mirror of
https://github.com/letic/terraform-provider-google.git
synced 2024-09-28 22:16:04 +00:00
Add support for google_service_account_key (#472)
* Initial support for google service account keys * Add vendor for vault and encryption * Add change for PR comment * Add doc and improvement fo public key management * adding waiter for compatibility with issue google/google-api-go-client#234 * improvement * Add test with pgp_key * Perform doc anf format * remove test if public_key exists * Add link on doc * correct pr
This commit is contained in:
parent
57f3ffc751
commit
94e0b746df
@ -133,6 +133,7 @@ func Provider() terraform.ResourceProvider {
|
|||||||
"google_runtimeconfig_config": resourceRuntimeconfigConfig(),
|
"google_runtimeconfig_config": resourceRuntimeconfigConfig(),
|
||||||
"google_runtimeconfig_variable": resourceRuntimeconfigVariable(),
|
"google_runtimeconfig_variable": resourceRuntimeconfigVariable(),
|
||||||
"google_service_account": resourceGoogleServiceAccount(),
|
"google_service_account": resourceGoogleServiceAccount(),
|
||||||
|
"google_service_account_key": resourceGoogleServiceAccountKey(),
|
||||||
"google_storage_bucket": resourceStorageBucket(),
|
"google_storage_bucket": resourceStorageBucket(),
|
||||||
"google_storage_bucket_acl": resourceStorageBucketAcl(),
|
"google_storage_bucket_acl": resourceStorageBucketAcl(),
|
||||||
"google_storage_bucket_object": resourceStorageBucketObject(),
|
"google_storage_bucket_object": resourceStorageBucketObject(),
|
||||||
|
157
google/resource_google_service_account_key.go
Normal file
157
google/resource_google_service_account_key.go
Normal file
@ -0,0 +1,157 @@
|
|||||||
|
package google
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
|
||||||
|
"github.com/hashicorp/terraform/helper/encryption"
|
||||||
|
"github.com/hashicorp/terraform/helper/schema"
|
||||||
|
"github.com/hashicorp/terraform/helper/validation"
|
||||||
|
"google.golang.org/api/iam/v1"
|
||||||
|
)
|
||||||
|
|
||||||
|
func resourceGoogleServiceAccountKey() *schema.Resource {
|
||||||
|
return &schema.Resource{
|
||||||
|
Create: resourceGoogleServiceAccountKeyCreate,
|
||||||
|
Read: resourceGoogleServiceAccountKeyRead,
|
||||||
|
Delete: resourceGoogleServiceAccountKeyDelete,
|
||||||
|
Schema: map[string]*schema.Schema{
|
||||||
|
// Required
|
||||||
|
"service_account_id": &schema.Schema{
|
||||||
|
Type: schema.TypeString,
|
||||||
|
Required: true,
|
||||||
|
ForceNew: true,
|
||||||
|
},
|
||||||
|
// Optional
|
||||||
|
"key_algorithm": &schema.Schema{
|
||||||
|
Type: schema.TypeString,
|
||||||
|
Default: "KEY_ALG_RSA_2048",
|
||||||
|
Optional: true,
|
||||||
|
ForceNew: true,
|
||||||
|
ValidateFunc: validation.StringInSlice([]string{"KEY_ALG_UNSPECIFIED", "KEY_ALG_RSA_1024", "KEY_ALG_RSA_2048"}, false),
|
||||||
|
},
|
||||||
|
"pgp_key": {
|
||||||
|
Type: schema.TypeString,
|
||||||
|
Optional: true,
|
||||||
|
ForceNew: true,
|
||||||
|
},
|
||||||
|
"private_key_type": &schema.Schema{
|
||||||
|
Type: schema.TypeString,
|
||||||
|
Default: "TYPE_GOOGLE_CREDENTIALS_FILE",
|
||||||
|
Optional: true,
|
||||||
|
ForceNew: true,
|
||||||
|
ValidateFunc: validation.StringInSlice([]string{"TYPE_UNSPECIFIED", "TYPE_PKCS12_FILE", "TYPE_GOOGLE_CREDENTIALS_FILE"}, false),
|
||||||
|
},
|
||||||
|
"public_key_type": &schema.Schema{
|
||||||
|
Type: schema.TypeString,
|
||||||
|
Default: "X509_PEM",
|
||||||
|
Optional: true,
|
||||||
|
ForceNew: true,
|
||||||
|
ValidateFunc: validation.StringInSlice([]string{"TYPE_NONE", "TYPE_X509_PEM_FILE", "TYPE_RAW_PUBLIC_KEY"}, false),
|
||||||
|
},
|
||||||
|
// Computed
|
||||||
|
"name": &schema.Schema{
|
||||||
|
Type: schema.TypeString,
|
||||||
|
Computed: true,
|
||||||
|
ForceNew: true,
|
||||||
|
},
|
||||||
|
"public_key": {
|
||||||
|
Type: schema.TypeString,
|
||||||
|
Computed: true,
|
||||||
|
ForceNew: true,
|
||||||
|
},
|
||||||
|
"private_key": &schema.Schema{
|
||||||
|
Type: schema.TypeString,
|
||||||
|
Computed: true,
|
||||||
|
Sensitive: true,
|
||||||
|
},
|
||||||
|
"valid_after": &schema.Schema{
|
||||||
|
Type: schema.TypeString,
|
||||||
|
Computed: true,
|
||||||
|
},
|
||||||
|
"valid_before": &schema.Schema{
|
||||||
|
Type: schema.TypeString,
|
||||||
|
Computed: true,
|
||||||
|
},
|
||||||
|
"private_key_encrypted": {
|
||||||
|
Type: schema.TypeString,
|
||||||
|
Computed: true,
|
||||||
|
},
|
||||||
|
"private_key_fingerprint": {
|
||||||
|
Type: schema.TypeString,
|
||||||
|
Computed: true,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func resourceGoogleServiceAccountKeyCreate(d *schema.ResourceData, meta interface{}) error {
|
||||||
|
config := meta.(*Config)
|
||||||
|
|
||||||
|
serviceAccount := d.Get("service_account_id").(string)
|
||||||
|
|
||||||
|
r := &iam.CreateServiceAccountKeyRequest{
|
||||||
|
KeyAlgorithm: d.Get("key_algorithm").(string),
|
||||||
|
PrivateKeyType: d.Get("private_key_type").(string),
|
||||||
|
}
|
||||||
|
|
||||||
|
sak, err := config.clientIAM.Projects.ServiceAccounts.Keys.Create(serviceAccount, r).Do()
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("Error creating service account key: %s", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
d.SetId(sak.Name)
|
||||||
|
// Data only available on create.
|
||||||
|
d.Set("valid_after", sak.ValidAfterTime)
|
||||||
|
d.Set("valid_before", sak.ValidBeforeTime)
|
||||||
|
if v, ok := d.GetOk("pgp_key"); ok {
|
||||||
|
encryptionKey, err := encryption.RetrieveGPGKey(v.(string))
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
fingerprint, encrypted, err := encryption.EncryptValue(encryptionKey, sak.PrivateKeyData, "Google Service Account Key")
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
d.Set("private_key_encrypted", encrypted)
|
||||||
|
d.Set("private_key_fingerprint", fingerprint)
|
||||||
|
} else {
|
||||||
|
d.Set("private_key", sak.PrivateKeyData)
|
||||||
|
}
|
||||||
|
|
||||||
|
err = serviceAccountKeyWaitTime(config.clientIAM.Projects.ServiceAccounts.Keys, d.Id(), d.Get("public_key_type").(string), "Creating Service account key", 4)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
return resourceGoogleServiceAccountKeyRead(d, meta)
|
||||||
|
}
|
||||||
|
|
||||||
|
func resourceGoogleServiceAccountKeyRead(d *schema.ResourceData, meta interface{}) error {
|
||||||
|
config := meta.(*Config)
|
||||||
|
|
||||||
|
publicKeyType := d.Get("public_key_type").(string)
|
||||||
|
|
||||||
|
// Confirm the service account key exists
|
||||||
|
sak, err := config.clientIAM.Projects.ServiceAccounts.Keys.Get(d.Id()).PublicKeyType(publicKeyType).Do()
|
||||||
|
if err != nil {
|
||||||
|
return handleNotFoundError(err, d, fmt.Sprintf("Service Account Key %q", d.Id()))
|
||||||
|
}
|
||||||
|
|
||||||
|
d.Set("name", sak.Name)
|
||||||
|
d.Set("key_algorithm", sak.KeyAlgorithm)
|
||||||
|
d.Set("public_key", sak.PublicKeyData)
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func resourceGoogleServiceAccountKeyDelete(d *schema.ResourceData, meta interface{}) error {
|
||||||
|
config := meta.(*Config)
|
||||||
|
|
||||||
|
_, err := config.clientIAM.Projects.ServiceAccounts.Keys.Delete(d.Id()).Do()
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
d.SetId("")
|
||||||
|
return nil
|
||||||
|
}
|
137
google/resource_google_service_account_key_test.go
Normal file
137
google/resource_google_service_account_key_test.go
Normal file
@ -0,0 +1,137 @@
|
|||||||
|
package google
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
"github.com/hashicorp/terraform/helper/acctest"
|
||||||
|
"github.com/hashicorp/terraform/helper/resource"
|
||||||
|
"github.com/hashicorp/terraform/terraform"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Test that a service account key can be created and destroyed
|
||||||
|
func TestAccGoogleServiceAccountKey_basic(t *testing.T) {
|
||||||
|
t.Parallel()
|
||||||
|
|
||||||
|
resourceName := "google_service_account_key.acceptance"
|
||||||
|
accountID := "a" + acctest.RandString(10)
|
||||||
|
displayName := "Terraform Test"
|
||||||
|
resource.Test(t, resource.TestCase{
|
||||||
|
PreCheck: func() { testAccPreCheck(t) },
|
||||||
|
Providers: testAccProviders,
|
||||||
|
Steps: []resource.TestStep{
|
||||||
|
resource.TestStep{
|
||||||
|
