
     1  // Copyright 2015 Keybase, Inc. All rights reserved. Use of
     2  // this source code is governed by the included BSD license.
     3  
     4  package saltpack
     5  
     6  import (
     7  	"fmt"
     8  	"io"
     9  	"os"
    10  
    11  	"github.com/keybase/client/go/kbcrypto"
    12  	"github.com/keybase/client/go/protocol/keybase1"
    13  	"github.com/keybase/client/go/updater/util"
    14  	sp "github.com/keybase/saltpack"
    15  	"github.com/keybase/saltpack/basic"
    16  )
    17  
// Log is the logging interface this package requires from its callers. Both
// methods take a printf-style format string followed by its arguments.
type Log interface {
	// Debugf logs a formatted message at debug level.
	Debugf(s string, args ...interface{})
	// Infof logs a formatted message at info level.
	Infof(s string, args ...interface{})
}
    23  
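// VerifyDetachedFileAtPath opens the file at path and verifies the detached,
// armored saltpack signature over its contents, accepting only signers whose
// Keybase KID maps to true in validKIDs.
//
// The os.Open error is returned unchanged when the file cannot be opened; any
// verification or signer-check error is wrapped so callers can inspect the
// underlying error with errors.Is / errors.As.
func VerifyDetachedFileAtPath(path string, signature string, validKIDs map[string]bool, log Log) error {
	file, err := os.Open(path)
	if err != nil {
		return err
	}
	// Register the Close only once Open has succeeded; deferring it before the
	// error check scheduled a Close on a nil handle whenever Open failed.
	defer util.Close(file)
	if err := VerifyDetached(file, signature, validKIDs, log); err != nil {
		return fmt.Errorf("error verifying signature: %w", err)
	}
	return nil
}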
    37  
// SigningPublicKeyToKeybaseKID converts a saltpack signing public key into a
// Keybase KID by wrapping k.ToKID() with the KIDNaclEddsa key-type tag. A nil
// k yields the zero KID, so callers must check the result (see checkSender).
func SigningPublicKeyToKeybaseKID(k sp.SigningPublicKey) (ret keybase1.KID) {
	if k != nil {
		ret = keybase1.KIDFromRawKey(k.ToKID(), byte(kbcrypto.KIDNaclEddsa))
	}
	return ret
}
    45  
// checkSender is the trust decision for a verified signature: it rejects the
// signer unless its Keybase KID is present in validKIDs with value true.
//
// It returns an error when key is nil, when no KID can be derived from key, or
// when the KID is not allow-listed. A nil validKIDs map rejects every signer,
// since a lookup in a nil map yields false.
func checkSender(key sp.SigningPublicKey, validKIDs map[string]bool, log Log) error {
	if key == nil {
		return fmt.Errorf("no key")
	}
	signer := SigningPublicKeyToKeybaseKID(key)
	if signer.IsNil() {
		return fmt.Errorf("no KID for key")
	}
	// Logged before the allow-list decision so a rejected signer is still
	// visible in the logs.
	log.Infof("Signed by %s", signer)
	if allowed := validKIDs[signer.String()]; !allowed {
		return fmt.Errorf("unknown signer KID: %s", signer)
	}
	log.Debugf("Valid KID: %s", signer)
	return nil
}
    61  
// VerifyDetached verifies the detached, armored saltpack signature over the
// bytes read from reader and then requires the signer's Keybase KID to be
// allow-listed in validKIDs (see checkSender). A nil reader is rejected up
// front.
func VerifyDetached(reader io.Reader, signature string, validKIDs map[string]bool, log Log) error {
	if reader == nil {
		return fmt.Errorf("no reader")
	}
	return VerifyDetachedCheckSender(reader, []byte(signature), func(key sp.SigningPublicKey) error {
		return checkSender(key, validKIDs, log)
	})
}
    72  
// VerifyDetachedCheckSender verifies the armored detached signature over the
// bytes read from message, restricted to known saltpack major versions, and
// then hands the signer's public key to checkSender for the trust decision.
//
// The keyring passed to saltpack is a fresh basic keyring with no keys loaded;
// the signer is identified from the signature itself, so checkSender is the
// only place the signer is bound to a trusted identity (how basic.Keyring
// resolves signer KIDs is not visible here — confirm against the saltpack
// package). The middle result of the saltpack call is discarded; presumably
// the armor brand. checkSender must be non-nil.
func VerifyDetachedCheckSender(message io.Reader, signature []byte, checkSender func(sp.SigningPublicKey) error) error {
	keyring := basic.NewKeyring()
	signer, _, err := sp.Dearmor62VerifyDetachedReader(sp.CheckKnownMajorVersion, message, string(signature), keyring)
	if err != nil {
		return err
	}
	return checkSender(signer)
}