 13.9 step 7 is performed. Different parts of OpenPGP vary on | ||
33 | // this point. | ||
34 | func NewOCFBEncrypter(block cipher.Block, randData []byte, resync OCFBResyncOption) (cipher.Stream, []byte) { | ||
35 | blockSize := block.BlockSize() | ||
36 | if len(randData) != blockSize { | ||
37 | return nil, nil | ||
38 | } | ||
39 | |||
40 | x := &ocfbEncrypter{ | ||
41 | b: block, | ||
42 | fre: make([]byte, blockSize), | ||
43 | outUsed: 0, | ||
44 | } | ||
45 | prefix := make([]byte, blockSize+2) | ||
46 | |||
47 | block.Encrypt(x.fre, x.fre) | ||
48 | for i := 0; i < blockSize; i++ { | ||
49 | prefix[i] = randData[i] ^ x.fre[i] | ||
50 | } | ||
51 | |||
52 | block.Encrypt(x.fre, prefix[:blockSize]) | ||
53 | prefix[blockSize] = x.fre[0] ^ randData[blockSize-2] | ||
54 | prefix[blockSize+1] = x.fre[1] ^ randData[blockSize-1] | ||
55 | |||
56 | if resync { | ||
57 | block.Encrypt(x.fre, prefix[2:]) | ||
58 | } else { | ||
59 | x.fre[0] = prefix[blockSize] | ||
60 | x.fre[1] = prefix[blockSize+1] | ||
61 | x.outUsed = 2 | ||
62 | } | ||
63 | return x, prefix | ||
64 | } | ||
65 | |||
66 | func (x *ocfbEncrypter) XORKeyStream(dst, src []byte) { | ||
67 | for i := 0; i < len(src); i++ { | ||
68 | if x.outUsed == len(x.fre) { | ||
69 | x.b.Encrypt(x.fre, x.fre) | ||
70 | x.outUsed = 0 | ||
71 | } | ||
72 | |||
73 | x.fre[x.outUsed] ^= src[i] | ||
74 | dst[i] = x.fre[x.outUsed] | ||
75 | x.outUsed++ | ||
76 | } | ||
77 | } | ||
78 | |||
79 | type ocfbDecrypter struct { | ||
80 | b cipher.Block | ||
81 | fre []byte | ||
82 | outUsed int | ||
83 | } | ||
84 | |||
85 | // NewOCFBDecrypter returns a cipher.Stream which decrypts data with OpenPGP's | ||
86 | // cipher feedback mode using the given cipher.Block. Prefix must be the first | ||
87 | // blockSize + 2 bytes of the ciphertext, where blockSize is the cipher.Block's | ||
88 | // block size. If an incorrect key is detected then nil is returned. On | ||
89 | // successful exit, blockSize+2 bytes of decrypted data are written into | ||
90 | // prefix. Resync determines if the "resynchronization step" from RFC 4880, | ||
91 | // 13.9 step 7 is performed. Different parts of OpenPGP vary on this point. | ||
92 | func NewOCFBDecrypter(block cipher.Block, prefix []byte, resync OCFBResyncOption) cipher.Stream { | ||
93 | blockSize := block.BlockSize() | ||
94 | if len(prefix) != blockSize+2 { | ||
95 | return nil | ||
96 | } | ||
97 | |||
98 | x := &ocfbDecrypter{ | ||
99 | b: block, | ||
100 | fre: make([]byte, blockSize), | ||
101 | outUsed: 0, | ||
102 | } | ||
103 | prefixCopy := make([]byte, len(prefix)) | ||
104 | copy(prefixCopy, prefix) | ||
105 | |||
106 | block.Encrypt(x.fre, x.fre) | ||
107 | for i := 0; i < blockSize; i++ { | ||
108 | prefixCopy[i] ^= x.fre[i] | ||
109 | } | ||
110 | |||
111 | block.Encrypt(x.fre, prefix[:blockSize]) | ||
112 | prefixCopy[blockSize] ^= x.fre[0] | ||
113 | prefixCopy[blockSize+1] ^= x.fre[1] | ||
114 | |||
115 | if prefixCopy[blockSize-2] != prefixCopy[blockSize] || | ||
116 | prefixCopy[blockSize-1] != prefixCopy[blockSize+1] { | ||
117 | return nil | ||
118 | } | ||
119 | |||
120 | if resync { | ||
121 | block.Encrypt(x.fre, prefix[2:]) | ||
122 | } else { | ||
123 | x.fre[0] = prefix[blockSize] | ||
124 | x.fre[1] = prefix[blockSize+1] | ||
125 | x.outUsed = 2 | ||
126 | } | ||
127 | copy(prefix, prefixCopy) | ||
128 | return x | ||
129 | } | ||
130 | |||
131 | func (x *ocfbDecrypter) XORKeyStream(dst, src []byte) { | ||
132 | for i := 0; i < len(src); i++ { | ||
133 | if x.outUsed == len(x.fre) { | ||
134 | x.b.Encrypt(x.fre, x.fre) | ||
135 | x.outUsed = 0 | ||
136 | } | ||
137 | |||
138 | c := src[i] | ||
139 | dst[i] = x.fre[x.outUsed] ^ src[i] | ||
140 | x.fre[x.outUsed] = c | ||
141 | x.outUsed++ | ||
142 | } | ||
143 | } | ||
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/one_pass_signature.go b/vendor/golang.org/x/crypto/openpgp/packet/one_pass_signature.go new file mode 100644 index 0000000..1713503 --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/packet/one_pass_signature.go | |||
@@ -0,0 +1,73 @@ | |||
1 | // Copyright 2011 The Go Authors. All rights reserved. | ||
2 | // Use of this source code is governed by a BSD-style | ||
3 | // license that can be found in the LICENSE file. | ||
4 | |||
5 | package packet | ||
6 | |||
7 | import ( | ||
8 | "crypto" | ||
9 | "encoding/binary" | ||
10 | "golang.org/x/crypto/openpgp/errors" | ||
11 | "golang.org/x/crypto/openpgp/s2k" | ||
12 | "io" | ||
13 | "strconv" | ||
14 | ) | ||
15 | |||
16 | // OnePassSignature represents a one-pass signature packet. See RFC 4880, | ||
17 | // section 5.4. | ||
18 | type OnePassSignature struct { | ||
19 | SigType SignatureType | ||
20 | Hash crypto.Hash | ||
21 | PubKeyAlgo PublicKeyAlgorithm | ||
22 | KeyId uint64 | ||
23 | IsLast bool | ||
24 | } | ||
25 | |||
26 | const onePassSignatureVersion = 3 | ||
27 | |||
28 | func (ops *OnePassSignature) parse(r io.Reader) (err error) { | ||
29 | var buf [13]byte | ||
30 | |||
31 | _, err = readFull(r, buf[:]) | ||
32 | if err != nil { | ||
33 | return | ||
34 | } | ||
35 | if buf[0] != onePassSignatureVersion { | ||
36 | err = errors.UnsupportedError("one-pass-signature packet version " + strconv.Itoa(int(buf[0]))) | ||
37 | } | ||
38 | |||
39 | var ok bool | ||
40 | ops.Hash, ok = s2k.HashIdToHash(buf[2]) | ||
41 | if !ok { | ||
42 | return errors.UnsupportedError("hash function: " + strconv.Itoa(int(buf[2]))) | ||
43 | } | ||
44 | |||
45 | ops.SigType = SignatureType(buf[1]) | ||
46 | ops.PubKeyAlgo = PublicKeyAlgorithm(buf[3]) | ||
47 | ops.KeyId = binary.BigEndian.Uint64(buf[4:12]) | ||
48 | ops.IsLast = buf[12] != 0 | ||
49 | return | ||
50 | } | ||
51 | |||
52 | // Serialize marshals the given OnePassSignature to w. | ||
53 | func (ops *OnePassSignature) Serialize(w io.Writer) error { | ||
54 | var buf [13]byte | ||
55 | buf[0] = onePassSignatureVersion | ||
56 | buf[1] = uint8(ops.SigType) | ||
57 | var ok bool | ||
58 | buf[2], ok = s2k.HashToHashId(ops.Hash) | ||
59 | if !ok { | ||
60 | return errors.UnsupportedError("hash type: " + strconv.Itoa(int(ops.Hash))) | ||
61 | } | ||
62 | buf[3] = uint8(ops.PubKeyAlgo) | ||
63 | binary.BigEndian.PutUint64(buf[4:12], ops.KeyId) | ||
64 | if ops.IsLast { | ||
65 | buf[12] = 1 | ||
66 | } | ||
67 | |||
68 | if err := serializeHeader(w, packetTypeOnePassSignature, len(buf)); err != nil { | ||
69 | return err | ||
70 | } | ||
71 | _, err := w.Write(buf[:]) | ||
72 | return err | ||
73 | } | ||
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/opaque.go b/vendor/golang.org/x/crypto/openpgp/packet/opaque.go new file mode 100644 index 0000000..456d807 --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/packet/opaque.go | |||
@@ -0,0 +1,162 @@ | |||
1 | // Copyright 2012 The Go Authors. All rights reserved. | ||
2 | // Use of this source code is governed by a BSD-style | ||
3 | // license that can be found in the LICENSE file. | ||
4 | |||
5 | package packet | ||
6 | |||
7 | import ( | ||
8 | "bytes" | ||
9 | "io" | ||
10 | "io/ioutil" | ||
11 | |||
12 | "golang.org/x/crypto/openpgp/errors" | ||
13 | ) | ||
14 | |||
15 | // OpaquePacket represents an OpenPGP packet as raw, unparsed data. This is | ||
16 | // useful for splitting and storing the original packet contents separately, | ||
17 | // handling unsupported packet types or accessing parts of the packet not yet | ||
18 | // implemented by this package. | ||
19 | type OpaquePacket struct { | ||
20 | // Packet type | ||
21 | Tag uint8 | ||
22 | // Reason why the packet was parsed opaquely | ||
23 | Reason error | ||
24 | // Binary contents of the packet data | ||
25 | Contents []byte | ||
26 | } | ||
27 | |||
28 | func (op *OpaquePacket) parse(r io.Reader) (err error) { | ||
29 | op.Contents, err = ioutil.ReadAll(r) | ||
30 | return | ||
31 | } | ||
32 | |||
33 | // Serialize marshals the packet to a writer in its original form, including | ||
34 | // the packet header. | ||
35 | func (op *OpaquePacket) Serialize(w io.Writer) (err error) { | ||
36 | err = serializeHeader(w, packetType(op.Tag), len(op.Contents)) | ||
37 | if err == nil { | ||
38 | _, err = w.Write(op.Contents) | ||
39 | } | ||
40 | return | ||
41 | } | ||
42 | |||
43 | // Parse attempts to parse the opaque contents into a structure supported by | ||
44 | // this package. If the packet is not known then the result will be another | ||
45 | // OpaquePacket. | ||
46 | func (op *OpaquePacket) Parse() (p Packet, err error) { | ||
47 | hdr := bytes.NewBuffer(nil) | ||
48 | err = serializeHeader(hdr, packetType(op.Tag), len(op.Contents)) | ||
49 | if err != nil { | ||
50 | op.Reason = err | ||
51 | return op, err | ||
52 | } | ||
53 | p, err = Read(io.MultiReader(hdr, bytes.NewBuffer(op.Contents))) | ||
54 | if err != nil { | ||
55 | op.Reason = err | ||
56 | p = op | ||
57 | } | ||
58 | return | ||
59 | } | ||
60 | |||
61 | // OpaqueReader reads OpaquePackets from an io.Reader. | ||
62 | type OpaqueReader struct { | ||
63 | r io.Reader | ||
64 | } | ||
65 | |||
66 | func NewOpaqueReader(r io.Reader) *OpaqueReader { | ||
67 | return &OpaqueReader{r: r} | ||
68 | } | ||
69 | |||
70 | // Read the next OpaquePacket. | ||
71 | func (or *OpaqueReader) Next() (op *OpaquePacket, err error) { | ||
72 | tag, _, contents, err := readHeader(or.r) | ||
73 | if err != nil { | ||
74 | return | ||
75 | } | ||
76 | op = &OpaquePacket{Tag: uint8(tag), Reason: err} | ||
77 | err = op.parse(contents) | ||
78 | if err != nil { | ||
79 | consumeAll(contents) | ||
80 | } | ||
81 | return | ||
82 | } | ||
83 | |||
84 | // OpaqueSubpacket represents an unparsed OpenPGP subpacket, | ||
85 | // as found in signature and user attribute packets. | ||
86 | type OpaqueSubpacket struct { | ||
87 | SubType uint8 | ||
88 | Contents []byte | ||
89 | } | ||
90 | |||
91 | // OpaqueSubpackets extracts opaque, unparsed OpenPGP subpackets from | ||
92 | // their byte representation. | ||
93 | func OpaqueSubpackets(contents []byte) (result []*OpaqueSubpacket, err error) { | ||
94 | var ( | ||
95 | subHeaderLen int | ||
96 | subPacket *OpaqueSubpacket | ||
97 | ) | ||
98 | for len(contents) > 0 { | ||
99 | subHeaderLen, subPacket, err = nextSubpacket(contents) | ||
100 | if err != nil { | ||
101 | break | ||
102 | } | ||
103 | result = append(result, subPacket) | ||
104 | contents = contents[subHeaderLen+len(subPacket.Contents):] | ||
105 | } | ||
106 | return | ||
107 | } | ||
108 | |||
109 | func nextSubpacket(contents []byte) (subHeaderLen int, subPacket *OpaqueSubpacket, err error) { | ||
110 | // RFC 4880, section 5.2.3.1 | ||
111 | var subLen uint32 | ||
112 | if len(contents) < 1 { | ||
113 | goto Truncated | ||
114 | } | ||
115 | subPacket = &OpaqueSubpacket{} | ||
116 | switch { | ||
117 | case contents[0] < 192: | ||
118 | subHeaderLen = 2 // 1 length byte, 1 subtype byte | ||
119 | if len(contents) < subHeaderLen { | ||
120 | goto Truncated | ||
121 | } | ||
122 | subLen = uint32(contents[0]) | ||
123 | contents = contents[1:] | ||
124 | case contents[0] < 255: | ||
125 | subHeaderLen = 3 // 2 length bytes, 1 subtype | ||
126 | if len(contents) < subHeaderLen { | ||
127 | goto Truncated | ||
128 | } | ||
129 | subLen = uint32(contents[0]-192)<<8 + uint32(contents[1]) + 192 | ||
130 | contents = contents[2:] | ||
131 | default: | ||
132 | subHeaderLen = 6 // 5 length bytes, 1 subtype | ||
133 | if len(contents) < subHeaderLen { | ||
134 | goto Truncated | ||
135 | } | ||
136 | subLen = uint32(contents[1])<<24 | | ||
137 | uint32(contents[2])<<16 | | ||
138 | uint32(contents[3])<<8 | | ||
139 | uint32(contents[4]) | ||
140 | contents = contents[5:] | ||
141 | } | ||
142 | if subLen > uint32(len(contents)) || subLen == 0 { | ||
143 | goto Truncated | ||
144 | } | ||
145 | subPacket.SubType = contents[0] | ||
146 | subPacket.Contents = contents[1:subLen] | ||
147 | return | ||
148 | Truncated: | ||
149 | err = errors.StructuralError("subpacket truncated") | ||
150 | return | ||
151 | } | ||
152 | |||
153 | func (osp *OpaqueSubpacket) Serialize(w io.Writer) (err error) { | ||
154 | buf := make([]byte, 6) | ||
155 | n := serializeSubpacketLength(buf, len(osp.Contents)+1) | ||
156 | buf[n] = osp.SubType | ||
157 | if _, err = w.Write(buf[:n+1]); err != nil { | ||
158 | return | ||
159 | } | ||
160 | _, err = w.Write(osp.Contents) | ||
161 | return | ||
162 | } | ||
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/packet.go b/vendor/golang.org/x/crypto/openpgp/packet/packet.go new file mode 100644 index 0000000..3eded93 --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/packet/packet.go | |||
@@ -0,0 +1,537 @@ | |||
1 | // Copyright 2011 The Go Authors. All rights reserved. | ||
2 | // Use of this source code is governed by a BSD-style | ||
3 | // license that can be found in the LICENSE file. | ||
4 | |||
5 | // Package packet implements parsing and serialization of OpenPGP packets, as | ||
6 | // specified in RFC 4880. | ||
7 | package packet // import "golang.org/x/crypto/openpgp/packet" | ||
8 | |||
9 | import ( | ||
10 | "bufio" | ||
11 | "crypto/aes" | ||
12 | "crypto/cipher" | ||
13 | "crypto/des" | ||
14 | "golang.org/x/crypto/cast5" | ||
15 | "golang.org/x/crypto/openpgp/errors" | ||
16 | "io" | ||
17 | "math/big" | ||
18 | ) | ||
19 | |||
20 | // readFull is the same as io.ReadFull except that reading zero bytes returns | ||
21 | // ErrUnexpectedEOF rather than EOF. | ||
22 | func readFull(r io.Reader, buf []byte) (n int, err error) { | ||
23 | n, err = io.ReadFull(r, buf) | ||
24 | if err == io.EOF { | ||
25 | err = io.ErrUnexpectedEOF | ||
26 | } | ||
27 | return | ||
28 | } | ||
29 | |||
30 | // readLength reads an OpenPGP length from r. See RFC 4880, section 4.2.2. | ||
31 | func readLength(r io.Reader) (length int64, isPartial bool, err error) { | ||
32 | var buf [4]byte | ||
33 | _, err = readFull(r, buf[:1]) | ||
34 | if err != nil { | ||
35 | return | ||
36 | } | ||
37 | switch { | ||
38 | case buf[0] < 192: | ||
39 | length = int64(buf[0]) | ||
40 | case buf[0] < 224: | ||
41 | length = int64(buf[0]-192) << 8 | ||
42 | _, err = readFull(r, buf[0:1]) | ||
43 | if err != nil { | ||
44 | return | ||
45 | } | ||
46 | length += int64(buf[0]) + 192 | ||
47 | case buf[0] < 255: | ||
48 | length = int64(1) << (buf[0] & 0x1f) | ||
49 | isPartial = true | ||
50 | default: | ||
51 | _, err = readFull(r, buf[0:4]) | ||
52 | if err != nil { | ||
53 | return | ||
54 | } | ||
55 | length = int64(buf[0])<<24 | | ||
56 | int64(buf[1])<<16 | | ||
57 | int64(buf[2])<<8 | | ||
58 | int64(buf[3]) | ||
59 | } | ||
60 | return | ||
61 | } | ||
62 | |||
63 | // partialLengthReader wraps an io.Reader and handles OpenPGP partial lengths. | ||
64 | // The continuation lengths are parsed and removed from the stream and EOF is | ||
65 | // returned at the end of the packet. See RFC 4880, section 4.2.2.4. | ||
66 | type partialLengthReader struct { | ||
67 | r io.Reader | ||
68 | remaining int64 | ||
69 | isPartial bool | ||
70 | } | ||
71 | |||
72 | func (r *partialLengthReader) Read(p []byte) (n int, err error) { | ||
73 | for r.remaining == 0 { | ||
74 | if !r.isPartial { | ||
75 | return 0, io.EOF | ||
76 | } | ||
77 | r.remaining, r.isPartial, err = readLength(r.r) | ||
78 | if err != nil { | ||
79 | return 0, err | ||
80 | } | ||
81 | } | ||
82 | |||
83 | toRead := int64(len(p)) | ||
84 | if toRead > r.remaining { | ||
85 | toRead = r.remaining | ||
86 | } | ||
87 | |||
88 | n, err = r.r.Read(p[:int(toRead)]) | ||
89 | r.remaining -= int64(n) | ||
90 | if n < int(toRead) && err == io.EOF { | ||
91 | err = io.ErrUnexpectedEOF | ||
92 | } | ||
93 | return | ||
94 | } | ||
95 | |||
96 | // partialLengthWriter writes a stream of data using OpenPGP partial lengths. | ||
97 | // See RFC 4880, section 4.2.2.4. | ||
98 | type partialLengthWriter struct { | ||
99 | w io.WriteCloser | ||
100 | lengthByte [1]byte | ||
101 | } | ||
102 | |||
103 | func (w *partialLengthWriter) Write(p []byte) (n int, err error) { | ||
104 | for len(p) > 0 { | ||
105 | for power := uint(14); power < 32; power-- { | ||
106 | l := 1 << power | ||
107 | if len(p) >= l { | ||
108 | w.lengthByte[0] = 224 + uint8(power) | ||
109 | _, err = w.w.Write(w.lengthByte[:]) | ||
110 | if err != nil { | ||
111 | return | ||
112 | } | ||
113 | var m int | ||
114 | m, err = w.w.Write(p[:l]) | ||
115 | n += m | ||
116 | if err != nil { | ||
117 | return | ||
118 | } | ||
119 | p = p[l:] | ||
120 | break | ||
121 | } | ||
122 | } | ||
123 | } | ||
124 | return | ||
125 | } | ||
126 | |||
127 | func (w *partialLengthWriter) Close() error { | ||
128 | w.lengthByte[0] = 0 | ||
129 | _, err := w.w.Write(w.lengthByte[:]) | ||
130 | if err != nil { | ||
131 | return err | ||
132 | } | ||
133 | return w.w.Close() | ||
134 | } | ||
135 | |||
136 | // A spanReader is an io.LimitReader, but it returns ErrUnexpectedEOF if the | ||
137 | // underlying Reader returns EOF before the limit has been reached. | ||
138 | type spanReader struct { | ||
139 | r io.Reader | ||
140 | n int64 | ||
141 | } | ||
142 | |||
143 | func (l *spanReader) Read(p []byte) (n int, err error) { | ||
144 | if l.n <= 0 { | ||
145 | return 0, io.EOF | ||
146 | } | ||
147 | if int64(len(p)) > l.n { | ||
148 | p = p[0:l.n] | ||
149 | } | ||
150 | n, err = l.r.Read(p) | ||
151 | l.n -= int64(n) | ||
152 | if l.n > 0 && err == io.EOF { | ||
153 | err = io.ErrUnexpectedEOF | ||
154 | } | ||
155 | return | ||
156 | } | ||
157 | |||
158 | // readHeader parses a packet header and returns an io.Reader which will return | ||
159 | // the contents of the packet. See RFC 4880, section 4.2. | ||
160 | func readHeader(r io.Reader) (tag packetType, length int64, contents io.Reader, err error) { | ||
161 | var buf [4]byte | ||
162 | _, err = io.ReadFull(r, buf[:1]) | ||
163 | if err != nil { | ||
164 | return | ||
165 | } | ||
166 | if buf[0]&0x80 == 0 { | ||
167 | err = errors.StructuralError("tag byte does not have MSB set") | ||
168 | return | ||
169 | } | ||
170 | if buf[0]&0x40 == 0 { | ||
171 | // Old format packet | ||
172 | tag = packetType((buf[0] & 0x3f) >> 2) | ||
173 | lengthType := buf[0] & 3 | ||
174 | if lengthType == 3 { | ||
175 | length = -1 | ||
176 | contents = r | ||
177 | return | ||
178 | } | ||
179 | lengthBytes := 1 << lengthType | ||
180 | _, err = readFull(r, buf[0:lengthBytes]) | ||
181 | if err != nil { | ||
182 | return | ||
183 | } | ||
184 | for i := 0; i < lengthBytes; i++ { | ||
185 | length <<= 8 | ||
186 | length |= int64(buf[i]) | ||
187 | } | ||
188 | contents = &spanReader{r, length} | ||
189 | return | ||
190 | } | ||
191 | |||
192 | // New format packet | ||
193 | tag = packetType(buf[0] & 0x3f) | ||
194 | length, isPartial, err := readLength(r) | ||
195 | if err != nil { | ||
196 | return | ||
197 | } | ||
198 | if isPartial { | ||
199 | contents = &partialLengthReader{ | ||
200 | remaining: length, | ||
201 | isPartial: true, | ||
202 | r: r, | ||
203 | } | ||
204 | length = -1 | ||
205 | } else { | ||
206 | contents = &spanReader{r, length} | ||
207 | } | ||
208 | return | ||
209 | } | ||
210 | |||
211 | // serializeHeader writes an OpenPGP packet header to w. See RFC 4880, section | ||
212 | // 4.2. | ||
213 | func serializeHeader(w io.Writer, ptype packetType, length int) (err error) { | ||
214 | var buf [6]byte | ||
215 | var n int | ||
216 | |||
217 | buf[0] = 0x80 | 0x40 | byte(ptype) | ||
218 | if length < 192 { | ||
219 | buf[1] = byte(length) | ||
220 | n = 2 | ||
221 | } else if length < 8384 { | ||
222 | length -= 192 | ||
223 | buf[1] = 192 + byte(length>>8) | ||
224 | buf[2] = byte(length) | ||
225 | n = 3 | ||
226 | } else { | ||
227 | buf[1] = 255 | ||
228 | buf[2] = byte(length >> 24) | ||
229 | buf[3] = byte(length >> 16) | ||
230 | buf[4] = byte(length >> 8) | ||
231 | buf[5] = byte(length) | ||
232 | n = 6 | ||
233 | } | ||
234 | |||
235 | _, err = w.Write(buf[:n]) | ||
236 | return | ||
237 | } | ||
238 | |||
239 | // serializeStreamHeader writes an OpenPGP packet header to w where the | ||
240 | // length of the packet is unknown. It returns a io.WriteCloser which can be | ||
241 | // used to write the contents of the packet. See RFC 4880, section 4.2. | ||
242 | func serializeStreamHeader(w io.WriteCloser, ptype packetType) (out io.WriteCloser, err error) { | ||
243 | var buf [1]byte | ||
244 | buf[0] = 0x80 | 0x40 | byte(ptype) | ||
245 | _, err = w.Write(buf[:]) | ||
246 | if err != nil { | ||
247 | return | ||
248 | } | ||
249 | out = &partialLengthWriter{w: w} | ||
250 | return | ||
251 | } | ||
252 | |||
253 | // Packet represents an OpenPGP packet. Users are expected to try casting | ||
254 | // instances of this interface to specific packet types. | ||
255 | type Packet interface { | ||
256 | parse(io.Reader) error | ||
257 | } | ||
258 | |||
259 | // consumeAll reads from the given Reader until error, returning the number of | ||
260 | // bytes read. | ||
261 | func consumeAll(r io.Reader) (n int64, err error) { | ||
262 | var m int | ||
263 | var buf [1024]byte | ||
264 | |||
265 | for { | ||
266 | m, err = r.Read(buf[:]) | ||
267 | n += int64(m) | ||
268 | if err == io.EOF { | ||
269 | err = nil | ||
270 | return | ||
271 | } | ||
272 | if err != nil { | ||
273 | return | ||
274 | } | ||
275 | } | ||
276 | } | ||
277 | |||
278 | // packetType represents the numeric ids of the different OpenPGP packet types. See | ||
279 | // http://www.iana.org/assignments/pgp-parameters/pgp-parameters.xhtml#pgp-parameters-2 | ||
280 | type packetType uint8 | ||
281 | |||
282 | const ( | ||
283 | packetTypeEncryptedKey packetType = 1 | ||
284 | packetTypeSignature packetType = 2 | ||
285 | packetTypeSymmetricKeyEncrypted packetType = 3 | ||
286 | packetTypeOnePassSignature packetType = 4 | ||
287 | packetTypePrivateKey packetType = 5 | ||
288 | packetTypePublicKey packetType = 6 | ||
289 | packetTypePrivateSubkey packetType = 7 | ||
290 | packetTypeCompressed packetType = 8 | ||
291 | packetTypeSymmetricallyEncrypted packetType = 9 | ||
292 | packetTypeLiteralData packetType = 11 | ||
293 | packetTypeUserId packetType = 13 | ||
294 | packetTypePublicSubkey packetType = 14 | ||
295 | packetTypeUserAttribute packetType = 17 | ||
296 | packetTypeSymmetricallyEncryptedMDC packetType = 18 | ||
297 | ) | ||
298 | |||
299 | // peekVersion detects the version of a public key packet about to | ||
300 | // be read. A bufio.Reader at the original position of the io.Reader | ||
301 | // is returned. | ||
302 | func peekVersion(r io.Reader) (bufr *bufio.Reader, ver byte, err error) { | ||
303 | bufr = bufio.NewReader(r) | ||
304 | var verBuf []byte | ||
305 | if verBuf, err = bufr.Peek(1); err != nil { | ||
306 | return | ||
307 | } | ||
308 | ver = verBuf[0] | ||
309 | return | ||
310 | } | ||
311 | |||
312 | // Read reads a single OpenPGP packet from the given io.Reader. If there is an | ||
313 | // error parsing a packet, the whole packet is consumed from the input. | ||
314 | func Read(r io.Reader) (p Packet, err error) { | ||
315 | tag, _, contents, err := readHeader(r) | ||
316 | if err != nil { | ||
317 | return | ||
318 | } | ||
319 | |||
320 | switch tag { | ||
321 | case packetTypeEncryptedKey: | ||
322 | p = new(EncryptedKey) | ||
323 | case packetTypeSignature: | ||
324 | var version byte | ||
325 | // Detect signature version | ||
326 | if contents, version, err = peekVersion(contents); err != nil { | ||
327 | return | ||
328 | } | ||
329 | if version < 4 { | ||
330 | p = new(SignatureV3) | ||
331 | } else { | ||
332 | p = new(Signature) | ||
333 | } | ||
334 | case packetTypeSymmetricKeyEncrypted: | ||
335 | p = new(SymmetricKeyEncrypted) | ||
