github.com/keybase/client/go@v0.0.0-20241007131713-f10651d043c8/engine/pgp_export_key.go (about)

     1  // Copyright 2015 Keybase, Inc. All rights reserved. Use of
     2  // this source code is governed by the included BSD license.
     3  
     4  package engine
     5  
     6  //
     7  // engine.PGPKeyImportEngine is a class for optionally generating PGP keys,
     8  // and pushing them into the keybase sigchain via the Delegator.
     9  //
    10  
    11  import (
    12  	"bytes"
    13  	"errors"
    14  	"fmt"
    15  
    16  	"github.com/keybase/client/go/kbcrypto"
    17  	"github.com/keybase/client/go/libkb"
    18  	keybase1 "github.com/keybase/client/go/protocol/keybase1"
    19  )
    20  
    21  type queryType int
    22  
    23  const (
    24  	unset queryType = iota
    25  	fingerprint
    26  	kid
    27  	either
    28  )
    29  
    30  type PGPKeyExportEngine struct {
    31  	libkb.Contextified
    32  	arg       keybase1.PGPQuery
    33  	encrypted bool
    34  	qtype     queryType
    35  	res       []keybase1.KeyInfo
    36  	me        *libkb.User
    37  }
    38  
    39  func (e *PGPKeyExportEngine) Prereqs() Prereqs {
    40  	return Prereqs{
    41  		Device: true,
    42  	}
    43  }
    44  
    45  func (e *PGPKeyExportEngine) Name() string {
    46  	return "PGPKeyExportEngine"
    47  }
    48  
    49  func (e *PGPKeyExportEngine) RequiredUIs() []libkb.UIKind {
    50  	return []libkb.UIKind{
    51  		libkb.SecretUIKind,
    52  	}
    53  }
    54  
    55  func (e *PGPKeyExportEngine) SubConsumers() []libkb.UIConsumer {
    56  	return nil
    57  }
    58  
    59  func (e *PGPKeyExportEngine) Results() []keybase1.KeyInfo {
    60  	return e.res
    61  }
    62  
    63  func NewPGPKeyExportEngine(g *libkb.GlobalContext, arg keybase1.PGPExportArg) *PGPKeyExportEngine {
    64  	return &PGPKeyExportEngine{
    65  		arg:          arg.Options,
    66  		qtype:        either,
    67  		encrypted:    arg.Encrypted,
    68  		Contextified: libkb.NewContextified(g),
    69  	}
    70  }
    71  
    72  func NewPGPKeyExportByKIDEngine(g *libkb.GlobalContext, arg keybase1.PGPExportByKIDArg) *PGPKeyExportEngine {
    73  	return &PGPKeyExportEngine{
    74  		arg:          arg.Options,
    75  		qtype:        kid,
    76  		encrypted:    arg.Encrypted,
    77  		Contextified: libkb.NewContextified(g),
    78  	}
    79  }
    80  
    81  func NewPGPKeyExportByFingerprintEngine(g *libkb.GlobalContext, arg keybase1.PGPExportByFingerprintArg) *PGPKeyExportEngine {
    82  	return &PGPKeyExportEngine{
    83  		arg:          arg.Options,
    84  		qtype:        fingerprint,
    85  		encrypted:    arg.Encrypted,
    86  		Contextified: libkb.NewContextified(g),
    87  	}
    88  }
    89  
    90  func (e *PGPKeyExportEngine) pushRes(fp libkb.PGPFingerprint, key string, desc string) {
    91  	e.res = append(e.res, keybase1.KeyInfo{
    92  		Fingerprint: fp.String(),
    93  		Key:         key,
    94  		Desc:        desc,
    95  	})
    96  }
    97  
    98  func (e *PGPKeyExportEngine) queryMatch(k libkb.GenericKey) bool {
    99  	if len(e.arg.Query) == 0 {
   100  		return true
   101  	}
   102  	var match bool
   103  	switch e.qtype {
   104  	case either:
   105  		match = libkb.KeyMatchesQuery(k, e.arg.Query, e.arg.ExactMatch)
   106  	case fingerprint:
   107  		if fp := libkb.GetPGPFingerprintFromGenericKey(k); fp != nil {
   108  			match = fp.Match(e.arg.Query, e.arg.ExactMatch)
   109  		}
   110  	case kid:
   111  		match = k.GetKID().Match(e.arg.Query, e.arg.ExactMatch)
   112  	}
   113  	return match
   114  }
   115  
   116  func (e *PGPKeyExportEngine) exportPublic() (err error) {
   117  	keys := e.me.GetActivePGPKeys(false)
   118  	for _, k := range keys {
   119  		fp := k.GetFingerprintP()
   120  		s, err := k.Encode()
   121  		if fp == nil || err != nil {
   122  			continue
   123  		}
   124  		if !e.queryMatch(k) {
   125  			continue
   126  		}
   127  		e.pushRes(*fp, s, k.VerboseDescription())
   128  	}
   129  	return
