1 files changed, 111 insertions, 54 deletions
diff --git a/vendor/golang.org/x/crypto/openpgp/keys.go b/vendor/golang.org/x/crypto/openpgp/keys.go
index 744e293..3e25186 100644
--- a/vendor/golang.org/x/crypto/openpgp/keys.go
+++ b/vendor/golang.org/x/crypto/openpgp/keys.go
@@ -333,7 +333,6 @@ func ReadEntity(packets *packet.Reader) (*Entity, error) {
                return nil, errors.StructuralError("primary key cannot be used for signatures")
        }
-        var current *Identity
        var revocations []*packet.Signature
 EachPacket:
        for {
@@ -346,32 +345,8 @@ EachPacket:
                switch pkt := p.(type) {
                case *packet.UserId:
-                        current = new(Identity)
+                        if err := addUserID(e, packets, pkt); err != nil {
-                        current.Name = pkt.Id
+                                return nil, err
-                        current.UserId = pkt
-                        e.Identities[pkt.Id] = current
-                        for {
-                                p, err = packets.Next()
-                                if err == io.EOF {
-                                        return nil, io.ErrUnexpectedEOF
-                                } else if err != nil {
-                                        return nil, err
-                                }
-                                sig, ok := p.(*packet.Signature)
-                                if !ok {
-                                        return nil, errors.StructuralError("user ID packet not followed by self-signature")
-                                }
-                                if (sig.SigType == packet.SigTypePositiveCert || sig.SigType == packet.SigTypeGenericCert) && sig.IssuerKeyId != nil && *sig.IssuerKeyId == e.PrimaryKey.KeyId {
-                                        if err = e.PrimaryKey.VerifyUserIdSignature(pkt.Id, e.PrimaryKey, sig); err != nil {
-                                                return nil, errors.StructuralError("user ID self-signature invalid: " + err.Error())
-                                        }
-                                        current.SelfSignature = sig
-                                        break
-                                }
-                                current.Signatures = append(current.Signatures, sig)
                        }
                case *packet.Signature:
                        if pkt.SigType == packet.SigTypeKeyRevocation {
@@ -380,11 +355,9 @@ EachPacket:
                                // TODO: RFC4880 5.2.1 permits signatures
                                // directly on keys (eg. to bind additional
                                // revocation keys).
-                        } else if current == nil {
-                                return nil, errors.StructuralError("signature packet found before user id packet")
-                        } else {
-                                current.Signatures = append(current.Signatures, pkt)
                        }
+                        // Else, ignoring the signature as it does not follow anything
+                        // we would know to attach it to.
                case *packet.PrivateKey:
                        if pkt.IsSubkey == false {
                                packets.Unread(p)
@@ -425,33 +398,105 @@ EachPacket:
        return e, nil
 }
+func addUserID(e *Entity, packets *packet.Reader, pkt *packet.UserId) error {
+        // Make a new Identity object, that we might wind up throwing away.
+        // We'll only add it if we get a valid self-signature over this
+        // userID.
+        identity := new(Identity)
+        identity.Name = pkt.Id
+        identity.UserId = pkt
+        for {
+                p, err := packets.Next()
+                if err == io.EOF {
+                        break
+                } else if err != nil {
+                        return err
+                }
+                sig, ok := p.(*packet.Signature)
+                if !ok {
+                        packets.Unread(p)
+                        break
+                }
+                if (sig.SigType == packet.SigTypePositiveCert || sig.SigType == packet.SigTypeGenericCert) && sig.IssuerKeyId != nil && *sig.IssuerKeyId == e.PrimaryKey.KeyId {
+                        if err = e.PrimaryKey.VerifyUserIdSignature(pkt.Id, e.PrimaryKey, sig); err != nil {
+                                return errors.StructuralError("user ID self-signature invalid: " + err.Error())
+                        }
+                        identity.SelfSignature = sig
+                        e.Identities[pkt.Id] = identity
+                } else {
+                        identity.Signatures = append(identity.Signatures, sig)
+                }
+        }
+        return nil
+}
 func addSubkey(e *Entity, packets *packet.Reader, pub *packet.PublicKey, priv *packet.PrivateKey) error {
        var subKey Subkey