336 | case packetTypeOnePassSignature: | ||
337 | p = new(OnePassSignature) | ||
338 | case packetTypePrivateKey, packetTypePrivateSubkey: | ||
339 | pk := new(PrivateKey) | ||
340 | if tag == packetTypePrivateSubkey { | ||
341 | pk.IsSubkey = true | ||
342 | } | ||
343 | p = pk | ||
344 | case packetTypePublicKey, packetTypePublicSubkey: | ||
345 | var version byte | ||
346 | if contents, version, err = peekVersion(contents); err != nil { | ||
347 | return | ||
348 | } | ||
349 | isSubkey := tag == packetTypePublicSubkey | ||
350 | if version < 4 { | ||
351 | p = &PublicKeyV3{IsSubkey: isSubkey} | ||
352 | } else { | ||
353 | p = &PublicKey{IsSubkey: isSubkey} | ||
354 | } | ||
355 | case packetTypeCompressed: | ||
356 | p = new(Compressed) | ||
357 | case packetTypeSymmetricallyEncrypted: | ||
358 | p = new(SymmetricallyEncrypted) | ||
359 | case packetTypeLiteralData: | ||
360 | p = new(LiteralData) | ||
361 | case packetTypeUserId: | ||
362 | p = new(UserId) | ||
363 | case packetTypeUserAttribute: | ||
364 | p = new(UserAttribute) | ||
365 | case packetTypeSymmetricallyEncryptedMDC: | ||
366 | se := new(SymmetricallyEncrypted) | ||
367 | se.MDC = true | ||
368 | p = se | ||
369 | default: | ||
370 | err = errors.UnknownPacketTypeError(tag) | ||
371 | } | ||
372 | if p != nil { | ||
373 | err = p.parse(contents) | ||
374 | } | ||
375 | if err != nil { | ||
376 | consumeAll(contents) | ||
377 | } | ||
378 | return | ||
379 | } | ||
380 | |||
381 | // SignatureType represents the different semantic meanings of an OpenPGP | ||
382 | // signature. See RFC 4880, section 5.2.1. | ||
383 | type SignatureType uint8 | ||
384 | |||
385 | const ( | ||
386 | SigTypeBinary SignatureType = 0 | ||
387 | SigTypeText = 1 | ||
388 | SigTypeGenericCert = 0x10 | ||
389 | SigTypePersonaCert = 0x11 | ||
390 | SigTypeCasualCert = 0x12 | ||
391 | SigTypePositiveCert = 0x13 | ||
392 | SigTypeSubkeyBinding = 0x18 | ||
393 | SigTypePrimaryKeyBinding = 0x19 | ||
394 | SigTypeDirectSignature = 0x1F | ||
395 | SigTypeKeyRevocation = 0x20 | ||
396 | SigTypeSubkeyRevocation = 0x28 | ||
397 | ) | ||
398 | |||
399 | // PublicKeyAlgorithm represents the different public key system specified for | ||
400 | // OpenPGP. See | ||
401 | // http://www.iana.org/assignments/pgp-parameters/pgp-parameters.xhtml#pgp-parameters-12 | ||
402 | type PublicKeyAlgorithm uint8 | ||
403 | |||
404 | const ( | ||
405 | PubKeyAlgoRSA PublicKeyAlgorithm = 1 | ||
406 | PubKeyAlgoRSAEncryptOnly PublicKeyAlgorithm = 2 | ||
407 | PubKeyAlgoRSASignOnly PublicKeyAlgorithm = 3 | ||
408 | PubKeyAlgoElGamal PublicKeyAlgorithm = 16 | ||
409 | PubKeyAlgoDSA PublicKeyAlgorithm = 17 | ||
410 | // RFC 6637, Section 5. | ||
411 | PubKeyAlgoECDH PublicKeyAlgorithm = 18 | ||
412 | PubKeyAlgoECDSA PublicKeyAlgorithm = 19 | ||
413 | ) | ||
414 | |||
415 | // CanEncrypt returns true if it's possible to encrypt a message to a public | ||
416 | // key of the given type. | ||
417 | func (pka PublicKeyAlgorithm) CanEncrypt() bool { | ||
418 | switch pka { | ||
419 | case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoElGamal: | ||
420 | return true | ||
421 | } | ||
422 | return false | ||
423 | } | ||
424 | |||
425 | // CanSign returns true if it's possible for a public key of the given type to | ||
426 | // sign a message. | ||
427 | func (pka PublicKeyAlgorithm) CanSign() bool { | ||
428 | switch pka { | ||
429 | case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly, PubKeyAlgoDSA, PubKeyAlgoECDSA: | ||
430 | return true | ||
431 | } | ||
432 | return false | ||
433 | } | ||
434 | |||
435 | // CipherFunction represents the different block ciphers specified for OpenPGP. See | ||
436 | // http://www.iana.org/assignments/pgp-parameters/pgp-parameters.xhtml#pgp-parameters-13 | ||
437 | type CipherFunction uint8 | ||
438 | |||
439 | const ( | ||
440 | Cipher3DES CipherFunction = 2 | ||
441 | CipherCAST5 CipherFunction = 3 | ||
442 | CipherAES128 CipherFunction = 7 | ||
443 | CipherAES192 CipherFunction = 8 | ||
444 | CipherAES256 CipherFunction = 9 | ||
445 | ) | ||
446 | |||
447 | // KeySize returns the key size, in bytes, of cipher. | ||
448 | func (cipher CipherFunction) KeySize() int { | ||
449 | switch cipher { | ||
450 | case Cipher3DES: | ||
451 | return 24 | ||
452 | case CipherCAST5: | ||
453 | return cast5.KeySize | ||
454 | case CipherAES128: | ||
455 | return 16 | ||
456 | case CipherAES192: | ||
457 | return 24 | ||
458 | case CipherAES256: | ||
459 | return 32 | ||
460 | } | ||
461 | return 0 | ||
462 | } | ||
463 | |||
464 | // blockSize returns the block size, in bytes, of cipher. | ||
465 | func (cipher CipherFunction) blockSize() int { | ||
466 | switch cipher { | ||
467 | case Cipher3DES: | ||
468 | return des.BlockSize | ||
469 | case CipherCAST5: | ||
470 | return 8 | ||
471 | case CipherAES128, CipherAES192, CipherAES256: | ||
472 | return 16 | ||
473 | } | ||
474 | return 0 | ||
475 | } | ||
476 | |||
477 | // new returns a fresh instance of the given cipher. | ||
478 | func (cipher CipherFunction) new(key []byte) (block cipher.Block) { | ||
479 | switch cipher { | ||
480 | case Cipher3DES: | ||
481 | block, _ = des.NewTripleDESCipher(key) | ||
482 | case CipherCAST5: | ||
483 | block, _ = cast5.NewCipher(key) | ||
484 | case CipherAES128, CipherAES192, CipherAES256: | ||
485 | block, _ = aes.NewCipher(key) | ||
486 | } | ||
487 | return | ||
488 | } | ||
489 | |||
490 | // readMPI reads a big integer from r. The bit length returned is the bit | ||
491 | // length that was specified in r. This is preserved so that the integer can be | ||
492 | // reserialized exactly. | ||
493 | func readMPI(r io.Reader) (mpi []byte, bitLength uint16, err error) { | ||
494 | var buf [2]byte | ||
495 | _, err = readFull(r, buf[0:]) | ||
496 | if err != nil { | ||
497 | return | ||
498 | } | ||
499 | bitLength = uint16(buf[0])<<8 | uint16(buf[1]) | ||
500 | numBytes := (int(bitLength) + 7) / 8 | ||
501 | mpi = make([]byte, numBytes) | ||
502 | _, err = readFull(r, mpi) | ||
503 | return | ||
504 | } | ||
505 | |||
506 | // mpiLength returns the length of the given *big.Int when serialized as an | ||
507 | // MPI. | ||
508 | func mpiLength(n *big.Int) (mpiLengthInBytes int) { | ||
509 | mpiLengthInBytes = 2 /* MPI length */ | ||
510 | mpiLengthInBytes += (n.BitLen() + 7) / 8 | ||
511 | return | ||
512 | } | ||
513 | |||
514 | // writeMPI serializes a big integer to w. | ||
515 | func writeMPI(w io.Writer, bitLength uint16, mpiBytes []byte) (err error) { | ||
516 | _, err = w.Write([]byte{byte(bitLength >> 8), byte(bitLength)}) | ||
517 | if err == nil { | ||
518 | _, err = w.Write(mpiBytes) | ||
519 | } | ||
520 | return | ||
521 | } | ||
522 | |||
523 | // writeBig serializes a *big.Int to w. | ||
524 | func writeBig(w io.Writer, i *big.Int) error { | ||
525 | return writeMPI(w, uint16(i.BitLen()), i.Bytes()) | ||
526 | } | ||
527 | |||
528 | // CompressionAlgo Represents the different compression algorithms | ||
529 | // supported by OpenPGP (except for BZIP2, which is not currently | ||
530 | // supported). See Section 9.3 of RFC 4880. | ||
531 | type CompressionAlgo uint8 | ||
532 | |||
533 | const ( | ||
534 | CompressionNone CompressionAlgo = 0 | ||
535 | CompressionZIP CompressionAlgo = 1 | ||
536 | CompressionZLIB CompressionAlgo = 2 | ||
537 | ) | ||
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/private_key.go b/vendor/golang.org/x/crypto/openpgp/packet/private_key.go new file mode 100644 index 0000000..34734cc --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/packet/private_key.go | |||
@@ -0,0 +1,380 @@ | |||
1 | // Copyright 2011 The Go Authors. All rights reserved. | ||
2 | // Use of this source code is governed by a BSD-style | ||
3 | // license that can be found in the LICENSE file. | ||
4 | |||
5 | package packet | ||
6 | |||
7 | import ( | ||
8 | "bytes" | ||
9 | "crypto" | ||
10 | "crypto/cipher" | ||
11 | "crypto/dsa" | ||
12 | "crypto/ecdsa" | ||
13 | "crypto/rsa" | ||
14 | "crypto/sha1" | ||
15 | "io" | ||
16 | "io/ioutil" | ||
17 | "math/big" | ||
18 | "strconv" | ||
19 | "time" | ||
20 | |||
21 | "golang.org/x/crypto/openpgp/elgamal" | ||
22 | "golang.org/x/crypto/openpgp/errors" | ||
23 | "golang.org/x/crypto/openpgp/s2k" | ||
24 | ) | ||
25 | |||
26 | // PrivateKey represents a possibly encrypted private key. See RFC 4880, | ||
27 | // section 5.5.3. | ||
28 | type PrivateKey struct { | ||
29 | PublicKey | ||
30 | Encrypted bool // if true then the private key is unavailable until Decrypt has been called. | ||
31 | encryptedData []byte | ||
32 | cipher CipherFunction | ||
33 | s2k func(out, in []byte) | ||
34 | PrivateKey interface{} // An *{rsa|dsa|ecdsa}.PrivateKey or a crypto.Signer. | ||
35 | sha1Checksum bool | ||
36 | iv []byte | ||
37 | } | ||
38 | |||
39 | func NewRSAPrivateKey(currentTime time.Time, priv *rsa.PrivateKey) *PrivateKey { | ||
40 | pk := new(PrivateKey) | ||
41 | pk.PublicKey = *NewRSAPublicKey(currentTime, &priv.PublicKey) | ||
42 | pk.PrivateKey = priv | ||
43 | return pk | ||
44 | } | ||
45 | |||
46 | func NewDSAPrivateKey(currentTime time.Time, priv *dsa.PrivateKey) *PrivateKey { | ||
47 | pk := new(PrivateKey) | ||
48 | pk.PublicKey = *NewDSAPublicKey(currentTime, &priv.PublicKey) | ||
49 | pk.PrivateKey = priv | ||
50 | return pk | ||
51 | } | ||
52 | |||
53 | func NewElGamalPrivateKey(currentTime time.Time, priv *elgamal.PrivateKey) *PrivateKey { | ||
54 | pk := new(PrivateKey) | ||
55 | pk.PublicKey = *NewElGamalPublicKey(currentTime, &priv.PublicKey) | ||
56 | pk.PrivateKey = priv | ||
57 | return pk | ||
58 | } | ||
59 | |||
60 | func NewECDSAPrivateKey(currentTime time.Time, priv *ecdsa.PrivateKey) *PrivateKey { | ||
61 | pk := new(PrivateKey) | ||
62 | pk.PublicKey = *NewECDSAPublicKey(currentTime, &priv.PublicKey) | ||
63 | pk.PrivateKey = priv | ||
64 | return pk | ||
65 | } | ||
66 | |||
67 | // NewSignerPrivateKey creates a sign-only PrivateKey from a crypto.Signer that | ||
68 | // implements RSA or ECDSA. | ||
69 | func NewSignerPrivateKey(currentTime time.Time, signer crypto.Signer) *PrivateKey { | ||
70 | pk := new(PrivateKey) | ||
71 | switch pubkey := signer.Public().(type) { | ||
72 | case rsa.PublicKey: | ||
73 | pk.PublicKey = *NewRSAPublicKey(currentTime, &pubkey) | ||
74 | pk.PubKeyAlgo = PubKeyAlgoRSASignOnly | ||
75 | case ecdsa.PublicKey: | ||
76 | pk.PublicKey = *NewECDSAPublicKey(currentTime, &pubkey) | ||
77 | default: | ||
78 | panic("openpgp: unknown crypto.Signer type in NewSignerPrivateKey") | ||
79 | } | ||
80 | pk.PrivateKey = signer | ||
81 | return pk | ||
82 | } | ||
83 | |||
84 | func (pk *PrivateKey) parse(r io.Reader) (err error) { | ||
85 | err = (&pk.PublicKey).parse(r) | ||
86 | if err != nil { | ||
87 | return | ||
88 | } | ||
89 | var buf [1]byte | ||
90 | _, err = readFull(r, buf[:]) | ||
91 | if err != nil { | ||
92 | return | ||
93 | } | ||
94 | |||
95 | s2kType := buf[0] | ||
96 | |||
97 | switch s2kType { | ||
98 | case 0: | ||
99 | pk.s2k = nil | ||
100 | pk.Encrypted = false | ||
101 | case 254, 255: | ||
102 | _, err = readFull(r, buf[:]) | ||
103 | if err != nil { | ||
104 | return | ||
105 | } | ||
106 | pk.cipher = CipherFunction(buf[0]) | ||
107 | pk.Encrypted = true | ||
108 | pk.s2k, err = s2k.Parse(r) | ||
109 | if err != nil { | ||
110 | return | ||
111 | } | ||
112 | if s2kType == 254 { | ||
113 | pk.sha1Checksum = true | ||
114 | } | ||
115 | default: | ||
116 | return errors.UnsupportedError("deprecated s2k function in private key") | ||
117 | } | ||
118 | |||
119 | if pk.Encrypted { | ||
120 | blockSize := pk.cipher.blockSize() | ||
121 | if blockSize == 0 { | ||
122 | return errors.UnsupportedError("unsupported cipher in private key: " + strconv.Itoa(int(pk.cipher))) | ||
123 | } | ||
124 | pk.iv = make([]byte, blockSize) | ||
125 | _, err = readFull(r, pk.iv) | ||
126 | if err != nil { | ||
127 | return | ||
128 | } | ||
129 | } | ||
130 | |||
131 | pk.encryptedData, err = ioutil.ReadAll(r) | ||
132 | if err != nil { | ||
133 | return | ||
134 | } | ||
135 | |||
136 | if !pk.Encrypted { | ||
137 | return pk.parsePrivateKey(pk.encryptedData) | ||
138 | } | ||
139 | |||
140 | return | ||
141 | } | ||
142 | |||
143 | func mod64kHash(d []byte) uint16 { | ||
144 | var h uint16 | ||
145 | for _, b := range d { | ||
146 | h += uint16(b) | ||
147 | } | ||
148 | return h | ||
149 | } | ||
150 | |||
151 | func (pk *PrivateKey) Serialize(w io.Writer) (err error) { | ||
152 | // TODO(agl): support encrypted private keys | ||
153 | buf := bytes.NewBuffer(nil) | ||
154 | err = pk.PublicKey.serializeWithoutHeaders(buf) | ||
155 | if err != nil { | ||
156 | return | ||
157 | } | ||
158 | buf.WriteByte(0 /* no encryption */) | ||
159 | |||
160 | privateKeyBuf := bytes.NewBuffer(nil) | ||
161 | |||
162 | switch priv := pk.PrivateKey.(type) { | ||
163 | case *rsa.PrivateKey: | ||
164 | err = serializeRSAPrivateKey(privateKeyBuf, priv) | ||
165 | case *dsa.PrivateKey: | ||
166 | err = serializeDSAPrivateKey(privateKeyBuf, priv) | ||
167 | case *elgamal.PrivateKey: | ||
168 | err = serializeElGamalPrivateKey(privateKeyBuf, priv) | ||
169 | case *ecdsa.PrivateKey: | ||
170 | err = serializeECDSAPrivateKey(privateKeyBuf, priv) | ||
171 | default: | ||
172 | err = errors.InvalidArgumentError("unknown private key type") | ||
173 | } | ||
174 | if err != nil { | ||
175 | return | ||
176 | } | ||
177 | |||
178 | ptype := packetTypePrivateKey | ||
179 | contents := buf.Bytes() | ||
180 | privateKeyBytes := privateKeyBuf.Bytes() | ||
181 | if pk.IsSubkey { | ||
182 | ptype = packetTypePrivateSubkey | ||
183 | } | ||
184 | err = serializeHeader(w, ptype, len(contents)+len(privateKeyBytes)+2) | ||
185 | if err != nil { | ||
186 | return | ||
187 | } | ||
188 | _, err = w.Write(contents) | ||
189 | if err != nil { | ||
190 | return | ||
191 | } | ||
192 | _, err = w.Write(privateKeyBytes) | ||
193 | if err != nil { | ||
194 | return | ||
195 | } | ||
196 | |||
197 | checksum := mod64kHash(privateKeyBytes) | ||
198 | var checksumBytes [2]byte | ||
199 | checksumBytes[0] = byte(checksum >> 8) | ||
200 | checksumBytes[1] = byte(checksum) | ||
201 | _, err = w.Write(checksumBytes[:]) | ||
202 | |||
203 | return | ||
204 | } | ||
205 | |||
206 | func serializeRSAPrivateKey(w io.Writer, priv *rsa.PrivateKey) error { | ||
207 | err := writeBig(w, priv.D) | ||
208 | if err != nil { | ||
209 | return err | ||
210 | } | ||
211 | err = writeBig(w, priv.Primes[1]) | ||
212 | if err != nil { | ||
213 | return err | ||
214 | } | ||
215 | err = writeBig(w, priv.Primes[0]) | ||
216 | if err != nil { | ||
217 | return err | ||
218 | } | ||
219 | return writeBig(w, priv.Precomputed.Qinv) | ||
220 | } | ||
221 | |||
222 | func serializeDSAPrivateKey(w io.Writer, priv *dsa.PrivateKey) error { | ||
223 | return writeBig(w, priv.X) | ||
224 | } | ||
225 | |||
226 | func serializeElGamalPrivateKey(w io.Writer, priv *elgamal.PrivateKey) error { | ||
227 | return writeBig(w, priv.X) | ||
228 | } | ||
229 | |||
230 | func serializeECDSAPrivateKey(w io.Writer, priv *ecdsa.PrivateKey) error { | ||
231 | return writeBig(w, priv.D) | ||
232 | } | ||
233 | |||
234 | // Decrypt decrypts an encrypted private key using a passphrase. | ||
235 | func (pk *PrivateKey) Decrypt(passphrase []byte) error { | ||
236 | if !pk.Encrypted { | ||
237 | return nil | ||
238 | } | ||
239 | |||
240 | key := make([]byte, pk.cipher.KeySize()) | ||
241 | pk.s2k(key, passphrase) | ||
242 | block := pk.cipher.new(key) | ||
243 | cfb := cipher.NewCFBDecrypter(block, pk.iv) | ||
244 | |||
245 | data := make([]byte, len(pk.encryptedData)) | ||
246 | cfb.XORKeyStream(data, pk.encryptedData) | ||
247 | |||
248 | if pk.sha1Checksum { | ||
249 | if len(data) < sha1.Size { | ||
250 | return errors.StructuralError("truncated private key data") | ||
251 | } | ||
252 | h := sha1.New() | ||
253 | h.Write(data[:len(data)-sha1.Size]) | ||
254 | sum := h.Sum(nil) | ||
255 | if !bytes.Equal(sum, data[len(data)-sha1.Size:]) { | ||
256 | return errors.StructuralError("private key checksum failure") | ||
257 | } | ||
258 | data = data[:len(data)-sha1.Size] | ||
259 | } else { | ||
260 | if len(data) < 2 { | ||
261 | return errors.StructuralError("truncated private key data") | ||
262 | } | ||
263 | var sum uint16 | ||
264 | for i := 0; i < len(data)-2; i++ { | ||
265 | sum += uint16(data[i]) | ||
266 | } | ||
267 | if data[len(data)-2] != uint8(sum>>8) || | ||
268 | data[len(data)-1] != uint8(sum) { | ||
269 | return errors.StructuralError("private key checksum failure") | ||
270 | } | ||
271 | data = data[:len(data)-2] | ||
272 | } | ||
273 | |||
274 | return pk.parsePrivateKey(data) | ||
275 | } | ||
276 | |||
277 | func (pk *PrivateKey) parsePrivateKey(data []byte) (err error) { | ||
278 | switch pk.PublicKey.PubKeyAlgo { | ||
279 | case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly, PubKeyAlgoRSAEncryptOnly: | ||
280 | return pk.parseRSAPrivateKey(data) | ||
281 | case PubKeyAlgoDSA: | ||
282 | return pk.parseDSAPrivateKey(data) | ||
283 | case PubKeyAlgoElGamal: | ||
284 | return pk.parseElGamalPrivateKey(data) | ||
285 | case PubKeyAlgoECDSA: | ||
286 | return pk.parseECDSAPrivateKey(data) | ||
287 | } | ||
288 | panic("impossible") | ||
289 | } | ||
290 | |||
291 | func (pk *PrivateKey) parseRSAPrivateKey(data []byte) (err error) { | ||
292 | rsaPub := pk.PublicKey.PublicKey.(*rsa.PublicKey) | ||
293 | rsaPriv := new(rsa.PrivateKey) | ||
294 | rsaPriv.PublicKey = *rsaPub | ||
295 | |||
296 | buf := bytes.NewBuffer(data) | ||
297 | d, _, err := readMPI(buf) | ||
298 | if err != nil { | ||
299 | return | ||
300 | } | ||
301 | p, _, err := readMPI(buf) | ||
302 | if err != nil { | ||
303 | return | ||
304 | } | ||
305 | q, _, err := readMPI(buf) | ||
306 | if err != nil { | ||
307 | return | ||
308 | } | ||
309 | |||
310 | rsaPriv.D = new(big.Int).SetBytes(d) | ||
311 | rsaPriv.Primes = make([]*big.Int, 2) | ||
312 | rsaPriv.Primes[0] = new(big.Int).SetBytes(p) | ||
313 | rsaPriv.Primes[1] = new(big.Int).SetBytes(q) | ||
314 | if err := rsaPriv.Validate(); err != nil { | ||
315 | return err | ||
316 | } | ||
317 | rsaPriv.Precompute() | ||
318 | pk.PrivateKey = rsaPriv | ||
319 | pk.Encrypted = false | ||
320 | pk.encryptedData = nil | ||
321 | |||
322 | return nil | ||
323 | } | ||
324 | |||
325 | func (pk *PrivateKey) parseDSAPrivateKey(data []byte) (err error) { | ||
326 | dsaPub := pk.PublicKey.PublicKey.(*dsa.PublicKey) | ||
327 | dsaPriv := new(dsa.PrivateKey) | ||
328 | dsaPriv.PublicKey = *dsaPub | ||
329 | |||
330 | buf := bytes.NewBuffer(data) | ||
331 | x, _, err := readMPI(buf) | ||
332 | if err != nil { | ||
333 | return | ||
334 | } | ||
335 | |||
336 | dsaPriv.X = new(big.Int).SetBytes(x) | ||
337 | pk.PrivateKey = dsaPriv | ||
338 | pk.Encrypted = false | ||
339 | pk.encryptedData = nil | ||
340 | |||
341 | return nil | ||
342 | } | ||
343 | |||
344 | func (pk *PrivateKey) parseElGamalPrivateKey(data []byte) (err error) { | ||
345 | pub := pk.PublicKey.PublicKey.(*elgamal.PublicKey) | ||
346 | priv := new(elgamal.PrivateKey) | ||
347 | priv.PublicKey = *pub | ||
348 | |||
349 | buf := bytes.NewBuffer(data) | ||
350 | x, _, err := readMPI(buf) | ||
351 | if err != nil { | ||
352 | return | ||
353 | } | ||
354 | |||
355 | priv.X = new(big.Int).SetBytes(x) | ||
356 | pk.PrivateKey = priv | ||
357 | pk.Encrypted = false | ||
358 | pk.encryptedData = nil | ||
359 | |||
360 | return nil | ||
361 | } | ||
362 | |||
363 | func (pk *PrivateKey) parseECDSAPrivateKey(data []byte) (err error) { | ||
364 | ecdsaPub := pk.PublicKey.PublicKey.(*ecdsa.PublicKey) | ||
365 | |||
366 | buf := bytes.NewBuffer(data) | ||
367 | d, _, err := readMPI(buf) | ||
368 | if err != nil { | ||
369 | return | ||
370 | } | ||
371 | |||
372 | pk.PrivateKey = &ecdsa.PrivateKey{ | ||
373 | PublicKey: *ecdsaPub, | ||
374 | D: new(big.Int).SetBytes(d), | ||
375 | } | ||
376 | pk.Encrypted = false | ||
377 | pk.encryptedData = nil | ||
378 | |||
379 | return nil | ||
380 | } | ||
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/public_key.go b/vendor/golang.org/x/crypto/openpgp/packet/public_key.go new file mode 100644 index 0000000..ead2623 --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/packet/public_key.go | |||
@@ -0,0 +1,748 @@ | |||
1 | // Copyright 2011 The Go Authors. All rights reserved. | ||
2 | // Use of this source code is governed by a BSD-style | ||
3 | // license that can be found in the LICENSE file. | ||
4 | |||
5 | package packet | ||
6 | |||
7 | import ( | ||
8 | "bytes" | ||
9 | "crypto" | ||
10 | "crypto/dsa" | ||
11 | "crypto/ecdsa" | ||
12 | "crypto/elliptic" | ||
13 | "crypto/rsa" | ||
14 | "crypto/sha1" | ||
15 | _ "crypto/sha256" | ||
16 | _ "crypto/sha512" | ||
17 | "encoding/binary" | ||
18 | "fmt" | ||
19 | "hash" | ||
20 | "io" | ||
21 | "math/big" | ||
22 | "strconv" | ||
23 | "time" | ||
24 | |||
25 | "golang.org/x/crypto/openpgp/elgamal" | ||
26 | "golang.org/x/crypto/openpgp/errors" | ||
27 | ) | ||
28 | |||
29 | var ( | ||
30 | // NIST curve P-256 | ||
31 | oidCurveP256 []byte = []byte{0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07} | ||
32 | // NIST curve P-384 | ||
33 | oidCurveP384 []byte = []byte{0x2B, 0x81, 0x04, 0x00, 0x22} | ||
34 | // NIST curve P-521 | ||
35 | oidCurveP521 []byte = []byte{0x2B, 0x81, 0x04, 0x00, 0x23} | ||
36 | ) | ||
37 | |||
38 | const maxOIDLength = 8 | ||
39 | |||
40 | // ecdsaKey stores the algorithm-specific fields for ECDSA keys. | ||
41 | // as defined in RFC 6637, Section 9. | ||
42 | type ecdsaKey struct { | ||
43 | // oid contains the OID byte sequence identifying the elliptic curve used | ||
44 | oid []byte | ||
45 | // p contains the elliptic curve point that represents the public key | ||
46 | p parsedMPI | ||
47 | } | ||
48 | |||
49 | // parseOID reads the OID for the curve as defined in RFC 6637, Section 9. | ||
50 | func parseOID(r io.Reader) (oid []byte, err error) { | ||
51 | buf := make([]byte, maxOIDLength) | ||
52 | if _, err = readFull(r, buf[:1]); err != nil { | ||
53 | return | ||
54 | } | ||
55 | oidLen := buf[0] | ||
56 | if int(oidLen) > len(buf) { | ||
57 | err = errors.UnsupportedError("invalid oid length: " + strconv.Itoa(int(oidLen))) | ||
58 | return | ||
59 | } | ||
60 | oid = buf[:oidLen] | ||
61 | _, err = readFull(r, oid) | ||
62 | return | ||
63 | } | ||
64 | |||
65 | func (f *ecdsaKey) parse(r io.Reader) (err error) { | ||
66 | if f.oid, err = parseOID(r); err != nil { | ||
67 | return err | ||
68 | } | ||
69 | f.p.bytes, f.p.bitLength, err = readMPI(r) | ||
70 | return | ||
71 | } | ||
72 | |||
73 | func (f *ecdsaKey) serialize(w io.Writer) (err error) { | ||
74 | buf := make([]byte, maxOIDLength+1) | ||
75 | buf[0] = byte(len(f.oid)) | ||
76 | copy(buf[1:], f.oid) | ||
77 | if _, err = w.Write(buf[:len(f.oid)+1]); err != nil { | ||
78 | return | ||
79 | } | ||
80 | return writeMPIs(w, f.p) | ||
81 | } | ||
82 | |||
83 | func (f *ecdsaKey) newECDSA() (*ecdsa.PublicKey, error) { | ||
84 | var c elliptic.Curve | ||
85 | if bytes.Equal(f.oid, oidCurveP256) { | ||
86 | c = elliptic.P256() | ||
87 | } else if bytes.Equal(f.oid, oidCurveP384) { | ||
88 | c = elliptic.P384() | ||
89 | } else if bytes.Equal(f.oid, oidCurveP521) { | ||
90 | c = elliptic.P521() | ||
91 | } else { | ||
92 | return nil, errors.UnsupportedError(fmt.Sprintf("unsupported oid: %x", f.oid)) | ||
93 | } | ||
94 | x, y := elliptic.Unmarshal(c, f.p.bytes) | ||
95 | if x == nil { | ||
96 | return nil, errors.UnsupportedError("failed to parse EC point") | ||
97 | } | ||
98 | return &ecdsa.PublicKey{Curve: c, X: x, Y: y}, nil | ||
99 | } | ||