   130  }
   131  
   132  func (e *PGPKeyExportEngine) exportSecret(m libkb.MetaContext) error {
   133  	ska := libkb.SecretKeyArg{
   134  		Me:         e.me,
   135  		KeyType:    libkb.PGPKeyType,
   136  		KeyQuery:   e.arg.Query,
   137  		ExactMatch: e.arg.ExactMatch,
   138  	}
   139  	key, skb, err := m.G().Keyrings.GetSecretKeyAndSKBWithPrompt(m, m.SecretKeyPromptArg(ska, "key export"))
   140  	if err != nil {
   141  		if _, ok := err.(libkb.NoSecretKeyError); ok {
   142  			// if no secret key found, don't return an error, just let
   143  			// the result be empty
   144  			return nil
   145  		}
   146  		return err
   147  	}
   148  	fp := libkb.GetPGPFingerprintFromGenericKey(key)
   149  	if fp == nil {
   150  		return kbcrypto.BadKeyError{Msg: "no fingerprint found"}
   151  	}
   152  
   153  	if !e.queryMatch(key) {
   154  		return nil
   155  	}
   156  
   157  	if _, ok := key.(*libkb.PGPKeyBundle); !ok {
   158  		return kbcrypto.BadKeyError{Msg: "Expected a PGP key"}
   159  	}
   160  
   161  	raw := skb.RawUnlockedKey()
   162  	if raw == nil {
   163  		return kbcrypto.BadKeyError{Msg: "can't get raw representation of key"}
   164  	}
   165  
   166  	if e.encrypted {
   167  		// Make encrypted PGP key bundle using provided passphrase.
   168  		// Key will be reimported from bytes so we don't mutate SKB.
   169  		raw, err = e.encryptKey(m, raw)
   170  		if err != nil {
   171  			return err
   172  		}
   173  	}
   174  
   175  	ret, err := libkb.PGPKeyRawToArmored(raw, true)
   176  	if err != nil {
   177  		return err
   178  	}
   179  
   180  	e.pushRes(*fp, ret, "")
   181  
   182  	return nil
   183  }
   184  
   185  func GetPGPExportPassphrase(m libkb.MetaContext, ui libkb.SecretUI, desc string) (keybase1.GetPassphraseRes, error) {
   186  	pRes, err := libkb.GetSecret(m, ui, "PGP key passphrase", desc, "", false)
   187  	if err != nil {
   188  		return keybase1.GetPassphraseRes{}, err
   189  	}
   190  
   191  	desc = "Please reenter your passphrase for confirmation"
   192  	pRes2, err := libkb.GetSecret(m, ui, "PGP key passphrase", desc, "", false)
   193  	if err != nil {
   194  		return keybase1.GetPassphraseRes{}, err
   195  	}
   196  	if pRes.Passphrase != pRes2.Passphrase {
   197  		return keybase1.GetPassphraseRes{}, errors.New("Passphrase mismatch")
   198  	}
   199  
   200  	return pRes, nil
   201  }
   202  
   203  func (e *PGPKeyExportEngine) encryptKey(m libkb.MetaContext, raw []byte) ([]byte, error) {
   204  	entity, _, err := libkb.ReadOneKeyFromBytes(raw)
   205  	if err != nil {
   206  		return nil, err
   207  	}
   208  
   209  	if entity.PrivateKey == nil {
   210  		return nil, kbcrypto.BadKeyError{Msg: "No secret part in PGP key."}
   211  	}
   212  
   213  	desc := "Enter passphrase to protect your PGP key. Secure passphrases have at least 8 characters."
   214  	pRes, err := GetPGPExportPassphrase(m, m.UIs().SecretUI, desc)
   215  	if err != nil {
   216  		return nil, err
   217  	}
   218  
   219  	if err = libkb.EncryptPGPKey(entity.Entity, pRes.Passphrase); err != nil {
   220  		return nil, err
   221  	}
   222  
   223  	var buf bytes.Buffer
   224  	if err = entity.SerializePrivate(&buf); err != nil {
   225  		return nil, err
   226  	}
   227  
   228  	return buf.Bytes(), nil
   229  }
   230  
   231  func (e *PGPKeyExportEngine) loadMe(m libkb.MetaContext) (err error) {
   232  	e.me, err = libkb.LoadMe(libkb.NewLoadUserArgWithMetaContext(m).WithPublicKeyOptional())
   233  	return
   234  }
   235  
   236  func (e *PGPKeyExportEngine) Run(m libkb.MetaContext) (err error) {
   237  	defer m.Trace("PGPKeyExportEngine::Run", &err)()
   238  
   239  	if e.qtype == unset {
   240  		return fmt.Errorf("PGPKeyExportEngine: query type not set")
   241  	}
   242  
   243  	if err = e.loadMe(m); err != nil {
   244  		return
   245  	}
   246  
   247  	if e.arg.Secret {
   248  		err = e.exportSecret(m)
   249  	} else {
   250  		err = e.exportPublic()
   251  	}
   252  
   253  	return
   254  }