github.com/keybase/client/go@v0.0.0-20241007131713-f10651d043c8/engine/gpg_import_key.go (about)

     1  // Copyright 2015 Keybase, Inc. All rights reserved. Use of
     2  // this source code is governed by the included BSD license.
     3  
     4  package engine
     5  
     6  //
     7  // engine.GPGImportKeyEngine is a class that selects key from the GPG keyring via
     8  // shell-out to the gpg command line client. It's useful in `client mykey select`
     9  // and other places in which the user picks existing PGP keys on the existing
    10  // system for use in Keybase tasks.
    11  //
    12  
    13  import (
    14  	"fmt"
    15  
    16  	"github.com/keybase/client/go/libkb"
    17  	keybase1 "github.com/keybase/client/go/protocol/keybase1"
    18  )
    19  
    20  type GPGImportKeyArg struct {
    21  	Query                string
    22  	Signer               libkb.GenericKey
    23  	AllowMulti           bool
    24  	SkipImport           bool
    25  	OnlyImport           bool
    26  	HasProvisionedDevice bool
    27  	Me                   *libkb.User
    28  	Lks                  *libkb.LKSec
    29  }
    30  
    31  type GPGImportKeyEngine struct {
    32  	last                   *libkb.PGPKeyBundle
    33  	arg                    *GPGImportKeyArg
    34  	duplicatedFingerprints []libkb.PGPFingerprint
    35  	libkb.Contextified
    36  }
    37  
    38  func NewGPGImportKeyEngine(g *libkb.GlobalContext, arg *GPGImportKeyArg) *GPGImportKeyEngine {
    39  	return &GPGImportKeyEngine{
    40  		arg:          arg,
    41  		Contextified: libkb.NewContextified(g),
    42  	}
    43  }
    44  
    45  func (e *GPGImportKeyEngine) Prereqs() Prereqs {
    46  	if !e.arg.HasProvisionedDevice {
    47  		return Prereqs{TemporarySession: true}
    48  	}
    49  	return Prereqs{Device: true}
    50  }
    51  
    52  func (e *GPGImportKeyEngine) Name() string {
    53  	return "GPGImportKeyEngine"
    54  }
    55  
    56  func (e *GPGImportKeyEngine) RequiredUIs() []libkb.UIKind {
    57  	return []libkb.UIKind{
    58  		libkb.GPGUIKind,
    59  		libkb.SecretUIKind,
    60  	}
    61  }
    62  
    63  func (e *GPGImportKeyEngine) SubConsumers() []libkb.UIConsumer {
    64  	return []libkb.UIConsumer{
    65  		&PGPKeyImportEngine{},
    66  		&PGPUpdateEngine{},
    67  	}
    68  }
    69  
    70  func (e *GPGImportKeyEngine) WantsGPG(mctx libkb.MetaContext) (bool, error) {
    71  	gpg := e.G().GetGpgClient()
    72  	canExec, err := gpg.CanExec(mctx)
    73  	if err != nil {
    74  		return false, err
    75  	}
    76  	if !canExec {
    77  		return false, nil
    78  	}
    79  
    80  	// they have gpg
    81  
    82  	// get an index of all the secret keys
    83  	index, _, err := gpg.Index(mctx, true, "")
    84  	if err != nil {
    85  		return false, err
    86  	}
    87  	if index.Len() == 0 {
    88  		// no private keys available, so don't offer
    89  		return false, nil
    90  	}
    91  
    92  	res, err := mctx.UIs().GPGUI.WantToAddGPGKey(mctx.Ctx(), 0)
    93  	if err != nil {
    94  		return false, err
    95  	}
    96  	return res, nil
    97  }
    98  
    99  func (e *GPGImportKeyEngine) Run(mctx libkb.MetaContext) (err error) {
   100  	gpg := e.G().GetGpgClient()
   101  
   102  	me := e.arg.Me
   103  	if me == nil {
   104  		if me, err = libkb.LoadMe(libkb.NewLoadUserPubOptionalArg(e.G())); err != nil {
   105  			return err
   106  		}
   107  	}
   108  
   109  	if !e.arg.OnlyImport {
   110  		if err = PGPCheckMulti(me, e.arg.AllowMulti); err != nil {
   111  			return err
   112  		}
   113  	}
   114  
   115  	if err = gpg.Configure(mctx); err != nil {
   116  		return err
   117  	}
   118  	index, warns, err := gpg.Index(mctx, true, e.arg.Query)
   119  	if err != nil {
   120  		return err
   121  	}
   122  	warns.Warn(e.G())
   123  
   124  	var gks []keybase1.GPGKey
   125  	for _, key := range index.Keys {
   126  		gk := keybase1.GPGKey{
   127  			Algorithm:  fmt.Sprintf("%d%s", key.Bits, key.AlgoString()),
   128  			KeyID:      key.GetFingerprint().ToKeyID(),
   129  			Expiration: key.ExpirationString(),
   130  			Identities: key.GetPGPIdentities(),
   131  		}
   132  		gks = append(gks, gk)
   133  	}
   134  
   135  	if len(gks) == 0 {
   136  		return fmt.Errorf("No PGP keys available to choose from.")
   137  	}
   138  
   139  	res, err := mctx.UIs().GPGUI.SelectKeyAndPushOption(mctx.Ctx(), keybase1.SelectKeyAndPushOptionArg{Keys: gks})
   140  	if err != nil {
   141  		return err
   142  	}
   143  	mctx.Debug("SelectKey result: %+v", res)
   144  
   145  	var selected *libkb.GpgPrimaryKey
   146  	for _, key := range index.Keys {
   147  		if key.GetFingerprint().ToKeyID() == res.KeyID {
   148  			selected = key
   149  			break
   150  		}
   151  	}
   152  
   153  	if selected == nil {
   154  		return nil
   155  	}
   156  
   157  	publicKeys := me.GetActivePGPKeys(false)
   158  	duplicate := false
   159  	for _, key := range publicKeys {
   160  		if key.GetFingerprint().Eq(*(selected.GetFingerprint())) {
   161  			duplicate = true
   162  			break
   163  		}
   164  	}
   165  	if duplicate && !e.arg.OnlyImport {
   166  		// This key's already been posted to the server.