100 | |||
101 | func (f *ecdsaKey) byteLen() int { | ||
102 | return 1 + len(f.oid) + 2 + len(f.p.bytes) | ||
103 | } | ||
104 | |||
105 | type kdfHashFunction byte | ||
106 | type kdfAlgorithm byte | ||
107 | |||
108 | // ecdhKdf stores key derivation function parameters | ||
109 | // used for ECDH encryption. See RFC 6637, Section 9. | ||
110 | type ecdhKdf struct { | ||
111 | KdfHash kdfHashFunction | ||
112 | KdfAlgo kdfAlgorithm | ||
113 | } | ||
114 | |||
115 | func (f *ecdhKdf) parse(r io.Reader) (err error) { | ||
116 | buf := make([]byte, 1) | ||
117 | if _, err = readFull(r, buf); err != nil { | ||
118 | return | ||
119 | } | ||
120 | kdfLen := int(buf[0]) | ||
121 | if kdfLen < 3 { | ||
122 | return errors.UnsupportedError("Unsupported ECDH KDF length: " + strconv.Itoa(kdfLen)) | ||
123 | } | ||
124 | buf = make([]byte, kdfLen) | ||
125 | if _, err = readFull(r, buf); err != nil { | ||
126 | return | ||
127 | } | ||
128 | reserved := int(buf[0]) | ||
129 | f.KdfHash = kdfHashFunction(buf[1]) | ||
130 | f.KdfAlgo = kdfAlgorithm(buf[2]) | ||
131 | if reserved != 0x01 { | ||
132 | return errors.UnsupportedError("Unsupported KDF reserved field: " + strconv.Itoa(reserved)) | ||
133 | } | ||
134 | return | ||
135 | } | ||
136 | |||
137 | func (f *ecdhKdf) serialize(w io.Writer) (err error) { | ||
138 | buf := make([]byte, 4) | ||
139 | // See RFC 6637, Section 9, Algorithm-Specific Fields for ECDH keys. | ||
140 | buf[0] = byte(0x03) // Length of the following fields | ||
141 | buf[1] = byte(0x01) // Reserved for future extensions, must be 1 for now | ||
142 | buf[2] = byte(f.KdfHash) | ||
143 | buf[3] = byte(f.KdfAlgo) | ||
144 | _, err = w.Write(buf[:]) | ||
145 | return | ||
146 | } | ||
147 | |||
148 | func (f *ecdhKdf) byteLen() int { | ||
149 | return 4 | ||
150 | } | ||
151 | |||
152 | // PublicKey represents an OpenPGP public key. See RFC 4880, section 5.5.2. | ||
153 | type PublicKey struct { | ||
154 | CreationTime time.Time | ||
155 | PubKeyAlgo PublicKeyAlgorithm | ||
156 | PublicKey interface{} // *rsa.PublicKey, *dsa.PublicKey or *ecdsa.PublicKey | ||
157 | Fingerprint [20]byte | ||
158 | KeyId uint64 | ||
159 | IsSubkey bool | ||
160 | |||
161 | n, e, p, q, g, y parsedMPI | ||
162 | |||
163 | // RFC 6637 fields | ||
164 | ec *ecdsaKey | ||
165 | ecdh *ecdhKdf | ||
166 | } | ||
167 | |||
168 | // signingKey provides a convenient abstraction over signature verification | ||
169 | // for v3 and v4 public keys. | ||
170 | type signingKey interface { | ||
171 | SerializeSignaturePrefix(io.Writer) | ||
172 | serializeWithoutHeaders(io.Writer) error | ||
173 | } | ||
174 | |||
175 | func fromBig(n *big.Int) parsedMPI { | ||
176 | return parsedMPI{ | ||
177 | bytes: n.Bytes(), | ||
178 | bitLength: uint16(n.BitLen()), | ||
179 | } | ||
180 | } | ||
181 | |||
182 | // NewRSAPublicKey returns a PublicKey that wraps the given rsa.PublicKey. | ||
183 | func NewRSAPublicKey(creationTime time.Time, pub *rsa.PublicKey) *PublicKey { | ||
184 | pk := &PublicKey{ | ||
185 | CreationTime: creationTime, | ||
186 | PubKeyAlgo: PubKeyAlgoRSA, | ||
187 | PublicKey: pub, | ||
188 | n: fromBig(pub.N), | ||
189 | e: fromBig(big.NewInt(int64(pub.E))), | ||
190 | } | ||
191 | |||
192 | pk.setFingerPrintAndKeyId() | ||
193 | return pk | ||
194 | } | ||
195 | |||
196 | // NewDSAPublicKey returns a PublicKey that wraps the given dsa.PublicKey. | ||
197 | func NewDSAPublicKey(creationTime time.Time, pub *dsa.PublicKey) *PublicKey { | ||
198 | pk := &PublicKey{ | ||
199 | CreationTime: creationTime, | ||
200 | PubKeyAlgo: PubKeyAlgoDSA, | ||
201 | PublicKey: pub, | ||
202 | p: fromBig(pub.P), | ||
203 | q: fromBig(pub.Q), | ||
204 | g: fromBig(pub.G), | ||
205 | y: fromBig(pub.Y), | ||
206 | } | ||
207 | |||
208 | pk.setFingerPrintAndKeyId() | ||
209 | return pk | ||
210 | } | ||
211 | |||
212 | // NewElGamalPublicKey returns a PublicKey that wraps the given elgamal.PublicKey. | ||
213 | func NewElGamalPublicKey(creationTime time.Time, pub *elgamal.PublicKey) *PublicKey { | ||
214 | pk := &PublicKey{ | ||
215 | CreationTime: creationTime, | ||
216 | PubKeyAlgo: PubKeyAlgoElGamal, | ||
217 | PublicKey: pub, | ||
218 | p: fromBig(pub.P), | ||
219 | g: fromBig(pub.G), | ||
220 | y: fromBig(pub.Y), | ||
221 | } | ||
222 | |||
223 | pk.setFingerPrintAndKeyId() | ||
224 | return pk | ||
225 | } | ||
226 | |||
227 | func NewECDSAPublicKey(creationTime time.Time, pub *ecdsa.PublicKey) *PublicKey { | ||
228 | pk := &PublicKey{ | ||
229 | CreationTime: creationTime, | ||
230 | PubKeyAlgo: PubKeyAlgoECDSA, | ||
231 | PublicKey: pub, | ||
232 | ec: new(ecdsaKey), | ||
233 | } | ||
234 | |||
235 | switch pub.Curve { | ||
236 | case elliptic.P256(): | ||
237 | pk.ec.oid = oidCurveP256 | ||
238 | case elliptic.P384(): | ||
239 | pk.ec.oid = oidCurveP384 | ||
240 | case elliptic.P521(): | ||
241 | pk.ec.oid = oidCurveP521 | ||
242 | default: | ||
243 | panic("unknown elliptic curve") | ||
244 | } | ||
245 | |||
246 | pk.ec.p.bytes = elliptic.Marshal(pub.Curve, pub.X, pub.Y) | ||
247 | pk.ec.p.bitLength = uint16(8 * len(pk.ec.p.bytes)) | ||
248 | |||
249 | pk.setFingerPrintAndKeyId() | ||
250 | return pk | ||
251 | } | ||
252 | |||
253 | func (pk *PublicKey) parse(r io.Reader) (err error) { | ||
254 | // RFC 4880, section 5.5.2 | ||
255 | var buf [6]byte | ||
256 | _, err = readFull(r, buf[:]) | ||
257 | if err != nil { | ||
258 | return | ||
259 | } | ||
260 | if buf[0] != 4 { | ||
261 | return errors.UnsupportedError("public key version") | ||
262 | } | ||
263 | pk.CreationTime = time.Unix(int64(uint32(buf[1])<<24|uint32(buf[2])<<16|uint32(buf[3])<<8|uint32(buf[4])), 0) | ||
264 | pk.PubKeyAlgo = PublicKeyAlgorithm(buf[5]) | ||
265 | switch pk.PubKeyAlgo { | ||
266 | case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly: | ||
267 | err = pk.parseRSA(r) | ||
268 | case PubKeyAlgoDSA: | ||
269 | err = pk.parseDSA(r) | ||
270 | case PubKeyAlgoElGamal: | ||
271 | err = pk.parseElGamal(r) | ||
272 | case PubKeyAlgoECDSA: | ||
273 | pk.ec = new(ecdsaKey) | ||
274 | if err = pk.ec.parse(r); err != nil { | ||
275 | return err | ||
276 | } | ||
277 | pk.PublicKey, err = pk.ec.newECDSA() | ||
278 | case PubKeyAlgoECDH: | ||
279 | pk.ec = new(ecdsaKey) | ||
280 | if err = pk.ec.parse(r); err != nil { | ||
281 | return | ||
282 | } | ||
283 | pk.ecdh = new(ecdhKdf) | ||
284 | if err = pk.ecdh.parse(r); err != nil { | ||
285 | return | ||
286 | } | ||
287 | // The ECDH key is stored in an ecdsa.PublicKey for convenience. | ||
288 | pk.PublicKey, err = pk.ec.newECDSA() | ||
289 | default: | ||
290 | err = errors.UnsupportedError("public key type: " + strconv.Itoa(int(pk.PubKeyAlgo))) | ||
291 | } | ||
292 | if err != nil { | ||
293 | return | ||
294 | } | ||
295 | |||
296 | pk.setFingerPrintAndKeyId() | ||
297 | return | ||
298 | } | ||
299 | |||
300 | func (pk *PublicKey) setFingerPrintAndKeyId() { | ||
301 | // RFC 4880, section 12.2 | ||
302 | fingerPrint := sha1.New() | ||
303 | pk.SerializeSignaturePrefix(fingerPrint) | ||
304 | pk.serializeWithoutHeaders(fingerPrint) | ||
305 | copy(pk.Fingerprint[:], fingerPrint.Sum(nil)) | ||
306 | pk.KeyId = binary.BigEndian.Uint64(pk.Fingerprint[12:20]) | ||
307 | } | ||
308 | |||
309 | // parseRSA parses RSA public key material from the given Reader. See RFC 4880, | ||
310 | // section 5.5.2. | ||
311 | func (pk *PublicKey) parseRSA(r io.Reader) (err error) { | ||
312 | pk.n.bytes, pk.n.bitLength, err = readMPI(r) | ||
313 | if err != nil { | ||
314 | return | ||
315 | } | ||
316 | pk.e.bytes, pk.e.bitLength, err = readMPI(r) | ||
317 | if err != nil { | ||
318 | return | ||
319 | } | ||
320 | |||
321 | if len(pk.e.bytes) > 3 { | ||
322 | err = errors.UnsupportedError("large public exponent") | ||
323 | return | ||
324 | } | ||
325 | rsa := &rsa.PublicKey{ | ||
326 | N: new(big.Int).SetBytes(pk.n.bytes), | ||
327 | E: 0, | ||
328 | } | ||
329 | for i := 0; i < len(pk.e.bytes); i++ { | ||
330 | rsa.E <<= 8 | ||
331 | rsa.E |= int(pk.e.bytes[i]) | ||
332 | } | ||
333 | pk.PublicKey = rsa | ||
334 | return | ||
335 | } | ||
336 | |||
337 | // parseDSA parses DSA public key material from the given Reader. See RFC 4880, | ||
338 | // section 5.5.2. | ||
339 | func (pk *PublicKey) parseDSA(r io.Reader) (err error) { | ||
340 | pk.p.bytes, pk.p.bitLength, err = readMPI(r) | ||
341 | if err != nil { | ||
342 | return | ||
343 | } | ||
344 | pk.q.bytes, pk.q.bitLength, err = readMPI(r) | ||
345 | if err != nil { | ||
346 | return | ||
347 | } | ||
348 | pk.g.bytes, pk.g.bitLength, err = readMPI(r) | ||
349 | if err != nil { | ||
350 | return | ||
351 | } | ||
352 | pk.y.bytes, pk.y.bitLength, err = readMPI(r) | ||
353 | if err != nil { | ||
354 | return | ||
355 | } | ||
356 | |||
357 | dsa := new(dsa.PublicKey) | ||
358 | dsa.P = new(big.Int).SetBytes(pk.p.bytes) | ||
359 | dsa.Q = new(big.Int).SetBytes(pk.q.bytes) | ||
360 | dsa.G = new(big.Int).SetBytes(pk.g.bytes) | ||
361 | dsa.Y = new(big.Int).SetBytes(pk.y.bytes) | ||
362 | pk.PublicKey = dsa | ||
363 | return | ||
364 | } | ||
365 | |||
366 | // parseElGamal parses ElGamal public key material from the given Reader. See | ||
367 | // RFC 4880, section 5.5.2. | ||
368 | func (pk *PublicKey) parseElGamal(r io.Reader) (err error) { | ||
369 | pk.p.bytes, pk.p.bitLength, err = readMPI(r) | ||
370 | if err != nil { | ||
371 | return | ||
372 | } | ||
373 | pk.g.bytes, pk.g.bitLength, err = readMPI(r) | ||
374 | if err != nil { | ||
375 | return | ||
376 | } | ||
377 | pk.y.bytes, pk.y.bitLength, err = readMPI(r) | ||
378 | if err != nil { | ||
379 | return | ||
380 | } | ||
381 | |||
382 | elgamal := new(elgamal.PublicKey) | ||
383 | elgamal.P = new(big.Int).SetBytes(pk.p.bytes) | ||
384 | elgamal.G = new(big.Int).SetBytes(pk.g.bytes) | ||
385 | elgamal.Y = new(big.Int).SetBytes(pk.y.bytes) | ||
386 | pk.PublicKey = elgamal | ||
387 | return | ||
388 | } | ||
389 | |||
390 | // SerializeSignaturePrefix writes the prefix for this public key to the given Writer. | ||
391 | // The prefix is used when calculating a signature over this public key. See | ||
392 | // RFC 4880, section 5.2.4. | ||
393 | func (pk *PublicKey) SerializeSignaturePrefix(h io.Writer) { | ||
394 | var pLength uint16 | ||
395 | switch pk.PubKeyAlgo { | ||
396 | case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly: | ||
397 | pLength += 2 + uint16(len(pk.n.bytes)) | ||
398 | pLength += 2 + uint16(len(pk.e.bytes)) | ||
399 | case PubKeyAlgoDSA: | ||
400 | pLength += 2 + uint16(len(pk.p.bytes)) | ||
401 | pLength += 2 + uint16(len(pk.q.bytes)) | ||
402 | pLength += 2 + uint16(len(pk.g.bytes)) | ||
403 | pLength += 2 + uint16(len(pk.y.bytes)) | ||
404 | case PubKeyAlgoElGamal: | ||
405 | pLength += 2 + uint16(len(pk.p.bytes)) | ||
406 | pLength += 2 + uint16(len(pk.g.bytes)) | ||
407 | pLength += 2 + uint16(len(pk.y.bytes)) | ||
408 | case PubKeyAlgoECDSA: | ||
409 | pLength += uint16(pk.ec.byteLen()) | ||
410 | case PubKeyAlgoECDH: | ||
411 | pLength += uint16(pk.ec.byteLen()) | ||
412 | pLength += uint16(pk.ecdh.byteLen()) | ||
413 | default: | ||
414 | panic("unknown public key algorithm") | ||
415 | } | ||
416 | pLength += 6 | ||
417 | h.Write([]byte{0x99, byte(pLength >> 8), byte(pLength)}) | ||
418 | return | ||
419 | } | ||
420 | |||
421 | func (pk *PublicKey) Serialize(w io.Writer) (err error) { | ||
422 | length := 6 // 6 byte header | ||
423 | |||
424 | switch pk.PubKeyAlgo { | ||
425 | case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly: | ||
426 | length += 2 + len(pk.n.bytes) | ||
427 | length += 2 + len(pk.e.bytes) | ||
428 | case PubKeyAlgoDSA: | ||
429 | length += 2 + len(pk.p.bytes) | ||
430 | length += 2 + len(pk.q.bytes) | ||
431 | length += 2 + len(pk.g.bytes) | ||
432 | length += 2 + len(pk.y.bytes) | ||
433 | case PubKeyAlgoElGamal: | ||
434 | length += 2 + len(pk.p.bytes) | ||
435 | length += 2 + len(pk.g.bytes) | ||
436 | length += 2 + len(pk.y.bytes) | ||
437 | case PubKeyAlgoECDSA: | ||
438 | length += pk.ec.byteLen() | ||
439 | case PubKeyAlgoECDH: | ||
440 | length += pk.ec.byteLen() | ||
441 | length += pk.ecdh.byteLen() | ||
442 | default: | ||
443 | panic("unknown public key algorithm") | ||
444 | } | ||
445 | |||
446 | packetType := packetTypePublicKey | ||
447 | if pk.IsSubkey { | ||
448 | packetType = packetTypePublicSubkey | ||
449 | } | ||
450 | err = serializeHeader(w, packetType, length) | ||
451 | if err != nil { | ||
452 | return | ||
453 | } | ||
454 | return pk.serializeWithoutHeaders(w) | ||
455 | } | ||
456 | |||
457 | // serializeWithoutHeaders marshals the PublicKey to w in the form of an | ||
458 | // OpenPGP public key packet, not including the packet header. | ||
459 | func (pk *PublicKey) serializeWithoutHeaders(w io.Writer) (err error) { | ||
460 | var buf [6]byte | ||
461 | buf[0] = 4 | ||
462 | t := uint32(pk.CreationTime.Unix()) | ||
463 | buf[1] = byte(t >> 24) | ||
464 | buf[2] = byte(t >> 16) | ||
465 | buf[3] = byte(t >> 8) | ||
466 | buf[4] = byte(t) | ||
467 | buf[5] = byte(pk.PubKeyAlgo) | ||
468 | |||
469 | _, err = w.Write(buf[:]) | ||
470 | if err != nil { | ||
471 | return | ||
472 | } | ||
473 | |||
474 | switch pk.PubKeyAlgo { | ||
475 | case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly: | ||
476 | return writeMPIs(w, pk.n, pk.e) | ||
477 | case PubKeyAlgoDSA: | ||
478 | return writeMPIs(w, pk.p, pk.q, pk.g, pk.y) | ||
479 | case PubKeyAlgoElGamal: | ||
480 | return writeMPIs(w, pk.p, pk.g, pk.y) | ||
481 | case PubKeyAlgoECDSA: | ||
482 | return pk.ec.serialize(w) | ||
483 | case PubKeyAlgoECDH: | ||
484 | if err = pk.ec.serialize(w); err != nil { | ||
485 | return | ||
486 | } | ||
487 | return pk.ecdh.serialize(w) | ||
488 | } | ||
489 | return errors.InvalidArgumentError("bad public-key algorithm") | ||
490 | } | ||
491 | |||
492 | // CanSign returns true iff this public key can generate signatures | ||
493 | func (pk *PublicKey) CanSign() bool { | ||
494 | return pk.PubKeyAlgo != PubKeyAlgoRSAEncryptOnly && pk.PubKeyAlgo != PubKeyAlgoElGamal | ||
495 | } | ||
496 | |||
497 | // VerifySignature returns nil iff sig is a valid signature, made by this | ||
498 | // public key, of the data hashed into signed. signed is mutated by this call. | ||
499 | func (pk *PublicKey) VerifySignature(signed hash.Hash, sig *Signature) (err error) { | ||
500 | if !pk.CanSign() { | ||
501 | return errors.InvalidArgumentError("public key cannot generate signatures") | ||
502 | } | ||
503 | |||
504 | signed.Write(sig.HashSuffix) | ||
505 | hashBytes := signed.Sum(nil) | ||
506 | |||
507 | if hashBytes[0] != sig.HashTag[0] || hashBytes[1] != sig.HashTag[1] { | ||
508 | return errors.SignatureError("hash tag doesn't match") | ||
509 | } | ||
510 | |||
511 | if pk.PubKeyAlgo != sig.PubKeyAlgo { | ||
512 | return errors.InvalidArgumentError("public key and signature use different algorithms") | ||
513 | } | ||
514 | |||
515 | switch pk.PubKeyAlgo { | ||
516 | case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly: | ||
517 | rsaPublicKey, _ := pk.PublicKey.(*rsa.PublicKey) | ||
518 | err = rsa.VerifyPKCS1v15(rsaPublicKey, sig.Hash, hashBytes, sig.RSASignature.bytes) | ||
519 | if err != nil { | ||
520 | return errors.SignatureError("RSA verification failure") | ||
521 | } | ||
522 | return nil | ||
523 | case PubKeyAlgoDSA: | ||
524 | dsaPublicKey, _ := pk.PublicKey.(*dsa.PublicKey) | ||
525 | // Need to truncate hashBytes to match FIPS 186-3 section 4.6. | ||
526 | subgroupSize := (dsaPublicKey.Q.BitLen() + 7) / 8 | ||
527 | if len(hashBytes) > subgroupSize { | ||
528 | hashBytes = hashBytes[:subgroupSize] | ||
529 | } | ||
530 | if !dsa.Verify(dsaPublicKey, hashBytes, new(big.Int).SetBytes(sig.DSASigR.bytes), new(big.Int).SetBytes(sig.DSASigS.bytes)) { | ||
531 | return errors.SignatureError("DSA verification failure") | ||
532 | } | ||
533 | return nil | ||
534 | case PubKeyAlgoECDSA: | ||
535 | ecdsaPublicKey := pk.PublicKey.(*ecdsa.PublicKey) | ||
536 | if !ecdsa.Verify(ecdsaPublicKey, hashBytes, new(big.Int).SetBytes(sig.ECDSASigR.bytes), new(big.Int).SetBytes(sig.ECDSASigS.bytes)) { | ||
537 | return errors.SignatureError("ECDSA verification failure") | ||
538 | } | ||
539 | return nil | ||
540 | default: | ||
541 | return errors.SignatureError("Unsupported public key algorithm used in signature") | ||
542 | } | ||
543 | } | ||
544 | |||
545 | // VerifySignatureV3 returns nil iff sig is a valid signature, made by this | ||
546 | // public key, of the data hashed into signed. signed is mutated by this call. | ||
547 | func (pk *PublicKey) VerifySignatureV3(signed hash.Hash, sig *SignatureV3) (err error) { | ||
548 | if !pk.CanSign() { | ||
549 | return errors.InvalidArgumentError("public key cannot generate signatures") | ||
550 | } | ||
551 | |||
552 | suffix := make([]byte, 5) | ||
553 | suffix[0] = byte(sig.SigType) | ||
554 | binary.BigEndian.PutUint32(suffix[1:], uint32(sig.CreationTime.Unix())) | ||
555 | signed.Write(suffix) | ||
556 | hashBytes := signed.Sum(nil) | ||
557 | |||
558 | if hashBytes[0] != sig.HashTag[0] || hashBytes[1] != sig.HashTag[1] { | ||
559 | return errors.SignatureError("hash tag doesn't match") | ||
560 | } | ||
561 | |||
562 | if pk.PubKeyAlgo != sig.PubKeyAlgo { | ||
563 | return errors.InvalidArgumentError("public key and signature use different algorithms") | ||
564 | } | ||
565 | |||
566 | switch pk.PubKeyAlgo { | ||
567 | case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly: | ||
568 | rsaPublicKey := pk.PublicKey.(*rsa.PublicKey) | ||
569 | if err = rsa.VerifyPKCS1v15(rsaPublicKey, sig.Hash, hashBytes, sig.RSASignature.bytes); err != nil { | ||
570 | return errors.SignatureError("RSA verification failure") | ||
571 | } | ||
572 | return | ||
573 | case PubKeyAlgoDSA: | ||
574 | dsaPublicKey := pk.PublicKey.(*dsa.PublicKey) | ||
575 | // Need to truncate hashBytes to match FIPS 186-3 section 4.6. | ||
576 | subgroupSize := (dsaPublicKey.Q.BitLen() + 7) / 8 | ||
577 | if len(hashBytes) > subgroupSize { | ||
578 | hashBytes = hashBytes[:subgroupSize] | ||
579 | } | ||
580 | if !dsa.Verify(dsaPublicKey, hashBytes, new(big.Int).SetBytes(sig.DSASigR.bytes), new(big.Int).SetBytes(sig.DSASigS.bytes)) { | ||
581 | return errors.SignatureError("DSA verification failure") | ||
582 | } | ||
583 | return nil | ||
584 | default: | ||
585 | panic("shouldn't happen") | ||
586 | } | ||
587 | } | ||
588 | |||
589 | // keySignatureHash returns a Hash of the message that needs to be signed for | ||
590 | // pk to assert a subkey relationship to signed. | ||
591 | func keySignatureHash(pk, signed signingKey, hashFunc crypto.Hash) (h hash.Hash, err error) { | ||
592 | if !hashFunc.Available() { | ||
593 | return nil, errors.UnsupportedError("hash function") | ||
594 | } | ||
595 | h = hashFunc.New() | ||
596 | |||
597 | // RFC 4880, section 5.2.4 | ||
598 | pk.SerializeSignaturePrefix(h) | ||
599 | pk.serializeWithoutHeaders(h) | ||
600 | signed.SerializeSignaturePrefix(h) | ||
601 | signed.serializeWithoutHeaders(h) | ||
602 | return | ||
603 | } | ||
604 | |||
605 | // VerifyKeySignature returns nil iff sig is a valid signature, made by this | ||
606 | // public key, of signed. | ||
607 | func (pk *PublicKey) VerifyKeySignature(signed *PublicKey, sig *Signature) error { | ||
608 | h, err := keySignatureHash(pk, signed, sig.Hash) | ||
609 | if err != nil { | ||
610 | return err | ||
611 | } | ||
612 | if err = pk.VerifySignature(h, sig); err != nil { | ||
613 | return err | ||
614 | } | ||
615 | |||
616 | if sig.FlagSign { | ||
617 | // Signing subkeys must be cross-signed. See | ||
618 | // https://www.gnupg.org/faq/subkey-cross-certify.html. | ||
619 | if sig.EmbeddedSignature == nil { | ||
620 | return errors.StructuralError("signing subkey is missing cross-signature") | ||
621 | } | ||
622 | // Verify the cross-signature. This is calculated over the same | ||
623 | // data as the main signature, so we cannot just recursively | ||
624 | // call signed.VerifyKeySignature(...) | ||
625 | if h, err = keySignatureHash(pk, signed, sig.EmbeddedSignature.Hash); err != nil { | ||
626 | return errors.StructuralError("error while hashing for cross-signature: " + err.Error()) | ||
627 | } | ||
628 | if err := signed.VerifySignature(h, sig.EmbeddedSignature); err != nil { | ||
629 | return errors.StructuralError("error while verifying cross-signature: " + err.Error()) | ||
630 | } | ||
631 | } | ||
632 | |||
633 | return nil | ||
634 | } | ||
635 | |||
636 | func keyRevocationHash(pk signingKey, hashFunc crypto.Hash) (h hash.Hash, err error) { | ||
637 | if !hashFunc.Available() { | ||
638 | return nil, errors.UnsupportedError("hash function") | ||
639 | } | ||
640 | h = hashFunc.New() | ||
641 | |||
642 | // RFC 4880, section 5.2.4 | ||
643 | pk.SerializeSignaturePrefix(h) | ||
644 | pk.serializeWithoutHeaders(h) | ||
645 | |||
646 | return | ||
647 | } | ||
648 | |||
649 | // VerifyRevocationSignature returns nil iff sig is a valid signature, made by this | ||
650 | // public key. | ||
651 | func (pk *PublicKey) VerifyRevocationSignature(sig *Signature) (err error) { | ||
652 | h, err := keyRevocationHash(pk, sig.Hash) | ||
653 | if err != nil { | ||
654 | return err | ||
655 | } | ||
656 | return pk.VerifySignature(h, sig) | ||
657 | } | ||
658 | |||
659 | // userIdSignatureHash returns a Hash of the message that needs to be signed | ||
660 | // to assert that pk is a valid key for id. | ||
661 | func userIdSignatureHash(id string, pk *PublicKey, hashFunc crypto.Hash) (h hash.Hash, err error) { | ||
662 | if !hashFunc.Available() { | ||
663 | return nil, errors.UnsupportedError("hash function") | ||
664 | } | ||
665 | h = hashFunc.New() | ||
666 | |||
667 | // RFC 4880, section 5.2.4 | ||
668 | pk.SerializeSignaturePrefix(h) | ||
669 | pk.serializeWithoutHeaders(h) | ||
670 | |||
671 | var buf [5]byte | ||
672 | buf[0] = 0xb4 | ||
673 | buf[1] = byte(len(id) >> 24) | ||
674 | buf[2] = byte(len(id) >> 16) | ||
675 | buf[3] = byte(len(id) >> 8) | ||
676 | buf[4] = byte(len(id)) | ||
677 | h.Write(buf[:]) | ||
678 | h.Write([]byte(id)) | ||
679 | |||
680 | return | ||
681 | } | ||
682 | |||
683 | // VerifyUserIdSignature returns nil iff sig is a valid signature, made by this | ||
684 | // public key, that id is the identity of pub. | ||
685 | func (pk *PublicKey) VerifyUserIdSignature(id string, pub *PublicKey, sig *Signature) (err error) { | ||
686 | h, err := userIdSignatureHash(id, pub, sig.Hash) | ||
687 | if err != nil { | ||
688 | return err | ||
689 | } | ||
690 | return pk.VerifySignature(h, sig) | ||
691 | } | ||
692 | |||
693 | // VerifyUserIdSignatureV3 returns nil iff sig is a valid signature, made by this | ||
694 | // public key, that id is the identity of pub. | ||
695 | func (pk *PublicKey) VerifyUserIdSignatureV3(id string, pub *PublicKey, sig *SignatureV3) (err error) { | ||
696 | h, err := userIdSignatureV3Hash(id, pub, sig.Hash) | ||
697 | if err != nil { | ||
698 | return err | ||
699 | } | ||
700 | return pk.VerifySignatureV3(h, sig) | ||
701 | } | ||
702 | |||
703 | // KeyIdString returns the public key's fingerprint in capital hex | ||
704 | // (e.g. "6C7EE1B8621CC013"). | ||
705 | func (pk *PublicKey) KeyIdString() string { | ||
706 | return fmt.Sprintf("%X", pk.Fingerprint[12:20]) | ||
707 | } | ||
708 | |||
709 | // KeyIdShortString returns the short form of public key's fingerprint | ||
710 | // in capital hex, as shown by gpg --list-keys (e.g. "621CC013"). | ||
711 | func (pk *PublicKey) KeyIdShortString() string { | ||
712 | return fmt.Sprintf("%X", pk.Fingerprint[16:20]) | ||
713 | } | ||
714 | |||