Config: testAccGoogleServiceAccountKey(accountID, displayName),
|
||||||
|
Check: resource.ComposeTestCheckFunc(
|
||||||
|
testAccCheckGoogleServiceAccountKeyExists(resourceName),
|
||||||
|
resource.TestCheckResourceAttrSet(resourceName, "public_key"),
|
||||||
|
resource.TestCheckResourceAttrSet(resourceName, "valid_after"),
|
||||||
|
resource.TestCheckResourceAttrSet(resourceName, "valid_before"),
|
||||||
|
resource.TestCheckResourceAttrSet(resourceName, "private_key"),
|
||||||
|
),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestAccGoogleServiceAccountKey_pgp(t *testing.T) {
|
||||||
|
t.Parallel()
|
||||||
|
resourceName := "google_service_account_key.acceptance"
|
||||||
|
accountID := "a" + acctest.RandString(10)
|
||||||
|
displayName := "Terraform Test"
|
||||||
|
resource.Test(t, resource.TestCase{
|
||||||
|
PreCheck: func() { testAccPreCheck(t) },
|
||||||
|
Providers: testAccProviders,
|
||||||
|
Steps: []resource.TestStep{
|
||||||
|
resource.TestStep{
|
||||||
|
Config: testAccGoogleServiceAccountKey_pgp(accountID, displayName, testKeyPairPubKey1),
|
||||||
|
Check: resource.ComposeTestCheckFunc(
|
||||||
|
testAccCheckGoogleServiceAccountKeyExists(resourceName),
|
||||||
|
resource.TestCheckResourceAttrSet(resourceName, "public_key"),
|
||||||
|
resource.TestCheckResourceAttrSet(resourceName, "private_key_encrypted"),
|
||||||
|
resource.TestCheckResourceAttrSet(resourceName, "private_key_fingerprint"),
|
||||||
|
),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
func testAccCheckGoogleServiceAccountKeyExists(r string) resource.TestCheckFunc {
|
||||||
|
return func(s *terraform.State) error {
|
||||||
|
|
||||||
|
rs, ok := s.RootModule().Resources[r]
|
||||||
|
if !ok {
|
||||||
|
return fmt.Errorf("Not found: %s", r)
|
||||||
|
}
|
||||||
|
|
||||||
|
if rs.Primary.ID == "" {
|
||||||
|
return fmt.Errorf("No ID is set")
|
||||||
|
}
|
||||||
|
config := testAccProvider.Meta().(*Config)
|
||||||
|
|
||||||
|
_, err := config.clientIAM.Projects.ServiceAccounts.Keys.Get(rs.Primary.ID).Do()
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func testAccGoogleServiceAccountKey(account, name string) string {
|
||||||
|
return fmt.Sprintf(`
|
||||||
|
resource "google_service_account" "acceptance" {
|
||||||
|
account_id = "%s"
|
||||||
|
display_name = "%s"
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "google_service_account_key" "acceptance" {
|
||||||
|
service_account_id = "${google_service_account.acceptance.id}"
|
||||||
|
public_key_type = "TYPE_X509_PEM_FILE"
|
||||||
|
}
|
||||||
|
`, account, name)
|
||||||
|
}
|
||||||
|
|
||||||
|
func testAccGoogleServiceAccountKey_pgp(account, name string, key string) string {
|
||||||
|
return fmt.Sprintf(`
|
||||||
|
resource "google_service_account" "acceptance" {
|
||||||
|
account_id = "%s"
|
||||||
|
display_name = "%s"
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "google_service_account_key" "acceptance" {
|
||||||
|
service_account_id = "${google_service_account.acceptance.id}"
|
||||||
|
public_key_type = "TYPE_X509_PEM_FILE"
|
||||||
|
pgp_key = <<EOF
|
||||||
|
%s
|
||||||
|
EOF
|
||||||
|
}
|
||||||
|
`, account, name, key)
|
||||||
|
}
|
||||||
|
|
||||||
|
const testKeyPairPubKey1 = `mQENBFXbjPUBCADjNjCUQwfxKL+RR2GA6pv/1K+zJZ8UWIF9S0lk7cVIEfJiprzzwiMwBS5cD0da
|
||||||
|
rGin1FHvIWOZxujA7oW0O2TUuatqI3aAYDTfRYurh6iKLC+VS+F7H+/mhfFvKmgr0Y5kDCF1j0T/
|
||||||
|
063QZ84IRGucR/X43IY7kAtmxGXH0dYOCzOe5UBX1fTn3mXGe2ImCDWBH7gOViynXmb6XNvXkP0f
|
||||||
|
sF5St9jhO7mbZU9EFkv9O3t3EaURfHopsCVDOlCkFCw5ArY+DUORHRzoMX0PnkyQb5OzibkChzpg
|
||||||
|
8hQssKeVGpuskTdz5Q7PtdW71jXd4fFVzoNH8fYwRpziD2xNvi6HABEBAAG0EFZhdWx0IFRlc3Qg
|
||||||
|
S2V5IDGJATgEEwECACIFAlXbjPUCGy8GCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEOfLr44B
|
||||||
|
HbeTo+sH/i7bapIgPnZsJ81hmxPj4W12uvunksGJiC7d4hIHsG7kmJRTJfjECi+AuTGeDwBy84TD
|
||||||
|
cRaOB6e79fj65Fg6HgSahDUtKJbGxj/lWzmaBuTzlN3CEe8cMwIPqPT2kajJVdOyrvkyuFOdPFOE
|
||||||
|
A7bdCH0MqgIdM2SdF8t40k/ATfuD2K1ZmumJ508I3gF39jgTnPzD4C8quswrMQ3bzfvKC3klXRlB
|
||||||
|
C0yoArn+0QA3cf2B9T4zJ2qnvgotVbeK/b1OJRNj6Poeo+SsWNc/A5mw7lGScnDgL3yfwCm1gQXa
|
||||||
|
QKfOt5x+7GqhWDw10q+bJpJlI10FfzAnhMF9etSqSeURBRW5AQ0EVduM9QEIAL53hJ5bZJ7oEDCn
|
||||||
|
aY+SCzt9QsAfnFTAnZJQrvkvusJzrTQ088eUQmAjvxkfRqnv981fFwGnh2+I1Ktm698UAZS9Jt8y
|
||||||
|
jak9wWUICKQO5QUt5k8cHwldQXNXVXFa+TpQWQR5yW1a9okjh5o/3d4cBt1yZPUJJyLKY43Wvptb
|
||||||
|
6EuEsScO2DnRkh5wSMDQ7dTooddJCmaq3LTjOleRFQbu9ij386Do6jzK69mJU56TfdcydkxkWF5N
|
||||||
|
ZLGnED3lq+hQNbe+8UI5tD2oP/3r5tXKgMy1R/XPvR/zbfwvx4FAKFOP01awLq4P3d/2xOkMu4Lu
|
||||||
|
9p315E87DOleYwxk+FoTqXEAEQEAAYkCPgQYAQIACQUCVduM9QIbLgEpCRDny6+OAR23k8BdIAQZ
|
||||||
|
AQIABgUCVduM9QAKCRAID0JGyHtSGmqYB/4m4rJbbWa7dBJ8VqRU7ZKnNRDR9CVhEGipBmpDGRYu
|
||||||
|
lEimOPzLUX/ZXZmTZzgemeXLBaJJlWnopVUWuAsyjQuZAfdd8nHkGRHG0/DGum0l4sKTta3OPGHN
|
||||||
|
C1z1dAcQ1RCr9bTD3PxjLBczdGqhzw71trkQRBRdtPiUchltPMIyjUHqVJ0xmg0hPqFic0fICsr0
|
||||||
|
YwKoz3h9+QEcZHvsjSZjgydKvfLYcm+4DDMCCqcHuJrbXJKUWmJcXR0y/+HQONGrGJ5xWdO+6eJi
|
||||||
|
oPn2jVMnXCm4EKc7fcLFrz/LKmJ8seXhxjM3EdFtylBGCrx3xdK0f+JDNQaC/rhUb5V2XuX6VwoH
|
||||||
|
/AtY+XsKVYRfNIupLOUcf/srsm3IXT4SXWVomOc9hjGQiJ3rraIbADsc+6bCAr4XNZS7moViAAcI
|
||||||
|
PXFv3m3WfUlnG/om78UjQqyVACRZqqAGmuPq+TSkRUCpt9h+A39LQWkojHqyob3cyLgy6z9Q557O
|
||||||
|
9uK3lQozbw2gH9zC0RqnePl+rsWIUU/ga16fH6pWc1uJiEBt8UZGypQ/E56/343epmYAe0a87sHx
|
||||||
|
8iDV+dNtDVKfPRENiLOOc19MmS+phmUyrbHqI91c0pmysYcJZCD3a502X1gpjFbPZcRtiTmGnUKd
|
||||||
|
OIu60YPNE4+h7u2CfYyFPu3AlUaGNMBlvy6PEpU=`
|
61
google/service_account_waiter.go
Normal file
61
google/service_account_waiter.go
Normal file
@ -0,0 +1,61 @@
|
|||||||
|
package google
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/hashicorp/terraform/helper/resource"
|
||||||
|
"google.golang.org/api/googleapi"
|
||||||
|
"google.golang.org/api/iam/v1"
|
||||||
|
)
|
||||||
|
|
||||||
|
type ServiceAccountKeyWaiter struct {
|
||||||
|
Service *iam.ProjectsServiceAccountsKeysService
|
||||||
|
PublicKeyType string
|
||||||
|
KeyName string
|
||||||
|
}
|
||||||
|
|
||||||
|
func (w *ServiceAccountKeyWaiter) RefreshFunc() resource.StateRefreshFunc {
|
||||||
|
return func() (interface{}, string, error) {
|
||||||
|
var err error
|
||||||
|
var sak *iam.ServiceAccountKey
|
||||||
|
sak, err = w.Service.Get(w.KeyName).PublicKeyType(w.PublicKeyType).Do()
|
||||||
|
|
||||||
|
if err != nil {
|
||||||
|
if err.(*googleapi.Error).Code == 404 {
|
||||||
|
return nil, "PENDING", nil
|
||||||
|
} else {
|
||||||
|
return nil, "", err
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
return sak, "DONE", nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (w *ServiceAccountKeyWaiter) Conf() *resource.StateChangeConf {
|
||||||
|
return &resource.StateChangeConf{
|
||||||
|
Pending: []string{"PENDING"},
|
||||||
|
Target: []string{"DONE"},
|
||||||
|
Refresh: w.RefreshFunc(),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func serviceAccountKeyWaitTime(client *iam.ProjectsServiceAccountsKeysService, keyName, publicKeyType, activity string, timeoutMin int) error {
|
||||||
|
w := &ServiceAccountKeyWaiter{
|
||||||
|
Service: client,
|
||||||
|
PublicKeyType: publicKeyType,
|
||||||
|
KeyName: keyName,
|
||||||
|
}
|
||||||
|
|
||||||
|
state := w.Conf()
|
||||||
|
state.Delay = 10 * time.Second
|
||||||
|
state.Timeout = time.Duration(timeoutMin) * time.Minute
|
||||||
|
state.MinTimeout = 2 * time.Second
|
||||||
|
_, err := state.WaitForState()
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("Error waiting for %s: %s", activity, err)
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
15
vendor/github.com/golang/snappy/AUTHORS
generated
vendored
Normal file
15
vendor/github.com/golang/snappy/AUTHORS
generated
vendored
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
# This is the official list of Snappy-Go authors for copyright purposes.
|
||||||
|
# This file is distinct from the CONTRIBUTORS files.
|
||||||
|
# See the latter for an explanation.
|
||||||
|
|
||||||
|
# Names should be added to this file as
|
||||||
|
# Name or Organization <email address>
|
||||||
|
# The email address is not required for organizations.
|
||||||
|
|
||||||
|
# Please keep the list sorted.
|
||||||
|
|
||||||
|
Damian Gryski <dgryski@gmail.com>
|
||||||
|
Google Inc.