        subKey.PublicKey = pub
        subKey.PrivateKey = priv
-        p, err := packets.Next()
-        if err == io.EOF {
+        for {
-                return io.ErrUnexpectedEOF
+                p, err := packets.Next()
-        }
+                if err == io.EOF {
-        if err != nil {
+                        break
-                return errors.StructuralError("subkey signature invalid: " + err.Error())
+                } else if err != nil {
+                        return errors.StructuralError("subkey signature invalid: " + err.Error())
+                }
+                sig, ok := p.(*packet.Signature)
+                if !ok {
+                        packets.Unread(p)
+                        break
+                }
+                if sig.SigType != packet.SigTypeSubkeyBinding && sig.SigType != packet.SigTypeSubkeyRevocation {
+                        return errors.StructuralError("subkey signature with wrong type")
+                }
+                if err := e.PrimaryKey.VerifyKeySignature(subKey.PublicKey, sig); err != nil {
+                        return errors.StructuralError("subkey signature invalid: " + err.Error())
+                }
+                switch sig.SigType {
+                case packet.SigTypeSubkeyRevocation:
+                        subKey.Sig = sig
+                case packet.SigTypeSubkeyBinding:
+                        if shouldReplaceSubkeySig(subKey.Sig, sig) {
+                                subKey.Sig = sig
+                        }
+                }
        }
-        var ok bool
-        subKey.Sig, ok = p.(*packet.Signature)
+        if subKey.Sig == nil {
-        if !ok {
                return errors.StructuralError("subkey packet not followed by signature")
        }
-        if subKey.Sig.SigType != packet.SigTypeSubkeyBinding && subKey.Sig.SigType != packet.SigTypeSubkeyRevocation {
-                return errors.StructuralError("subkey signature with wrong type")
-        }
-        err = e.PrimaryKey.VerifyKeySignature(subKey.PublicKey, subKey.Sig)
-        if err != nil {
-                return errors.StructuralError("subkey signature invalid: " + err.Error())
-        }
        e.Subkeys = append(e.Subkeys, subKey)
        return nil
 }
+func shouldReplaceSubkeySig(existingSig, potentialNewSig *packet.Signature) bool {
+        if potentialNewSig == nil {
+                return false
+        }
+        if existingSig == nil {
+                return true
+        }
+        if existingSig.SigType == packet.SigTypeSubkeyRevocation {
+                return false // never override a revocation signature
+        }
+        return potentialNewSig.CreationTime.After(existingSig.CreationTime)
+}
 const defaultRSAKeyBits = 2048
 // NewEntity returns an Entity that contains a fresh RSA/RSA keypair with a
@@ -486,7 +531,7 @@ func NewEntity(name, comment, email string, config *packet.Config) (*Entity, err
        }
        isPrimaryId := true
        e.Identities[uid.Id] = &Identity{
-                Name:   uid.Name,
+                Name:   uid.Id,
                UserId: uid,
                SelfSignature: &packet.Signature{
                        CreationTime: currentTime,
@@ -500,6 +545,10 @@ func NewEntity(name, comment, email string, config *packet.Config) (*Entity, err
                        IssuerKeyId:  &e.PrimaryKey.KeyId,
                },
        }
+        err = e.Identities[uid.Id].SelfSignature.SignUserId(uid.Id, e.PrimaryKey, e.PrivateKey, config)
+        if err != nil {
+                return nil, err
+        }
        // If the user passes in a DefaultHash via packet.Config,
        // set the PreferredHash for the SelfSignature.
@@ -507,6 +556,11 @@ func NewEntity(name, comment, email string, config *packet.Config) (*Entity, err
                e.Identities[uid.Id].SelfSignature.PreferredHash = []uint8{hashToHashId(config.DefaultHash)}
        }
+        // Likewise for DefaultCipher.
+        if config != nil && config.DefaultCipher != 0 {
+                e.Identities[uid.Id].SelfSignature.PreferredSymmetric = []uint8{uint8(config.DefaultCipher)}
+        }
        e.Subkeys = make([]Subkey, 1)
        e.Subkeys[0] = Subkey{
                PublicKey:  packet.NewRSAPublicKey(currentTime, &encryptingPriv.PublicKey),
@@ -524,13 +578,16 @@ func NewEntity(name, comment, email string, config *packet.Config) (*Entity, err
        }
        e.Subkeys[0].PublicKey.IsSubkey = true
        e.Subkeys[0].PrivateKey.IsSubkey = true
+        err = e.Subkeys[0].Sig.SignKey(e.Subkeys[0].PublicKey, e.PrivateKey, config)
+        if err != nil {
+                return nil, err
+        }
        return e, nil
 }
-// SerializePrivate serializes an Entity, including private key material, to
+// SerializePrivate serializes an Entity, including private key material, but
-// the given Writer. For now, it must only be used on an Entity returned from
+// excluding signatures from other entities, to the given Writer.
