登录 注册
开源 企业版 高校版 私有云 模力方舟 模力方舟 AI 队友
扫描微信二维码支付
取消
支付完成
Ai
Watch
不关注 关注所有动态 仅关注版本发行动态 关注但不提醒动态
1 Star 0 Fork 1

mysnapcore/mysnapd

forked from tupelo-shen/mysnapd 
代码 Issues 0 Pull Requests 0 Wiki 统计 流水线
服务
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
文件
克隆/下载
gpgkeypairmgr.go 10.67 KB
一键复制 编辑 原始数据 按行查看 历史
tupelo-shen 提交于 2022-11-07 17:55 +08:00 . fix: aspects & asserts commit
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413
// -*- Mode: Go; indent-tabs-mode: t -*-



/*

 * Copyright (C) 2016-2021 Canonical Ltd

 *

 * This program is free software: you can redistribute it and/or modify

 * it under the terms of the GNU General Public License version 3 as

 * published by the Free Software Foundation.

 *

 * This program is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 * GNU General Public License for more details.

 *

 * You should have received a copy of the GNU General Public License

 * along with this program.  If not, see <http://www.gnu.org/licenses/>.

 *

 */



package asserts



import (

	"bytes"

	"errors"

	"fmt"

	"os"

	"os/exec"

	"path/filepath"

	"strings"



	"golang.org/x/crypto/openpgp/packet"



	"gitee.com/mysnapcore/mysnapd/osutil"

	"gitee.com/mysnapcore/mysnapd/strutil"

)



func ensureGPGHomeDirectory() (string, error) {

	real, err := osutil.UserMaybeSudoUser()

	if err != nil {

		return "", err

	}



	uid, gid, err := osutil.UidGid(real)

	if err != nil {

		return "", err

	}



	homedir := os.Getenv("SNAP_GNUPG_HOME")

	if homedir == "" {

		homedir = filepath.Join(real.HomeDir, ".snap", "gnupg")

	}



	if err := osutil.MkdirAllChown(homedir, 0700, uid, gid); err != nil {

		return "", err

	}

	return homedir, nil

}



// findGPGCommand returns the path to a suitable GnuPG binary to use.

// GnuPG 2 is mainly intended for desktop use, and is hard for us to use

// here: in particular, it's extremely difficult to use it to delete a

// secret key without a pinentry prompt (which would be necessary in our

// test suite).  GnuPG 1 is still supported so it's reasonable to continue

// using that for now.

func findGPGCommand() (string, error) {

	if path := os.Getenv("SNAP_GNUPG_CMD"); path != "" {

		return path, nil

	}



	path, err := exec.LookPath("gpg1")

	if err != nil {

		path, err = exec.LookPath("gpg")

	}

	return path, err

}



var gpgBatchYes = false



func runGPGImpl(input []byte, args ...string) ([]byte, error) {

	homedir, err := ensureGPGHomeDirectory()

	if err != nil {

		return nil, err

	}



	// Ensure the gpg-agent knows what tty to talk to to ask for

	// the passphrase. This is needed because we drive gpg over

	// a pipe and if the agent is not already started it will

	// fail to be able to ask for a password.

	if os.Getenv("GPG_TTY") == "" {

		tty, err := os.Readlink("/proc/self/fd/0")

		if err != nil {

			return nil, err

		}

		os.Setenv("GPG_TTY", tty)

	}



	general := []string{"--homedir", homedir, "-q", "--no-auto-check-trustdb"}

	if gpgBatchYes && strutil.ListContains(args, "--batch") {

		general = append(general, "--yes")

	}

	allArgs := append(general, args...)



	path, err := findGPGCommand()

	if err != nil {

		return nil, err

	}

	cmd := exec.Command(path, allArgs...)

	var outBuf bytes.Buffer

	var errBuf bytes.Buffer



	if len(input) != 0 {

		cmd.Stdin = bytes.NewBuffer(input)

	}



	cmd.Stdout = &outBuf

	cmd.Stderr = &errBuf



	if err := cmd.Run(); err != nil {

		return nil, fmt.Errorf("%s %s failed: %v (%q)", path, strings.Join(args, " "), err, errBuf.Bytes())

	}



	return outBuf.Bytes(), nil

}



var runGPG = runGPGImpl



// A key pair manager backed by a local GnuPG setup.

type GPGKeypairManager struct{}



func (gkm *GPGKeypairManager) gpg(input []byte, args ...string) ([]byte, error) {

	return runGPG(input, args...)

}



// NewGPGKeypairManager creates a new key pair manager backed by a local GnuPG setup.

// Importing keys through the keypair manager interface is not

// suppored.