|
||||||
|
Jan Mercl <0xjnml@gmail.com>
|
||||||
|
Rodolfo Carvalho <rhcarvalho@gmail.com>
|
||||||
|
Sebastien Binet <seb.binet@gmail.com>
|
37
vendor/github.com/golang/snappy/CONTRIBUTORS
generated
vendored
Normal file
37
vendor/github.com/golang/snappy/CONTRIBUTORS
generated
vendored
Normal file
@ -0,0 +1,37 @@
|
|||||||
|
# This is the official list of people who can contribute
|
||||||
|
# (and typically have contributed) code to the Snappy-Go repository.
|
||||||
|
# The AUTHORS file lists the copyright holders; this file
|
||||||
|
# lists people. For example, Google employees are listed here
|
||||||
|
# but not in AUTHORS, because Google holds the copyright.
|
||||||
|
#
|
||||||
|
# The submission process automatically checks to make sure
|
||||||
|
# that people submitting code are listed in this file (by email address).
|
||||||
|
#
|
||||||
|
# Names should be added to this file only after verifying that
|
||||||
|
# the individual or the individual's organization has agreed to
|
||||||
|
# the appropriate Contributor License Agreement, found here:
|
||||||
|
#
|
||||||
|
# http://code.google.com/legal/individual-cla-v1.0.html
|
||||||
|
# http://code.google.com/legal/corporate-cla-v1.0.html
|
||||||
|
#
|
||||||
|
# The agreement for individuals can be filled out on the web.
|
||||||
|
#
|
||||||
|
# When adding J Random Contributor's name to this file,
|
||||||
|
# either J's name or J's organization's name should be
|
||||||
|
# added to the AUTHORS file, depending on whether the
|
||||||
|
# individual or corporate CLA was used.
|
||||||
|
|
||||||
|
# Names should be added to this file like so:
|
||||||
|
# Name <email address>
|
||||||
|
|
||||||
|
# Please keep the list sorted.
|
||||||
|
|
||||||
|
Damian Gryski <dgryski@gmail.com>
|
||||||
|
Jan Mercl <0xjnml@gmail.com>
|
||||||
|
Kai Backman <kaib@golang.org>
|
||||||
|
Marc-Antoine Ruel <maruel@chromium.org>
|
||||||
|
Nigel Tao <nigeltao@golang.org>
|
||||||
|
Rob Pike <r@golang.org>
|
||||||
|
Rodolfo Carvalho <rhcarvalho@gmail.com>
|
||||||
|
Russ Cox <rsc@golang.org>
|
||||||
|
Sebastien Binet <seb.binet@gmail.com>
|
27
vendor/github.com/golang/snappy/LICENSE
generated
vendored
Normal file
27
vendor/github.com/golang/snappy/LICENSE
generated
vendored
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
Copyright (c) 2011 The Snappy-Go Authors. All rights reserved.
|
||||||
|
|
||||||
|
Redistribution and use in source and binary forms, with or without
|
||||||
|
modification, are permitted provided that the following conditions are
|
||||||
|
met:
|
||||||
|
|
||||||
|
* Redistributions of source code must retain the above copyright
|
||||||
|
notice, this list of conditions and the following disclaimer.
|
||||||
|
* Redistributions in binary form must reproduce the above
|
||||||
|
copyright notice, this list of conditions and the following disclaimer
|
||||||
|
in the documentation and/or other materials provided with the
|
||||||
|
distribution.
|
||||||
|
* Neither the name of Google Inc. nor the names of its
|
||||||
|
contributors may be used to endorse or promote products derived from
|
||||||
|
this software without specific prior written permission.
|
||||||
|
|
||||||
|
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||||
|
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||||
|
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||||
|
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||||
|
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||||
|
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||||
|
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||||
|
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||||
|
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||||
|
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||||
|
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
107
vendor/github.com/golang/snappy/README
generated
vendored
Normal file
107
vendor/github.com/golang/snappy/README
generated
vendored
Normal file
@ -0,0 +1,107 @@
|
|||||||
|
The Snappy compression format in the Go programming language.
|
||||||
|
|
||||||
|
To download and install from source:
|
||||||
|
$ go get github.com/golang/snappy
|
||||||
|
|
||||||
|
Unless otherwise noted, the Snappy-Go source files are distributed
|
||||||
|
under the BSD-style license found in the LICENSE file.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Benchmarks.
|
||||||
|
|
||||||
|
The golang/snappy benchmarks include compressing (Z) and decompressing (U) ten
|
||||||
|
or so files, the same set used by the C++ Snappy code (github.com/google/snappy
|
||||||
|
and note the "google", not "golang"). On an "Intel(R) Core(TM) i7-3770 CPU @
|
||||||
|
3.40GHz", Go's GOARCH=amd64 numbers as of 2016-05-29:
|
||||||
|
|
||||||
|
"go test -test.bench=."
|
||||||
|
|
||||||
|
_UFlat0-8 2.19GB/s ± 0% html
|
||||||
|
_UFlat1-8 1.41GB/s ± 0% urls
|
||||||
|
_UFlat2-8 23.5GB/s ± 2% jpg
|
||||||
|
_UFlat3-8 1.91GB/s ± 0% jpg_200
|
||||||
|
_UFlat4-8 14.0GB/s ± 1% pdf
|
||||||
|
_UFlat5-8 1.97GB/s ± 0% html4
|
||||||
|
_UFlat6-8 814MB/s ± 0% txt1
|
||||||
|
_UFlat7-8 785MB/s ± 0% txt2
|
||||||
|
_UFlat8-8 857MB/s ± 0% txt3
|
||||||
|
_UFlat9-8 719MB/s ± 1% txt4
|
||||||
|
_UFlat10-8 2.84GB/s ± 0% pb
|
||||||
|
_UFlat11-8 1.05GB/s ± 0% gaviota
|
||||||
|
|
||||||
|
_ZFlat0-8 1.04GB/s ± 0% html
|
||||||
|
_ZFlat1-8 534MB/s ± 0% urls
|
||||||
|
_ZFlat2-8 15.7GB/s ± 1% jpg
|
||||||
|
_ZFlat3-8 740MB/s ± 3% jpg_200
|
||||||
|
_ZFlat4-8 9.20GB/s ± 1% pdf
|
||||||
|
_ZFlat5-8 991MB/s ± 0% html4
|
||||||
|
_ZFlat6-8 379MB/s ± 0% txt1
|
||||||
|
_ZFlat7-8 352MB/s ± 0% txt2
|
||||||
|
_ZFlat8-8 396MB/s ± 1% txt3
|
||||||
|
_ZFlat9-8 327MB/s ± 1% txt4
|
||||||
|
_ZFlat10-8 1.33GB/s ± 1% pb
|
||||||
|
_ZFlat11-8 605MB/s ± 1% gaviota
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
"go test -test.bench=. -tags=noasm"
|
||||||
|
|
||||||
|
_UFlat0-8 621MB/s ± 2% html
|
||||||
|
_UFlat1-8 494MB/s ± 1% urls
|
||||||
|
_UFlat2-8 23.2GB/s ± 1% jpg
|
||||||
|
_UFlat3-8 1.12GB/s ± 1% jpg_200
|
||||||
|
_UFlat4-8 4.35GB/s ± 1% pdf
|
||||||
|
_UFlat5-8 609MB/s ± 0% html4
|
||||||
|
_UFlat6-8 296MB/s ± 0% txt1
|
||||||
|
_UFlat7-8 288MB/s ± 0% txt2
|
||||||
|
_UFlat8-8 309MB/s ± 1% txt3
|
||||||
|
_UFlat9-8 280MB/s ± 1% txt4
|
||||||
|
_UFlat10-8 753MB/s ± 0% pb
|
||||||
|
_UFlat11-8 400MB/s ± 0% gaviota
|
||||||
|
|
||||||
|
_ZFlat0-8 409MB/s ± 1% html
|
||||||
|
_ZFlat1-8 250MB/s ± 1% urls
|
||||||
|
_ZFlat2-8 12.3GB/s ± 1% jpg
|
||||||
|
_ZFlat3-8 132MB/s ± 0% jpg_200
|
||||||
|
_ZFlat4-8 2.92GB/s ± 0% pdf
|
||||||
|
_ZFlat5-8 405MB/s ± 1% html4
|
||||||
|
_ZFlat6-8 179MB/s ± 1% txt1
|
||||||
|
_ZFlat7-8 170MB/s ± 1% txt2
|
||||||
|
_ZFlat8-8 189MB/s ± 1% txt3
|
||||||
|
_ZFlat9-8 164MB/s ± 1% txt4
|
||||||
|
_ZFlat10-8 479MB/s ± 1% pb
|
||||||
|
_ZFlat11-8 270MB/s ± 1% gaviota
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
For comparison (Go's encoded output is byte-for-byte identical to C++'s), here
|
||||||
|
are the numbers from C++ Snappy's
|
||||||
|
|
||||||
|
make CXXFLAGS="-O2 -DNDEBUG -g" clean snappy_unittest.log && cat snappy_unittest.log
|
||||||
|
|
||||||
|
BM_UFlat/0 2.4GB/s html
|
||||||
|
BM_UFlat/1 1.4GB/s urls
|
||||||
|
BM_UFlat/2 21.8GB/s jpg
|
||||||
|
BM_UFlat/3 1.5GB/s jpg_200
|
||||||
|
BM_UFlat/4 13.3GB/s pdf
|
||||||
|
BM_UFlat/5 2.1GB/s html4
|
||||||
|
BM_UFlat/6 1.0GB/s txt1
|
||||||
|
BM_UFlat/7 959.4MB/s txt2
|
||||||
|
BM_UFlat/8 1.0GB/s txt3
|
||||||
|
BM_UFlat/9 864.5MB/s txt4
|
||||||
|
BM_UFlat/10 2.9GB/s pb
|
||||||
|
BM_UFlat/11 1.2GB/s gaviota
|
||||||
|
|
||||||
|
BM_ZFlat/0 944.3MB/s html (22.31 %)
|
||||||
|
BM_ZFlat/1 501.6MB/s urls (47.78 %)
|
||||||
|
BM_ZFlat/2 14.3GB/s jpg (99.95 %)
|
||||||
|
BM_ZFlat/3 538.3MB/s jpg_200 (73.00 %)
|
||||||
|
BM_ZFlat/4 8.3GB/s pdf (83.30 %)
|
||||||
|
BM_ZFlat/5 903.5MB/s html4 (22.52 %)
|
||||||
|
BM_ZFlat/6 336.0MB/s txt1 (57.88 %)
|
||||||
|
BM_ZFlat/7 312.3MB/s txt2 (61.91 %)
|
||||||
|
BM_ZFlat/8 353.1MB/s txt3 (54.99 %)
|
||||||
|
BM_ZFlat/9 289.9MB/s txt4 (66.26 %)
|
||||||
|
BM_ZFlat/10 1.2GB/s pb (19.68 %)
|
||||||
|
BM_ZFlat/11 527.4MB/s gaviota (37.72 %)
|
237
vendor/github.com/golang/snappy/decode.go
generated
vendored
Normal file
237
vendor/github.com/golang/snappy/decode.go
generated
vendored
Normal file
@ -0,0 +1,237 @@
|
|||||||
|
// Copyright 2011 The Snappy-Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package snappy
|
||||||
|
|
||||||
|
import (
|
||||||
|
"encoding/binary"
|
||||||
|
"errors"
|
||||||
|
"io"
|
||||||
|
)
|
||||||
|
|
||||||
|
var (
|
||||||
|
// ErrCorrupt reports that the input is invalid.
|
||||||
|
ErrCorrupt = errors.New("snappy: corrupt input")
|
||||||
|
// ErrTooLarge reports that the uncompressed length is too large.
|
||||||
|
ErrTooLarge = errors.New("snappy: decoded block is too large")
|
||||||
|
// ErrUnsupported reports that the input isn't supported.
|
||||||
|
ErrUnsupported = errors.New("snappy: unsupported input")
|
||||||
|
|
||||||
|
errUnsupportedLiteralLength = errors.New("snappy: unsupported literal length")
|
||||||
|
)
|
||||||
|
|
||||||
|
// DecodedLen returns the length of the decoded block.
|
||||||
|
func DecodedLen(src []byte) (int, error) {
|
||||||
|
v, _, err := decodedLen(src)
|
||||||
|
return v, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// decodedLen returns the length of the decoded block and the number of bytes
|
||||||
|
// that the length header occupied.