   167  		res, err := mctx.UIs().GPGUI.ConfirmDuplicateKeyChosen(mctx.Ctx(), 0)
   168  		if err != nil {
   169  			return err
   170  		}
   171  		if !res {
   172  			return libkb.SibkeyAlreadyExistsError{}
   173  		}
   174  		// We're sending a key update, then.
   175  		fp := selected.GetFingerprint().String()
   176  		eng := NewPGPUpdateEngine(e.G(), []string{fp}, false)
   177  		err = RunEngine2(mctx, eng)
   178  		e.duplicatedFingerprints = eng.duplicatedFingerprints
   179  
   180  		if err != nil {
   181  			return err
   182  		}
   183  
   184  		if !e.arg.SkipImport {
   185  			// Key is duplicate, but caller wants to import secret
   186  			// half.
   187  			res, err := mctx.UIs().GPGUI.ConfirmImportSecretToExistingKey(mctx.Ctx(), 0)
   188  			if err != nil {
   189  				return err
   190  			}
   191  			if !res {
   192  				// But update itself has finished, so this
   193  				// cancellation is not an error.
   194  				mctx.Info("User cancelled secret key import.")
   195  				return nil
   196  			}
   197  			// Fall through with OnlyImport=true so it skips sig posting
   198  			// (which would be rejected because of duplicate kid).
   199  			e.arg.OnlyImport = true
   200  		} else {
   201  			// Nothing to more do.
   202  			return nil
   203  		}
   204  	}
   205  
   206  	tty, err := mctx.UIs().GPGUI.GetTTY(mctx.Ctx())
   207  	if err != nil {
   208  		mctx.Warning("error getting TTY for GPG: %s", err)
   209  		err = nil
   210  	}
   211  
   212  	var bundle *libkb.PGPKeyBundle
   213  
   214  	if e.arg.SkipImport {
   215  		// If we don't need secret key to save in Keybase keyring,
   216  		// just import public key and rely on GPG fallback for reverse
   217  		// signature.
   218  		bundle, err = gpg.ImportKey(mctx, false, *(selected.GetFingerprint()), tty)
   219  		if err != nil {
   220  			return fmt.Errorf("ImportKey (secret: false) error: %s", err)
   221  		}
   222  	} else {
   223  		bundle, err = gpg.ImportKey(mctx, true, *(selected.GetFingerprint()), tty)
   224  		if err != nil {
   225  			return fmt.Errorf("ImportKey (secret: true) error: %s", err)
   226  		}
   227  
   228  		if err := bundle.Unlock(mctx, "Import of key into Keybase keyring", mctx.UIs().SecretUI); err != nil {
   229  			return err
   230  		}
   231  
   232  		if !libkb.FindPGPPrivateKey(bundle) {
   233  			return PGPImportStubbedError{KeyIDString: selected.GetFingerprint().ToKeyID()}
   234  		}
   235  	}
   236  
   237  	if e.arg.OnlyImport {
   238  		if err := e.ensurePublicPartIsPublished(me, bundle.GetKID()); err != nil {
   239  			// Make sure key is active in user's sigchain. Otherwise,
   240  			// after importing to local keychain, Keybase will refuse
   241  			// to use it for any operation anyway.
   242  			return err
   243  		}
   244  	}
   245  
   246  	mctx.Debug("Bundle unlocked: %s", selected.GetFingerprint().ToKeyID())
   247  
   248  	eng := NewPGPKeyImportEngine(mctx.G(), PGPKeyImportEngineArg{
   249  		Pregen:      bundle,
   250  		SigningKey:  e.arg.Signer,
   251  		Me:          me,
   252  		AllowMulti:  e.arg.AllowMulti,
   253  		NoSave:      e.arg.SkipImport,
   254  		OnlySave:    e.arg.OnlyImport,
   255  		Lks:         e.arg.Lks,
   256  		GPGFallback: true,
   257  	})
   258  
   259  	if err = RunEngine2(mctx, eng); err != nil {
   260  
   261  		// It's important to propagate a CanceledError unmolested,
   262  		// since the UI needs to know that. See:
   263  		//  https://github.com/keybase/client/issues/226
   264  		if _, ok := err.(libkb.CanceledError); !ok {
   265  			err = libkb.KeyGenError{Msg: err.Error()}
   266  		}
   267  		return
   268  	}
   269  
   270  	mctx.Debug("Key %s imported", selected.GetFingerprint().ToKeyID())
   271  
   272  	e.last = bundle
   273  
   274  	return nil
   275  }
   276  
   277  func (e *GPGImportKeyEngine) LastKey() *libkb.PGPKeyBundle {
   278  	return e.last
   279  }
   280  
   281  func (e *GPGImportKeyEngine) ensurePublicPartIsPublished(me *libkb.User, kid keybase1.KID) error {
   282  	ckf := me.GetComputedKeyFamily()
   283  	if ckf == nil {
   284  		return fmt.Errorf("cannot get ComputedKeyFamily")
   285  	}
   286  	active := ckf.GetKeyRole(kid)
   287  	if active != libkb.DLGSibkey {
   288  		return PGPNotActiveForLocalImport{kid}
   289  	}
   290  	return nil
   291  }