715 | // A parsedMPI is used to store the contents of a big integer, along with the | ||
716 | // bit length that was specified in the original input. This allows the MPI to | ||
717 | // be reserialized exactly. | ||
718 | type parsedMPI struct { | ||
719 | bytes []byte | ||
720 | bitLength uint16 | ||
721 | } | ||
722 | |||
723 | // writeMPIs is a utility function for serializing several big integers to the | ||
724 | // given Writer. | ||
725 | func writeMPIs(w io.Writer, mpis ...parsedMPI) (err error) { | ||
726 | for _, mpi := range mpis { | ||
727 | err = writeMPI(w, mpi.bitLength, mpi.bytes) | ||
728 | if err != nil { | ||
729 | return | ||
730 | } | ||
731 | } | ||
732 | return | ||
733 | } | ||
734 | |||
735 | // BitLength returns the bit length for the given public key. | ||
736 | func (pk *PublicKey) BitLength() (bitLength uint16, err error) { | ||
737 | switch pk.PubKeyAlgo { | ||
738 | case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly: | ||
739 | bitLength = pk.n.bitLength | ||
740 | case PubKeyAlgoDSA: | ||
741 | bitLength = pk.p.bitLength | ||
742 | case PubKeyAlgoElGamal: | ||
743 | bitLength = pk.p.bitLength | ||
744 | default: | ||
745 | err = errors.InvalidArgumentError("bad public-key algorithm") | ||
746 | } | ||
747 | return | ||
748 | } | ||
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/public_key_v3.go b/vendor/golang.org/x/crypto/openpgp/packet/public_key_v3.go new file mode 100644 index 0000000..5daf7b6 --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/packet/public_key_v3.go | |||
@@ -0,0 +1,279 @@ | |||
1 | // Copyright 2013 The Go Authors. All rights reserved. | ||
2 | // Use of this source code is governed by a BSD-style | ||
3 | // license that can be found in the LICENSE file. | ||
4 | |||
5 | package packet | ||
6 | |||
7 | import ( | ||
8 | "crypto" | ||
9 | "crypto/md5" | ||
10 | "crypto/rsa" | ||
11 | "encoding/binary" | ||
12 | "fmt" | ||
13 | "hash" | ||
14 | "io" | ||
15 | "math/big" | ||
16 | "strconv" | ||
17 | "time" | ||
18 | |||
19 | "golang.org/x/crypto/openpgp/errors" | ||
20 | ) | ||
21 | |||
22 | // PublicKeyV3 represents older, version 3 public keys. These keys are less secure and | ||
23 | // should not be used for signing or encrypting. They are supported here only for | ||
24 | // parsing version 3 key material and validating signatures. | ||
25 | // See RFC 4880, section 5.5.2. | ||
26 | type PublicKeyV3 struct { | ||
27 | CreationTime time.Time | ||
28 | DaysToExpire uint16 | ||
29 | PubKeyAlgo PublicKeyAlgorithm | ||
30 | PublicKey *rsa.PublicKey | ||
31 | Fingerprint [16]byte | ||
32 | KeyId uint64 | ||
33 | IsSubkey bool | ||
34 | |||
35 | n, e parsedMPI | ||
36 | } | ||
37 | |||
38 | // newRSAPublicKeyV3 returns a PublicKey that wraps the given rsa.PublicKey. | ||
39 | // Included here for testing purposes only. RFC 4880, section 5.5.2: | ||
40 | // "an implementation MUST NOT generate a V3 key, but MAY accept it." | ||
41 | func newRSAPublicKeyV3(creationTime time.Time, pub *rsa.PublicKey) *PublicKeyV3 { | ||
42 | pk := &PublicKeyV3{ | ||
43 | CreationTime: creationTime, | ||
44 | PublicKey: pub, | ||
45 | n: fromBig(pub.N), | ||
46 | e: fromBig(big.NewInt(int64(pub.E))), | ||
47 | } | ||
48 | |||
49 | pk.setFingerPrintAndKeyId() | ||
50 | return pk | ||
51 | } | ||
52 | |||
53 | func (pk *PublicKeyV3) parse(r io.Reader) (err error) { | ||
54 | // RFC 4880, section 5.5.2 | ||
55 | var buf [8]byte | ||
56 | if _, err = readFull(r, buf[:]); err != nil { | ||
57 | return | ||
58 | } | ||
59 | if buf[0] < 2 || buf[0] > 3 { | ||
60 | return errors.UnsupportedError("public key version") | ||
61 | } | ||
62 | pk.CreationTime = time.Unix(int64(uint32(buf[1])<<24|uint32(buf[2])<<16|uint32(buf[3])<<8|uint32(buf[4])), 0) | ||
63 | pk.DaysToExpire = binary.BigEndian.Uint16(buf[5:7]) | ||
64 | pk.PubKeyAlgo = PublicKeyAlgorithm(buf[7]) | ||
65 | switch pk.PubKeyAlgo { | ||
66 | case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly: | ||
67 | err = pk.parseRSA(r) | ||
68 | default: | ||
69 | err = errors.UnsupportedError("public key type: " + strconv.Itoa(int(pk.PubKeyAlgo))) | ||
70 | } | ||
71 | if err != nil { | ||
72 | return | ||
73 | } | ||
74 | |||
75 | pk.setFingerPrintAndKeyId() | ||
76 | return | ||
77 | } | ||
78 | |||
79 | func (pk *PublicKeyV3) setFingerPrintAndKeyId() { | ||
80 | // RFC 4880, section 12.2 | ||
81 | fingerPrint := md5.New() | ||
82 | fingerPrint.Write(pk.n.bytes) | ||
83 | fingerPrint.Write(pk.e.bytes) | ||
84 | fingerPrint.Sum(pk.Fingerprint[:0]) | ||
85 | pk.KeyId = binary.BigEndian.Uint64(pk.n.bytes[len(pk.n.bytes)-8:]) | ||
86 | } | ||
87 | |||
88 | // parseRSA parses RSA public key material from the given Reader. See RFC 4880, | ||
89 | // section 5.5.2. | ||
90 | func (pk *PublicKeyV3) parseRSA(r io.Reader) (err error) { | ||
91 | if pk.n.bytes, pk.n.bitLength, err = readMPI(r); err != nil { | ||
92 | return | ||
93 | } | ||
94 | if pk.e.bytes, pk.e.bitLength, err = readMPI(r); err != nil { | ||
95 | return | ||
96 | } | ||
97 | |||
98 | // RFC 4880 Section 12.2 requires the low 8 bytes of the | ||
99 | // modulus to form the key id. | ||
100 | if len(pk.n.bytes) < 8 { | ||
101 | return errors.StructuralError("v3 public key modulus is too short") | ||
102 | } | ||
103 | if len(pk.e.bytes) > 3 { | ||
104 | err = errors.UnsupportedError("large public exponent") | ||
105 | return | ||
106 | } | ||
107 | rsa := &rsa.PublicKey{N: new(big.Int).SetBytes(pk.n.bytes)} | ||
108 | for i := 0; i < len(pk.e.bytes); i++ { | ||
109 | rsa.E <<= 8 | ||
110 | rsa.E |= int(pk.e.bytes[i]) | ||
111 | } | ||
112 | pk.PublicKey = rsa | ||
113 | return | ||
114 | } | ||
115 | |||
116 | // SerializeSignaturePrefix writes the prefix for this public key to the given Writer. | ||
117 | // The prefix is used when calculating a signature over this public key. See | ||
118 | // RFC 4880, section 5.2.4. | ||
119 | func (pk *PublicKeyV3) SerializeSignaturePrefix(w io.Writer) { | ||
120 | var pLength uint16 | ||
121 | switch pk.PubKeyAlgo { | ||
122 | case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly: | ||
123 | pLength += 2 + uint16(len(pk.n.bytes)) | ||
124 | pLength += 2 + uint16(len(pk.e.bytes)) | ||
125 | default: | ||
126 | panic("unknown public key algorithm") | ||
127 | } | ||
128 | pLength += 6 | ||
129 | w.Write([]byte{0x99, byte(pLength >> 8), byte(pLength)}) | ||
130 | return | ||
131 | } | ||
132 | |||
133 | func (pk *PublicKeyV3) Serialize(w io.Writer) (err error) { | ||
134 | length := 8 // 8 byte header | ||
135 | |||
136 | switch pk.PubKeyAlgo { | ||
137 | case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly: | ||
138 | length += 2 + len(pk.n.bytes) | ||
139 | length += 2 + len(pk.e.bytes) | ||
140 | default: | ||
141 | panic("unknown public key algorithm") | ||
142 | } | ||
143 | |||
144 | packetType := packetTypePublicKey | ||
145 | if pk.IsSubkey { | ||
146 | packetType = packetTypePublicSubkey | ||
147 | } | ||
148 | if err = serializeHeader(w, packetType, length); err != nil { | ||
149 | return | ||
150 | } | ||
151 | return pk.serializeWithoutHeaders(w) | ||
152 | } | ||
153 | |||
154 | // serializeWithoutHeaders marshals the PublicKey to w in the form of an | ||
155 | // OpenPGP public key packet, not including the packet header. | ||
156 | func (pk *PublicKeyV3) serializeWithoutHeaders(w io.Writer) (err error) { | ||
157 | var buf [8]byte | ||
158 | // Version 3 | ||
159 | buf[0] = 3 | ||
160 | // Creation time | ||
161 | t := uint32(pk.CreationTime.Unix()) | ||
162 | buf[1] = byte(t >> 24) | ||
163 | buf[2] = byte(t >> 16) | ||
164 | buf[3] = byte(t >> 8) | ||
165 | buf[4] = byte(t) | ||
166 | // Days to expire | ||
167 | buf[5] = byte(pk.DaysToExpire >> 8) | ||
168 | buf[6] = byte(pk.DaysToExpire) | ||
169 | // Public key algorithm | ||
170 | buf[7] = byte(pk.PubKeyAlgo) | ||
171 | |||
172 | if _, err = w.Write(buf[:]); err != nil { | ||
173 | return | ||
174 | } | ||
175 | |||
176 | switch pk.PubKeyAlgo { | ||
177 | case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly: | ||
178 | return writeMPIs(w, pk.n, pk.e) | ||
179 | } | ||
180 | return errors.InvalidArgumentError("bad public-key algorithm") | ||
181 | } | ||
182 | |||
183 | // CanSign returns true iff this public key can generate signatures | ||
184 | func (pk *PublicKeyV3) CanSign() bool { | ||
185 | return pk.PubKeyAlgo != PubKeyAlgoRSAEncryptOnly | ||
186 | } | ||
187 | |||
188 | // VerifySignatureV3 returns nil iff sig is a valid signature, made by this | ||
189 | // public key, of the data hashed into signed. signed is mutated by this call. | ||
190 | func (pk *PublicKeyV3) VerifySignatureV3(signed hash.Hash, sig *SignatureV3) (err error) { | ||
191 | if !pk.CanSign() { | ||
192 | return errors.InvalidArgumentError("public key cannot generate signatures") | ||
193 | } | ||
194 | |||
195 | suffix := make([]byte, 5) | ||
196 | suffix[0] = byte(sig.SigType) | ||
197 | binary.BigEndian.PutUint32(suffix[1:], uint32(sig.CreationTime.Unix())) | ||
198 | signed.Write(suffix) | ||
199 | hashBytes := signed.Sum(nil) | ||
200 | |||
201 | if hashBytes[0] != sig.HashTag[0] || hashBytes[1] != sig.HashTag[1] { | ||
202 | return errors.SignatureError("hash tag doesn't match") | ||
203 | } | ||
204 | |||
205 | if pk.PubKeyAlgo != sig.PubKeyAlgo { | ||
206 | return errors.InvalidArgumentError("public key and signature use different algorithms") | ||
207 | } | ||
208 | |||
209 | switch pk.PubKeyAlgo { | ||
210 | case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly: | ||
211 | if err = rsa.VerifyPKCS1v15(pk.PublicKey, sig.Hash, hashBytes, sig.RSASignature.bytes); err != nil { | ||
212 | return errors.SignatureError("RSA verification failure") | ||
213 | } | ||
214 | return | ||
215 | default: | ||
216 | // V3 public keys only support RSA. | ||
217 | panic("shouldn't happen") | ||
218 | } | ||
219 | } | ||
220 | |||
221 | // VerifyUserIdSignatureV3 returns nil iff sig is a valid signature, made by this | ||
222 | // public key, that id is the identity of pub. | ||
223 | func (pk *PublicKeyV3) VerifyUserIdSignatureV3(id string, pub *PublicKeyV3, sig *SignatureV3) (err error) { | ||
224 | h, err := userIdSignatureV3Hash(id, pk, sig.Hash) | ||
225 | if err != nil { | ||
226 | return err | ||
227 | } | ||
228 | return pk.VerifySignatureV3(h, sig) | ||
229 | } | ||
230 | |||
231 | // VerifyKeySignatureV3 returns nil iff sig is a valid signature, made by this | ||
232 | // public key, of signed. | ||
233 | func (pk *PublicKeyV3) VerifyKeySignatureV3(signed *PublicKeyV3, sig *SignatureV3) (err error) { | ||
234 | h, err := keySignatureHash(pk, signed, sig.Hash) | ||
235 | if err != nil { | ||
236 | return err | ||
237 | } | ||
238 | return pk.VerifySignatureV3(h, sig) | ||
239 | } | ||
240 | |||
241 | // userIdSignatureV3Hash returns a Hash of the message that needs to be signed | ||
242 | // to assert that pk is a valid key for id. | ||
243 | func userIdSignatureV3Hash(id string, pk signingKey, hfn crypto.Hash) (h hash.Hash, err error) { | ||
244 | if !hfn.Available() { | ||
245 | return nil, errors.UnsupportedError("hash function") | ||
246 | } | ||
247 | h = hfn.New() | ||
248 | |||
249 | // RFC 4880, section 5.2.4 | ||
250 | pk.SerializeSignaturePrefix(h) | ||
251 | pk.serializeWithoutHeaders(h) | ||
252 | |||
253 | h.Write([]byte(id)) | ||
254 | |||
255 | return | ||
256 | } | ||
257 | |||
258 | // KeyIdString returns the public key's fingerprint in capital hex | ||
259 | // (e.g. "6C7EE1B8621CC013"). | ||
260 | func (pk *PublicKeyV3) KeyIdString() string { | ||
261 | return fmt.Sprintf("%X", pk.KeyId) | ||
262 | } | ||
263 | |||
264 | // KeyIdShortString returns the short form of public key's fingerprint | ||
265 | // in capital hex, as shown by gpg --list-keys (e.g. "621CC013"). | ||
266 | func (pk *PublicKeyV3) KeyIdShortString() string { | ||
267 | return fmt.Sprintf("%X", pk.KeyId&0xFFFFFFFF) | ||
268 | } | ||
269 | |||
270 | // BitLength returns the bit length for the given public key. | ||
271 | func (pk *PublicKeyV3) BitLength() (bitLength uint16, err error) { | ||
272 | switch pk.PubKeyAlgo { | ||
273 | case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly: | ||
274 | bitLength = pk.n.bitLength | ||
275 | default: | ||
276 | err = errors.InvalidArgumentError("bad public-key algorithm") | ||
277 | } | ||
278 | return | ||
279 | } | ||
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/reader.go b/vendor/golang.org/x/crypto/openpgp/packet/reader.go new file mode 100644 index 0000000..34bc7c6 --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/packet/reader.go | |||
@@ -0,0 +1,76 @@ | |||
1 | // Copyright 2011 The Go Authors. All rights reserved. | ||
2 | // Use of this source code is governed by a BSD-style | ||
3 | // license that can be found in the LICENSE file. | ||
4 | |||
5 | package packet | ||
6 | |||
7 | import ( | ||
8 | "golang.org/x/crypto/openpgp/errors" | ||
9 | "io" | ||
10 | ) | ||
11 | |||
12 | // Reader reads packets from an io.Reader and allows packets to be 'unread' so | ||
13 | // that they result from the next call to Next. | ||
14 | type Reader struct { | ||
15 | q []Packet | ||
16 | readers []io.Reader | ||
17 | } | ||
18 | |||
19 | // New io.Readers are pushed when a compressed or encrypted packet is processed | ||
20 | // and recursively treated as a new source of packets. However, a carefully | ||
21 | // crafted packet can trigger an infinite recursive sequence of packets. See | ||
22 | // http://mumble.net/~campbell/misc/pgp-quine | ||
23 | // https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4402 | ||
24 | // This constant limits the number of recursive packets that may be pushed. | ||
25 | const maxReaders = 32 | ||
26 | |||
27 | // Next returns the most recently unread Packet, or reads another packet from | ||
28 | // the top-most io.Reader. Unknown packet types are skipped. | ||
29 | func (r *Reader) Next() (p Packet, err error) { | ||
30 | if len(r.q) > 0 { | ||
31 | p = r.q[len(r.q)-1] | ||
32 | r.q = r.q[:len(r.q)-1] | ||
33 | return | ||
34 | } | ||
35 | |||
36 | for len(r.readers) > 0 { | ||
37 | p, err = Read(r.readers[len(r.readers)-1]) | ||
38 | if err == nil { | ||
39 | return | ||
40 | } | ||
41 | if err == io.EOF { | ||
42 | r.readers = r.readers[:len(r.readers)-1] | ||
43 | continue | ||
44 | } | ||
45 | if _, ok := err.(errors.UnknownPacketTypeError); !ok { | ||
46 | return nil, err | ||
47 | } | ||
48 | } | ||
49 | |||
50 | return nil, io.EOF | ||
51 | } | ||
52 | |||
53 | // Push causes the Reader to start reading from a new io.Reader. When an EOF | ||
54 | // error is seen from the new io.Reader, it is popped and the Reader continues | ||
55 | // to read from the next most recent io.Reader. Push returns a StructuralError | ||
56 | // if pushing the reader would exceed the maximum recursion level, otherwise it | ||
57 | // returns nil. | ||
58 | func (r *Reader) Push(reader io.Reader) (err error) { | ||
59 | if len(r.readers) >= maxReaders { | ||
60 | return errors.StructuralError("too many layers of packets") | ||
61 | } | ||
62 | r.readers = append(r.readers, reader) | ||
63 | return nil | ||
64 | } | ||
65 | |||
66 | // Unread causes the given Packet to be returned from the next call to Next. | ||
67 | func (r *Reader) Unread(p Packet) { | ||
68 | r.q = append(r.q, p) | ||
69 | } | ||
70 | |||
71 | func NewReader(r io.Reader) *Reader { | ||
72 | return &Reader{ | ||
73 | q: nil, | ||
74 | readers: []io.Reader{r}, | ||
75 | } | ||
76 | } | ||
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/signature.go b/vendor/golang.org/x/crypto/openpgp/packet/signature.go new file mode 100644 index 0000000..6ce0cbe --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/packet/signature.go | |||
@@ -0,0 +1,731 @@ | |||
1 | // Copyright 2011 The Go Authors. All rights reserved. | ||
2 | // Use of this source code is governed by a BSD-style | ||
3 | // license that can be found in the LICENSE file. | ||
4 | |||
5 | package packet | ||
6 | |||
7 | import ( | ||
8 | "bytes" | ||
9 | "crypto" | ||
10 | "crypto/dsa" | ||
11 | "crypto/ecdsa" | ||
12 | "encoding/asn1" | ||
13 | "encoding/binary" | ||
14 | "hash" | ||
15 | "io" | ||
16 | "math/big" | ||
17 | "strconv" | ||
18 | "time" | ||
19 | |||
20 | "golang.org/x/crypto/openpgp/errors" | ||
21 | "golang.org/x/crypto/openpgp/s2k" | ||
22 | ) | ||
23 | |||
24 | const ( | ||
25 | // See RFC 4880, section 5.2.3.21 for details. | ||
26 | KeyFlagCertify = 1 << iota | ||
27 | KeyFlagSign | ||
28 | KeyFlagEncryptCommunications | ||
29 | KeyFlagEncryptStorage | ||
30 | ) | ||
31 | |||
32 | // Signature represents a signature. See RFC 4880, section 5.2. | ||
33 | type Signature struct { | ||
34 | SigType SignatureType | ||
35 | PubKeyAlgo PublicKeyAlgorithm | ||
36 | Hash crypto.Hash | ||
37 | |||
38 | // HashSuffix is extra data that is hashed in after the signed data. | ||
39 | HashSuffix []byte | ||
40 | // HashTag contains the first two bytes of the hash for fast rejection | ||
41 | // of bad signed data. | ||
42 | HashTag [2]byte | ||
43 | CreationTime time.Time | ||
44 | |||
45 | RSASignature parsedMPI | ||
46 | DSASigR, DSASigS parsedMPI | ||
47 | ECDSASigR, ECDSASigS parsedMPI | ||
48 | |||
49 | // rawSubpackets contains the unparsed subpackets, in order. | ||
50 | rawSubpackets []outputSubpacket | ||
51 | |||
52 | // The following are optional so are nil when not included in the | ||
53 | // signature. | ||
54 | |||
55 | SigLifetimeSecs, KeyLifetimeSecs *uint32 | ||
56 | PreferredSymmetric, PreferredHash, PreferredCompression []uint8 | ||
57 | IssuerKeyId *uint64 | ||
58 | IsPrimaryId *bool | ||
59 | |||
60 | // FlagsValid is set if any flags were given. See RFC 4880, section | ||
61 | // 5.2.3.21 for details. | ||
62 | FlagsValid bool | ||
63 | FlagCertify, FlagSign, FlagEncryptCommunications, FlagEncryptStorage bool | ||
64 | |||
65 | // RevocationReason is set if this signature has been revoked. | ||
66 | // See RFC 4880, section 5.2.3.23 for details. | ||
67 | RevocationReason *uint8 | ||
68 | RevocationReasonText string | ||
69 | |||
70 | // MDC is set if this signature has a feature packet that indicates | ||
71 | // support for MDC subpackets. | ||
72 | MDC bool | ||
73 | |||
74 | // EmbeddedSignature, if non-nil, is a signature of the parent key, by | ||
75 | // this key. This prevents an attacker from claiming another's signing | ||
76 | // subkey as their own. | ||
77 | EmbeddedSignature *Signature | ||
78 | |||
79 | outSubpackets []outputSubpacket | ||
80 | } | ||
81 | |||
82 | func (sig *Signature) parse(r io.Reader) (err error) { | ||
83 | // RFC 4880, section 5.2.3 | ||
84 | var buf [5]byte | ||
85 | _, err = readFull(r, buf[:1]) | ||
86 | if err != nil { | ||
87 | return | ||
88 | } | ||
89 | if buf[0] != 4 { | ||
90 | err = errors.UnsupportedError("signature packet version " + strconv.Itoa(int(buf[0]))) | ||
91 | return | ||
92 | } | ||
93 | |||
94 | _, err = readFull(r, buf[:5]) | ||
95 | if err != nil { | ||
96 | return | ||
97 | } | ||
98 | sig.SigType = SignatureType(buf[0]) | ||
99 | sig.PubKeyAlgo = PublicKeyAlgorithm(buf[1]) | ||
100 | switch sig.PubKeyAlgo { | ||
101 | case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly, PubKeyAlgoDSA, PubKeyAlgoECDSA: | ||
102 | default: | ||
103 | err = errors.UnsupportedError("public key algorithm " + strconv.Itoa(int(sig.PubKeyAlgo))) | ||
104 | return | ||
105 | } | ||
106 | |||
107 | var ok bool | ||
108 | sig.Hash, ok = s2k.HashIdToHash(buf[2]) | ||
109 | if !ok { | ||
110 | return errors.UnsupportedError("hash function " + strconv.Itoa(int(buf[2]))) | ||
111 | } | ||
112 | |||
113 | hashedSubpacketsLength := int(buf[3])<<8 | int(buf[4]) | ||
114 | l := 6 + hashedSubpacketsLength | ||
115 | sig.HashSuffix = make([]byte, l+6) | ||
116 | sig.HashSuffix[0] = 4 | ||
117 | copy(sig.HashSuffix[1:], buf[:5]) | ||
118 | hashedSubpackets := sig.HashSuffix[6:l] | ||
119 | _, err = readFull(r, hashedSubpackets) | ||
120 | if err != nil { | ||
121 | return | ||
122 | } | ||
123 | // See RFC 4880, section 5.2.4 | ||
124 | trailer := sig.HashSuffix[l:] | ||
125 | trailer[0] = 4 | ||
126 | trailer[1] = 0xff | ||
127 | trailer[2] = uint8(l >> 24) | ||
128 | trailer[3] = uint8(l >> 16) | ||
129 | trailer[4] = uint8(l >> 8) | ||
130 | trailer[5] = uint8(l) | ||
131 | |||
132 | err = parseSignatureSubpackets(sig, hashedSubpackets, true) | ||
133 | if err != nil { | ||
134 | return | ||
135 | } | ||
136 | |||
137 | _, err = readFull(r, buf[:2]) | ||
138 | if err != nil { | ||
139 | return | ||
140 | } | ||
141 | unhashedSubpacketsLength := int(buf[0])<<8 | int(buf[1]) | ||
142 | unhashedSubpackets := make([]byte, unhashedSubpacketsLength) | ||
143 | _, err = readFull(r, unhashedSubpackets) | ||
144 | if err != nil { | ||
145 | return | ||
146 | } | ||
147 | err = parseSignatureSubpackets(sig, unhashedSubpackets, false) | ||
148 | if err != nil { | ||
149 | return | ||
150 | } | ||
151 | |||
152 | _, err = readFull(r, sig.HashTag[:2]) | ||
153 | if err != nil { | ||
154 | return | ||
155 | } | ||
156 | |||
157 | switch sig.PubKeyAlgo { | ||
158 | case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly: | ||
159 | sig.RSASignature.bytes, sig.RSASignature.bitLength, err = readMPI(r) | ||
160 | case PubKeyAlgoDSA: | ||
161 | sig.DSASigR.bytes, sig.DSASigR.bitLength, err = readMPI(r) | ||
162 | if err == nil { | ||
163 | sig.DSASigS.bytes, sig.DSASigS.bitLength, err = readMPI(r) | ||
164 | } | ||
165 | case PubKeyAlgoECDSA: | ||
166 | sig.ECDSASigR.bytes, sig.ECDSASigR.bitLength, err = readMPI(r) | ||
167 | if err == nil { | ||
168 | sig.ECDSASigS.bytes, sig.ECDSASigS.bitLength, err = readMPI(r) | ||
169 | } | ||
170 | default: | ||
171 | panic("unreachable") | ||
172 | } | ||
173 | return | ||
174 | } | ||
175 | |||
176 | // parseSignatureSubpackets parses subpackets of the main signature packet. See | ||
177 | // RFC 4880, section 5.2.3.1. | ||
178 | func parseSignatureSubpackets(sig *Signature, subpackets []byte, isHashed bool) (err error) { | ||
179 | for len(subpackets) > 0 { | ||
180 | subpackets, err = parseSignatureSubpacket(sig, subpackets, isHashed) | ||
181 | if err != nil { | ||
182 | return | ||
183 | } | ||
184 | } | ||
185 | |||
186 | if sig.CreationTime.IsZero() { | ||
187 | err = errors.StructuralError("no creation time in signature") | ||
188 | } | ||
189 | |||
190 | return | ||
191 | } | ||
192 | |||
193 | type signatureSubpacketType uint8 | ||
194 | |||
195 | const ( | ||
196 | creationTimeSubpacket signatureSubpacketType = 2 | ||
197 | signatureExpirationSubpacket signatureSubpacketType = 3 | ||
198 | keyExpirationSubpacket signatureSubpacketType = 9 | ||
199 | prefSymmetricAlgosSubpacket signatureSubpacketType = 11 | ||
200 | issuerSubpacket signatureSubpacketType = 16 | ||
201 | prefHashAlgosSubpacket signatureSubpacketType = 21 | ||
202 | prefCompressionSubpacket signatureSubpacketType = 22 | ||
203 | primaryUserIdSubpacket signatureSubpacketType = 25 | ||
204 | keyFlagsSubpacket signatureSubpacketType = 27 | ||
205 | reasonForRevocationSubpacket signatureSubpacketType = 29 | ||
206 | featuresSubpacket signatureSubpacketType = 30 | ||
207 | embeddedSignatureSubpacket signatureSubpacketType = 32 | ||
208 | ) | ||
209 | |||
210 | // parseSignatureSubpacket parses a single subpacket. len(subpacket) is >= 1. | ||
211 | func parseSignatureSubpacket(sig *Signature, subpacket []byte, isHashed bool) (rest []byte, err error) { | ||
212 | // RFC 4880, section 5.2.3.1 | ||
213 | var ( | ||
214 | length uint32 | ||
215 | packetType signatureSubpacketType | ||
216 | isCritical bool | ||
217 | ) | ||
218 | switch { | ||
219 | case subpacket[0] < 192: | ||