-// NewEntity.
+// Identities and subkeys are re-signed in case they changed since NewEntry.
 // If config is nil, sensible defaults will be used.
 func (e *Entity) SerializePrivate(w io.Writer, config *packet.Config) (err error) {
        err = e.PrivateKey.Serialize(w)
@@ -568,8 +625,8 @@ func (e *Entity) SerializePrivate(w io.Writer, config *packet.Config) (err error
        return nil
 }
-// Serialize writes the public part of the given Entity to w. (No private
+// Serialize writes the public part of the given Entity to w, including
-// key material will be output).
+// signatures from other entities. No private key material will be output.
 func (e *Entity) Serialize(w io.Writer) error {
        err := e.PrimaryKey.Serialize(w)
        if err != nil {

diff --git a/vendor/golang.org/x/crypto/openpgp/keys.go b/vendor/golang.org/x/crypto/openpgp/keys.go index 744e293..3e25186 100644 --- a/vendor/golang.org/x/crypto/openpgp/keys.go +++ b/vendor/golang.org/x/crypto/openpgp/keys.go
@@ -333,7 +333,6 @@ func ReadEntity(packets packet.Reader) (Entity, error) {
333	return nil, errors.StructuralError("primary key cannot be used for signatures")	333	return nil, errors.StructuralError("primary key cannot be used for signatures")
334	}	334	}
335		335
336	var current *Identity
337	var revocations []*packet.Signature	336	var revocations []*packet.Signature
338	EachPacket:	337	EachPacket:
339	for {	338	for {
@@ -346,32 +345,8 @@ EachPacket:
346		345
347	switch pkt := p.(type) {	346	switch pkt := p.(type) {
348	case *packet.UserId:	347	case *packet.UserId:
349	current = new(Identity)	348	if err := addUserID(e, packets, pkt); err != nil {
350	current.Name = pkt.Id	349	return nil, err
351	current.UserId = pkt
352	e.Identities[pkt.Id] = current
353
354	for {
355	p, err = packets.Next()
356	if err == io.EOF {
357	return nil, io.ErrUnexpectedEOF
358	} else if err != nil {
359	return nil, err
360	}
361
362	sig, ok := p.(*packet.Signature)
363	if !ok {
364	return nil, errors.StructuralError("user ID packet not followed by self-signature")
365	}
366
367	if (sig.SigType == packet.SigTypePositiveCert \|\| sig.SigType == packet.SigTypeGenericCert) && sig.IssuerKeyId != nil && *sig.IssuerKeyId == e.PrimaryKey.KeyId {
368	if err = e.PrimaryKey.VerifyUserIdSignature(pkt.Id, e.PrimaryKey, sig); err != nil {
369	return nil, errors.StructuralError("user ID self-signature invalid: " + err.Error())
370	}
371	current.SelfSignature = sig
372	break
373	}
374	current.Signatures = append(current.Signatures, sig)
375	}	350	}
376	case *packet.Signature:	351	case *packet.Signature:
377	if pkt.SigType == packet.SigTypeKeyRevocation {	352	if pkt.SigType == packet.SigTypeKeyRevocation {
@@ -380,11 +355,9 @@ EachPacket:
380	// TODO: RFC4880 5.2.1 permits signatures	355	// TODO: RFC4880 5.2.1 permits signatures
381	// directly on keys (eg. to bind additional	356	// directly on keys (eg. to bind additional
382	// revocation keys).	357	// revocation keys).
383	} else if current == nil {
384	return nil, errors.StructuralError("signature packet found before user id packet")
385	} else {
386	current.Signatures = append(current.Signatures, pkt)
387	}	358	}
		359	// Else, ignoring the signature as it does not follow anything
		360	// we would know to attach it to.
388	case *packet.PrivateKey:	361	case *packet.PrivateKey:
389	if pkt.IsSubkey == false {	362	if pkt.IsSubkey == false {
390	packets.Unread(p)	363	packets.Unread(p)
@@ -425,33 +398,105 @@ EachPacket:
425	return e, nil	398	return e, nil
426	}	399	}
427		400
		401	func addUserID(e Entity, packets packet.Reader, pkt *packet.UserId) error {
		402	// Make a new Identity object, that we might wind up throwing away.
		403	// We'll only add it if we get a valid self-signature over this
		404	// userID.