|
||||||
|
func decodedLen(src []byte) (blockLen, headerLen int, err error) {
|
||||||
|
v, n := binary.Uvarint(src)
|
||||||
|
if n <= 0 || v > 0xffffffff {
|
||||||
|
return 0, 0, ErrCorrupt
|
||||||
|
}
|
||||||
|
|
||||||
|
const wordSize = 32 << (^uint(0) >> 32 & 1)
|
||||||
|
if wordSize == 32 && v > 0x7fffffff {
|
||||||
|
return 0, 0, ErrTooLarge
|
||||||
|
}
|
||||||
|
return int(v), n, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
const (
|
||||||
|
decodeErrCodeCorrupt = 1
|
||||||
|
decodeErrCodeUnsupportedLiteralLength = 2
|
||||||
|
)
|
||||||
|
|
||||||
|
// Decode returns the decoded form of src. The returned slice may be a sub-
|
||||||
|
// slice of dst if dst was large enough to hold the entire decoded block.
|
||||||
|
// Otherwise, a newly allocated slice will be returned.
|
||||||
|
//
|
||||||
|
// The dst and src must not overlap. It is valid to pass a nil dst.
|
||||||
|
func Decode(dst, src []byte) ([]byte, error) {
|
||||||
|
dLen, s, err := decodedLen(src)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
if dLen <= len(dst) {
|
||||||
|
dst = dst[:dLen]
|
||||||
|
} else {
|
||||||
|
dst = make([]byte, dLen)
|
||||||
|
}
|
||||||
|
switch decode(dst, src[s:]) {
|
||||||
|
case 0:
|
||||||
|
return dst, nil
|
||||||
|
case decodeErrCodeUnsupportedLiteralLength:
|
||||||
|
return nil, errUnsupportedLiteralLength
|
||||||
|
}
|
||||||
|
return nil, ErrCorrupt
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewReader returns a new Reader that decompresses from r, using the framing
|
||||||
|
// format described at
|
||||||
|
// https://github.com/google/snappy/blob/master/framing_format.txt
|
||||||
|
func NewReader(r io.Reader) *Reader {
|
||||||
|
return &Reader{
|
||||||
|
r: r,
|
||||||
|
decoded: make([]byte, maxBlockSize),
|
||||||
|
buf: make([]byte, maxEncodedLenOfMaxBlockSize+checksumSize),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Reader is an io.Reader that can read Snappy-compressed bytes.
|
||||||
|
type Reader struct {
|
||||||
|
r io.Reader
|
||||||
|
err error
|
||||||
|
decoded []byte
|
||||||
|
buf []byte
|
||||||
|
// decoded[i:j] contains decoded bytes that have not yet been passed on.
|
||||||
|
i, j int
|
||||||
|
readHeader bool
|
||||||
|
}
|
||||||
|
|
||||||
|
// Reset discards any buffered data, resets all state, and switches the Snappy
|
||||||
|
// reader to read from r. This permits reusing a Reader rather than allocating
|
||||||
|
// a new one.
|
||||||
|
func (r *Reader) Reset(reader io.Reader) {
|
||||||
|
r.r = reader
|
||||||
|
r.err = nil
|
||||||
|
r.i = 0
|
||||||
|
r.j = 0
|
||||||
|
r.readHeader = false
|
||||||
|
}
|
||||||
|
|
||||||
|
func (r *Reader) readFull(p []byte, allowEOF bool) (ok bool) {
|
||||||
|
if _, r.err = io.ReadFull(r.r, p); r.err != nil {
|
||||||
|
if r.err == io.ErrUnexpectedEOF || (r.err == io.EOF && !allowEOF) {
|
||||||
|
r.err = ErrCorrupt
|
||||||
|
}
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
|
||||||
|
// Read satisfies the io.Reader interface.
|
||||||
|
func (r *Reader) Read(p []byte) (int, error) {
|
||||||
|
if r.err != nil {
|
||||||
|
return 0, r.err
|
||||||
|
}
|
||||||
|
for {
|
||||||
|
if r.i < r.j {
|
||||||
|
n := copy(p, r.decoded[r.i:r.j])
|
||||||
|
r.i += n
|
||||||
|
return n, nil
|
||||||
|
}
|
||||||
|
if !r.readFull(r.buf[:4], true) {
|
||||||
|
return 0, r.err
|
||||||
|
}
|
||||||
|
chunkType := r.buf[0]
|
||||||
|
if !r.readHeader {
|
||||||
|
if chunkType != chunkTypeStreamIdentifier {
|
||||||
|
r.err = ErrCorrupt
|
||||||
|
return 0, r.err
|
||||||
|
}
|
||||||
|
r.readHeader = true
|
||||||
|
}
|
||||||
|
chunkLen := int(r.buf[1]) | int(r.buf[2])<<8 | int(r.buf[3])<<16
|
||||||
|
if chunkLen > len(r.buf) {
|
||||||
|
r.err = ErrUnsupported
|
||||||
|
return 0, r.err
|
||||||
|
}
|
||||||
|
|
||||||
|
// The chunk types are specified at
|
||||||
|
// https://github.com/google/snappy/blob/master/framing_format.txt
|
||||||
|
switch chunkType {
|
||||||
|
case chunkTypeCompressedData:
|
||||||
|
// Section 4.2. Compressed data (chunk type 0x00).
|
||||||
|
if chunkLen < checksumSize {
|
||||||
|
r.err = ErrCorrupt
|
||||||
|
return 0, r.err
|
||||||
|
}
|
||||||
|
buf := r.buf[:chunkLen]
|
||||||
|
if !r.readFull(buf, false) {
|
||||||
|
return 0, r.err
|
||||||
|
}
|
||||||
|
checksum := uint32(buf[0]) | uint32(buf[1])<<8 | uint32(buf[2])<<16 | uint32(buf[3])<<24
|
||||||
|
buf = buf[checksumSize:]
|
||||||
|
|
||||||
|
n, err := DecodedLen(buf)
|
||||||
|
if err != nil {
|
||||||
|
r.err = err
|
||||||
|
return 0, r.err
|
||||||
|
}
|
||||||
|
if n > len(r.decoded) {
|
||||||
|
r.err = ErrCorrupt
|
||||||
|
return 0, r.err
|
||||||
|
}
|
||||||
|
if _, err := Decode(r.decoded, buf); err != nil {
|
||||||
|
r.err = err
|
||||||
|
return 0, r.err
|
||||||
|
}
|
||||||
|
if crc(r.decoded[:n]) != checksum {
|
||||||
|
r.err = ErrCorrupt
|
||||||
|
return 0, r.err
|
||||||
|
}
|
||||||
|
r.i, r.j = 0, n
|
||||||
|
continue
|
||||||
|
|
||||||
|
case chunkTypeUncompressedData:
|
||||||
|
// Section 4.3. Uncompressed data (chunk type 0x01).
|
||||||
|
if chunkLen < checksumSize {
|
||||||
|
r.err = ErrCorrupt
|
||||||
|
return 0, r.err
|
||||||
|
}
|
||||||
|
buf := r.buf[:checksumSize]
|
||||||
|
if !r.readFull(buf, false) {
|
||||||
|
return 0, r.err
|
||||||
|
}
|
||||||
|
checksum := uint32(buf[0]) | uint32(buf[1])<<8 | uint32(buf[2])<<16 | uint32(buf[3])<<24
|
||||||
|
// Read directly into r.decoded instead of via r.buf.
|
||||||
|
n := chunkLen - checksumSize
|
||||||
|
if n > len(r.decoded) {
|
||||||
|
r.err = ErrCorrupt
|
||||||
|
return 0, r.err
|
||||||
|
}
|
||||||
|
if !r.readFull(r.decoded[:n], false) {
|
||||||
|
return 0, r.err
|
||||||
|
}
|
||||||
|
if crc(r.decoded[:n]) != checksum {
|
||||||
|
r.err = ErrCorrupt
|
||||||
|
return 0, r.err
|
||||||
|
}
|
||||||
|
r.i, r.j = 0, n
|
||||||
|
continue
|
||||||
|
|
||||||
|
case chunkTypeStreamIdentifier:
|
||||||
|
// Section 4.1. Stream identifier (chunk type 0xff).
|
||||||
|
if chunkLen != len(magicBody) {
|
||||||
|
r.err = ErrCorrupt
|
||||||
|
return 0, r.err
|
||||||
|
}
|
||||||
|
if !r.readFull(r.buf[:len(magicBody)], false) {
|
||||||
|
return 0, r.err
|
||||||
|
}
|
||||||
|
for i := 0; i < len(magicBody); i++ {
|
||||||
|
if r.buf[i] != magicBody[i] {
|
||||||
|
r.err = ErrCorrupt
|
||||||
|
return 0, r.err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
if chunkType <= 0x7f {
|
||||||
|
// Section 4.5. Reserved unskippable chunks (chunk types 0x02-0x7f).
|
||||||
|
r.err = ErrUnsupported
|
||||||
|
return 0, r.err
|
||||||
|
}
|
||||||
|
// Section 4.4 Padding (chunk type 0xfe).
|
||||||
|
// Section 4.6. Reserved skippable chunks (chunk types 0x80-0xfd).
|
||||||
|
if !r.readFull(r.buf[:chunkLen], false) {
|
||||||
|
return 0, r.err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
14
vendor/github.com/golang/snappy/decode_amd64.go
generated
vendored
Normal file
14
vendor/github.com/golang/snappy/decode_amd64.go
generated
vendored
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
// Copyright 2016 The Snappy-Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// +build !appengine
|
||||||
|
// +build gc
|
||||||
|
// +build !noasm
|
||||||
|
|
||||||
|
package snappy
|
||||||
|
|
||||||
|
// decode has the same semantics as in decode_other.go.
|
||||||
|
//
|
||||||
|
//go:noescape
|
||||||
|
func decode(dst, src []byte) int
|
490
vendor/github.com/golang/snappy/decode_amd64.s
generated
vendored
Normal file
490
vendor/github.com/golang/snappy/decode_amd64.s
generated
vendored
Normal file
@ -0,0 +1,490 @@
|
|||||||
|
// Copyright 2016 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// +build !appengine
|
||||||
|
// +build gc
|
||||||
|
// +build !noasm
|
||||||
|
|
||||||
|
#include "textflag.h"
|
||||||
|
|
||||||
|
// The asm code generally follows the pure Go code in decode_other.go, except
|
||||||
|
// where marked with a "!!!".
|
||||||
|
|
||||||
|
// func decode(dst, src []byte) int
|
||||||
|
//
|
||||||
|
// All local variables fit into registers. The non-zero stack size is only to
|
||||||
|
// spill registers and push args when issuing a CALL. The register allocation:
|
||||||
|
// - AX scratch
|
||||||
|
// - BX scratch
|
||||||
|
// - CX length or x
|
||||||
|
// - DX offset
|
||||||
|
// - SI &src[s]
|
||||||
|
// - DI &dst[d]
|
||||||
|
// + R8 dst_base
|
||||||
|
// + R9 dst_len
|
||||||
|
// + R10 dst_base + dst_len
|
||||||
|
// + R11 src_base
|
||||||
|
// + R12 src_len
|
||||||
|
// + R13 src_base + src_len
|
||||||
|
// - R14 used by doCopy
|
||||||
|
// - R15 used by doCopy
|
||||||
|
//
|
||||||
|
// The registers R8-R13 (marked with a "+") are set at the start of the
|
||||||
|
// function, and after a CALL returns, and are not otherwise modified.
|
||||||
|
//
|
||||||
|
// The d variable is implicitly DI - R8, and len(dst)-d is R10 - DI.
|
||||||
|
// The s variable is implicitly SI - R11, and len(src)-s is R13 - SI.
|
||||||
|
TEXT ·decode(SB), NOSPLIT, $48-56
|
||||||
|
// Initialize SI, DI and R8-R13.