220 | length = uint32(subpacket[0]) | ||
221 | subpacket = subpacket[1:] | ||
222 | case subpacket[0] < 255: | ||
223 | if len(subpacket) < 2 { | ||
224 | goto Truncated | ||
225 | } | ||
226 | length = uint32(subpacket[0]-192)<<8 + uint32(subpacket[1]) + 192 | ||
227 | subpacket = subpacket[2:] | ||
228 | default: | ||
229 | if len(subpacket) < 5 { | ||
230 | goto Truncated | ||
231 | } | ||
232 | length = uint32(subpacket[1])<<24 | | ||
233 | uint32(subpacket[2])<<16 | | ||
234 | uint32(subpacket[3])<<8 | | ||
235 | uint32(subpacket[4]) | ||
236 | subpacket = subpacket[5:] | ||
237 | } | ||
238 | if length > uint32(len(subpacket)) { | ||
239 | goto Truncated | ||
240 | } | ||
241 | rest = subpacket[length:] | ||
242 | subpacket = subpacket[:length] | ||
243 | if len(subpacket) == 0 { | ||
244 | err = errors.StructuralError("zero length signature subpacket") | ||
245 | return | ||
246 | } | ||
247 | packetType = signatureSubpacketType(subpacket[0] & 0x7f) | ||
248 | isCritical = subpacket[0]&0x80 == 0x80 | ||
249 | subpacket = subpacket[1:] | ||
250 | sig.rawSubpackets = append(sig.rawSubpackets, outputSubpacket{isHashed, packetType, isCritical, subpacket}) | ||
251 | switch packetType { | ||
252 | case creationTimeSubpacket: | ||
253 | if !isHashed { | ||
254 | err = errors.StructuralError("signature creation time in non-hashed area") | ||
255 | return | ||
256 | } | ||
257 | if len(subpacket) != 4 { | ||
258 | err = errors.StructuralError("signature creation time not four bytes") | ||
259 | return | ||
260 | } | ||
261 | t := binary.BigEndian.Uint32(subpacket) | ||
262 | sig.CreationTime = time.Unix(int64(t), 0) | ||
263 | case signatureExpirationSubpacket: | ||
264 | // Signature expiration time, section 5.2.3.10 | ||
265 | if !isHashed { | ||
266 | return | ||
267 | } | ||
268 | if len(subpacket) != 4 { | ||
269 | err = errors.StructuralError("expiration subpacket with bad length") | ||
270 | return | ||
271 | } | ||
272 | sig.SigLifetimeSecs = new(uint32) | ||
273 | *sig.SigLifetimeSecs = binary.BigEndian.Uint32(subpacket) | ||
274 | case keyExpirationSubpacket: | ||
275 | // Key expiration time, section 5.2.3.6 | ||
276 | if !isHashed { | ||
277 | return | ||
278 | } | ||
279 | if len(subpacket) != 4 { | ||
280 | err = errors.StructuralError("key expiration subpacket with bad length") | ||
281 | return | ||
282 | } | ||
283 | sig.KeyLifetimeSecs = new(uint32) | ||
284 | *sig.KeyLifetimeSecs = binary.BigEndian.Uint32(subpacket) | ||
285 | case prefSymmetricAlgosSubpacket: | ||
286 | // Preferred symmetric algorithms, section 5.2.3.7 | ||
287 | if !isHashed { | ||
288 | return | ||
289 | } | ||
290 | sig.PreferredSymmetric = make([]byte, len(subpacket)) | ||
291 | copy(sig.PreferredSymmetric, subpacket) | ||
292 | case issuerSubpacket: | ||
293 | // Issuer, section 5.2.3.5 | ||
294 | if len(subpacket) != 8 { | ||
295 | err = errors.StructuralError("issuer subpacket with bad length") | ||
296 | return | ||
297 | } | ||
298 | sig.IssuerKeyId = new(uint64) | ||
299 | *sig.IssuerKeyId = binary.BigEndian.Uint64(subpacket) | ||
300 | case prefHashAlgosSubpacket: | ||
301 | // Preferred hash algorithms, section 5.2.3.8 | ||
302 | if !isHashed { | ||
303 | return | ||
304 | } | ||
305 | sig.PreferredHash = make([]byte, len(subpacket)) | ||
306 | copy(sig.PreferredHash, subpacket) | ||
307 | case prefCompressionSubpacket: | ||
308 | // Preferred compression algorithms, section 5.2.3.9 | ||
309 | if !isHashed { | ||
310 | return | ||
311 | } | ||
312 | sig.PreferredCompression = make([]byte, len(subpacket)) | ||
313 | copy(sig.PreferredCompression, subpacket) | ||
314 | case primaryUserIdSubpacket: | ||
315 | // Primary User ID, section 5.2.3.19 | ||
316 | if !isHashed { | ||
317 | return | ||
318 | } | ||
319 | if len(subpacket) != 1 { | ||
320 | err = errors.StructuralError("primary user id subpacket with bad length") | ||
321 | return | ||
322 | } | ||
323 | sig.IsPrimaryId = new(bool) | ||
324 | if subpacket[0] > 0 { | ||
325 | *sig.IsPrimaryId = true | ||
326 | } | ||
327 | case keyFlagsSubpacket: | ||
328 | // Key flags, section 5.2.3.21 | ||
329 | if !isHashed { | ||
330 | return | ||
331 | } | ||
332 | if len(subpacket) == 0 { | ||
333 | err = errors.StructuralError("empty key flags subpacket") | ||
334 | return | ||
335 | } | ||
336 | sig.FlagsValid = true | ||
337 | if subpacket[0]&KeyFlagCertify != 0 { | ||
338 | sig.FlagCertify = true | ||
339 | } | ||
340 | if subpacket[0]&KeyFlagSign != 0 { | ||
341 | sig.FlagSign = true | ||
342 | } | ||
343 | if subpacket[0]&KeyFlagEncryptCommunications != 0 { | ||
344 | sig.FlagEncryptCommunications = true | ||
345 | } | ||
346 | if subpacket[0]&KeyFlagEncryptStorage != 0 { | ||
347 | sig.FlagEncryptStorage = true | ||
348 | } | ||
349 | case reasonForRevocationSubpacket: | ||
350 | // Reason For Revocation, section 5.2.3.23 | ||
351 | if !isHashed { | ||
352 | return | ||
353 | } | ||
354 | if len(subpacket) == 0 { | ||
355 | err = errors.StructuralError("empty revocation reason subpacket") | ||
356 | return | ||
357 | } | ||
358 | sig.RevocationReason = new(uint8) | ||
359 | *sig.RevocationReason = subpacket[0] | ||
360 | sig.RevocationReasonText = string(subpacket[1:]) | ||
361 | case featuresSubpacket: | ||
362 | // Features subpacket, section 5.2.3.24 specifies a very general | ||
363 | // mechanism for OpenPGP implementations to signal support for new | ||
364 | // features. In practice, the subpacket is used exclusively to | ||
365 | // indicate support for MDC-protected encryption. | ||
366 | sig.MDC = len(subpacket) >= 1 && subpacket[0]&1 == 1 | ||
367 | case embeddedSignatureSubpacket: | ||
368 | // Only usage is in signatures that cross-certify | ||
369 | // signing subkeys. section 5.2.3.26 describes the | ||
370 | // format, with its usage described in section 11.1 | ||
371 | if sig.EmbeddedSignature != nil { | ||
372 | err = errors.StructuralError("Cannot have multiple embedded signatures") | ||
373 | return | ||
374 | } | ||
375 | sig.EmbeddedSignature = new(Signature) | ||
376 | // Embedded signatures are required to be v4 signatures see | ||
377 | // section 12.1. However, we only parse v4 signatures in this | ||
378 | // file anyway. | ||
379 | if err := sig.EmbeddedSignature.parse(bytes.NewBuffer(subpacket)); err != nil { | ||
380 | return nil, err | ||
381 | } | ||
382 | if sigType := sig.EmbeddedSignature.SigType; sigType != SigTypePrimaryKeyBinding { | ||
383 | return nil, errors.StructuralError("cross-signature has unexpected type " + strconv.Itoa(int(sigType))) | ||
384 | } | ||
385 | default: | ||
386 | if isCritical { | ||
387 | err = errors.UnsupportedError("unknown critical signature subpacket type " + strconv.Itoa(int(packetType))) | ||
388 | return | ||
389 | } | ||
390 | } | ||
391 | return | ||
392 | |||
393 | Truncated: | ||
394 | err = errors.StructuralError("signature subpacket truncated") | ||
395 | return | ||
396 | } | ||
397 | |||
398 | // subpacketLengthLength returns the length, in bytes, of an encoded length value. | ||
399 | func subpacketLengthLength(length int) int { | ||
400 | if length < 192 { | ||
401 | return 1 | ||
402 | } | ||
403 | if length < 16320 { | ||
404 | return 2 | ||
405 | } | ||
406 | return 5 | ||
407 | } | ||
408 | |||
409 | // serializeSubpacketLength marshals the given length into to. | ||
410 | func serializeSubpacketLength(to []byte, length int) int { | ||
411 | // RFC 4880, Section 4.2.2. | ||
412 | if length < 192 { | ||
413 | to[0] = byte(length) | ||
414 | return 1 | ||
415 | } | ||
416 | if length < 16320 { | ||
417 | length -= 192 | ||
418 | to[0] = byte((length >> 8) + 192) | ||
419 | to[1] = byte(length) | ||
420 | return 2 | ||
421 | } | ||
422 | to[0] = 255 | ||
423 | to[1] = byte(length >> 24) | ||
424 | to[2] = byte(length >> 16) | ||
425 | to[3] = byte(length >> 8) | ||
426 | to[4] = byte(length) | ||
427 | return 5 | ||
428 | } | ||
429 | |||
430 | // subpacketsLength returns the serialized length, in bytes, of the given | ||
431 | // subpackets. | ||
432 | func subpacketsLength(subpackets []outputSubpacket, hashed bool) (length int) { | ||
433 | for _, subpacket := range subpackets { | ||
434 | if subpacket.hashed == hashed { | ||
435 | length += subpacketLengthLength(len(subpacket.contents) + 1) | ||
436 | length += 1 // type byte | ||
437 | length += len(subpacket.contents) | ||
438 | } | ||
439 | } | ||
440 | return | ||
441 | } | ||
442 | |||
443 | // serializeSubpackets marshals the given subpackets into to. | ||
444 | func serializeSubpackets(to []byte, subpackets []outputSubpacket, hashed bool) { | ||
445 | for _, subpacket := range subpackets { | ||
446 | if subpacket.hashed == hashed { | ||
447 | n := serializeSubpacketLength(to, len(subpacket.contents)+1) | ||
448 | to[n] = byte(subpacket.subpacketType) | ||
449 | to = to[1+n:] | ||
450 | n = copy(to, subpacket.contents) | ||
451 | to = to[n:] | ||
452 | } | ||
453 | } | ||
454 | return | ||
455 | } | ||
456 | |||
457 | // KeyExpired returns whether sig is a self-signature of a key that has | ||
458 | // expired. | ||
459 | func (sig *Signature) KeyExpired(currentTime time.Time) bool { | ||
460 | if sig.KeyLifetimeSecs == nil { | ||
461 | return false | ||
462 | } | ||
463 | expiry := sig.CreationTime.Add(time.Duration(*sig.KeyLifetimeSecs) * time.Second) | ||
464 | return currentTime.After(expiry) | ||
465 | } | ||
466 | |||
467 | // buildHashSuffix constructs the HashSuffix member of sig in preparation for signing. | ||
468 | func (sig *Signature) buildHashSuffix() (err error) { | ||
469 | hashedSubpacketsLen := subpacketsLength(sig.outSubpackets, true) | ||
470 | |||
471 | var ok bool | ||
472 | l := 6 + hashedSubpacketsLen | ||
473 | sig.HashSuffix = make([]byte, l+6) | ||
474 | sig.HashSuffix[0] = 4 | ||
475 | sig.HashSuffix[1] = uint8(sig.SigType) | ||
476 | sig.HashSuffix[2] = uint8(sig.PubKeyAlgo) | ||
477 | sig.HashSuffix[3], ok = s2k.HashToHashId(sig.Hash) | ||
478 | if !ok { | ||
479 | sig.HashSuffix = nil | ||
480 | return errors.InvalidArgumentError("hash cannot be represented in OpenPGP: " + strconv.Itoa(int(sig.Hash))) | ||
481 | } | ||
482 | sig.HashSuffix[4] = byte(hashedSubpacketsLen >> 8) | ||
483 | sig.HashSuffix[5] = byte(hashedSubpacketsLen) | ||
484 | serializeSubpackets(sig.HashSuffix[6:l], sig.outSubpackets, true) | ||
485 | trailer := sig.HashSuffix[l:] | ||
486 | trailer[0] = 4 | ||
487 | trailer[1] = 0xff | ||
488 | trailer[2] = byte(l >> 24) | ||
489 | trailer[3] = byte(l >> 16) | ||
490 | trailer[4] = byte(l >> 8) | ||
491 | trailer[5] = byte(l) | ||
492 | return | ||
493 | } | ||
494 | |||
495 | func (sig *Signature) signPrepareHash(h hash.Hash) (digest []byte, err error) { | ||
496 | err = sig.buildHashSuffix() | ||
497 | if err != nil { | ||
498 | return | ||
499 | } | ||
500 | |||
501 | h.Write(sig.HashSuffix) | ||
502 | digest = h.Sum(nil) | ||
503 | copy(sig.HashTag[:], digest) | ||
504 | return | ||
505 | } | ||
506 | |||
507 | // Sign signs a message with a private key. The hash, h, must contain | ||
508 | // the hash of the message to be signed and will be mutated by this function. | ||
509 | // On success, the signature is stored in sig. Call Serialize to write it out. | ||
510 | // If config is nil, sensible defaults will be used. | ||
511 | func (sig *Signature) Sign(h hash.Hash, priv *PrivateKey, config *Config) (err error) { | ||
512 | sig.outSubpackets = sig.buildSubpackets() | ||
513 | digest, err := sig.signPrepareHash(h) | ||
514 | if err != nil { | ||
515 | return | ||
516 | } | ||
517 | |||
518 | switch priv.PubKeyAlgo { | ||
519 | case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly: | ||
520 | // supports both *rsa.PrivateKey and crypto.Signer | ||
521 | sig.RSASignature.bytes, err = priv.PrivateKey.(crypto.Signer).Sign(config.Random(), digest, sig.Hash) | ||
522 | sig.RSASignature.bitLength = uint16(8 * len(sig.RSASignature.bytes)) | ||
523 | case PubKeyAlgoDSA: | ||
524 | dsaPriv := priv.PrivateKey.(*dsa.PrivateKey) | ||
525 | |||
526 | // Need to truncate hashBytes to match FIPS 186-3 section 4.6. | ||
527 | subgroupSize := (dsaPriv.Q.BitLen() + 7) / 8 | ||
528 | if len(digest) > subgroupSize { | ||
529 | digest = digest[:subgroupSize] | ||
530 | } | ||
531 | r, s, err := dsa.Sign(config.Random(), dsaPriv, digest) | ||
532 | if err == nil { | ||
533 | sig.DSASigR.bytes = r.Bytes() | ||
534 | sig.DSASigR.bitLength = uint16(8 * len(sig.DSASigR.bytes)) | ||
535 | sig.DSASigS.bytes = s.Bytes() | ||
536 | sig.DSASigS.bitLength = uint16(8 * len(sig.DSASigS.bytes)) | ||
537 | } | ||
538 | case PubKeyAlgoECDSA: | ||
539 | var r, s *big.Int | ||
540 | if pk, ok := priv.PrivateKey.(*ecdsa.PrivateKey); ok { | ||
541 | // direct support, avoid asn1 wrapping/unwrapping | ||
542 | r, s, err = ecdsa.Sign(config.Random(), pk, digest) | ||
543 | } else { | ||
544 | var b []byte | ||
545 | b, err = priv.PrivateKey.(crypto.Signer).Sign(config.Random(), digest, nil) | ||
546 | if err == nil { | ||
547 | r, s, err = unwrapECDSASig(b) | ||
548 | } | ||
549 | } | ||
550 | if err == nil { | ||
551 | sig.ECDSASigR = fromBig(r) | ||
552 | sig.ECDSASigS = fromBig(s) | ||
553 | } | ||
554 | default: | ||
555 | err = errors.UnsupportedError("public key algorithm: " + strconv.Itoa(int(sig.PubKeyAlgo))) | ||
556 | } | ||
557 | |||
558 | return | ||
559 | } | ||
560 | |||
561 | // unwrapECDSASig parses the two integer components of an ASN.1-encoded ECDSA | ||
562 | // signature. | ||
563 | func unwrapECDSASig(b []byte) (r, s *big.Int, err error) { | ||
564 | var ecsdaSig struct { | ||
565 | R, S *big.Int | ||
566 | } | ||
567 | _, err = asn1.Unmarshal(b, &ecsdaSig) | ||
568 | if err != nil { | ||
569 | return | ||
570 | } | ||
571 | return ecsdaSig.R, ecsdaSig.S, nil | ||
572 | } | ||
573 | |||
574 | // SignUserId computes a signature from priv, asserting that pub is a valid | ||
575 | // key for the identity id. On success, the signature is stored in sig. Call | ||
576 | // Serialize to write it out. | ||
577 | // If config is nil, sensible defaults will be used. | ||
578 | func (sig *Signature) SignUserId(id string, pub *PublicKey, priv *PrivateKey, config *Config) error { | ||
579 | h, err := userIdSignatureHash(id, pub, sig.Hash) | ||
580 | if err != nil { | ||
581 | return err | ||
582 | } | ||
583 | return sig.Sign(h, priv, config) | ||
584 | } | ||
585 | |||
586 | // SignKey computes a signature from priv, asserting that pub is a subkey. On | ||
587 | // success, the signature is stored in sig. Call Serialize to write it out. | ||
588 | // If config is nil, sensible defaults will be used. | ||
589 | func (sig *Signature) SignKey(pub *PublicKey, priv *PrivateKey, config *Config) error { | ||
590 | h, err := keySignatureHash(&priv.PublicKey, pub, sig.Hash) | ||
591 | if err != nil { | ||
592 | return err | ||
593 | } | ||
594 | return sig.Sign(h, priv, config) | ||
595 | } | ||
596 | |||
597 | // Serialize marshals sig to w. Sign, SignUserId or SignKey must have been | ||
598 | // called first. | ||
599 | func (sig *Signature) Serialize(w io.Writer) (err error) { | ||
600 | if len(sig.outSubpackets) == 0 { | ||
601 | sig.outSubpackets = sig.rawSubpackets | ||
602 | } | ||
603 | if sig.RSASignature.bytes == nil && sig.DSASigR.bytes == nil && sig.ECDSASigR.bytes == nil { | ||
604 | return errors.InvalidArgumentError("Signature: need to call Sign, SignUserId or SignKey before Serialize") | ||
605 | } | ||
606 | |||
607 | sigLength := 0 | ||
608 | switch sig.PubKeyAlgo { | ||
609 | case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly: | ||
610 | sigLength = 2 + len(sig.RSASignature.bytes) | ||
611 | case PubKeyAlgoDSA: | ||
612 | sigLength = 2 + len(sig.DSASigR.bytes) | ||
613 | sigLength += 2 + len(sig.DSASigS.bytes) | ||
614 | case PubKeyAlgoECDSA: | ||
615 | sigLength = 2 + len(sig.ECDSASigR.bytes) | ||
616 | sigLength += 2 + len(sig.ECDSASigS.bytes) | ||
617 | default: | ||
618 | panic("impossible") | ||
619 | } | ||
620 | |||
621 | unhashedSubpacketsLen := subpacketsLength(sig.outSubpackets, false) | ||
622 | length := len(sig.HashSuffix) - 6 /* trailer not included */ + | ||
623 | 2 /* length of unhashed subpackets */ + unhashedSubpacketsLen + | ||
624 | 2 /* hash tag */ + sigLength | ||
625 | err = serializeHeader(w, packetTypeSignature, length) | ||
626 | if err != nil { | ||
627 | return | ||
628 | } | ||
629 | |||
630 | _, err = w.Write(sig.HashSuffix[:len(sig.HashSuffix)-6]) | ||
631 | if err != nil { | ||
632 | return | ||
633 | } | ||
634 | |||
635 | unhashedSubpackets := make([]byte, 2+unhashedSubpacketsLen) | ||
636 | unhashedSubpackets[0] = byte(unhashedSubpacketsLen >> 8) | ||
637 | unhashedSubpackets[1] = byte(unhashedSubpacketsLen) | ||
638 | serializeSubpackets(unhashedSubpackets[2:], sig.outSubpackets, false) | ||
639 | |||
640 | _, err = w.Write(unhashedSubpackets) | ||
641 | if err != nil { | ||
642 | return | ||
643 | } | ||
644 | _, err = w.Write(sig.HashTag[:]) | ||
645 | if err != nil { | ||
646 | return | ||
647 | } | ||
648 | |||
649 | switch sig.PubKeyAlgo { | ||
650 | case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly: | ||
651 | err = writeMPIs(w, sig.RSASignature) | ||
652 | case PubKeyAlgoDSA: | ||
653 | err = writeMPIs(w, sig.DSASigR, sig.DSASigS) | ||
654 | case PubKeyAlgoECDSA: | ||
655 | err = writeMPIs(w, sig.ECDSASigR, sig.ECDSASigS) | ||
656 | default: | ||
657 | panic("impossible") | ||
658 | } | ||
659 | return | ||
660 | } | ||
661 | |||
662 | // outputSubpacket represents a subpacket to be marshaled. | ||
663 | type outputSubpacket struct { | ||
664 | hashed bool // true if this subpacket is in the hashed area. | ||
665 | subpacketType signatureSubpacketType | ||
666 | isCritical bool | ||
667 | contents []byte | ||
668 | } | ||
669 | |||
670 | func (sig *Signature) buildSubpackets() (subpackets []outputSubpacket) { | ||
671 | creationTime := make([]byte, 4) | ||
672 | binary.BigEndian.PutUint32(creationTime, uint32(sig.CreationTime.Unix())) | ||
673 | subpackets = append(subpackets, outputSubpacket{true, creationTimeSubpacket, false, creationTime}) | ||
674 | |||
675 | if sig.IssuerKeyId != nil { | ||
676 | keyId := make([]byte, 8) | ||
677 | binary.BigEndian.PutUint64(keyId, *sig.IssuerKeyId) | ||
678 | subpackets = append(subpackets, outputSubpacket{true, issuerSubpacket, false, keyId}) | ||
679 | } | ||
680 | |||
681 | if sig.SigLifetimeSecs != nil && *sig.SigLifetimeSecs != 0 { | ||
682 | sigLifetime := make([]byte, 4) | ||
683 | binary.BigEndian.PutUint32(sigLifetime, *sig.SigLifetimeSecs) | ||
684 | subpackets = append(subpackets, outputSubpacket{true, signatureExpirationSubpacket, true, sigLifetime}) | ||
685 | } | ||
686 | |||
687 | // Key flags may only appear in self-signatures or certification signatures. | ||
688 | |||
689 | if sig.FlagsValid { | ||
690 | var flags byte | ||
691 | if sig.FlagCertify { | ||
692 | flags |= KeyFlagCertify | ||
693 | } | ||
694 | if sig.FlagSign { | ||
695 | flags |= KeyFlagSign | ||
696 | } | ||
697 | if sig.FlagEncryptCommunications { | ||
698 | flags |= KeyFlagEncryptCommunications | ||
699 | } | ||
700 | if sig.FlagEncryptStorage { | ||
701 | flags |= KeyFlagEncryptStorage | ||
702 | } | ||
703 | subpackets = append(subpackets, outputSubpacket{true, keyFlagsSubpacket, false, []byte{flags}}) | ||
704 | } | ||
705 | |||
706 | // The following subpackets may only appear in self-signatures | ||
707 | |||
708 | if sig.KeyLifetimeSecs != nil && *sig.KeyLifetimeSecs != 0 { | ||
709 | keyLifetime := make([]byte, 4) | ||
710 | binary.BigEndian.PutUint32(keyLifetime, *sig.KeyLifetimeSecs) | ||
711 | subpackets = append(subpackets, outputSubpacket{true, keyExpirationSubpacket, true, keyLifetime}) | ||
712 | } | ||
713 | |||
714 | if sig.IsPrimaryId != nil && *sig.IsPrimaryId { | ||
715 | subpackets = append(subpackets, outputSubpacket{true, primaryUserIdSubpacket, false, []byte{1}}) | ||
716 | } | ||
717 | |||
718 | if len(sig.PreferredSymmetric) > 0 { | ||
719 | subpackets = append(subpackets, outputSubpacket{true, prefSymmetricAlgosSubpacket, false, sig.PreferredSymmetric}) | ||
720 | } | ||
721 | |||
722 | if len(sig.PreferredHash) > 0 { | ||
723 | subpackets = append(subpackets, outputSubpacket{true, prefHashAlgosSubpacket, false, sig.PreferredHash}) | ||
724 | } | ||
725 | |||
726 | if len(sig.PreferredCompression) > 0 { | ||
727 | subpackets = append(subpackets, outputSubpacket{true, prefCompressionSubpacket, false, sig.PreferredCompression}) | ||
728 | } | ||
729 | |||
730 | return | ||
731 | } | ||
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/signature_v3.go b/vendor/golang.org/x/crypto/openpgp/packet/signature_v3.go new file mode 100644 index 0000000..6edff88 --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/packet/signature_v3.go | |||
@@ -0,0 +1,146 @@ | |||
1 | // Copyright 2013 The Go Authors. All rights reserved. | ||
2 | // Use of this source code is governed by a BSD-style | ||
3 | // license that can be found in the LICENSE file. | ||
4 | |||
5 | package packet | ||
6 | |||
7 | import ( | ||
8 | "crypto" | ||
9 | "encoding/binary" | ||
10 | "fmt" | ||
11 | "io" | ||
12 | "strconv" | ||
13 | "time" | ||
14 | |||
15 | "golang.org/x/crypto/openpgp/errors" | ||
16 | "golang.org/x/crypto/openpgp/s2k" | ||
17 | ) | ||
18 | |||
19 | // SignatureV3 represents older version 3 signatures. These signatures are less secure | ||
20 | // than version 4 and should not be used to create new signatures. They are included | ||
21 | // here for backwards compatibility to read and validate with older key material. | ||
22 | // See RFC 4880, section 5.2.2. | ||
23 | type SignatureV3 struct { | ||
24 | SigType SignatureType | ||
25 | CreationTime time.Time | ||
26 | IssuerKeyId uint64 | ||
27 | PubKeyAlgo PublicKeyAlgorithm | ||
28 | Hash crypto.Hash | ||
29 | HashTag [2]byte | ||
30 | |||
31 | RSASignature parsedMPI | ||
32 | DSASigR, DSASigS parsedMPI | ||
33 | } | ||
34 | |||
35 | func (sig *SignatureV3) parse(r io.Reader) (err error) { | ||
36 | // RFC 4880, section 5.2.2 | ||
37 | var buf [8]byte | ||
38 | if _, err = readFull(r, buf[:1]); err != nil { | ||
39 | return | ||
40 | } | ||
41 | if buf[0] < 2 || buf[0] > 3 { | ||
42 | err = errors.UnsupportedError("signature packet version " + strconv.Itoa(int(buf[0]))) | ||
43 | return | ||
44 | } | ||
45 | if _, err = readFull(r, buf[:1]); err != nil { | ||
46 | return | ||
47 | } | ||
48 | if buf[0] != 5 { | ||
49 | err = errors.UnsupportedError( | ||
50 | "invalid hashed material length " + strconv.Itoa(int(buf[0]))) | ||
51 | return | ||
52 | } | ||
53 | |||
54 | // Read hashed material: signature type + creation time | ||
55 | if _, err = readFull(r, buf[:5]); err != nil { | ||
56 | return | ||
57 | } | ||
58 | sig.SigType = SignatureType(buf[0]) | ||
59 | t := binary.BigEndian.Uint32(buf[1:5]) | ||
60 | sig.CreationTime = time.Unix(int64(t), 0) | ||
61 | |||
62 | // Eight-octet Key ID of signer. | ||
63 | if _, err = readFull(r, buf[:8]); err != nil { | ||
64 | return | ||
65 | } | ||
66 | sig.IssuerKeyId = binary.BigEndian.Uint64(buf[:]) | ||
67 | |||
68 | // Public-key and hash algorithm | ||
69 | if _, err = readFull(r, buf[:2]); err != nil { | ||
70 | return | ||
71 | } | ||
72 | sig.PubKeyAlgo = PublicKeyAlgorithm(buf[0]) | ||
73 | switch sig.PubKeyAlgo { | ||
74 | case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly, PubKeyAlgoDSA: | ||
75 | default: | ||
76 | err = errors.UnsupportedError("public key algorithm " + strconv.Itoa(int(sig.PubKeyAlgo))) | ||
77 | return | ||
78 | } | ||
79 | var ok bool | ||
80 | if sig.Hash, ok = s2k.HashIdToHash(buf[1]); !ok { | ||