		405	identity := new(Identity)
		406	identity.Name = pkt.Id
		407	identity.UserId = pkt
		408
		409	for {
		410	p, err := packets.Next()
		411	if err == io.EOF {
		412	break
		413	} else if err != nil {
		414	return err
		415	}
		416
		417	sig, ok := p.(*packet.Signature)
		418	if !ok {
		419	packets.Unread(p)
		420	break
		421	}
		422
		423	if (sig.SigType == packet.SigTypePositiveCert \|\| sig.SigType == packet.SigTypeGenericCert) && sig.IssuerKeyId != nil && *sig.IssuerKeyId == e.PrimaryKey.KeyId {
		424	if err = e.PrimaryKey.VerifyUserIdSignature(pkt.Id, e.PrimaryKey, sig); err != nil {
		425	return errors.StructuralError("user ID self-signature invalid: " + err.Error())
		426	}
		427	identity.SelfSignature = sig
		428	e.Identities[pkt.Id] = identity
		429	} else {
		430	identity.Signatures = append(identity.Signatures, sig)
		431	}
		432	}
		433
		434	return nil
		435	}
		436
428	func addSubkey(e Entity, packets packet.Reader, pub packet.PublicKey, priv packet.PrivateKey) error {	437	func addSubkey(e Entity, packets packet.Reader, pub packet.PublicKey, priv packet.PrivateKey) error {
429	var subKey Subkey	438	var subKey Subkey
430	subKey.PublicKey = pub	439	subKey.PublicKey = pub
431	subKey.PrivateKey = priv	440	subKey.PrivateKey = priv
432	p, err := packets.Next()	441
433	if err == io.EOF {	442	for {
434	return io.ErrUnexpectedEOF	443	p, err := packets.Next()
435	}	444	if err == io.EOF {
436	if err != nil {	445	break
437	return errors.StructuralError("subkey signature invalid: " + err.Error())	446	} else if err != nil {
		447	return errors.StructuralError("subkey signature invalid: " + err.Error())
		448	}
		449
		450	sig, ok := p.(*packet.Signature)
		451	if !ok {
		452	packets.Unread(p)
		453	break
		454	}
		455
		456	if sig.SigType != packet.SigTypeSubkeyBinding && sig.SigType != packet.SigTypeSubkeyRevocation {
		457	return errors.StructuralError("subkey signature with wrong type")
		458	}
		459
		460	if err := e.PrimaryKey.VerifyKeySignature(subKey.PublicKey, sig); err != nil {
		461	return errors.StructuralError("subkey signature invalid: " + err.Error())
		462	}
		463
		464	switch sig.SigType {
		465	case packet.SigTypeSubkeyRevocation:
		466	subKey.Sig = sig
		467	case packet.SigTypeSubkeyBinding:
		468
		469	if shouldReplaceSubkeySig(subKey.Sig, sig) {
		470	subKey.Sig = sig
		471	}
		472	}
438	}	473	}
439	var ok bool	474
440	subKey.Sig, ok = p.(*packet.Signature)	475	if subKey.Sig == nil {
441	if !ok {
442	return errors.StructuralError("subkey packet not followed by signature")	476	return errors.StructuralError("subkey packet not followed by signature")
443	}	477	}
444	if subKey.Sig.SigType != packet.SigTypeSubkeyBinding && subKey.Sig.SigType != packet.SigTypeSubkeyRevocation {	478
445	return errors.StructuralError("subkey signature with wrong type")
446	}
447	err = e.PrimaryKey.VerifyKeySignature(subKey.PublicKey, subKey.Sig)
448	if err != nil {
449	return errors.StructuralError("subkey signature invalid: " + err.Error())
450	}
451	e.Subkeys = append(e.Subkeys, subKey)	479	e.Subkeys = append(e.Subkeys, subKey)
		480
452	return nil	481	return nil
453	}	482	}
454		483
		484	func shouldReplaceSubkeySig(existingSig, potentialNewSig *packet.Signature) bool {
		485	if potentialNewSig == nil {
		486	return false
		487	}
		488
		489	if existingSig == nil {
		490	return true
		491	}
		492
		493	if existingSig.SigType == packet.SigTypeSubkeyRevocation {
		494	return false // never override a revocation signature
		495	}
		496
		497	return potentialNewSig.CreationTime.After(existingSig.CreationTime)
		498	}
		499
455	const defaultRSAKeyBits = 2048	500	const defaultRSAKeyBits = 2048
456		501
457	// NewEntity returns an Entity that contains a fresh RSA/RSA keypair with a	502	// NewEntity returns an Entity that contains a fresh RSA/RSA keypair with a
@@ -486,7 +531,7 @@ func NewEntity(name, comment, email string, config packet.Config) (Entity, err
486	}	531	}
487	isPrimaryId := true	532	isPrimaryId := true
488	e.Identities[uid.Id] = &Identity{	533	e.Identities[uid.Id] = &Identity{
489	Name: uid.Name,	534	Name: uid.Id,
490	UserId: uid,	535	UserId: uid,
491	SelfSignature: &packet.Signature{	536	SelfSignature: &packet.Signature{
492	CreationTime: currentTime,	537	CreationTime: currentTime,
@@ -500,6 +545,10 @@ func NewEntity(name, comment, email string, config packet.Config) (Entity, err
500	IssuerKeyId: &e.PrimaryKey.KeyId,	545	IssuerKeyId: &e.PrimaryKey.KeyId,
501	},	546	},
502	}	547	}
		548	err = e.Identities[uid.Id].SelfSignature.SignUserId(uid.Id, e.PrimaryKey, e.PrivateKey, config)
		549	if err != nil {
		550	return nil, err
		551	}
503		552
504	// If the user passes in a DefaultHash via packet.Config,	553	// If the user passes in a DefaultHash via packet.Config,
505	// set the PreferredHash for the SelfSignature.	554	// set the PreferredHash for the SelfSignature.