|
||||||
|
MOVQ dst_base+0(FP), R8
|
||||||
|
MOVQ dst_len+8(FP), R9
|
||||||
|
MOVQ R8, DI
|
||||||
|
MOVQ R8, R10
|
||||||
|
ADDQ R9, R10
|
||||||
|
MOVQ src_base+24(FP), R11
|
||||||
|
MOVQ src_len+32(FP), R12
|
||||||
|
MOVQ R11, SI
|
||||||
|
MOVQ R11, R13
|
||||||
|
ADDQ R12, R13
|
||||||
|
|
||||||
|
loop:
|
||||||
|
// for s < len(src)
|
||||||
|
CMPQ SI, R13
|
||||||
|
JEQ end
|
||||||
|
|
||||||
|
// CX = uint32(src[s])
|
||||||
|
//
|
||||||
|
// switch src[s] & 0x03
|
||||||
|
MOVBLZX (SI), CX
|
||||||
|
MOVL CX, BX
|
||||||
|
ANDL $3, BX
|
||||||
|
CMPL BX, $1
|
||||||
|
JAE tagCopy
|
||||||
|
|
||||||
|
// ----------------------------------------
|
||||||
|
// The code below handles literal tags.
|
||||||
|
|
||||||
|
// case tagLiteral:
|
||||||
|
// x := uint32(src[s] >> 2)
|
||||||
|
// switch
|
||||||
|
SHRL $2, CX
|
||||||
|
CMPL CX, $60
|
||||||
|
JAE tagLit60Plus
|
||||||
|
|
||||||
|
// case x < 60:
|
||||||
|
// s++
|
||||||
|
INCQ SI
|
||||||
|
|
||||||
|
doLit:
|
||||||
|
// This is the end of the inner "switch", when we have a literal tag.
|
||||||
|
//
|
||||||
|
// We assume that CX == x and x fits in a uint32, where x is the variable
|
||||||
|
// used in the pure Go decode_other.go code.
|
||||||
|
|
||||||
|
// length = int(x) + 1
|
||||||
|
//
|
||||||
|
// Unlike the pure Go code, we don't need to check if length <= 0 because
|
||||||
|
// CX can hold 64 bits, so the increment cannot overflow.
|
||||||
|
INCQ CX
|
||||||
|
|
||||||
|
// Prepare to check if copying length bytes will run past the end of dst or
|
||||||
|
// src.
|
||||||
|
//
|
||||||
|
// AX = len(dst) - d
|
||||||
|
// BX = len(src) - s
|
||||||
|
MOVQ R10, AX
|
||||||
|
SUBQ DI, AX
|
||||||
|
MOVQ R13, BX
|
||||||
|
SUBQ SI, BX
|
||||||
|
|
||||||
|
// !!! Try a faster technique for short (16 or fewer bytes) copies.
|
||||||
|
//
|
||||||
|
// if length > 16 || len(dst)-d < 16 || len(src)-s < 16 {
|
||||||
|
// goto callMemmove // Fall back on calling runtime·memmove.
|
||||||
|
// }
|
||||||
|
//
|
||||||
|
// The C++ snappy code calls this TryFastAppend. It also checks len(src)-s
|
||||||
|
// against 21 instead of 16, because it cannot assume that all of its input
|
||||||
|
// is contiguous in memory and so it needs to leave enough source bytes to
|
||||||
|
// read the next tag without refilling buffers, but Go's Decode assumes
|
||||||
|
// contiguousness (the src argument is a []byte).
|
||||||
|
CMPQ CX, $16
|
||||||
|
JGT callMemmove
|
||||||
|
CMPQ AX, $16
|
||||||
|
JLT callMemmove
|
||||||
|
CMPQ BX, $16
|
||||||
|
JLT callMemmove
|
||||||
|
|
||||||
|
// !!! Implement the copy from src to dst as a 16-byte load and store.
|
||||||
|
// (Decode's documentation says that dst and src must not overlap.)
|
||||||
|
//
|
||||||
|
// This always copies 16 bytes, instead of only length bytes, but that's
|
||||||
|
// OK. If the input is a valid Snappy encoding then subsequent iterations
|
||||||
|
// will fix up the overrun. Otherwise, Decode returns a nil []byte (and a
|
||||||
|
// non-nil error), so the overrun will be ignored.
|
||||||
|
//
|
||||||
|
// Note that on amd64, it is legal and cheap to issue unaligned 8-byte or
|
||||||
|
// 16-byte loads and stores. This technique probably wouldn't be as
|
||||||
|
// effective on architectures that are fussier about alignment.
|
||||||
|
MOVOU 0(SI), X0
|
||||||
|
MOVOU X0, 0(DI)
|
||||||
|
|
||||||
|
// d += length
|
||||||
|
// s += length
|
||||||
|
ADDQ CX, DI
|
||||||
|
ADDQ CX, SI
|
||||||
|
JMP loop
|
||||||
|
|
||||||
|
callMemmove:
|
||||||
|
// if length > len(dst)-d || length > len(src)-s { etc }
|
||||||
|
CMPQ CX, AX
|
||||||
|
JGT errCorrupt
|
||||||
|
CMPQ CX, BX
|
||||||
|
JGT errCorrupt
|
||||||
|
|
||||||
|
// copy(dst[d:], src[s:s+length])
|
||||||
|
//
|
||||||
|
// This means calling runtime·memmove(&dst[d], &src[s], length), so we push
|
||||||
|
// DI, SI and CX as arguments. Coincidentally, we also need to spill those
|
||||||
|
// three registers to the stack, to save local variables across the CALL.
|
||||||
|
MOVQ DI, 0(SP)
|
||||||
|
MOVQ SI, 8(SP)
|
||||||
|
MOVQ CX, 16(SP)
|
||||||
|
MOVQ DI, 24(SP)
|
||||||
|
MOVQ SI, 32(SP)
|
||||||
|
MOVQ CX, 40(SP)
|
||||||
|
CALL runtime·memmove(SB)
|
||||||
|
|
||||||
|
// Restore local variables: unspill registers from the stack and
|
||||||
|
// re-calculate R8-R13.
|
||||||
|
MOVQ 24(SP), DI
|
||||||
|
MOVQ 32(SP), SI
|
||||||
|
MOVQ 40(SP), CX
|
||||||
|
MOVQ dst_base+0(FP), R8
|
||||||
|
MOVQ dst_len+8(FP), R9
|
||||||
|
MOVQ R8, R10
|
||||||
|
ADDQ R9, R10
|
||||||
|
MOVQ src_base+24(FP), R11
|
||||||
|
MOVQ src_len+32(FP), R12
|
||||||
|
MOVQ R11, R13
|
||||||
|
ADDQ R12, R13
|
||||||
|
|
||||||
|
// d += length
|
||||||
|
// s += length
|
||||||
|
ADDQ CX, DI
|
||||||
|
ADDQ CX, SI
|
||||||
|
JMP loop
|
||||||
|
|
||||||
|
tagLit60Plus:
|
||||||
|
// !!! This fragment does the
|
||||||
|
//
|
||||||
|
// s += x - 58; if uint(s) > uint(len(src)) { etc }
|
||||||
|
//
|
||||||
|
// checks. In the asm version, we code it once instead of once per switch case.
|
||||||
|
ADDQ CX, SI
|
||||||
|
SUBQ $58, SI
|
||||||
|
MOVQ SI, BX
|
||||||
|
SUBQ R11, BX
|
||||||
|
CMPQ BX, R12
|
||||||
|
JA errCorrupt
|
||||||
|
|
||||||
|
// case x == 60:
|
||||||
|
CMPL CX, $61
|
||||||
|
JEQ tagLit61
|
||||||
|
JA tagLit62Plus
|
||||||
|
|
||||||
|
// x = uint32(src[s-1])
|
||||||
|
MOVBLZX -1(SI), CX
|
||||||
|
JMP doLit
|
||||||
|
|
||||||
|
tagLit61:
|
||||||
|
// case x == 61:
|
||||||
|
// x = uint32(src[s-2]) | uint32(src[s-1])<<8
|
||||||
|
MOVWLZX -2(SI), CX
|
||||||
|
JMP doLit
|
||||||
|
|
||||||
|
tagLit62Plus:
|
||||||
|
CMPL CX, $62
|
||||||
|
JA tagLit63
|
||||||
|
|
||||||
|
// case x == 62:
|
||||||
|
// x = uint32(src[s-3]) | uint32(src[s-2])<<8 | uint32(src[s-1])<<16
|
||||||
|
MOVWLZX -3(SI), CX
|
||||||
|
MOVBLZX -1(SI), BX
|
||||||
|
SHLL $16, BX
|
||||||
|
ORL BX, CX
|
||||||
|
JMP doLit
|
||||||
|
|
||||||
|
tagLit63:
|
||||||
|
// case x == 63:
|
||||||
|
// x = uint32(src[s-4]) | uint32(src[s-3])<<8 | uint32(src[s-2])<<16 | uint32(src[s-1])<<24
|
||||||
|
MOVL -4(SI), CX
|
||||||
|
JMP doLit
|
||||||
|
|
||||||
|
// The code above handles literal tags.
|
||||||
|
// ----------------------------------------
|
||||||
|
// The code below handles copy tags.
|
||||||
|
|
||||||
|
tagCopy4:
|
||||||
|
// case tagCopy4:
|
||||||
|
// s += 5
|
||||||
|
ADDQ $5, SI
|
||||||
|
|
||||||
|
// if uint(s) > uint(len(src)) { etc }
|
||||||
|
MOVQ SI, BX
|
||||||
|
SUBQ R11, BX
|
||||||
|
CMPQ BX, R12
|
||||||
|
JA errCorrupt
|
||||||
|
|
||||||
|
// length = 1 + int(src[s-5])>>2
|
||||||
|
SHRQ $2, CX
|
||||||
|
INCQ CX
|
||||||
|
|
||||||
|
// offset = int(uint32(src[s-4]) | uint32(src[s-3])<<8 | uint32(src[s-2])<<16 | uint32(src[s-1])<<24)
|
||||||
|
MOVLQZX -4(SI), DX
|
||||||
|
JMP doCopy
|
||||||
|
|
||||||
|
tagCopy2:
|
||||||
|
// case tagCopy2:
|
||||||
|
// s += 3
|
||||||
|
ADDQ $3, SI
|
||||||
|
|
||||||
|
// if uint(s) > uint(len(src)) { etc }
|
||||||
|
MOVQ SI, BX
|
||||||
|
SUBQ R11, BX
|
||||||
|
CMPQ BX, R12
|
||||||
|
JA errCorrupt
|
||||||
|
|
||||||
|
// length = 1 + int(src[s-3])>>2
|
||||||
|
SHRQ $2, CX
|
||||||
|
INCQ CX
|
||||||
|
|
||||||
|
// offset = int(uint32(src[s-2]) | uint32(src[s-1])<<8)
|
||||||
|
MOVWQZX -2(SI), DX
|
||||||
|
JMP doCopy
|
||||||
|
|
||||||
|
tagCopy:
|
||||||
|
// We have a copy tag. We assume that:
|
||||||
|
// - BX == src[s] & 0x03
|
||||||
|
// - CX == src[s]
|
||||||
|
CMPQ BX, $2
|
||||||
|
JEQ tagCopy2
|
||||||
|
JA tagCopy4
|
||||||
|
|
||||||
|
// case tagCopy1:
|
||||||
|
// s += 2
|
||||||
|
ADDQ $2, SI
|
||||||
|
|
||||||
|
// if uint(s) > uint(len(src)) { etc }
|
||||||
|
MOVQ SI, BX
|
||||||
|
SUBQ R11, BX
|
||||||
|
CMPQ BX, R12
|
||||||
|
JA errCorrupt
|
||||||
|
|
||||||
|
// offset = int(uint32(src[s-2])&0xe0<<3 | uint32(src[s-1]))
|
||||||
|
MOVQ CX, DX
|
||||||
|
ANDQ $0xe0, DX
|
||||||
|
SHLQ $3, DX
|
||||||
|
MOVBQZX -1(SI), BX
|
||||||
|
ORQ BX, DX
|
||||||
|
|
||||||
|
// length = 4 + int(src[s-2])>>2&0x7
|
||||||
|
SHRQ $2, CX
|
||||||
|
ANDQ $7, CX
|
||||||
|
ADDQ $4, CX
|
||||||
|
|
||||||
|
doCopy:
|
||||||
|
// This is the end of the outer "switch", when we have a copy tag.