81 | return errors.UnsupportedError("hash function " + strconv.Itoa(int(buf[2]))) | ||
82 | } | ||
83 | |||
84 | // Two-octet field holding left 16 bits of signed hash value. | ||
85 | if _, err = readFull(r, sig.HashTag[:2]); err != nil { | ||
86 | return | ||
87 | } | ||
88 | |||
89 | switch sig.PubKeyAlgo { | ||
90 | case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly: | ||
91 | sig.RSASignature.bytes, sig.RSASignature.bitLength, err = readMPI(r) | ||
92 | case PubKeyAlgoDSA: | ||
93 | if sig.DSASigR.bytes, sig.DSASigR.bitLength, err = readMPI(r); err != nil { | ||
94 | return | ||
95 | } | ||
96 | sig.DSASigS.bytes, sig.DSASigS.bitLength, err = readMPI(r) | ||
97 | default: | ||
98 | panic("unreachable") | ||
99 | } | ||
100 | return | ||
101 | } | ||
102 | |||
103 | // Serialize marshals sig to w. Sign, SignUserId or SignKey must have been | ||
104 | // called first. | ||
105 | func (sig *SignatureV3) Serialize(w io.Writer) (err error) { | ||
106 | buf := make([]byte, 8) | ||
107 | |||
108 | // Write the sig type and creation time | ||
109 | buf[0] = byte(sig.SigType) | ||
110 | binary.BigEndian.PutUint32(buf[1:5], uint32(sig.CreationTime.Unix())) | ||
111 | if _, err = w.Write(buf[:5]); err != nil { | ||
112 | return | ||
113 | } | ||
114 | |||
115 | // Write the issuer long key ID | ||
116 | binary.BigEndian.PutUint64(buf[:8], sig.IssuerKeyId) | ||
117 | if _, err = w.Write(buf[:8]); err != nil { | ||
118 | return | ||
119 | } | ||
120 | |||
121 | // Write public key algorithm, hash ID, and hash value | ||
122 | buf[0] = byte(sig.PubKeyAlgo) | ||
123 | hashId, ok := s2k.HashToHashId(sig.Hash) | ||
124 | if !ok { | ||
125 | return errors.UnsupportedError(fmt.Sprintf("hash function %v", sig.Hash)) | ||
126 | } | ||
127 | buf[1] = hashId | ||
128 | copy(buf[2:4], sig.HashTag[:]) | ||
129 | if _, err = w.Write(buf[:4]); err != nil { | ||
130 | return | ||
131 | } | ||
132 | |||
133 | if sig.RSASignature.bytes == nil && sig.DSASigR.bytes == nil { | ||
134 | return errors.InvalidArgumentError("Signature: need to call Sign, SignUserId or SignKey before Serialize") | ||
135 | } | ||
136 | |||
137 | switch sig.PubKeyAlgo { | ||
138 | case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly: | ||
139 | err = writeMPIs(w, sig.RSASignature) | ||
140 | case PubKeyAlgoDSA: | ||
141 | err = writeMPIs(w, sig.DSASigR, sig.DSASigS) | ||
142 | default: | ||
143 | panic("impossible") | ||
144 | } | ||
145 | return | ||
146 | } | ||
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/symmetric_key_encrypted.go b/vendor/golang.org/x/crypto/openpgp/packet/symmetric_key_encrypted.go new file mode 100644 index 0000000..744c2d2 --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/packet/symmetric_key_encrypted.go | |||
@@ -0,0 +1,155 @@ | |||
1 | // Copyright 2011 The Go Authors. All rights reserved. | ||
2 | // Use of this source code is governed by a BSD-style | ||
3 | // license that can be found in the LICENSE file. | ||
4 | |||
5 | package packet | ||
6 | |||
7 | import ( | ||
8 | "bytes" | ||
9 | "crypto/cipher" | ||
10 | "io" | ||
11 | "strconv" | ||
12 | |||
13 | "golang.org/x/crypto/openpgp/errors" | ||
14 | "golang.org/x/crypto/openpgp/s2k" | ||
15 | ) | ||
16 | |||
17 | // This is the largest session key that we'll support. Since no 512-bit cipher | ||
18 | // has even been seriously used, this is comfortably large. | ||
19 | const maxSessionKeySizeInBytes = 64 | ||
20 | |||
21 | // SymmetricKeyEncrypted represents a passphrase protected session key. See RFC | ||
22 | // 4880, section 5.3. | ||
23 | type SymmetricKeyEncrypted struct { | ||
24 | CipherFunc CipherFunction | ||
25 | s2k func(out, in []byte) | ||
26 | encryptedKey []byte | ||
27 | } | ||
28 | |||
29 | const symmetricKeyEncryptedVersion = 4 | ||
30 | |||
31 | func (ske *SymmetricKeyEncrypted) parse(r io.Reader) error { | ||
32 | // RFC 4880, section 5.3. | ||
33 | var buf [2]byte | ||
34 | if _, err := readFull(r, buf[:]); err != nil { | ||
35 | return err | ||
36 | } | ||
37 | if buf[0] != symmetricKeyEncryptedVersion { | ||
38 | return errors.UnsupportedError("SymmetricKeyEncrypted version") | ||
39 | } | ||
40 | ske.CipherFunc = CipherFunction(buf[1]) | ||
41 | |||
42 | if ske.CipherFunc.KeySize() == 0 { | ||
43 | return errors.UnsupportedError("unknown cipher: " + strconv.Itoa(int(buf[1]))) | ||
44 | } | ||
45 | |||
46 | var err error | ||
47 | ske.s2k, err = s2k.Parse(r) | ||
48 | if err != nil { | ||
49 | return err | ||
50 | } | ||
51 | |||
52 | encryptedKey := make([]byte, maxSessionKeySizeInBytes) | ||
53 | // The session key may follow. We just have to try and read to find | ||
54 | // out. If it exists then we limit it to maxSessionKeySizeInBytes. | ||
55 | n, err := readFull(r, encryptedKey) | ||
56 | if err != nil && err != io.ErrUnexpectedEOF { | ||
57 | return err | ||
58 | } | ||
59 | |||
60 | if n != 0 { | ||
61 | if n == maxSessionKeySizeInBytes { | ||
62 | return errors.UnsupportedError("oversized encrypted session key") | ||
63 | } | ||
64 | ske.encryptedKey = encryptedKey[:n] | ||
65 | } | ||
66 | |||
67 | return nil | ||
68 | } | ||
69 | |||
70 | // Decrypt attempts to decrypt an encrypted session key and returns the key and | ||
71 | // the cipher to use when decrypting a subsequent Symmetrically Encrypted Data | ||
72 | // packet. | ||
73 | func (ske *SymmetricKeyEncrypted) Decrypt(passphrase []byte) ([]byte, CipherFunction, error) { | ||
74 | key := make([]byte, ske.CipherFunc.KeySize()) | ||
75 | ske.s2k(key, passphrase) | ||
76 | |||
77 | if len(ske.encryptedKey) == 0 { | ||
78 | return key, ske.CipherFunc, nil | ||
79 | } | ||
80 | |||
81 | // the IV is all zeros | ||
82 | iv := make([]byte, ske.CipherFunc.blockSize()) | ||
83 | c := cipher.NewCFBDecrypter(ske.CipherFunc.new(key), iv) | ||
84 | plaintextKey := make([]byte, len(ske.encryptedKey)) | ||
85 | c.XORKeyStream(plaintextKey, ske.encryptedKey) | ||
86 | cipherFunc := CipherFunction(plaintextKey[0]) | ||
87 | if cipherFunc.blockSize() == 0 { | ||
88 | return nil, ske.CipherFunc, errors.UnsupportedError("unknown cipher: " + strconv.Itoa(int(cipherFunc))) | ||
89 | } | ||
90 | plaintextKey = plaintextKey[1:] | ||
91 | if l, cipherKeySize := len(plaintextKey), cipherFunc.KeySize(); l != cipherFunc.KeySize() { | ||
92 | return nil, cipherFunc, errors.StructuralError("length of decrypted key (" + strconv.Itoa(l) + ") " + | ||
93 | "not equal to cipher keysize (" + strconv.Itoa(cipherKeySize) + ")") | ||
94 | } | ||
95 | return plaintextKey, cipherFunc, nil | ||
96 | } | ||
97 | |||
98 | // SerializeSymmetricKeyEncrypted serializes a symmetric key packet to w. The | ||
99 | // packet contains a random session key, encrypted by a key derived from the | ||
100 | // given passphrase. The session key is returned and must be passed to | ||
101 | // SerializeSymmetricallyEncrypted. | ||
102 | // If config is nil, sensible defaults will be used. | ||
103 | func SerializeSymmetricKeyEncrypted(w io.Writer, passphrase []byte, config *Config) (key []byte, err error) { | ||
104 | cipherFunc := config.Cipher() | ||
105 | keySize := cipherFunc.KeySize() | ||
106 | if keySize == 0 { | ||
107 | return nil, errors.UnsupportedError("unknown cipher: " + strconv.Itoa(int(cipherFunc))) | ||
108 | } | ||
109 | |||
110 | s2kBuf := new(bytes.Buffer) | ||
111 | keyEncryptingKey := make([]byte, keySize) | ||
112 | // s2k.Serialize salts and stretches the passphrase, and writes the | ||
113 | // resulting key to keyEncryptingKey and the s2k descriptor to s2kBuf. | ||
114 | err = s2k.Serialize(s2kBuf, keyEncryptingKey, config.Random(), passphrase, &s2k.Config{Hash: config.Hash(), S2KCount: config.PasswordHashIterations()}) | ||
115 | if err != nil { | ||
116 | return | ||
117 | } | ||
118 | s2kBytes := s2kBuf.Bytes() | ||
119 | |||
120 | packetLength := 2 /* header */ + len(s2kBytes) + 1 /* cipher type */ + keySize | ||
121 | err = serializeHeader(w, packetTypeSymmetricKeyEncrypted, packetLength) | ||
122 | if err != nil { | ||
123 | return | ||
124 | } | ||
125 | |||
126 | var buf [2]byte | ||
127 | buf[0] = symmetricKeyEncryptedVersion | ||
128 | buf[1] = byte(cipherFunc) | ||
129 | _, err = w.Write(buf[:]) | ||
130 | if err != nil { | ||
131 | return | ||
132 | } | ||
133 | _, err = w.Write(s2kBytes) | ||
134 | if err != nil { | ||
135 | return | ||
136 | } | ||
137 | |||
138 | sessionKey := make([]byte, keySize) | ||
139 | _, err = io.ReadFull(config.Random(), sessionKey) | ||
140 | if err != nil { | ||
141 | return | ||
142 | } | ||
143 | iv := make([]byte, cipherFunc.blockSize()) | ||
144 | c := cipher.NewCFBEncrypter(cipherFunc.new(keyEncryptingKey), iv) | ||
145 | encryptedCipherAndKey := make([]byte, keySize+1) | ||
146 | c.XORKeyStream(encryptedCipherAndKey, buf[1:]) | ||
147 | c.XORKeyStream(encryptedCipherAndKey[1:], sessionKey) | ||
148 | _, err = w.Write(encryptedCipherAndKey) | ||
149 | if err != nil { | ||
150 | return | ||
151 | } | ||
152 | |||
153 | key = sessionKey | ||
154 | return | ||
155 | } | ||
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/symmetrically_encrypted.go b/vendor/golang.org/x/crypto/openpgp/packet/symmetrically_encrypted.go new file mode 100644 index 0000000..6126030 --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/packet/symmetrically_encrypted.go | |||
@@ -0,0 +1,290 @@ | |||
1 | // Copyright 2011 The Go Authors. All rights reserved. | ||
2 | // Use of this source code is governed by a BSD-style | ||
3 | // license that can be found in the LICENSE file. | ||
4 | |||
5 | package packet | ||
6 | |||
7 | import ( | ||
8 | "crypto/cipher" | ||
9 | "crypto/sha1" | ||
10 | "crypto/subtle" | ||
11 | "golang.org/x/crypto/openpgp/errors" | ||
12 | "hash" | ||
13 | "io" | ||
14 | "strconv" | ||
15 | ) | ||
16 | |||
17 | // SymmetricallyEncrypted represents a symmetrically encrypted byte string. The | ||
18 | // encrypted contents will consist of more OpenPGP packets. See RFC 4880, | ||
19 | // sections 5.7 and 5.13. | ||
20 | type SymmetricallyEncrypted struct { | ||
21 | MDC bool // true iff this is a type 18 packet and thus has an embedded MAC. | ||
22 | contents io.Reader | ||
23 | prefix []byte | ||
24 | } | ||
25 | |||
26 | const symmetricallyEncryptedVersion = 1 | ||
27 | |||
28 | func (se *SymmetricallyEncrypted) parse(r io.Reader) error { | ||
29 | if se.MDC { | ||
30 | // See RFC 4880, section 5.13. | ||
31 | var buf [1]byte | ||
32 | _, err := readFull(r, buf[:]) | ||
33 | if err != nil { | ||
34 | return err | ||
35 | } | ||
36 | if buf[0] != symmetricallyEncryptedVersion { | ||
37 | return errors.UnsupportedError("unknown SymmetricallyEncrypted version") | ||
38 | } | ||
39 | } | ||
40 | se.contents = r | ||
41 | return nil | ||
42 | } | ||
43 | |||
44 | // Decrypt returns a ReadCloser, from which the decrypted contents of the | ||
45 | // packet can be read. An incorrect key can, with high probability, be detected | ||
46 | // immediately and this will result in a KeyIncorrect error being returned. | ||
47 | func (se *SymmetricallyEncrypted) Decrypt(c CipherFunction, key []byte) (io.ReadCloser, error) { | ||
48 | keySize := c.KeySize() | ||
49 | if keySize == 0 { | ||
50 | return nil, errors.UnsupportedError("unknown cipher: " + strconv.Itoa(int(c))) | ||
51 | } | ||
52 | if len(key) != keySize { | ||
53 | return nil, errors.InvalidArgumentError("SymmetricallyEncrypted: incorrect key length") | ||
54 | } | ||
55 | |||
56 | if se.prefix == nil { | ||
57 | se.prefix = make([]byte, c.blockSize()+2) | ||
58 | _, err := readFull(se.contents, se.prefix) | ||
59 | if err != nil { | ||
60 | return nil, err | ||
61 | } | ||
62 | } else if len(se.prefix) != c.blockSize()+2 { | ||
63 | return nil, errors.InvalidArgumentError("can't try ciphers with different block lengths") | ||
64 | } | ||
65 | |||
66 | ocfbResync := OCFBResync | ||
67 | if se.MDC { | ||
68 | // MDC packets use a different form of OCFB mode. | ||
69 | ocfbResync = OCFBNoResync | ||
70 | } | ||
71 | |||
72 | s := NewOCFBDecrypter(c.new(key), se.prefix, ocfbResync) | ||
73 | if s == nil { | ||
74 | return nil, errors.ErrKeyIncorrect | ||
75 | } | ||
76 | |||
77 | plaintext := cipher.StreamReader{S: s, R: se.contents} | ||
78 | |||
79 | if se.MDC { | ||
80 | // MDC packets have an embedded hash that we need to check. | ||
81 | h := sha1.New() | ||
82 | h.Write(se.prefix) | ||
83 | return &seMDCReader{in: plaintext, h: h}, nil | ||
84 | } | ||
85 | |||
86 | // Otherwise, we just need to wrap plaintext so that it's a valid ReadCloser. | ||
87 | return seReader{plaintext}, nil | ||
88 | } | ||
89 | |||
90 | // seReader wraps an io.Reader with a no-op Close method. | ||
91 | type seReader struct { | ||
92 | in io.Reader | ||
93 | } | ||
94 | |||
95 | func (ser seReader) Read(buf []byte) (int, error) { | ||
96 | return ser.in.Read(buf) | ||
97 | } | ||
98 | |||
99 | func (ser seReader) Close() error { | ||
100 | return nil | ||
101 | } | ||
102 | |||
103 | const mdcTrailerSize = 1 /* tag byte */ + 1 /* length byte */ + sha1.Size | ||
104 | |||
105 | // An seMDCReader wraps an io.Reader, maintains a running hash and keeps hold | ||
106 | // of the most recent 22 bytes (mdcTrailerSize). Upon EOF, those bytes form an | ||
107 | // MDC packet containing a hash of the previous contents which is checked | ||
108 | // against the running hash. See RFC 4880, section 5.13. | ||
109 | type seMDCReader struct { | ||
110 | in io.Reader | ||
111 | h hash.Hash | ||
112 | trailer [mdcTrailerSize]byte | ||
113 | scratch [mdcTrailerSize]byte | ||
114 | trailerUsed int | ||
115 | error bool | ||
116 | eof bool | ||
117 | } | ||
118 | |||
119 | func (ser *seMDCReader) Read(buf []byte) (n int, err error) { | ||
120 | if ser.error { | ||
121 | err = io.ErrUnexpectedEOF | ||
122 | return | ||
123 | } | ||
124 | if ser.eof { | ||
125 | err = io.EOF | ||
126 | return | ||
127 | } | ||
128 | |||
129 | // If we haven't yet filled the trailer buffer then we must do that | ||
130 | // first. | ||
131 | for ser.trailerUsed < mdcTrailerSize { | ||
132 | n, err = ser.in.Read(ser.trailer[ser.trailerUsed:]) | ||
133 | ser.trailerUsed += n | ||
134 | if err == io.EOF { | ||
135 | if ser.trailerUsed != mdcTrailerSize { | ||
136 | n = 0 | ||
137 | err = io.ErrUnexpectedEOF | ||
138 | ser.error = true | ||
139 | return | ||
140 | } | ||
141 | ser.eof = true | ||
142 | n = 0 | ||
143 | return | ||
144 | } | ||
145 | |||
146 | if err != nil { | ||
147 | n = 0 | ||
148 | return | ||
149 | } | ||
150 | } | ||
151 | |||
152 | // If it's a short read then we read into a temporary buffer and shift | ||
153 | // the data into the caller's buffer. | ||
154 | if len(buf) <= mdcTrailerSize { | ||
155 | n, err = readFull(ser.in, ser.scratch[:len(buf)]) | ||
156 | copy(buf, ser.trailer[:n]) | ||
157 | ser.h.Write(buf[:n]) | ||
158 | copy(ser.trailer[:], ser.trailer[n:]) | ||
159 | copy(ser.trailer[mdcTrailerSize-n:], ser.scratch[:]) | ||
160 | if n < len(buf) { | ||
161 | ser.eof = true | ||
162 | err = io.EOF | ||
163 | } | ||
164 | return | ||
165 | } | ||
166 | |||
167 | n, err = ser.in.Read(buf[mdcTrailerSize:]) | ||
168 | copy(buf, ser.trailer[:]) | ||
169 | ser.h.Write(buf[:n]) | ||
170 | copy(ser.trailer[:], buf[n:]) | ||
171 | |||
172 | if err == io.EOF { | ||
173 | ser.eof = true | ||
174 | } | ||
175 | return | ||
176 | } | ||
177 | |||
178 | // This is a new-format packet tag byte for a type 19 (MDC) packet. | ||
179 | const mdcPacketTagByte = byte(0x80) | 0x40 | 19 | ||
180 | |||
181 | func (ser *seMDCReader) Close() error { | ||
182 | if ser.error { | ||
183 | return errors.SignatureError("error during reading") | ||
184 | } | ||
185 | |||
186 | for !ser.eof { | ||
187 | // We haven't seen EOF so we need to read to the end | ||
188 | var buf [1024]byte | ||
189 | _, err := ser.Read(buf[:]) | ||
190 | if err == io.EOF { | ||
191 | break | ||
192 | } | ||
193 | if err != nil { | ||
194 | return errors.SignatureError("error during reading") | ||
195 | } | ||
196 | } | ||
197 | |||
198 | if ser.trailer[0] != mdcPacketTagByte || ser.trailer[1] != sha1.Size { | ||
199 | return errors.SignatureError("MDC packet not found") | ||
200 | } | ||
201 | ser.h.Write(ser.trailer[:2]) | ||
202 | |||
203 | final := ser.h.Sum(nil) | ||
204 | if subtle.ConstantTimeCompare(final, ser.trailer[2:]) != 1 { | ||
205 | return errors.SignatureError("hash mismatch") | ||
206 | } | ||
207 | return nil | ||
208 | } | ||
209 | |||
210 | // An seMDCWriter writes through to an io.WriteCloser while maintains a running | ||
211 | // hash of the data written. On close, it emits an MDC packet containing the | ||
212 | // running hash. | ||
213 | type seMDCWriter struct { | ||
214 | w io.WriteCloser | ||
215 | h hash.Hash | ||
216 | } | ||
217 | |||
218 | func (w *seMDCWriter) Write(buf []byte) (n int, err error) { | ||
219 | w.h.Write(buf) | ||
220 | return w.w.Write(buf) | ||
221 | } | ||
222 | |||
223 | func (w *seMDCWriter) Close() (err error) { | ||
224 | var buf [mdcTrailerSize]byte | ||
225 | |||
226 | buf[0] = mdcPacketTagByte | ||
227 | buf[1] = sha1.Size | ||
228 | w.h.Write(buf[:2]) | ||
229 | digest := w.h.Sum(nil) | ||
230 | copy(buf[2:], digest) | ||
231 | |||
232 | _, err = w.w.Write(buf[:]) | ||
233 | if err != nil { | ||
234 | return | ||
235 | } | ||
236 | return w.w.Close() | ||
237 | } | ||
238 | |||
239 | // noOpCloser is like an ioutil.NopCloser, but for an io.Writer. | ||
240 | type noOpCloser struct { | ||
241 | w io.Writer | ||
242 | } | ||
243 | |||
244 | func (c noOpCloser) Write(data []byte) (n int, err error) { | ||
245 | return c.w.Write(data) | ||
246 | } | ||
247 | |||
248 | func (c noOpCloser) Close() error { | ||
249 | return nil | ||
250 | } | ||
251 | |||
252 | // SerializeSymmetricallyEncrypted serializes a symmetrically encrypted packet | ||
253 | // to w and returns a WriteCloser to which the to-be-encrypted packets can be | ||
254 | // written. | ||
255 | // If config is nil, sensible defaults will be used. | ||
256 | func SerializeSymmetricallyEncrypted(w io.Writer, c CipherFunction, key []byte, config *Config) (contents io.WriteCloser, err error) { | ||
257 | if c.KeySize() != len(key) { | ||
258 | return nil, errors.InvalidArgumentError("SymmetricallyEncrypted.Serialize: bad key length") | ||
259 | } | ||
260 | writeCloser := noOpCloser{w} | ||
261 | ciphertext, err := serializeStreamHeader(writeCloser, packetTypeSymmetricallyEncryptedMDC) | ||
262 | if err != nil { | ||
263 | return | ||
264 | } | ||
265 | |||
266 | _, err = ciphertext.Write([]byte{symmetricallyEncryptedVersion}) | ||
267 | if err != nil { | ||
268 | return | ||
269 | } | ||
270 | |||
271 | block := c.new(key) | ||
272 | blockSize := block.BlockSize() | ||
273 | iv := make([]byte, blockSize) | ||
274 | _, err = config.Random().Read(iv) | ||
275 | if err != nil { | ||
276 | return | ||
277 | } | ||
278 | s, prefix := NewOCFBEncrypter(block, iv, OCFBNoResync) | ||
279 | _, err = ciphertext.Write(prefix) | ||
280 | if err != nil { | ||
281 | return | ||
282 | } | ||
283 | plaintext := cipher.StreamWriter{S: s, W: ciphertext} | ||
284 | |||
285 | h := sha1.New() | ||
286 | h.Write(iv) | ||
287 | h.Write(iv[blockSize-2:]) | ||
288 | contents = &seMDCWriter{w: plaintext, h: h} | ||
289 | return | ||
290 | } | ||
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/userattribute.go b/vendor/golang.org/x/crypto/openpgp/packet/userattribute.go new file mode 100644 index 0000000..96a2b38 --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/packet/userattribute.go | |||
@@ -0,0 +1,91 @@ | |||
1 | // Copyright 2013 The Go Authors. All rights reserved. | ||
2 | // Use of this source code is governed by a BSD-style | ||
3 | // license that can be found in the LICENSE file. | ||
4 | |||
5 | package packet | ||
6 | |||
7 | import ( | ||
8 | "bytes" | ||
9 | "image" | ||
10 | "image/jpeg" | ||
11 | "io" | ||
12 | "io/ioutil" | ||
13 | ) | ||
14 | |||
15 | const UserAttrImageSubpacket = 1 | ||
16 | |||
17 | // UserAttribute is capable of storing other types of data about a user | ||
18 | // beyond name, email and a text comment. In practice, user attributes are typically used | ||
19 | // to store a signed thumbnail photo JPEG image of the user. | ||
20 | // See RFC 4880, section 5.12. | ||
21 | type UserAttribute struct { | ||
22 | Contents []*OpaqueSubpacket | ||
23 | } | ||
24 | |||
25 | // NewUserAttributePhoto creates a user attribute packet | ||
26 | // containing the given images. | ||
27 | func NewUserAttributePhoto(photos ...image.Image) (uat *UserAttribute, err error) { | ||
28 | uat = new(UserAttribute) | ||
29 | for _, photo := range photos { | ||
30 | var buf bytes.Buffer | ||
31 | // RFC 4880, Section 5.12.1. | ||
32 | data := []byte{ | ||
33 | 0x10, 0x00, // Little-endian image header length (16 bytes) | ||
34 | 0x01, // Image header version 1 | ||
35 | 0x01, // JPEG | ||
36 | 0, 0, 0, 0, // 12 reserved octets, must be all zero. | ||
37 | 0, 0, 0, 0, | ||
38 | 0, 0, 0, 0} | ||
39 | if _, err = buf.Write(data); err != nil { | ||
40 | return | ||
41 | } | ||
42 | if err = jpeg.Encode(&buf, photo, nil); err != nil { | ||
43 | return | ||
44 | } | ||
45 | uat.Contents = append(uat.Contents, &OpaqueSubpacket{ | ||
46 | SubType: UserAttrImageSubpacket, | ||
47 | Contents: buf.Bytes()}) | ||
48 | } | ||
49 | return | ||
50 | } | ||
51 | |||
52 | // NewUserAttribute creates a new user attribute packet containing the given subpackets. | ||
53 | func NewUserAttribute(contents ...*OpaqueSubpacket) *UserAttribute { | ||
54 | return &UserAttribute{Contents: contents} | ||
55 | } | ||
56 | |||
57 | func (uat *UserAttribute) parse(r io.Reader) (err error) { | ||
58 | // RFC 4880, section 5.13 | ||
59 | b, err := ioutil.ReadAll(r) | ||
60 | if err != nil { | ||
61 | return | ||
62 | } | ||
63 | uat.Contents, err = OpaqueSubpackets(b) | ||
64 | return | ||
65 | } | ||
66 | |||
67 | // Serialize marshals the user attribute to w in the form of an OpenPGP packet, including | ||
68 | // header. | ||
69 | func (uat *UserAttribute) Serialize(w io.Writer) (err error) { | ||
70 | var buf bytes.Buffer | ||
71 | for _, sp := range uat.Contents { | ||
72 | sp.Serialize(&buf) | ||
73 | } | ||
74 | if err = serializeHeader(w, packetTypeUserAttribute, buf.Len()); err != nil { | ||
75 | return err | ||
76 | } | ||
77 | _, err = w.Write(buf.Bytes()) | ||
78 | return | ||
79 | } | ||
80 | |||
81 | // ImageData returns zero or more byte slices, each containing | ||
82 | // JPEG File Interchange Format (JFIF), for each photo in the | ||
83 | // the user attribute packet. | ||
84 | func (uat *UserAttribute) ImageData() (imageData [][]byte) { | ||
85 | for _, sp := range uat.Contents { | ||
86 | if sp.SubType == UserAttrImageSubpacket && len(sp.Contents) > 16 { | ||
87 | imageData = append(imageData, sp.Contents[16:]) | ||
88 | } | ||
89 | } | ||
90 | return | ||
91 | } | ||
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/userid.go b/vendor/golang.org/x/crypto/openpgp/packet/userid.go new file mode 100644 index 0000000..d6bea7d --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/packet/userid.go | |||
@@ -0,0 +1,160 @@ | |||
1 | // Copyright 2011 The Go Authors. All rights reserved. | ||
2 | // Use of this source code is governed by a BSD-style | ||
3 | // license that can be found in the LICENSE file. | ||
4 | |||
5 | package packet | ||
6 | |||
7 | import ( | ||
8 | "io" | ||
9 | "io/ioutil" | ||
10 | "strings" | ||
11 | ) | ||
12 | |||
13 | // UserId contains text that is intended to represent the name and email | ||
14 | // address of the key holder. See RFC 4880, section 5.11. By convention, this | ||
15 | // takes the form "Full Name (Comment) <email@example.com>" | ||
