/
saltpack_sign.go
110 lines (90 loc) · 2.97 KB
/
saltpack_sign.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
// Copyright 2015 Keybase, Inc. All rights reserved. Use of
// this source code is governed by the included BSD license.
package libkb
import (
"fmt"
"io"
"github.com/keybase/go-crypto/ed25519"
"github.com/keybase/client/go/kbcrypto"
keybase1 "github.com/keybase/client/go/protocol/keybase1"
"github.com/keybase/saltpack"
)
type streamfn func(io.Writer, saltpack.SigningSecretKey, string) (io.WriteCloser, error)
func SaltpackSign(g *GlobalContext, source io.ReadCloser, sink io.WriteCloser, key NaclSigningKeyPair, binary bool, saltpackVersion saltpack.Version) error {
var s streamfn
if binary {
s = func(w io.Writer, k saltpack.SigningSecretKey, _ string) (io.WriteCloser, error) {
return saltpack.NewSignStream(saltpackVersion, w, k)
}
} else {
s = func(w io.Writer, k saltpack.SigningSecretKey, brand string) (io.WriteCloser, error) {
return saltpack.NewSignArmor62Stream(saltpackVersion, w, k, brand)
}
}
return saltpackSign(g, source, sink, key, s)
}
func SaltpackSignDetached(g *GlobalContext, source io.ReadCloser, sink io.WriteCloser, key NaclSigningKeyPair, binary bool, saltpackVersion saltpack.Version) error {
var s streamfn
if binary {
s = func(w io.Writer, k saltpack.SigningSecretKey, _ string) (io.WriteCloser, error) {
return saltpack.NewSignDetachedStream(saltpackVersion, w, k)
}
} else {
s = func(w io.Writer, k saltpack.SigningSecretKey, brand string) (io.WriteCloser, error) {
return saltpack.NewSignDetachedArmor62Stream(saltpackVersion, w, k, brand)
}
}
return saltpackSign(g, source, sink, key, s)
}
func saltpackSign(g *GlobalContext, source io.ReadCloser, sink io.WriteCloser, key NaclSigningKeyPair, streamer streamfn) error {
defer func() {
if err := source.Close(); err != nil {
g.Log.Warning("error closing source: %s", err)
}
if err := sink.Close(); err != nil {
g.Log.Warning("error closing sink: %s", err)
}
}()
stream, err := streamer(sink, saltSigner{key}, KeybaseSaltpackBrand)
if err != nil {
return err
}
if _, err := io.Copy(stream, source); err != nil {
return err
}
return stream.Close()
}
type saltSigner struct {
NaclSigningKeyPair
}
func (s saltSigner) GetPublicKey() saltpack.SigningPublicKey {
return saltSignerPublic{key: s.Public}
}
func (s saltSigner) Sign(msg []byte) ([]byte, error) {
sig := s.Private.Sign(msg)
return sig[:], nil
}
type saltSignerPublic struct {
key kbcrypto.NaclSigningKeyPublic
}
func (s saltSignerPublic) ToKID() []byte {
return s.key[:]
}
func (s saltSignerPublic) Verify(msg, sig []byte) error {
if len(sig) != ed25519.SignatureSize {
return fmt.Errorf("signature size: %d, expected %d", len(sig), ed25519.SignatureSize)
}
var fixed kbcrypto.NaclSignature
copy(fixed[:], sig)
if !s.key.Verify(msg, fixed) {
return BadSigError{E: "bad signature"}
}
return nil
}
func SigningPublicKeyToKeybaseKID(k saltpack.SigningPublicKey) (ret keybase1.KID) {
if k == nil {
return ret
}
p := k.ToKID()
return keybase1.KIDFromRawKey(p, byte(kbcrypto.KIDNaclEddsa))
}