@@ -507,6 +556,11 @@ func NewEntity(name, comment, email string, config packet.Config) (Entity, err
507	e.Identities[uid.Id].SelfSignature.PreferredHash = []uint8{hashToHashId(config.DefaultHash)}	556	e.Identities[uid.Id].SelfSignature.PreferredHash = []uint8{hashToHashId(config.DefaultHash)}
508	}	557	}
509		558
		559	// Likewise for DefaultCipher.
		560	if config != nil && config.DefaultCipher != 0 {
		561	e.Identities[uid.Id].SelfSignature.PreferredSymmetric = []uint8{uint8(config.DefaultCipher)}
		562	}
		563
510	e.Subkeys = make([]Subkey, 1)	564	e.Subkeys = make([]Subkey, 1)
511	e.Subkeys[0] = Subkey{	565	e.Subkeys[0] = Subkey{
512	PublicKey: packet.NewRSAPublicKey(currentTime, &encryptingPriv.PublicKey),	566	PublicKey: packet.NewRSAPublicKey(currentTime, &encryptingPriv.PublicKey),
@@ -524,13 +578,16 @@ func NewEntity(name, comment, email string, config packet.Config) (Entity, err
524	}	578	}
525	e.Subkeys[0].PublicKey.IsSubkey = true	579	e.Subkeys[0].PublicKey.IsSubkey = true
526	e.Subkeys[0].PrivateKey.IsSubkey = true	580	e.Subkeys[0].PrivateKey.IsSubkey = true
527		581	err = e.Subkeys[0].Sig.SignKey(e.Subkeys[0].PublicKey, e.PrivateKey, config)
		582	if err != nil {
		583	return nil, err
		584	}
528	return e, nil	585	return e, nil
529	}	586	}
530		587
531	// SerializePrivate serializes an Entity, including private key material, to	588	// SerializePrivate serializes an Entity, including private key material, but
532	// the given Writer. For now, it must only be used on an Entity returned from	589	// excluding signatures from other entities, to the given Writer.
533	// NewEntity.	590	// Identities and subkeys are re-signed in case they changed since NewEntry.
534	// If config is nil, sensible defaults will be used.	591	// If config is nil, sensible defaults will be used.
535	func (e Entity) SerializePrivate(w io.Writer, config packet.Config) (err error) {	592	func (e Entity) SerializePrivate(w io.Writer, config packet.Config) (err error) {
536	err = e.PrivateKey.Serialize(w)	593	err = e.PrivateKey.Serialize(w)
@@ -568,8 +625,8 @@ func (e Entity) SerializePrivate(w io.Writer, config packet.Config) (err error
568	return nil	625	return nil
569	}	626	}
570		627
571	// Serialize writes the public part of the given Entity to w. (No private	628	// Serialize writes the public part of the given Entity to w, including
572	// key material will be output).	629	// signatures from other entities. No private key material will be output.
573	func (e *Entity) Serialize(w io.Writer) error {	630	func (e *Entity) Serialize(w io.Writer) error {
574	err := e.PrimaryKey.Serialize(w)	631	err := e.PrimaryKey.Serialize(w)
575	if err != nil {	632	if err != nil {