16 | type UserId struct { | ||
17 | Id string // By convention, this takes the form "Full Name (Comment) <email@example.com>" which is split out in the fields below. | ||
18 | |||
19 | Name, Comment, Email string | ||
20 | } | ||
21 | |||
22 | func hasInvalidCharacters(s string) bool { | ||
23 | for _, c := range s { | ||
24 | switch c { | ||
25 | case '(', ')', '<', '>', 0: | ||
26 | return true | ||
27 | } | ||
28 | } | ||
29 | return false | ||
30 | } | ||
31 | |||
32 | // NewUserId returns a UserId or nil if any of the arguments contain invalid | ||
33 | // characters. The invalid characters are '\x00', '(', ')', '<' and '>' | ||
34 | func NewUserId(name, comment, email string) *UserId { | ||
35 | // RFC 4880 doesn't deal with the structure of userid strings; the | ||
36 | // name, comment and email form is just a convention. However, there's | ||
37 | // no convention about escaping the metacharacters and GPG just refuses | ||
38 | // to create user ids where, say, the name contains a '('. We mirror | ||
39 | // this behaviour. | ||
40 | |||
41 | if hasInvalidCharacters(name) || hasInvalidCharacters(comment) || hasInvalidCharacters(email) { | ||
42 | return nil | ||
43 | } | ||
44 | |||
45 | uid := new(UserId) | ||
46 | uid.Name, uid.Comment, uid.Email = name, comment, email | ||
47 | uid.Id = name | ||
48 | if len(comment) > 0 { | ||
49 | if len(uid.Id) > 0 { | ||
50 | uid.Id += " " | ||
51 | } | ||
52 | uid.Id += "(" | ||
53 | uid.Id += comment | ||
54 | uid.Id += ")" | ||
55 | } | ||
56 | if len(email) > 0 { | ||
57 | if len(uid.Id) > 0 { | ||
58 | uid.Id += " " | ||
59 | } | ||
60 | uid.Id += "<" | ||
61 | uid.Id += email | ||
62 | uid.Id += ">" | ||
63 | } | ||
64 | return uid | ||
65 | } | ||
66 | |||
67 | func (uid *UserId) parse(r io.Reader) (err error) { | ||
68 | // RFC 4880, section 5.11 | ||
69 | b, err := ioutil.ReadAll(r) | ||
70 | if err != nil { | ||
71 | return | ||
72 | } | ||
73 | uid.Id = string(b) | ||
74 | uid.Name, uid.Comment, uid.Email = parseUserId(uid.Id) | ||
75 | return | ||
76 | } | ||
77 | |||
78 | // Serialize marshals uid to w in the form of an OpenPGP packet, including | ||
79 | // header. | ||
80 | func (uid *UserId) Serialize(w io.Writer) error { | ||
81 | err := serializeHeader(w, packetTypeUserId, len(uid.Id)) | ||
82 | if err != nil { | ||
83 | return err | ||
84 | } | ||
85 | _, err = w.Write([]byte(uid.Id)) | ||
86 | return err | ||
87 | } | ||
88 | |||
89 | // parseUserId extracts the name, comment and email from a user id string that | ||
90 | // is formatted as "Full Name (Comment) <email@example.com>". | ||
91 | func parseUserId(id string) (name, comment, email string) { | ||
92 | var n, c, e struct { | ||
93 | start, end int | ||
94 | } | ||
95 | var state int | ||
96 | |||
97 | for offset, rune := range id { | ||
98 | switch state { | ||
99 | case 0: | ||
100 | // Entering name | ||
101 | n.start = offset | ||
102 | state = 1 | ||
103 | fallthrough | ||
104 | case 1: | ||
105 | // In name | ||
106 | if rune == '(' { | ||
107 | state = 2 | ||
108 | n.end = offset | ||
109 | } else if rune == '<' { | ||
110 | state = 5 | ||
111 | n.end = offset | ||
112 | } | ||
113 | case 2: | ||
114 | // Entering comment | ||
115 | c.start = offset | ||
116 | state = 3 | ||
117 | fallthrough | ||
118 | case 3: | ||
119 | // In comment | ||
120 | if rune == ')' { | ||
121 | state = 4 | ||
122 | c.end = offset | ||
123 | } | ||
124 | case 4: | ||
125 | // Between comment and email | ||
126 | if rune == '<' { | ||
127 | state = 5 | ||
128 | } | ||
129 | case 5: | ||
130 | // Entering email | ||
131 | e.start = offset | ||
132 | state = 6 | ||
133 | fallthrough | ||
134 | case 6: | ||
135 | // In email | ||
136 | if rune == '>' { | ||
137 | state = 7 | ||
138 | e.end = offset | ||
139 | } | ||
140 | default: | ||
141 | // After email | ||
142 | } | ||
143 | } | ||
144 | switch state { | ||
145 | case 1: | ||
146 | // ended in the name | ||
147 | n.end = len(id) | ||
148 | case 3: | ||
149 | // ended in comment | ||
150 | c.end = len(id) | ||
151 | case 6: | ||
152 | // ended in email | ||
153 | e.end = len(id) | ||
154 | } | ||
155 | |||
156 | name = strings.TrimSpace(id[n.start:n.end]) | ||
157 | comment = strings.TrimSpace(id[c.start:c.end]) | ||
158 | email = strings.TrimSpace(id[e.start:e.end]) | ||
159 | return | ||
160 | } | ||
diff --git a/vendor/golang.org/x/crypto/openpgp/read.go b/vendor/golang.org/x/crypto/openpgp/read.go new file mode 100644 index 0000000..6ec664f --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/read.go | |||
@@ -0,0 +1,442 @@ | |||
1 | // Copyright 2011 The Go Authors. All rights reserved. | ||
2 | // Use of this source code is governed by a BSD-style | ||
3 | // license that can be found in the LICENSE file. | ||
4 | |||
5 | // Package openpgp implements high level operations on OpenPGP messages. | ||
6 | package openpgp // import "golang.org/x/crypto/openpgp" | ||
7 | |||
8 | import ( | ||
9 | "crypto" | ||
10 | _ "crypto/sha256" | ||
11 | "hash" | ||
12 | "io" | ||
13 | "strconv" | ||
14 | |||
15 | "golang.org/x/crypto/openpgp/armor" | ||
16 | "golang.org/x/crypto/openpgp/errors" | ||
17 | "golang.org/x/crypto/openpgp/packet" | ||
18 | ) | ||
19 | |||
20 | // SignatureType is the armor type for a PGP signature. | ||
21 | var SignatureType = "PGP SIGNATURE" | ||
22 | |||
23 | // readArmored reads an armored block with the given type. | ||
24 | func readArmored(r io.Reader, expectedType string) (body io.Reader, err error) { | ||
25 | block, err := armor.Decode(r) | ||
26 | if err != nil { | ||
27 | return | ||
28 | } | ||
29 | |||
30 | if block.Type != expectedType { | ||
31 | return nil, errors.InvalidArgumentError("expected '" + expectedType + "', got: " + block.Type) | ||
32 | } | ||
33 | |||
34 | return block.Body, nil | ||
35 | } | ||
36 | |||
37 | // MessageDetails contains the result of parsing an OpenPGP encrypted and/or | ||
38 | // signed message. | ||
39 | type MessageDetails struct { | ||
40 | IsEncrypted bool // true if the message was encrypted. | ||
41 | EncryptedToKeyIds []uint64 // the list of recipient key ids. | ||
42 | IsSymmetricallyEncrypted bool // true if a passphrase could have decrypted the message. | ||
43 | DecryptedWith Key // the private key used to decrypt the message, if any. | ||
44 | IsSigned bool // true if the message is signed. | ||
45 | SignedByKeyId uint64 // the key id of the signer, if any. | ||
46 | SignedBy *Key // the key of the signer, if available. | ||
47 | LiteralData *packet.LiteralData // the metadata of the contents | ||
48 | UnverifiedBody io.Reader // the contents of the message. | ||
49 | |||
50 | // If IsSigned is true and SignedBy is non-zero then the signature will | ||
51 | // be verified as UnverifiedBody is read. The signature cannot be | ||
52 | // checked until the whole of UnverifiedBody is read so UnverifiedBody | ||
53 | // must be consumed until EOF before the data can be trusted. Even if a | ||
54 | // message isn't signed (or the signer is unknown) the data may contain | ||
55 | // an authentication code that is only checked once UnverifiedBody has | ||
56 | // been consumed. Once EOF has been seen, the following fields are | ||
57 | // valid. (An authentication code failure is reported as a | ||
58 | // SignatureError error when reading from UnverifiedBody.) | ||
59 | SignatureError error // nil if the signature is good. | ||
60 | Signature *packet.Signature // the signature packet itself, if v4 (default) | ||
61 | SignatureV3 *packet.SignatureV3 // the signature packet if it is a v2 or v3 signature | ||
62 | |||
63 | decrypted io.ReadCloser | ||
64 | } | ||
65 | |||
66 | // A PromptFunction is used as a callback by functions that may need to decrypt | ||
67 | // a private key, or prompt for a passphrase. It is called with a list of | ||
68 | // acceptable, encrypted private keys and a boolean that indicates whether a | ||
69 | // passphrase is usable. It should either decrypt a private key or return a | ||
70 | // passphrase to try. If the decrypted private key or given passphrase isn't | ||
71 | // correct, the function will be called again, forever. Any error returned will | ||
72 | // be passed up. | ||
73 | type PromptFunction func(keys []Key, symmetric bool) ([]byte, error) | ||
74 | |||
75 | // A keyEnvelopePair is used to store a private key with the envelope that | ||
76 | // contains a symmetric key, encrypted with that key. | ||
77 | type keyEnvelopePair struct { | ||
78 | key Key | ||
79 | encryptedKey *packet.EncryptedKey | ||
80 | } | ||
81 | |||
82 | // ReadMessage parses an OpenPGP message that may be signed and/or encrypted. | ||
83 | // The given KeyRing should contain both public keys (for signature | ||
84 | // verification) and, possibly encrypted, private keys for decrypting. | ||
85 | // If config is nil, sensible defaults will be used. | ||
86 | func ReadMessage(r io.Reader, keyring KeyRing, prompt PromptFunction, config *packet.Config) (md *MessageDetails, err error) { | ||
87 | var p packet.Packet | ||
88 | |||
89 | var symKeys []*packet.SymmetricKeyEncrypted | ||
90 | var pubKeys []keyEnvelopePair | ||
91 | var se *packet.SymmetricallyEncrypted | ||
92 | |||
93 | packets := packet.NewReader(r) | ||
94 | md = new(MessageDetails) | ||
95 | md.IsEncrypted = true | ||
96 | |||
97 | // The message, if encrypted, starts with a number of packets | ||
98 | // containing an encrypted decryption key. The decryption key is either | ||
99 | // encrypted to a public key, or with a passphrase. This loop | ||
100 | // collects these packets. | ||
101 | ParsePackets: | ||
102 | for { | ||
103 | p, err = packets.Next() | ||
104 | if err != nil { | ||
105 | return nil, err | ||
106 | } | ||
107 | switch p := p.(type) { | ||
108 | case *packet.SymmetricKeyEncrypted: | ||
109 | // This packet contains the decryption key encrypted with a passphrase. | ||
110 | md.IsSymmetricallyEncrypted = true | ||
111 | symKeys = append(symKeys, p) | ||
112 | case *packet.EncryptedKey: | ||
113 | // This packet contains the decryption key encrypted to a public key. | ||
114 | md.EncryptedToKeyIds = append(md.EncryptedToKeyIds, p.KeyId) | ||
115 | switch p.Algo { | ||
116 | case packet.PubKeyAlgoRSA, packet.PubKeyAlgoRSAEncryptOnly, packet.PubKeyAlgoElGamal: | ||
117 | break | ||
118 | default: | ||
119 | continue | ||
120 | } | ||
121 | var keys []Key | ||
122 | if p.KeyId == 0 { | ||
123 | keys = keyring.DecryptionKeys() | ||
124 | } else { | ||
125 | keys = keyring.KeysById(p.KeyId) | ||
126 | } | ||
127 | for _, k := range keys { | ||
128 | pubKeys = append(pubKeys, keyEnvelopePair{k, p}) | ||
129 | } | ||
130 | case *packet.SymmetricallyEncrypted: | ||
131 | se = p | ||
132 | break ParsePackets | ||
133 | case *packet.Compressed, *packet.LiteralData, *packet.OnePassSignature: | ||
134 | // This message isn't encrypted. | ||
135 | if len(symKeys) != 0 || len(pubKeys) != 0 { | ||
136 | return nil, errors.StructuralError("key material not followed by encrypted message") | ||
137 | } | ||
138 | packets.Unread(p) | ||
139 | return readSignedMessage(packets, nil, keyring) | ||
140 | } | ||
141 | } | ||
142 | |||
143 | var candidates []Key | ||
144 | var decrypted io.ReadCloser | ||
145 | |||
146 | // Now that we have the list of encrypted keys we need to decrypt at | ||
147 | // least one of them or, if we cannot, we need to call the prompt | ||
148 | // function so that it can decrypt a key or give us a passphrase. | ||
149 | FindKey: | ||
150 | for { | ||
151 | // See if any of the keys already have a private key available | ||
152 | candidates = candidates[:0] | ||
153 | candidateFingerprints := make(map[string]bool) | ||
154 | |||
155 | for _, pk := range pubKeys { | ||
156 | if pk.key.PrivateKey == nil { | ||
157 | continue | ||
158 | } | ||
159 | if !pk.key.PrivateKey.Encrypted { | ||
160 | if len(pk.encryptedKey.Key) == 0 { | ||
161 | pk.encryptedKey.Decrypt(pk.key.PrivateKey, config) | ||
162 | } | ||
163 | if len(pk.encryptedKey.Key) == 0 { | ||
164 | continue | ||
165 | } | ||
166 | decrypted, err = se.Decrypt(pk.encryptedKey.CipherFunc, pk.encryptedKey.Key) | ||
167 | if err != nil && err != errors.ErrKeyIncorrect { | ||
168 | return nil, err | ||
169 | } | ||
170 | if decrypted != nil { | ||
171 | md.DecryptedWith = pk.key | ||
172 | break FindKey | ||
173 | } | ||
174 | } else { | ||
175 | fpr := string(pk.key.PublicKey.Fingerprint[:]) | ||
176 | if v := candidateFingerprints[fpr]; v { | ||
177 | continue | ||
178 | } | ||
179 | candidates = append(candidates, pk.key) | ||
180 | candidateFingerprints[fpr] = true | ||
181 | } | ||
182 | } | ||
183 | |||
184 | if len(candidates) == 0 && len(symKeys) == 0 { | ||
185 | return nil, errors.ErrKeyIncorrect | ||
186 | } | ||
187 | |||
188 | if prompt == nil { | ||
189 | return nil, errors.ErrKeyIncorrect | ||
190 | } | ||
191 | |||
192 | passphrase, err := prompt(candidates, len(symKeys) != 0) | ||
193 | if err != nil { | ||
194 | return nil, err | ||
195 | } | ||
196 | |||
197 | // Try the symmetric passphrase first | ||
198 | if len(symKeys) != 0 && passphrase != nil { | ||
199 | for _, s := range symKeys { | ||
200 | key, cipherFunc, err := s.Decrypt(passphrase) | ||
201 | if err == nil { | ||
202 | decrypted, err = se.Decrypt(cipherFunc, key) | ||
203 | if err != nil && err != errors.ErrKeyIncorrect { | ||
204 | return nil, err | ||
205 | } | ||
206 | if decrypted != nil { | ||
207 | break FindKey | ||
208 | } | ||
209 | } | ||
210 | |||
211 | } | ||
212 | } | ||
213 | } | ||
214 | |||
215 | md.decrypted = decrypted | ||
216 | if err := packets.Push(decrypted); err != nil { | ||
217 | return nil, err | ||
218 | } | ||
219 | return readSignedMessage(packets, md, keyring) | ||
220 | } | ||
221 | |||
222 | // readSignedMessage reads a possibly signed message if mdin is non-zero then | ||
223 | // that structure is updated and returned. Otherwise a fresh MessageDetails is | ||
224 | // used. | ||
225 | func readSignedMessage(packets *packet.Reader, mdin *MessageDetails, keyring KeyRing) (md *MessageDetails, err error) { | ||
226 | if mdin == nil { | ||
227 | mdin = new(MessageDetails) | ||
228 | } | ||
229 | md = mdin | ||
230 | |||
231 | var p packet.Packet | ||
232 | var h hash.Hash | ||
233 | var wrappedHash hash.Hash | ||
234 | FindLiteralData: | ||
235 | for { | ||
236 | p, err = packets.Next() | ||
237 | if err != nil { | ||
238 | return nil, err | ||
239 | } | ||
240 | switch p := p.(type) { | ||
241 | case *packet.Compressed: | ||
242 | if err := packets.Push(p.Body); err != nil { | ||
243 | return nil, err | ||
244 | } | ||
245 | case *packet.OnePassSignature: | ||
246 | if !p.IsLast { | ||
247 | return nil, errors.UnsupportedError("nested signatures") | ||
248 | } | ||
249 | |||
250 | h, wrappedHash, err = hashForSignature(p.Hash, p.SigType) | ||
251 | if err != nil { | ||
252 | md = nil | ||
253 | return | ||
254 | } | ||
255 | |||
256 | md.IsSigned = true | ||
257 | md.SignedByKeyId = p.KeyId | ||
258 | keys := keyring.KeysByIdUsage(p.KeyId, packet.KeyFlagSign) | ||
259 | if len(keys) > 0 { | ||
260 | md.SignedBy = &keys[0] | ||
261 | } | ||
262 | case *packet.LiteralData: | ||
263 | md.LiteralData = p | ||
264 | break FindLiteralData | ||
265 | } | ||
266 | } | ||
267 | |||
268 | if md.SignedBy != nil { | ||
269 | md.UnverifiedBody = &signatureCheckReader{packets, h, wrappedHash, md} | ||
270 | } else if md.decrypted != nil { | ||
271 | md.UnverifiedBody = checkReader{md} | ||
272 | } else { | ||
273 | md.UnverifiedBody = md.LiteralData.Body | ||
274 | } | ||
275 | |||
276 | return md, nil | ||
277 | } | ||
278 | |||
279 | // hashForSignature returns a pair of hashes that can be used to verify a | ||
280 | // signature. The signature may specify that the contents of the signed message | ||
281 | // should be preprocessed (i.e. to normalize line endings). Thus this function | ||
282 | // returns two hashes. The second should be used to hash the message itself and | ||
283 | // performs any needed preprocessing. | ||
284 | func hashForSignature(hashId crypto.Hash, sigType packet.SignatureType) (hash.Hash, hash.Hash, error) { | ||
285 | if !hashId.Available() { | ||
286 | return nil, nil, errors.UnsupportedError("hash not available: " + strconv.Itoa(int(hashId))) | ||
287 | } | ||
288 | h := hashId.New() | ||
289 | |||
290 | switch sigType { | ||
291 | case packet.SigTypeBinary: | ||
292 | return h, h, nil | ||
293 | case packet.SigTypeText: | ||
294 | return h, NewCanonicalTextHash(h), nil | ||
295 | } | ||
296 | |||
297 | return nil, nil, errors.UnsupportedError("unsupported signature type: " + strconv.Itoa(int(sigType))) | ||
298 | } | ||
299 | |||
300 | // checkReader wraps an io.Reader from a LiteralData packet. When it sees EOF | ||
301 | // it closes the ReadCloser from any SymmetricallyEncrypted packet to trigger | ||
302 | // MDC checks. | ||
303 | type checkReader struct { | ||
304 | md *MessageDetails | ||
305 | } | ||
306 | |||
307 | func (cr checkReader) Read(buf []byte) (n int, err error) { | ||
308 | n, err = cr.md.LiteralData.Body.Read(buf) | ||
309 | if err == io.EOF { | ||
310 | mdcErr := cr.md.decrypted.Close() | ||
311 | if mdcErr != nil { | ||
312 | err = mdcErr | ||
313 | } | ||
314 | } | ||
315 | return | ||
316 | } | ||
317 | |||
318 | // signatureCheckReader wraps an io.Reader from a LiteralData packet and hashes | ||
319 | // the data as it is read. When it sees an EOF from the underlying io.Reader | ||
320 | // it parses and checks a trailing Signature packet and triggers any MDC checks. | ||
321 | type signatureCheckReader struct { | ||
322 | packets *packet.Reader | ||
323 | h, wrappedHash hash.Hash | ||
324 | md *MessageDetails | ||
325 | } | ||
326 | |||
327 | func (scr *signatureCheckReader) Read(buf []byte) (n int, err error) { | ||
328 | n, err = scr.md.LiteralData.Body.Read(buf) | ||
329 | scr.wrappedHash.Write(buf[:n]) | ||
330 | if err == io.EOF { | ||
331 | var p packet.Packet | ||
332 | p, scr.md.SignatureError = scr.packets.Next() | ||
333 | if scr.md.SignatureError != nil { | ||
334 | return | ||
335 | } | ||
336 | |||
337 | var ok bool | ||
338 | if scr.md.Signature, ok = p.(*packet.Signature); ok { | ||
339 | scr.md.SignatureError = scr.md.SignedBy.PublicKey.VerifySignature(scr.h, scr.md.Signature) | ||
340 | } else if scr.md.SignatureV3, ok = p.(*packet.SignatureV3); ok { | ||
341 | scr.md.SignatureError = scr.md.SignedBy.PublicKey.VerifySignatureV3(scr.h, scr.md.SignatureV3) | ||
342 | } else { | ||
343 | scr.md.SignatureError = errors.StructuralError("LiteralData not followed by Signature") | ||
344 | return | ||
345 | } | ||
346 | |||
347 | // The SymmetricallyEncrypted packet, if any, might have an | ||
348 | // unsigned hash of its own. In order to check this we need to | ||
349 | // close that Reader. | ||
350 | if scr.md.decrypted != nil { | ||
351 | mdcErr := scr.md.decrypted.Close() | ||
352 | if mdcErr != nil { | ||
353 | err = mdcErr | ||
354 | } | ||
355 | } | ||
356 | } | ||
357 | return | ||
358 | } | ||
359 | |||
360 | // CheckDetachedSignature takes a signed file and a detached signature and | ||
361 | // returns the signer if the signature is valid. If the signer isn't known, | ||
362 | // ErrUnknownIssuer is returned. | ||
363 | func CheckDetachedSignature(keyring KeyRing, signed, signature io.Reader) (signer *Entity, err error) { | ||
364 | var issuerKeyId uint64 | ||
365 | var hashFunc crypto.Hash | ||
366 | var sigType packet.SignatureType | ||
367 | var keys []Key | ||
368 | var p packet.Packet | ||
369 | |||
370 | packets := packet.NewReader(signature) | ||
371 | for { | ||
372 | p, err = packets.Next() | ||
373 | if err == io.EOF { | ||
374 | return nil, errors.ErrUnknownIssuer | ||
375 | } | ||
376 | if err != nil { | ||
377 | return nil, err | ||
378 | } | ||
379 | |||
380 | switch sig := p.(type) { | ||
381 | case *packet.Signature: | ||
382 | if sig.IssuerKeyId == nil { | ||
383 | return nil, errors.StructuralError("signature doesn't have an issuer") | ||
384 | } | ||
385 | issuerKeyId = *sig.IssuerKeyId | ||
386 | hashFunc = sig.Hash | ||
387 | sigType = sig.SigType | ||
388 | case *packet.SignatureV3: | ||
389 | issuerKeyId = sig.IssuerKeyId | ||
390 | hashFunc = sig.Hash | ||
391 | sigType = sig.SigType | ||
392 | default: | ||
393 | return nil, errors.StructuralError("non signature packet found") | ||
394 | } | ||
395 | |||
396 | keys = keyring.KeysByIdUsage(issuerKeyId, packet.KeyFlagSign) | ||
397 | if len(keys) > 0 { | ||
398 | break | ||
399 | } | ||
400 | } | ||
401 | |||
402 | if len(keys) == 0 { | ||
403 | panic("unreachable") | ||
404 | } | ||
405 | |||
406 | h, wrappedHash, err := hashForSignature(hashFunc, sigType) | ||
407 | if err != nil { | ||
408 | return nil, err | ||
409 | } | ||
410 | |||
411 | if _, err := io.Copy(wrappedHash, signed); err != nil && err != io.EOF { | ||
412 | return nil, err | ||
413 | } | ||
414 | |||
415 | for _, key := range keys { | ||
416 | switch sig := p.(type) { | ||
417 | case *packet.Signature: | ||
418 | err = key.PublicKey.VerifySignature(h, sig) | ||
419 | case *packet.SignatureV3: | ||
420 | err = key.PublicKey.VerifySignatureV3(h, sig) | ||
421 | default: | ||
422 | panic("unreachable") | ||
423 | } | ||
424 | |||
425 | if err == nil { | ||
426 | return key.Entity, nil | ||
427 | } | ||
428 | } | ||
429 | |||
430 | return nil, err | ||
431 | } | ||
432 | |||
433 | // CheckArmoredDetachedSignature performs the same actions as | ||
434 | // CheckDetachedSignature but expects the signature to be armored. | ||
435 | func CheckArmoredDetachedSignature(keyring KeyRing, signed, signature io.Reader) (signer *Entity, err error) { | ||
436 | body, err := readArmored(signature, SignatureType) | ||
437 | if err != nil { | ||
438 | return | ||
439 | } | ||
440 | |||
441 | return CheckDetachedSignature(keyring, signed, body) | ||
442 | } | ||
diff --git a/vendor/golang.org/x/crypto/openpgp/s2k/s2k.go b/vendor/golang.org/x/crypto/openpgp/s2k/s2k.go new file mode 100644 index 0000000..4b9a44c --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/s2k/s2k.go | |||
@@ -0,0 +1,273 @@ | |||
1 | // Copyright 2011 The Go Authors. All rights reserved. | ||
2 | // Use of this source code is governed by a BSD-style | ||
3 | // license that can be found in the LICENSE file. | ||
4 | |||
5 | // Package s2k implements the various OpenPGP string-to-key transforms as | ||
6 | // specified in RFC 4800 section 3.7.1. | ||
7 | package s2k // import "golang.org/x/crypto/openpgp/s2k" | ||
8 | |||
9 | import ( | ||
10 | "crypto" | ||
11 | "hash" | ||
12 | "io" | ||
13 | "strconv" | ||
14 | |||
15 | "golang.org/x/crypto/openpgp/errors" | ||
16 | ) | ||
17 | |||
18 | // Config collects configuration parameters for s2k key-stretching | ||
19 | // transformatioms. A nil *Config is valid and results in all default | ||
20 | // values. Currently, Config is used only by the Serialize function in | ||
21 | // this package. | ||
22 | type Config struct { | ||
23 | // Hash is the default hash function to be used. If | ||
24 | // nil, SHA1 is used. | ||
25 | Hash crypto.Hash | ||
26 | // S2KCount is only used for symmetric encryption. It | ||
27 | // determines the strength of the passphrase stretching when | ||
28 | // the said passphrase is hashed to produce a key. S2KCount | ||
29 | // should be between 1024 and 65011712, inclusive. If Config | ||
30 | // is nil or S2KCount is 0, the value 65536 used. Not all | ||
31 | // values in the above range can be represented. S2KCount will | ||
32 | // be rounded up to the next representable value if it cannot | ||