|
||||||
|
//
|
||||||
|
// We assume that:
|
||||||
|
// - CX == length && CX > 0
|
||||||
|
// - DX == offset
|
||||||
|
|
||||||
|
// if offset <= 0 { etc }
|
||||||
|
CMPQ DX, $0
|
||||||
|
JLE errCorrupt
|
||||||
|
|
||||||
|
// if d < offset { etc }
|
||||||
|
MOVQ DI, BX
|
||||||
|
SUBQ R8, BX
|
||||||
|
CMPQ BX, DX
|
||||||
|
JLT errCorrupt
|
||||||
|
|
||||||
|
// if length > len(dst)-d { etc }
|
||||||
|
MOVQ R10, BX
|
||||||
|
SUBQ DI, BX
|
||||||
|
CMPQ CX, BX
|
||||||
|
JGT errCorrupt
|
||||||
|
|
||||||
|
// forwardCopy(dst[d:d+length], dst[d-offset:]); d += length
|
||||||
|
//
|
||||||
|
// Set:
|
||||||
|
// - R14 = len(dst)-d
|
||||||
|
// - R15 = &dst[d-offset]
|
||||||
|
MOVQ R10, R14
|
||||||
|
SUBQ DI, R14
|
||||||
|
MOVQ DI, R15
|
||||||
|
SUBQ DX, R15
|
||||||
|
|
||||||
|
// !!! Try a faster technique for short (16 or fewer bytes) forward copies.
|
||||||
|
//
|
||||||
|
// First, try using two 8-byte load/stores, similar to the doLit technique
|
||||||
|
// above. Even if dst[d:d+length] and dst[d-offset:] can overlap, this is
|
||||||
|
// still OK if offset >= 8. Note that this has to be two 8-byte load/stores
|
||||||
|
// and not one 16-byte load/store, and the first store has to be before the
|
||||||
|
// second load, due to the overlap if offset is in the range [8, 16).
|
||||||
|
//
|
||||||
|
// if length > 16 || offset < 8 || len(dst)-d < 16 {
|
||||||
|
// goto slowForwardCopy
|
||||||
|
// }
|
||||||
|
// copy 16 bytes
|
||||||
|
// d += length
|
||||||
|
CMPQ CX, $16
|
||||||
|
JGT slowForwardCopy
|
||||||
|
CMPQ DX, $8
|
||||||
|
JLT slowForwardCopy
|
||||||
|
CMPQ R14, $16
|
||||||
|
JLT slowForwardCopy
|
||||||
|
MOVQ 0(R15), AX
|
||||||
|
MOVQ AX, 0(DI)
|
||||||
|
MOVQ 8(R15), BX
|
||||||
|
MOVQ BX, 8(DI)
|
||||||
|
ADDQ CX, DI
|
||||||
|
JMP loop
|
||||||
|
|
||||||
|
slowForwardCopy:
|
||||||
|
// !!! If the forward copy is longer than 16 bytes, or if offset < 8, we
|
||||||
|
// can still try 8-byte load stores, provided we can overrun up to 10 extra
|
||||||
|
// bytes. As above, the overrun will be fixed up by subsequent iterations
|
||||||
|
// of the outermost loop.
|
||||||
|
//
|
||||||
|
// The C++ snappy code calls this technique IncrementalCopyFastPath. Its
|
||||||
|
// commentary says:
|
||||||
|
//
|
||||||
|
// ----
|
||||||
|
//
|
||||||
|
// The main part of this loop is a simple copy of eight bytes at a time
|
||||||
|
// until we've copied (at least) the requested amount of bytes. However,
|
||||||
|
// if d and d-offset are less than eight bytes apart (indicating a
|
||||||
|
// repeating pattern of length < 8), we first need to expand the pattern in
|
||||||
|
// order to get the correct results. For instance, if the buffer looks like
|
||||||
|
// this, with the eight-byte <d-offset> and <d> patterns marked as
|
||||||
|
// intervals:
|
||||||
|
//
|
||||||
|
// abxxxxxxxxxxxx
|
||||||
|
// [------] d-offset
|
||||||
|
// [------] d
|
||||||
|
//
|
||||||
|
// a single eight-byte copy from <d-offset> to <d> will repeat the pattern
|
||||||
|
// once, after which we can move <d> two bytes without moving <d-offset>:
|
||||||
|
//
|
||||||
|
// ababxxxxxxxxxx
|
||||||
|
// [------] d-offset
|
||||||
|
// [------] d
|
||||||
|
//
|
||||||
|
// and repeat the exercise until the two no longer overlap.
|
||||||
|
//
|
||||||
|
// This allows us to do very well in the special case of one single byte
|
||||||
|
// repeated many times, without taking a big hit for more general cases.
|
||||||
|
//
|
||||||
|
// The worst case of extra writing past the end of the match occurs when
|
||||||
|
// offset == 1 and length == 1; the last copy will read from byte positions
|
||||||
|
// [0..7] and write to [4..11], whereas it was only supposed to write to
|
||||||
|
// position 1. Thus, ten excess bytes.
|
||||||
|
//
|
||||||
|
// ----
|
||||||
|
//
|
||||||
|
// That "10 byte overrun" worst case is confirmed by Go's
|
||||||
|
// TestSlowForwardCopyOverrun, which also tests the fixUpSlowForwardCopy
|
||||||
|
// and finishSlowForwardCopy algorithm.
|
||||||
|
//
|
||||||
|
// if length > len(dst)-d-10 {
|
||||||
|
// goto verySlowForwardCopy
|
||||||
|
// }
|
||||||
|
SUBQ $10, R14
|
||||||
|
CMPQ CX, R14
|
||||||
|
JGT verySlowForwardCopy
|
||||||
|
|
||||||
|
makeOffsetAtLeast8:
|
||||||
|
// !!! As above, expand the pattern so that offset >= 8 and we can use
|
||||||
|
// 8-byte load/stores.
|
||||||
|
//
|
||||||
|
// for offset < 8 {
|
||||||
|
// copy 8 bytes from dst[d-offset:] to dst[d:]
|
||||||
|
// length -= offset
|
||||||
|
// d += offset
|
||||||
|
// offset += offset
|
||||||
|
// // The two previous lines together means that d-offset, and therefore
|
||||||
|
// // R15, is unchanged.
|
||||||
|
// }
|
||||||
|
CMPQ DX, $8
|
||||||
|
JGE fixUpSlowForwardCopy
|
||||||
|
MOVQ (R15), BX
|
||||||
|
MOVQ BX, (DI)
|
||||||
|
SUBQ DX, CX
|
||||||
|
ADDQ DX, DI
|
||||||
|
ADDQ DX, DX
|
||||||
|
JMP makeOffsetAtLeast8
|
||||||
|
|
||||||
|
fixUpSlowForwardCopy:
|
||||||
|
// !!! Add length (which might be negative now) to d (implied by DI being
|
||||||
|
// &dst[d]) so that d ends up at the right place when we jump back to the
|
||||||
|
// top of the loop. Before we do that, though, we save DI to AX so that, if
|
||||||
|
// length is positive, copying the remaining length bytes will write to the
|
||||||
|
// right place.
|
||||||
|
MOVQ DI, AX
|
||||||
|
ADDQ CX, DI
|
||||||
|
|
||||||
|
finishSlowForwardCopy:
|
||||||
|
// !!! Repeat 8-byte load/stores until length <= 0. Ending with a negative
|
||||||
|
// length means that we overrun, but as above, that will be fixed up by
|
||||||
|
// subsequent iterations of the outermost loop.
|
||||||
|
CMPQ CX, $0
|
||||||
|
JLE loop
|
||||||
|
MOVQ (R15), BX
|
||||||
|
MOVQ BX, (AX)
|
||||||
|
ADDQ $8, R15
|
||||||
|
ADDQ $8, AX
|
||||||
|
SUBQ $8, CX
|
||||||
|
JMP finishSlowForwardCopy
|
||||||
|
|
||||||
|
verySlowForwardCopy:
|
||||||
|
// verySlowForwardCopy is a simple implementation of forward copy. In C
|
||||||
|
// parlance, this is a do/while loop instead of a while loop, since we know
|
||||||
|
// that length > 0. In Go syntax:
|
||||||
|
//
|
||||||
|
// for {
|
||||||
|
// dst[d] = dst[d - offset]
|
||||||
|
// d++
|
||||||
|
// length--
|
||||||
|
// if length == 0 {
|
||||||
|
// break
|
||||||
|
// }
|
||||||
|
// }
|
||||||
|
MOVB (R15), BX
|
||||||
|
MOVB BX, (DI)
|
||||||
|
INCQ R15
|
||||||
|
INCQ DI
|
||||||
|
DECQ CX
|
||||||
|
JNZ verySlowForwardCopy
|
||||||
|
JMP loop
|
||||||
|
|
||||||
|
// The code above handles copy tags.
|
||||||
|
// ----------------------------------------
|
||||||
|
|
||||||
|
end:
|
||||||
|
// This is the end of the "for s < len(src)".
|
||||||
|
//
|
||||||
|
// if d != len(dst) { etc }
|
||||||
|
CMPQ DI, R10
|
||||||
|
JNE errCorrupt
|
||||||
|
|
||||||
|
// return 0
|
||||||
|
MOVQ $0, ret+48(FP)
|
||||||
|
RET
|
||||||
|
|
||||||
|
errCorrupt:
|
||||||
|
// return decodeErrCodeCorrupt
|
||||||
|
MOVQ $1, ret+48(FP)
|
||||||
|
RET
|
101
vendor/github.com/golang/snappy/decode_other.go
generated
vendored
Normal file
101
vendor/github.com/golang/snappy/decode_other.go
generated
vendored
Normal file
@ -0,0 +1,101 @@
|
|||||||
|
// Copyright 2016 The Snappy-Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// +build !amd64 appengine !gc noasm
|
||||||
|
|
||||||
|
package snappy
|
||||||
|
|
||||||
|
// decode writes the decoding of src to dst. It assumes that the varint-encoded
|
||||||
|
// length of the decompressed bytes has already been read, and that len(dst)
|
||||||
|
// equals that length.
|
||||||
|
//
|
||||||
|
// It returns 0 on success or a decodeErrCodeXxx error code on failure.
|
||||||
|
func decode(dst, src []byte) int {
|
||||||
|
var d, s, offset, length int
|
||||||
|
for s < len(src) {
|
||||||
|
switch src[s] & 0x03 {
|
||||||
|
case tagLiteral:
|
||||||
|
x := uint32(src[s] >> 2)
|
||||||
|
switch {
|
||||||
|
case x < 60:
|
||||||
|
s++
|
||||||
|
case x == 60:
|
||||||
|
s += 2
|
||||||
|
if uint(s) > uint(len(src)) { // The uint conversions catch overflow from the previous line.
|
||||||
|
return decodeErrCodeCorrupt
|
||||||
|
}
|
||||||
|
x = uint32(src[s-1])
|
||||||
|
case x == 61:
|
||||||
|
s += 3
|
||||||
|
if uint(s) > uint(len(src)) { // The uint conversions catch overflow from the previous line.