// Main purpose is allowing signing using keys from a GPG setup.

func NewGPGKeypairManager() *GPGKeypairManager {

	return &GPGKeypairManager{}

}



func (gkm *GPGKeypairManager) retrieve(fpr string) (PrivateKey, error) {

	out, err := gkm.gpg(nil, "--batch", "--export", "--export-options", "export-minimal,export-clean,no-export-attributes", "0x"+fpr)

	if err != nil {

		return nil, err

	}

	if len(out) == 0 {

		return nil, fmt.Errorf("cannot retrieve key with fingerprint %q in GPG keyring", fpr)

	}



	pubKeyBuf := bytes.NewBuffer(out)

	privKey, err := newExtPGPPrivateKey(pubKeyBuf, "GPG", func(content []byte) (*packet.Signature, error) {

		return gkm.sign(fpr, content)

	})

	if err != nil {

		return nil, fmt.Errorf("cannot load GPG public key with fingerprint %q: %v", fpr, err)

	}

	gotFingerprint := privKey.externalID

	if gotFingerprint != fpr {

		return nil, fmt.Errorf("got wrong public key from GPG, expected fingerprint %q: %s", fpr, gotFingerprint)

	}

	return privKey, nil

}



// Walk iterates over all the RSA private keys in the local GPG setup calling the provided callback until this returns an error

func (gkm *GPGKeypairManager) Walk(consider func(privk PrivateKey, fingerprint string, uid string) error) error {

	// see GPG source doc/DETAILS

	out, err := gkm.gpg(nil, "--batch", "--list-secret-keys", "--fingerprint", "--with-colons", "--fixed-list-mode")

	if err != nil {

		return err

	}

	lines := strings.Split(string(out), "\n")

	n := len(lines)

	if n > 0 && lines[n-1] == "" {

		n--

	}

	if n == 0 {

		return nil

	}

	lines = lines[:n]

	for j := 0; j < n; j++ {

		// sec: line

		line := lines[j]

		if !strings.HasPrefix(line, "sec:") {

			continue

		}

		secFields := strings.Split(line, ":")

		if len(secFields) < 5 {

			continue

		}

		if secFields[3] != "1" { // not RSA

			continue

		}

		keyID := secFields[4]

		uid := ""

		fpr := ""

		var privKey PrivateKey

		// look for fpr:, uid: lines, order may vary and gpg2.1

		// may springle additional lines in (like gpr:)

	Loop:

		for k := j + 1; k < n && !strings.HasPrefix(lines[k], "sec:"); k++ {

			switch {

			case strings.HasPrefix(lines[k], "fpr:"):

				fprFields := strings.Split(lines[k], ":")

				// extract "Field 10 - User-ID"

				// A FPR record stores the fingerprint here.

				if len(fprFields) < 10 {

					break Loop

				}

				fpr = fprFields[9]

				if !strings.HasSuffix(fpr, keyID) {

					break // strange, skip

				}

				privKey, err = gkm.retrieve(fpr)

				if err != nil {

					return err

				}

			case strings.HasPrefix(lines[k], "uid:"):

				uidFields := strings.Split(lines[k], ":")

				// extract "*** Field 10 - User-ID"

				if len(uidFields) < 10 {

					break Loop

				}

				uid = uidFields[9]

			}

		}

		// validity checking

		if privKey == nil || uid == "" {

			continue

		}

		// collected it all

		err = consider(privKey, fpr, uid)

		if err != nil {

			return err

		}

	}

	return nil

}



func (gkm *GPGKeypairManager) Put(privKey PrivateKey) error {

	// NOTE: we don't need this initially at least and this keypair mgr is not for general arbitrary usage

	return fmt.Errorf("cannot import private key into GPG keyring")

}



type gpgKeypairInfo struct {

	privKey     PrivateKey

	fingerprint string

}



var errKeypairNotFoundInGPGKeyring = &keyNotFoundError{msg: "cannot find key pair in GPG keyring"}



func (gkm *GPGKeypairManager) findByID(keyID string) (*gpgKeypairInfo, error) {

	stop := errors.New("stop marker")

	var hit *gpgKeypairInfo

	match := func(privk PrivateKey, fpr string, uid string) error {

		if privk.PublicKey().ID() == keyID {

			hit = &gpgKeypairInfo{

				privKey:     privk,

				fingerprint: fpr,

			}

			return stop

		}

		return nil

	}

	err := gkm.Walk(match)

	if err == stop {

		return hit, nil

	}

	if err != nil {

		return nil, err

	}

	return nil, errKeypairNotFoundInGPGKeyring

}



func (gkm *GPGKeypairManager) Get(keyID string) (PrivateKey, error) {

	keyInfo, err := gkm.findByID(keyID)