33 | // be encoded exactly. When set, it is strongly encrouraged to | ||
34 | // use a value that is at least 65536. See RFC 4880 Section | ||
35 | // 3.7.1.3. | ||
36 | S2KCount int | ||
37 | } | ||
38 | |||
39 | func (c *Config) hash() crypto.Hash { | ||
40 | if c == nil || uint(c.Hash) == 0 { | ||
41 | // SHA1 is the historical default in this package. | ||
42 | return crypto.SHA1 | ||
43 | } | ||
44 | |||
45 | return c.Hash | ||
46 | } | ||
47 | |||
48 | func (c *Config) encodedCount() uint8 { | ||
49 | if c == nil || c.S2KCount == 0 { | ||
50 | return 96 // The common case. Correspoding to 65536 | ||
51 | } | ||
52 | |||
53 | i := c.S2KCount | ||
54 | switch { | ||
55 | // Behave like GPG. Should we make 65536 the lowest value used? | ||
56 | case i < 1024: | ||
57 | i = 1024 | ||
58 | case i > 65011712: | ||
59 | i = 65011712 | ||
60 | } | ||
61 | |||
62 | return encodeCount(i) | ||
63 | } | ||
64 | |||
65 | // encodeCount converts an iterative "count" in the range 1024 to | ||
66 | // 65011712, inclusive, to an encoded count. The return value is the | ||
67 | // octet that is actually stored in the GPG file. encodeCount panics | ||
68 | // if i is not in the above range (encodedCount above takes care to | ||
69 | // pass i in the correct range). See RFC 4880 Section 3.7.7.1. | ||
70 | func encodeCount(i int) uint8 { | ||
71 | if i < 1024 || i > 65011712 { | ||
72 | panic("count arg i outside the required range") | ||
73 | } | ||
74 | |||
75 | for encoded := 0; encoded < 256; encoded++ { | ||
76 | count := decodeCount(uint8(encoded)) | ||
77 | if count >= i { | ||
78 | return uint8(encoded) | ||
79 | } | ||
80 | } | ||
81 | |||
82 | return 255 | ||
83 | } | ||
84 | |||
85 | // decodeCount returns the s2k mode 3 iterative "count" corresponding to | ||
86 | // the encoded octet c. | ||
87 | func decodeCount(c uint8) int { | ||
88 | return (16 + int(c&15)) << (uint32(c>>4) + 6) | ||
89 | } | ||
90 | |||
91 | // Simple writes to out the result of computing the Simple S2K function (RFC | ||
92 | // 4880, section 3.7.1.1) using the given hash and input passphrase. | ||
93 | func Simple(out []byte, h hash.Hash, in []byte) { | ||
94 | Salted(out, h, in, nil) | ||
95 | } | ||
96 | |||
97 | var zero [1]byte | ||
98 | |||
99 | // Salted writes to out the result of computing the Salted S2K function (RFC | ||
100 | // 4880, section 3.7.1.2) using the given hash, input passphrase and salt. | ||
101 | func Salted(out []byte, h hash.Hash, in []byte, salt []byte) { | ||
102 | done := 0 | ||
103 | var digest []byte | ||
104 | |||
105 | for i := 0; done < len(out); i++ { | ||
106 | h.Reset() | ||
107 | for j := 0; j < i; j++ { | ||
108 | h.Write(zero[:]) | ||
109 | } | ||
110 | h.Write(salt) | ||
111 | h.Write(in) | ||
112 | digest = h.Sum(digest[:0]) | ||
113 | n := copy(out[done:], digest) | ||
114 | done += n | ||
115 | } | ||
116 | } | ||
117 | |||
118 | // Iterated writes to out the result of computing the Iterated and Salted S2K | ||
119 | // function (RFC 4880, section 3.7.1.3) using the given hash, input passphrase, | ||
120 | // salt and iteration count. | ||
121 | func Iterated(out []byte, h hash.Hash, in []byte, salt []byte, count int) { | ||
122 | combined := make([]byte, len(in)+len(salt)) | ||
123 | copy(combined, salt) | ||
124 | copy(combined[len(salt):], in) | ||
125 | |||
126 | if count < len(combined) { | ||
127 | count = len(combined) | ||
128 | } | ||
129 | |||
130 | done := 0 | ||
131 | var digest []byte | ||
132 | for i := 0; done < len(out); i++ { | ||
133 | h.Reset() | ||
134 | for j := 0; j < i; j++ { | ||
135 | h.Write(zero[:]) | ||
136 | } | ||
137 | written := 0 | ||
138 | for written < count { | ||
139 | if written+len(combined) > count { | ||
140 | todo := count - written | ||
141 | h.Write(combined[:todo]) | ||
142 | written = count | ||
143 | } else { | ||
144 | h.Write(combined) | ||
145 | written += len(combined) | ||
146 | } | ||
147 | } | ||
148 | digest = h.Sum(digest[:0]) | ||
149 | n := copy(out[done:], digest) | ||
150 | done += n | ||
151 | } | ||
152 | } | ||
153 | |||
154 | // Parse reads a binary specification for a string-to-key transformation from r | ||
155 | // and returns a function which performs that transform. | ||
156 | func Parse(r io.Reader) (f func(out, in []byte), err error) { | ||
157 | var buf [9]byte | ||
158 | |||
159 | _, err = io.ReadFull(r, buf[:2]) | ||
160 | if err != nil { | ||
161 | return | ||
162 | } | ||
163 | |||
164 | hash, ok := HashIdToHash(buf[1]) | ||
165 | if !ok { | ||
166 | return nil, errors.UnsupportedError("hash for S2K function: " + strconv.Itoa(int(buf[1]))) | ||
167 | } | ||
168 | if !hash.Available() { | ||
169 | return nil, errors.UnsupportedError("hash not available: " + strconv.Itoa(int(hash))) | ||
170 | } | ||
171 | h := hash.New() | ||
172 | |||
173 | switch buf[0] { | ||
174 | case 0: | ||
175 | f := func(out, in []byte) { | ||
176 | Simple(out, h, in) | ||
177 | } | ||
178 | return f, nil | ||
179 | case 1: | ||
180 | _, err = io.ReadFull(r, buf[:8]) | ||
181 | if err != nil { | ||
182 | return | ||
183 | } | ||
184 | f := func(out, in []byte) { | ||
185 | Salted(out, h, in, buf[:8]) | ||
186 | } | ||
187 | return f, nil | ||
188 | case 3: | ||
189 | _, err = io.ReadFull(r, buf[:9]) | ||
190 | if err != nil { | ||
191 | return | ||
192 | } | ||
193 | count := decodeCount(buf[8]) | ||
194 | f := func(out, in []byte) { | ||
195 | Iterated(out, h, in, buf[:8], count) | ||
196 | } | ||
197 | return f, nil | ||
198 | } | ||
199 | |||
200 | return nil, errors.UnsupportedError("S2K function") | ||
201 | } | ||
202 | |||
203 | // Serialize salts and stretches the given passphrase and writes the | ||
204 | // resulting key into key. It also serializes an S2K descriptor to | ||
205 | // w. The key stretching can be configured with c, which may be | ||
206 | // nil. In that case, sensible defaults will be used. | ||
207 | func Serialize(w io.Writer, key []byte, rand io.Reader, passphrase []byte, c *Config) error { | ||
208 | var buf [11]byte | ||
209 | buf[0] = 3 /* iterated and salted */ | ||
210 | buf[1], _ = HashToHashId(c.hash()) | ||
211 | salt := buf[2:10] | ||
212 | if _, err := io.ReadFull(rand, salt); err != nil { | ||
213 | return err | ||
214 | } | ||
215 | encodedCount := c.encodedCount() | ||
216 | count := decodeCount(encodedCount) | ||
217 | buf[10] = encodedCount | ||
218 | if _, err := w.Write(buf[:]); err != nil { | ||
219 | return err | ||
220 | } | ||
221 | |||
222 | Iterated(key, c.hash().New(), passphrase, salt, count) | ||
223 | return nil | ||
224 | } | ||
225 | |||
226 | // hashToHashIdMapping contains pairs relating OpenPGP's hash identifier with | ||
227 | // Go's crypto.Hash type. See RFC 4880, section 9.4. | ||
228 | var hashToHashIdMapping = []struct { | ||
229 | id byte | ||
230 | hash crypto.Hash | ||
231 | name string | ||
232 | }{ | ||
233 | {1, crypto.MD5, "MD5"}, | ||
234 | {2, crypto.SHA1, "SHA1"}, | ||
235 | {3, crypto.RIPEMD160, "RIPEMD160"}, | ||
236 | {8, crypto.SHA256, "SHA256"}, | ||
237 | {9, crypto.SHA384, "SHA384"}, | ||
238 | {10, crypto.SHA512, "SHA512"}, | ||
239 | {11, crypto.SHA224, "SHA224"}, | ||
240 | } | ||
241 | |||
242 | // HashIdToHash returns a crypto.Hash which corresponds to the given OpenPGP | ||
243 | // hash id. | ||
244 | func HashIdToHash(id byte) (h crypto.Hash, ok bool) { | ||
245 | for _, m := range hashToHashIdMapping { | ||
246 | if m.id == id { | ||
247 | return m.hash, true | ||
248 | } | ||
249 | } | ||
250 | return 0, false | ||
251 | } | ||
252 | |||
253 | // HashIdToString returns the name of the hash function corresponding to the | ||
254 | // given OpenPGP hash id. | ||
255 | func HashIdToString(id byte) (name string, ok bool) { | ||
256 | for _, m := range hashToHashIdMapping { | ||
257 | if m.id == id { | ||
258 | return m.name, true | ||
259 | } | ||
260 | } | ||
261 | |||
262 | return "", false | ||
263 | } | ||
264 | |||
265 | // HashIdToHash returns an OpenPGP hash id which corresponds the given Hash. | ||
266 | func HashToHashId(h crypto.Hash) (id byte, ok bool) { | ||
267 | for _, m := range hashToHashIdMapping { | ||
268 | if m.hash == h { | ||
269 | return m.id, true | ||
270 | } | ||
271 | } | ||
272 | return 0, false | ||
273 | } | ||
diff --git a/vendor/golang.org/x/crypto/openpgp/write.go b/vendor/golang.org/x/crypto/openpgp/write.go new file mode 100644 index 0000000..65a304c --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/write.go | |||
@@ -0,0 +1,378 @@ | |||
1 | // Copyright 2011 The Go Authors. All rights reserved. | ||
2 | // Use of this source code is governed by a BSD-style | ||
3 | // license that can be found in the LICENSE file. | ||
4 | |||
5 | package openpgp | ||
6 | |||
7 | import ( | ||
8 | "crypto" | ||
9 | "hash" | ||
10 | "io" | ||
11 | "strconv" | ||
12 | "time" | ||
13 | |||
14 | "golang.org/x/crypto/openpgp/armor" | ||
15 | "golang.org/x/crypto/openpgp/errors" | ||
16 | "golang.org/x/crypto/openpgp/packet" | ||
17 | "golang.org/x/crypto/openpgp/s2k" | ||
18 | ) | ||
19 | |||
20 | // DetachSign signs message with the private key from signer (which must | ||
21 | // already have been decrypted) and writes the signature to w. | ||
22 | // If config is nil, sensible defaults will be used. | ||
23 | func DetachSign(w io.Writer, signer *Entity, message io.Reader, config *packet.Config) error { | ||
24 | return detachSign(w, signer, message, packet.SigTypeBinary, config) | ||
25 | } | ||
26 | |||
27 | // ArmoredDetachSign signs message with the private key from signer (which | ||
28 | // must already have been decrypted) and writes an armored signature to w. | ||
29 | // If config is nil, sensible defaults will be used. | ||
30 | func ArmoredDetachSign(w io.Writer, signer *Entity, message io.Reader, config *packet.Config) (err error) { | ||
31 | return armoredDetachSign(w, signer, message, packet.SigTypeBinary, config) | ||
32 | } | ||
33 | |||
34 | // DetachSignText signs message (after canonicalising the line endings) with | ||
35 | // the private key from signer (which must already have been decrypted) and | ||
36 | // writes the signature to w. | ||
37 | // If config is nil, sensible defaults will be used. | ||
38 | func DetachSignText(w io.Writer, signer *Entity, message io.Reader, config *packet.Config) error { | ||
39 | return detachSign(w, signer, message, packet.SigTypeText, config) | ||
40 | } | ||
41 | |||
42 | // ArmoredDetachSignText signs message (after canonicalising the line endings) | ||
43 | // with the private key from signer (which must already have been decrypted) | ||
44 | // and writes an armored signature to w. | ||
45 | // If config is nil, sensible defaults will be used. | ||
46 | func ArmoredDetachSignText(w io.Writer, signer *Entity, message io.Reader, config *packet.Config) error { | ||
47 | return armoredDetachSign(w, signer, message, packet.SigTypeText, config) | ||
48 | } | ||
49 | |||
50 | func armoredDetachSign(w io.Writer, signer *Entity, message io.Reader, sigType packet.SignatureType, config *packet.Config) (err error) { | ||
51 | out, err := armor.Encode(w, SignatureType, nil) | ||
52 | if err != nil { | ||
53 | return | ||
54 | } | ||
55 | err = detachSign(out, signer, message, sigType, config) | ||
56 | if err != nil { | ||
57 | return | ||
58 | } | ||
59 | return out.Close() | ||
60 | } | ||
61 | |||
62 | func detachSign(w io.Writer, signer *Entity, message io.Reader, sigType packet.SignatureType, config *packet.Config) (err error) { | ||
63 | if signer.PrivateKey == nil { | ||
64 | return errors.InvalidArgumentError("signing key doesn't have a private key") | ||
65 | } | ||
66 | if signer.PrivateKey.Encrypted { | ||
67 | return errors.InvalidArgumentError("signing key is encrypted") | ||
68 | } | ||
69 | |||
70 | sig := new(packet.Signature) | ||
71 | sig.SigType = sigType | ||
72 | sig.PubKeyAlgo = signer.PrivateKey.PubKeyAlgo | ||
73 | sig.Hash = config.Hash() | ||
74 | sig.CreationTime = config.Now() | ||
75 | sig.IssuerKeyId = &signer.PrivateKey.KeyId | ||
76 | |||
77 | h, wrappedHash, err := hashForSignature(sig.Hash, sig.SigType) | ||
78 | if err != nil { | ||
79 | return | ||
80 | } | ||
81 | io.Copy(wrappedHash, message) | ||
82 | |||
83 | err = sig.Sign(h, signer.PrivateKey, config) | ||
84 | if err != nil { | ||
85 | return | ||
86 | } | ||
87 | |||
88 | return sig.Serialize(w) | ||
89 | } | ||
90 | |||
91 | // FileHints contains metadata about encrypted files. This metadata is, itself, | ||
92 | // encrypted. | ||
93 | type FileHints struct { | ||
94 | // IsBinary can be set to hint that the contents are binary data. | ||
95 | IsBinary bool | ||
96 | // FileName hints at the name of the file that should be written. It's | ||
97 | // truncated to 255 bytes if longer. It may be empty to suggest that the | ||
98 | // file should not be written to disk. It may be equal to "_CONSOLE" to | ||
99 | // suggest the data should not be written to disk. | ||
100 | FileName string | ||
101 | // ModTime contains the modification time of the file, or the zero time if not applicable. | ||
102 | ModTime time.Time | ||
103 | } | ||
104 | |||
105 | // SymmetricallyEncrypt acts like gpg -c: it encrypts a file with a passphrase. | ||
106 | // The resulting WriteCloser must be closed after the contents of the file have | ||
107 | // been written. | ||
108 | // If config is nil, sensible defaults will be used. | ||
109 | func SymmetricallyEncrypt(ciphertext io.Writer, passphrase []byte, hints *FileHints, config *packet.Config) (plaintext io.WriteCloser, err error) { | ||
110 | if hints == nil { | ||
111 | hints = &FileHints{} | ||
112 | } | ||
113 | |||
114 | key, err := packet.SerializeSymmetricKeyEncrypted(ciphertext, passphrase, config) | ||
115 | if err != nil { | ||
116 | return | ||
117 | } | ||
118 | w, err := packet.SerializeSymmetricallyEncrypted(ciphertext, config.Cipher(), key, config) | ||
119 | if err != nil { | ||
120 | return | ||
121 | } | ||
122 | |||
123 | literaldata := w | ||
124 | if algo := config.Compression(); algo != packet.CompressionNone { | ||
125 | var compConfig *packet.CompressionConfig | ||
126 | if config != nil { | ||
127 | compConfig = config.CompressionConfig | ||
128 | } | ||
129 | literaldata, err = packet.SerializeCompressed(w, algo, compConfig) | ||
130 | if err != nil { | ||
131 | return | ||
132 | } | ||
133 | } | ||
134 | |||
135 | var epochSeconds uint32 | ||
136 | if !hints.ModTime.IsZero() { | ||
137 | epochSeconds = uint32(hints.ModTime.Unix()) | ||
138 | } | ||
139 | return packet.SerializeLiteral(literaldata, hints.IsBinary, hints.FileName, epochSeconds) | ||
140 | } | ||
141 | |||
142 | // intersectPreferences mutates and returns a prefix of a that contains only | ||
143 | // the values in the intersection of a and b. The order of a is preserved. | ||
144 | func intersectPreferences(a []uint8, b []uint8) (intersection []uint8) { | ||
145 | var j int | ||
146 | for _, v := range a { | ||
147 | for _, v2 := range b { | ||
148 | if v == v2 { | ||
149 | a[j] = v | ||
150 | j++ | ||
151 | break | ||
152 | } | ||
153 | } | ||
154 | } | ||
155 | |||
156 | return a[:j] | ||
157 | } | ||
158 | |||
159 | func hashToHashId(h crypto.Hash) uint8 { | ||
160 | v, ok := s2k.HashToHashId(h) | ||
161 | if !ok { | ||
162 | panic("tried to convert unknown hash") | ||
163 | } | ||
164 | return v | ||
165 | } | ||
166 | |||
167 | // Encrypt encrypts a message to a number of recipients and, optionally, signs | ||
168 | // it. hints contains optional information, that is also encrypted, that aids | ||
169 | // the recipients in processing the message. The resulting WriteCloser must | ||
170 | // be closed after the contents of the file have been written. | ||
171 | // If config is nil, sensible defaults will be used. | ||
172 | func Encrypt(ciphertext io.Writer, to []*Entity, signed *Entity, hints *FileHints, config *packet.Config) (plaintext io.WriteCloser, err error) { | ||
173 | var signer *packet.PrivateKey | ||
174 | if signed != nil { | ||
175 | signKey, ok := signed.signingKey(config.Now()) | ||
176 | if !ok { | ||
177 | return nil, errors.InvalidArgumentError("no valid signing keys") | ||
178 | } | ||
179 | signer = signKey.PrivateKey | ||
180 | if signer == nil { | ||
181 | return nil, errors.InvalidArgumentError("no private key in signing key") | ||
182 | } | ||
183 | if signer.Encrypted { | ||
184 | return nil, errors.InvalidArgumentError("signing key must be decrypted") | ||
185 | } | ||
186 | } | ||
187 | |||
188 | // These are the possible ciphers that we'll use for the message. | ||
189 | candidateCiphers := []uint8{ | ||
190 | uint8(packet.CipherAES128), | ||
191 | uint8(packet.CipherAES256), | ||
192 | uint8(packet.CipherCAST5), | ||
193 | } | ||
194 | // These are the possible hash functions that we'll use for the signature. | ||
195 | candidateHashes := []uint8{ | ||
196 | hashToHashId(crypto.SHA256), | ||
197 | hashToHashId(crypto.SHA512), | ||
198 | hashToHashId(crypto.SHA1), | ||
199 | hashToHashId(crypto.RIPEMD160), | ||
200 | } | ||
201 | // In the event that a recipient doesn't specify any supported ciphers | ||
202 | // or hash functions, these are the ones that we assume that every | ||
203 | // implementation supports. | ||
204 | defaultCiphers := candidateCiphers[len(candidateCiphers)-1:] | ||
205 | defaultHashes := candidateHashes[len(candidateHashes)-1:] | ||
206 | |||
207 | encryptKeys := make([]Key, len(to)) | ||
208 | for i := range to { | ||
209 | var ok bool | ||
210 | encryptKeys[i], ok = to[i].encryptionKey(config.Now()) | ||
211 | if !ok { | ||
212 | return nil, errors.InvalidArgumentError("cannot encrypt a message to key id " + strconv.FormatUint(to[i].PrimaryKey.KeyId, 16) + " because it has no encryption keys") | ||
213 | } | ||
214 | |||
215 | sig := to[i].primaryIdentity().SelfSignature | ||
216 | |||
217 | preferredSymmetric := sig.PreferredSymmetric | ||
218 | if len(preferredSymmetric) == 0 { | ||
219 | preferredSymmetric = defaultCiphers | ||
220 | } | ||
221 | preferredHashes := sig.PreferredHash | ||
222 | if len(preferredHashes) == 0 { | ||
223 | preferredHashes = defaultHashes | ||
224 | } | ||
225 | candidateCiphers = intersectPreferences(candidateCiphers, preferredSymmetric) | ||
226 | candidateHashes = intersectPreferences(candidateHashes, preferredHashes) | ||
227 | } | ||
228 | |||
229 | if len(candidateCiphers) == 0 || len(candidateHashes) == 0 { | ||
230 | return nil, errors.InvalidArgumentError("cannot encrypt because recipient set shares no common algorithms") | ||
231 | } | ||
232 | |||
233 | cipher := packet.CipherFunction(candidateCiphers[0]) | ||
234 | // If the cipher specified by config is a candidate, we'll use that. | ||
235 | configuredCipher := config.Cipher() | ||
236 | for _, c := range candidateCiphers { | ||
237 | cipherFunc := packet.CipherFunction(c) | ||
238 | if cipherFunc == configuredCipher { | ||
239 | cipher = cipherFunc | ||
240 | break | ||
241 | } | ||
242 | } | ||
243 | |||
244 | var hash crypto.Hash | ||
245 | for _, hashId := range candidateHashes { | ||
246 | if h, ok := s2k.HashIdToHash(hashId); ok && h.Available() { | ||
247 | hash = h | ||
248 | break | ||
249 | } | ||
250 | } | ||
251 | |||
252 | // If the hash specified by config is a candidate, we'll use that. | ||
253 | if configuredHash := config.Hash(); configuredHash.Available() { | ||
254 | for _, hashId := range candidateHashes { | ||
255 | if h, ok := s2k.HashIdToHash(hashId); ok && h == configuredHash { | ||
256 | hash = h | ||
257 | break | ||
258 | } | ||
259 | } | ||
260 | } | ||
261 | |||
262 | if hash == 0 { | ||
263 | hashId := candidateHashes[0] | ||
264 | name, ok := s2k.HashIdToString(hashId) | ||
265 | if !ok { | ||
266 | name = "#" + strconv.Itoa(int(hashId)) | ||
267 | } | ||
268 | return nil, errors.InvalidArgumentError("cannot encrypt because no candidate hash functions are compiled in. (Wanted " + name + " in this case.)") | ||
269 | } | ||
270 | |||
271 | symKey := make([]byte, cipher.KeySize()) | ||
272 | if _, err := io.ReadFull(config.Random(), symKey); err != nil { | ||
273 | return nil, err | ||
274 | } | ||
275 | |||
276 | for _, key := range encryptKeys { | ||
277 | if err := packet.SerializeEncryptedKey(ciphertext, key.PublicKey, cipher, symKey, config); err != nil { | ||
278 | return nil, err | ||
279 | } | ||
280 | } | ||
281 | |||
282 | encryptedData, err := packet.SerializeSymmetricallyEncrypted(ciphertext, cipher, symKey, config) | ||
283 | if err != nil { | ||
284 | return | ||
285 | } | ||
286 | |||
287 | if signer != nil { | ||
288 | ops := &packet.OnePassSignature{ | ||
289 | SigType: packet.SigTypeBinary, | ||
290 | Hash: hash, | ||
291 | PubKeyAlgo: signer.PubKeyAlgo, | ||
292 | KeyId: signer.KeyId, | ||
293 | IsLast: true, | ||
294 | } | ||
295 | if err := ops.Serialize(encryptedData); err != nil { | ||
296 | return nil, err | ||
297 | } | ||
298 | } | ||
299 | |||
300 | if hints == nil { | ||
301 | hints = &FileHints{} | ||
302 | } | ||
303 | |||
304 | w := encryptedData | ||
305 | if signer != nil { | ||
306 | // If we need to write a signature packet after the literal | ||
307 | // data then we need to stop literalData from closing | ||
308 | // encryptedData. | ||
309 | w = noOpCloser{encryptedData} | ||
310 | |||
311 | } | ||
312 | var epochSeconds uint32 | ||
313 | if !hints.ModTime.IsZero() { | ||
314 | epochSeconds = uint32(hints.ModTime.Unix()) | ||
315 | } | ||
316 | literalData, err := packet.SerializeLiteral(w, hints.IsBinary, hints.FileName, epochSeconds) | ||
317 | if err != nil { | ||
318 | return nil, err | ||
319 | } | ||
320 | |||
321 | if signer != nil { | ||
322 | return signatureWriter{encryptedData, literalData, hash, hash.New(), signer, config}, nil | ||
323 | } | ||
324 | return literalData, nil | ||
325 | } | ||
326 | |||
327 | // signatureWriter hashes the contents of a message while passing it along to | ||
328 | // literalData. When closed, it closes literalData, writes a signature packet | ||
329 | // to encryptedData and then also closes encryptedData. | ||
330 | type signatureWriter struct { | ||
331 | encryptedData io.WriteCloser | ||
332 | literalData io.WriteCloser | ||
333 | hashType crypto.Hash | ||
334 | h hash.Hash | ||
335 | signer *packet.PrivateKey | ||
336 | config *packet.Config | ||
337 | } | ||
338 | |||
339 | func (s signatureWriter) Write(data []byte) (int, error) { | ||
340 | s.h.Write(data) | ||
341 | return s.literalData.Write(data) | ||
342 | } | ||
343 | |||
344 | func (s signatureWriter) Close() error { | ||
345 | sig := &packet.Signature{ | ||
346 | SigType: packet.SigTypeBinary, | ||
347 | PubKeyAlgo: s.signer.PubKeyAlgo, | ||
348 | Hash: s.hashType, | ||
349 | CreationTime: s.config.Now(), | ||
350 | IssuerKeyId: &s.signer.KeyId, | ||
351 | } | ||
352 | |||
353 | if err := sig.Sign(s.h, s.signer, s.config); err != nil { | ||
354 | return err | ||
355 | } | ||
356 | if err := s.literalData.Close(); err != nil { | ||
357 | return err | ||
358 | } | ||
359 | if err := sig.Serialize(s.encryptedData); err != nil { | ||
360 | return err | ||
361 | } | ||
362 | return s.encryptedData.Close() | ||
363 | } | ||
364 | |||
365 | // noOpCloser is like an ioutil.NopCloser, but for an io.Writer. | ||
366 | // TODO: we have two of these in OpenPGP packages alone. This probably needs | ||
367 | // to be promoted somewhere more common. | ||
368 | type noOpCloser struct { | ||
369 | w io.Writer | ||
370 | } | ||
371 | |||
372 | func (c noOpCloser) Write(data []byte) (n int, err error) { | ||
373 | return c.w.Write(data) | ||
374 | } | ||
375 | |||
376 | func (c noOpCloser) Close() error { | ||
377 | return nil | ||
378 | } | ||