|
||||||
|
return decodeErrCodeCorrupt
|
||||||
|
}
|
||||||
|
x = uint32(src[s-2]) | uint32(src[s-1])<<8
|
||||||
|
case x == 62:
|
||||||
|
s += 4
|
||||||
|
if uint(s) > uint(len(src)) { // The uint conversions catch overflow from the previous line.
|
||||||
|
return decodeErrCodeCorrupt
|
||||||
|
}
|
||||||
|
x = uint32(src[s-3]) | uint32(src[s-2])<<8 | uint32(src[s-1])<<16
|
||||||
|
case x == 63:
|
||||||
|
s += 5
|
||||||
|
if uint(s) > uint(len(src)) { // The uint conversions catch overflow from the previous line.
|
||||||
|
return decodeErrCodeCorrupt
|
||||||
|
}
|
||||||
|
x = uint32(src[s-4]) | uint32(src[s-3])<<8 | uint32(src[s-2])<<16 | uint32(src[s-1])<<24
|
||||||
|
}
|
||||||
|
length = int(x) + 1
|
||||||
|
if length <= 0 {
|
||||||
|
return decodeErrCodeUnsupportedLiteralLength
|
||||||
|
}
|
||||||
|
if length > len(dst)-d || length > len(src)-s {
|
||||||
|
return decodeErrCodeCorrupt
|
||||||
|
}
|
||||||
|
copy(dst[d:], src[s:s+length])
|
||||||
|
d += length
|
||||||
|
s += length
|
||||||
|
continue
|
||||||
|
|
||||||
|
case tagCopy1:
|
||||||
|
s += 2
|
||||||
|
if uint(s) > uint(len(src)) { // The uint conversions catch overflow from the previous line.
|
||||||
|
return decodeErrCodeCorrupt
|
||||||
|
}
|
||||||
|
length = 4 + int(src[s-2])>>2&0x7
|
||||||
|
offset = int(uint32(src[s-2])&0xe0<<3 | uint32(src[s-1]))
|
||||||
|
|
||||||
|
case tagCopy2:
|
||||||
|
s += 3
|
||||||
|
if uint(s) > uint(len(src)) { // The uint conversions catch overflow from the previous line.
|
||||||
|
return decodeErrCodeCorrupt
|
||||||
|
}
|
||||||
|
length = 1 + int(src[s-3])>>2
|
||||||
|
offset = int(uint32(src[s-2]) | uint32(src[s-1])<<8)
|
||||||
|
|
||||||
|
case tagCopy4:
|
||||||
|
s += 5
|
||||||
|
if uint(s) > uint(len(src)) { // The uint conversions catch overflow from the previous line.
|
||||||
|
return decodeErrCodeCorrupt
|
||||||
|
}
|
||||||
|
length = 1 + int(src[s-5])>>2
|
||||||
|
offset = int(uint32(src[s-4]) | uint32(src[s-3])<<8 | uint32(src[s-2])<<16 | uint32(src[s-1])<<24)
|
||||||
|
}
|
||||||
|
|
||||||
|
if offset <= 0 || d < offset || length > len(dst)-d {
|
||||||
|
return decodeErrCodeCorrupt
|
||||||
|
}
|
||||||
|
// Copy from an earlier sub-slice of dst to a later sub-slice. Unlike
|
||||||
|
// the built-in copy function, this byte-by-byte copy always runs
|
||||||
|
// forwards, even if the slices overlap. Conceptually, this is:
|
||||||
|
//
|
||||||
|
// d += forwardCopy(dst[d:d+length], dst[d-offset:])
|
||||||
|
for end := d + length; d != end; d++ {
|
||||||
|
dst[d] = dst[d-offset]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if d != len(dst) {
|
||||||
|
return decodeErrCodeCorrupt
|
||||||
|
}
|
||||||
|
return 0
|
||||||
|
}
|
285
vendor/github.com/golang/snappy/encode.go
generated
vendored
Normal file
285
vendor/github.com/golang/snappy/encode.go
generated
vendored
Normal file
@ -0,0 +1,285 @@
|
|||||||
|
// Copyright 2011 The Snappy-Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package snappy
|
||||||
|
|
||||||
|
import (
|
||||||
|
"encoding/binary"
|
||||||
|
"errors"
|
||||||
|
"io"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Encode returns the encoded form of src. The returned slice may be a sub-
|
||||||
|
// slice of dst if dst was large enough to hold the entire encoded block.
|
||||||
|
// Otherwise, a newly allocated slice will be returned.
|
||||||
|
//
|
||||||
|
// The dst and src must not overlap. It is valid to pass a nil dst.
|
||||||
|
func Encode(dst, src []byte) []byte {
|
||||||
|
if n := MaxEncodedLen(len(src)); n < 0 {
|
||||||
|
panic(ErrTooLarge)
|
||||||
|
} else if len(dst) < n {
|
||||||
|
dst = make([]byte, n)
|
||||||
|
}
|
||||||
|
|
||||||
|
// The block starts with the varint-encoded length of the decompressed bytes.
|
||||||
|
d := binary.PutUvarint(dst, uint64(len(src)))
|
||||||
|
|
||||||
|
for len(src) > 0 {
|
||||||
|
p := src
|
||||||
|
src = nil
|
||||||
|
if len(p) > maxBlockSize {
|
||||||
|
p, src = p[:maxBlockSize], p[maxBlockSize:]
|
||||||
|
}
|
||||||
|
if len(p) < minNonLiteralBlockSize {
|
||||||
|
d += emitLiteral(dst[d:], p)
|
||||||
|
} else {
|
||||||
|
d += encodeBlock(dst[d:], p)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return dst[:d]
|
||||||
|
}
|
||||||
|
|
||||||
|
// inputMargin is the minimum number of extra input bytes to keep, inside
|
||||||
|
// encodeBlock's inner loop. On some architectures, this margin lets us
|
||||||
|
// implement a fast path for emitLiteral, where the copy of short (<= 16 byte)
|
||||||
|
// literals can be implemented as a single load to and store from a 16-byte
|
||||||
|
// register. That literal's actual length can be as short as 1 byte, so this
|
||||||
|
// can copy up to 15 bytes too much, but that's OK as subsequent iterations of
|
||||||
|
// the encoding loop will fix up the copy overrun, and this inputMargin ensures
|
||||||
|
// that we don't overrun the dst and src buffers.
|
||||||
|
const inputMargin = 16 - 1
|
||||||
|
|
||||||
|
// minNonLiteralBlockSize is the minimum size of the input to encodeBlock that
|
||||||
|
// could be encoded with a copy tag. This is the minimum with respect to the
|
||||||
|
// algorithm used by encodeBlock, not a minimum enforced by the file format.
|
||||||
|
//
|
||||||
|
// The encoded output must start with at least a 1 byte literal, as there are
|
||||||
|
// no previous bytes to copy. A minimal (1 byte) copy after that, generated
|
||||||
|
// from an emitCopy call in encodeBlock's main loop, would require at least
|
||||||
|
// another inputMargin bytes, for the reason above: we want any emitLiteral
|
||||||
|
// calls inside encodeBlock's main loop to use the fast path if possible, which
|
||||||
|
// requires being able to overrun by inputMargin bytes. Thus,
|
||||||
|
// minNonLiteralBlockSize equals 1 + 1 + inputMargin.
|
||||||
|
//
|
||||||
|
// The C++ code doesn't use this exact threshold, but it could, as discussed at
|
||||||
|
// https://groups.google.com/d/topic/snappy-compression/oGbhsdIJSJ8/discussion
|
||||||
|
// The difference between Go (2+inputMargin) and C++ (inputMargin) is purely an
|
||||||
|
// optimization. It should not affect the encoded form. This is tested by
|
||||||
|
// TestSameEncodingAsCppShortCopies.
|
||||||
|
const minNonLiteralBlockSize = 1 + 1 + inputMargin
|
||||||
|
|
||||||
|
// MaxEncodedLen returns the maximum length of a snappy block, given its
|
||||||
|
// uncompressed length.
|
||||||
|
//
|
||||||
|
// It will return a negative value if srcLen is too large to encode.
|
||||||
|
func MaxEncodedLen(srcLen int) int {
|
||||||
|
n := uint64(srcLen)
|
||||||
|
if n > 0xffffffff {
|
||||||
|
return -1
|
||||||
|
}
|
||||||
|
// Compressed data can be defined as:
|
||||||
|
// compressed := item* literal*
|
||||||
|
// item := literal* copy
|
||||||
|
//
|
||||||
|
// The trailing literal sequence has a space blowup of at most 62/60
|
||||||
|
// since a literal of length 60 needs one tag byte + one extra byte
|
||||||
|
// for length information.
|
||||||
|
//
|
||||||
|
// Item blowup is trickier to measure. Suppose the "copy" op copies
|
||||||
|
// 4 bytes of data. Because of a special check in the encoding code,
|
||||||
|
// we produce a 4-byte copy only if the offset is < 65536. Therefore
|
||||||
|
// the copy op takes 3 bytes to encode, and this type of item leads
|
||||||
|
// to at most the 62/60 blowup for representing literals.
|
||||||
|
//
|
||||||
|
// Suppose the "copy" op copies 5 bytes of data. If the offset is big
|
||||||
|
// enough, it will take 5 bytes to encode the copy op. Therefore the
|
||||||
|
// worst case here is a one-byte literal followed by a five-byte copy.
|
||||||
|
// That is, 6 bytes of input turn into 7 bytes of "compressed" data.
|
||||||
|
//
|
||||||
|
// This last factor dominates the blowup, so the final estimate is:
|
||||||
|
n = 32 + n + n/6
|
||||||
|
if n > 0xffffffff {
|
||||||
|
return -1
|
||||||
|
}
|
||||||
|
return int(n)
|
||||||
|
}
|
||||||
|
|
||||||
|
var errClosed = errors.New("snappy: Writer is closed")
|
||||||
|
|
||||||
|
// NewWriter returns a new Writer that compresses to w.
|
||||||
|
//
|
||||||
|
// The Writer returned does not buffer writes. There is no need to Flush or
|
||||||
|
// Close such a Writer.
|
||||||
|
//
|
||||||
|
// Deprecated: the Writer returned is not suitable for many small writes, only
|
||||||
|
// for few large writes. Use NewBufferedWriter instead, which is efficient
|
||||||
|
// regardless of the frequency and shape of the writes, and remember to Close
|
||||||
|
// that Writer when done.
|
||||||
|
func NewWriter(w io.Writer) *Writer {
|
||||||
|
return &Writer{
|
||||||
|
w: w,
|
||||||
|
obuf: make([]byte, obufLen),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewBufferedWriter returns a new Writer that compresses to w, using the
|
||||||
|
// framing format described at
|
||||||
|
// https://github.com/google/snappy/blob/master/framing_format.txt
|
||||||
|
//
|
||||||
|
// The Writer returned buffers writes. Users must call Close to guarantee all
|
||||||
|
// data has been forwarded to the underlying io.Writer. They may also call
|
||||||
|
// Flush zero or more times before calling Close.
|
||||||
|
func NewBufferedWriter(w io.Writer) *Writer {
|
||||||
|
return &Writer{
|
||||||
|
w: w,
|
||||||
|
ibuf: make([]byte, 0, maxBlockSize),
|
||||||
|
obuf: make([]byte, obufLen),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Writer is an io.Writer that can write Snappy-compressed bytes.
|
||||||
|
type Writer struct {
|
||||||
|
w io.Writer
|
||||||
|
err error
|
||||||
|
|
||||||
|
// ibuf is a buffer for the incoming (uncompressed) bytes.