	if err != nil {

		return nil, err

	}

	return keyInfo.privKey, nil

}



func (gkm *GPGKeypairManager) Delete(keyID string) error {

	keyInfo, err := gkm.findByID(keyID)

	if err != nil {

		return err

	}

	_, err = gkm.gpg(nil, "--batch", "--delete-secret-and-public-key", "0x"+keyInfo.fingerprint)

	if err != nil {

		return err

	}

	return nil

}



func (gkm *GPGKeypairManager) sign(fingerprint string, content []byte) (*packet.Signature, error) {

	out, err := gkm.gpg(content, "--personal-digest-preferences", "SHA512", "--default-key", "0x"+fingerprint, "--detach-sign")

	if err != nil {

		return nil, fmt.Errorf("cannot sign using GPG: %v", err)

	}



	const badSig = "bad GPG produced signature: "

	sigpkt, err := packet.Read(bytes.NewBuffer(out))

	if err != nil {

		return nil, fmt.Errorf(badSig+"%v", err)

	}



	sig, ok := sigpkt.(*packet.Signature)

	if !ok {

		return nil, fmt.Errorf(badSig+"got %T", sigpkt)

	}



	return sig, nil

}



func (gkm *GPGKeypairManager) findByName(name string) (*gpgKeypairInfo, error) {

	stop := errors.New("stop marker")

	var hit *gpgKeypairInfo

	match := func(privk PrivateKey, fpr string, uid string) error {

		if uid == name {

			hit = &gpgKeypairInfo{

				privKey:     privk,

				fingerprint: fpr,

			}

			return stop

		}

		return nil

	}

	err := gkm.Walk(match)

	if err == stop {

		return hit, nil

	}

	if err != nil {

		return nil, err

	}

	return nil, errKeypairNotFoundInGPGKeyring

}



// GetByName looks up a private key by name and returns it.

func (gkm *GPGKeypairManager) GetByName(name string) (PrivateKey, error) {

	keyInfo, err := gkm.findByName(name)

	if err != nil {

		return nil, err

	}

	return keyInfo.privKey, nil

}



var generateTemplate = `

Key-Type: RSA

Key-Length: 4096

Name-Real: %s

Creation-Date: seconds=%d

Preferences: SHA512

`



func (gkm *GPGKeypairManager) parametersForGenerate(passphrase string, name string) string {

	fixedCreationTime := v1FixedTimestamp.Unix()

	generateParams := fmt.Sprintf(generateTemplate, name, fixedCreationTime)

	if passphrase != "" {

		generateParams += "Passphrase: " + passphrase + "\n"

	}

	return generateParams

}



// Generate creates a new key with the given passphrase and name.

func (gkm *GPGKeypairManager) Generate(passphrase string, name string) error {

	_, err := gkm.findByName(name)

	if err == nil {

		return fmt.Errorf("key named %q already exists in GPG keyring", name)

	}

	generateParams := gkm.parametersForGenerate(passphrase, name)

	_, err = gkm.gpg([]byte(generateParams), "--batch", "--gen-key")

	if err != nil {

		return err

	}

	return nil

}



// Export returns the encoded text of the named public key.

func (gkm *GPGKeypairManager) Export(name string) ([]byte, error) {

	keyInfo, err := gkm.findByName(name)

	if err != nil {

		return nil, err

	}

	return EncodePublicKey(keyInfo.privKey.PublicKey())

}



// DeleteByName removes the named key pair from GnuPG's storage.

func (gkm *GPGKeypairManager) DeleteByName(name string) error {

	keyInfo, err := gkm.findByName(name)

	if err != nil {

		return err

	}

	_, err = gkm.gpg(nil, "--batch", "--delete-secret-and-public-key", "0x"+keyInfo.fingerprint)

	if err != nil {

		return err

	}

	return nil

}



func (gkm *GPGKeypairManager) List() (res []ExternalKeyInfo, err error) {

	collect := func(privk PrivateKey, fpr string, uid string) error {

		key := ExternalKeyInfo{

			Name: uid,

			ID:   privk.PublicKey().ID(),

		}

		res = append(res, key)

		return nil

	}

	if err := gkm.Walk(collect); err != nil {

		return nil, err

	}

	return res, nil

}
Loading...
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化
Go
1
https://gitee.com/mysnapcore/mysnapd.git
git@gitee.com:mysnapcore/mysnapd.git
mysnapcore
mysnapd
mysnapd
v0.1.0
点此查找更多帮助

搜索帮助

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
评论
仓库举报
回到顶部