|
||||||
|
//
|
||||||
|
// Its use is optional. For backwards compatibility, Writers created by the
|
||||||
|
// NewWriter function have ibuf == nil, do not buffer incoming bytes, and
|
||||||
|
// therefore do not need to be Flush'ed or Close'd.
|
||||||
|
ibuf []byte
|
||||||
|
|
||||||
|
// obuf is a buffer for the outgoing (compressed) bytes.
|
||||||
|
obuf []byte
|
||||||
|
|
||||||
|
// wroteStreamHeader is whether we have written the stream header.
|
||||||
|
wroteStreamHeader bool
|
||||||
|
}
|
||||||
|
|
||||||
|
// Reset discards the writer's state and switches the Snappy writer to write to
|
||||||
|
// w. This permits reusing a Writer rather than allocating a new one.
|
||||||
|
func (w *Writer) Reset(writer io.Writer) {
|
||||||
|
w.w = writer
|
||||||
|
w.err = nil
|
||||||
|
if w.ibuf != nil {
|
||||||
|
w.ibuf = w.ibuf[:0]
|
||||||
|
}
|
||||||
|
w.wroteStreamHeader = false
|
||||||
|
}
|
||||||
|
|
||||||
|
// Write satisfies the io.Writer interface.
|
||||||
|
func (w *Writer) Write(p []byte) (nRet int, errRet error) {
|
||||||
|
if w.ibuf == nil {
|
||||||
|
// Do not buffer incoming bytes. This does not perform or compress well
|
||||||
|
// if the caller of Writer.Write writes many small slices. This
|
||||||
|
// behavior is therefore deprecated, but still supported for backwards
|
||||||
|
// compatibility with code that doesn't explicitly Flush or Close.
|
||||||
|
return w.write(p)
|
||||||
|
}
|
||||||
|
|
||||||
|
// The remainder of this method is based on bufio.Writer.Write from the
|
||||||
|
// standard library.
|
||||||
|
|
||||||
|
for len(p) > (cap(w.ibuf)-len(w.ibuf)) && w.err == nil {
|
||||||
|
var n int
|
||||||
|
if len(w.ibuf) == 0 {
|
||||||
|
// Large write, empty buffer.
|
||||||
|
// Write directly from p to avoid copy.
|
||||||
|
n, _ = w.write(p)
|
||||||
|
} else {
|
||||||
|
n = copy(w.ibuf[len(w.ibuf):cap(w.ibuf)], p)
|
||||||
|
w.ibuf = w.ibuf[:len(w.ibuf)+n]
|
||||||
|
w.Flush()
|
||||||
|
}
|
||||||
|
nRet += n
|
||||||
|
p = p[n:]
|
||||||
|
}
|
||||||
|
if w.err != nil {
|
||||||
|
return nRet, w.err
|
||||||
|
}
|
||||||
|
n := copy(w.ibuf[len(w.ibuf):cap(w.ibuf)], p)
|
||||||
|
w.ibuf = w.ibuf[:len(w.ibuf)+n]
|
||||||
|
nRet += n
|
||||||
|
return nRet, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (w *Writer) write(p []byte) (nRet int, errRet error) {
|
||||||
|
if w.err != nil {
|
||||||
|
return 0, w.err
|
||||||
|
}
|
||||||
|
for len(p) > 0 {
|
||||||
|
obufStart := len(magicChunk)
|
||||||
|
if !w.wroteStreamHeader {
|
||||||
|
w.wroteStreamHeader = true
|
||||||
|
copy(w.obuf, magicChunk)
|
||||||
|
obufStart = 0
|
||||||
|
}
|
||||||
|
|
||||||
|
var uncompressed []byte
|
||||||
|
if len(p) > maxBlockSize {
|
||||||
|
uncompressed, p = p[:maxBlockSize], p[maxBlockSize:]
|
||||||
|
} else {
|
||||||
|
uncompressed, p = p, nil
|
||||||
|
}
|
||||||
|
checksum := crc(uncompressed)
|
||||||
|
|
||||||
|
// Compress the buffer, discarding the result if the improvement
|
||||||
|
// isn't at least 12.5%.
|
||||||
|
compressed := Encode(w.obuf[obufHeaderLen:], uncompressed)
|
||||||
|
chunkType := uint8(chunkTypeCompressedData)
|
||||||
|
chunkLen := 4 + len(compressed)
|
||||||
|
obufEnd := obufHeaderLen + len(compressed)
|
||||||
|
if len(compressed) >= len(uncompressed)-len(uncompressed)/8 {
|
||||||
|
chunkType = chunkTypeUncompressedData
|
||||||
|
chunkLen = 4 + len(uncompressed)
|
||||||
|
obufEnd = obufHeaderLen
|
||||||
|
}
|
||||||
|
|
||||||
|
// Fill in the per-chunk header that comes before the body.
|
||||||
|
w.obuf[len(magicChunk)+0] = chunkType
|
||||||
|
w.obuf[len(magicChunk)+1] = uint8(chunkLen >> 0)
|
||||||
|
w.obuf[len(magicChunk)+2] = uint8(chunkLen >> 8)
|
||||||
|
w.obuf[len(magicChunk)+3] = uint8(chunkLen >> 16)
|
||||||
|
w.obuf[len(magicChunk)+4] = uint8(checksum >> 0)
|
||||||
|
w.obuf[len(magicChunk)+5] = uint8(checksum >> 8)
|
||||||
|
w.obuf[len(magicChunk)+6] = uint8(checksum >> 16)
|
||||||
|
w.obuf[len(magicChunk)+7] = uint8(checksum >> 24)
|
||||||
|
|
||||||
|
if _, err := w.w.Write(w.obuf[obufStart:obufEnd]); err != nil {
|
||||||
|
w.err = err
|
||||||
|
return nRet, err
|
||||||
|
}
|
||||||
|
if chunkType == chunkTypeUncompressedData {
|
||||||
|
if _, err := w.w.Write(uncompressed); err != nil {
|
||||||
|
w.err = err
|
||||||
|
return nRet, err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
nRet += len(uncompressed)
|
||||||
|
}
|
||||||
|
return nRet, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Flush flushes the Writer to its underlying io.Writer.
|
||||||
|
func (w *Writer) Flush() error {
|
||||||
|
if w.err != nil {
|
||||||
|
return w.err
|
||||||
|
}
|
||||||
|
if len(w.ibuf) == 0 {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
w.write(w.ibuf)
|
||||||
|
w.ibuf = w.ibuf[:0]
|
||||||
|
return w.err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Close calls Flush and then closes the Writer.
|
||||||
|
func (w *Writer) Close() error {
|
||||||
|
w.Flush()
|
||||||
|
ret := w.err
|
||||||
|
if w.err == nil {
|
||||||
|
w.err = errClosed
|
||||||
|
}
|
||||||
|
return ret
|
||||||
|
}
|
29
vendor/github.com/golang/snappy/encode_amd64.go
generated
vendored
Normal file
29
vendor/github.com/golang/snappy/encode_amd64.go
generated
vendored
Normal file
@ -0,0 +1,29 @@
|
|||||||
|
// Copyright 2016 The Snappy-Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// +build !appengine
|
||||||
|
// +build gc
|
||||||
|
// +build !noasm
|
||||||
|
|
||||||
|
package snappy
|
||||||
|
|
||||||
|
// emitLiteral has the same semantics as in encode_other.go.
|
||||||
|
//
|
||||||
|
//go:noescape
|
||||||
|
func emitLiteral(dst, lit []byte) int
|
||||||
|
|
||||||
|
// emitCopy has the same semantics as in encode_other.go.
|
||||||
|
//
|
||||||
|
//go:noescape
|
||||||
|
func emitCopy(dst []byte, offset, length int) int
|
||||||
|
|
||||||
|
// extendMatch has the same semantics as in encode_other.go.
|
||||||
|
//
|
||||||
|
//go:noescape
|
||||||
|
func extendMatch(src []byte, i, j int) int
|
||||||
|
|
||||||
|
// encodeBlock has the same semantics as in encode_other.go.
|
||||||
|
//
|
||||||
|
//go:noescape
|
||||||
|
func encodeBlock(dst, src []byte) (d int)
|
730
vendor/github.com/golang/snappy/encode_amd64.s
generated
vendored
Normal file
730
vendor/github.com/golang/snappy/encode_amd64.s
generated
vendored
Normal file
@ -0,0 +1,730 @@
|
|||||||
|
// Copyright 2016 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// +build !appengine
|
||||||
|
// +build gc
|
||||||
|
// +build !noasm
|
||||||
|
|
||||||
|
#include "textflag.h"
|
||||||
|
|
||||||
|
// The XXX lines assemble on Go 1.4, 1.5 and 1.7, but not 1.6, due to a
|
||||||
|
// Go toolchain regression. See https://github.com/golang/go/issues/15426 and
|
||||||
|
// https://github.com/golang/snappy/issues/29
|
||||||
|
//
|
||||||
|
// As a workaround, the package was built with a known good assembler, and
|
||||||
|
// those instructions were disassembled by "objdump -d" to yield the
|
||||||
|
// 4e 0f b7 7c 5c 78 movzwq 0x78(%rsp,%r11,2),%r15
|
||||||
|
// style comments, in AT&T asm syntax. Note that rsp here is a physical
|
||||||
|
// register, not Go/asm's SP pseudo-register (see https://golang.org/doc/asm).
|
||||||
|
// The instructions were then encoded as "BYTE $0x.." sequences, which assemble
|
||||||
|
// fine on Go 1.6.
|
||||||
|
|
||||||
|
// The asm code generally follows the pure Go code in encode_other.go, except
|
||||||
|
// where marked with a "!!!".
|
||||||
|
|
||||||
|
// ----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
// func emitLiteral(dst, lit []byte) int
|
||||||
|
//
|
||||||
|
// All local variables fit into registers. The register allocation:
|
||||||
|
// - AX len(lit)
|
||||||
|
// - BX n
|
||||||
|
// - DX return value
|
||||||
|
// - DI &dst[i]
|
||||||
|
// - R10 &lit[0]
|
||||||
|
//
|
||||||
|
// The 24 bytes of stack space is to call runtime·memmove.
|
||||||
|
//
|
||||||
|
// The unusual register allocation of local variables, such as R10 for the
|
||||||
|
// source pointer, matches the allocation used at the call site in encodeBlock,
|
||||||
|
// which makes it easier to manually inline this function.
|
||||||
|
TEXT ·emitLiteral(SB), NOSPLIT, $24-56
|
||||||
|
MOVQ dst_base+0(FP), DI
|
||||||
|
MOVQ lit_base+24(FP), R10
|
||||||
|
MOVQ lit_len+32(FP), AX
|
||||||
|
MOVQ AX, DX
|
||||||
|
MOVL AX, BX
|
||||||
|
SUBL $1, BX
|
||||||
|
|
||||||
|
CMPL BX, $60
|
||||||
|
JLT oneByte
|
||||||
|
CMPL BX, $256
|
||||||
|
JLT twoBytes
|
||||||
|
|
||||||
|
threeBytes:
|
||||||
|
MOVB $0xf4, 0(DI)
|
||||||
|
MOVW BX, 1(DI)
|
||||||
|
ADDQ $3, DI
|
||||||
|
ADDQ $3, DX
|
||||||
|
JMP memmove
|
||||||
|
|
||||||
|
twoBytes:
|
||||||
|
MOVB $0xf0, 0(DI)
|
||||||
|
MOVB BX, 1(DI)
|
||||||
|
ADDQ $2, DI
|
||||||
|
ADDQ $2, DX
|
||||||
|
JMP memmove
|
||||||
|
|
||||||
|
oneByte:
|
||||||
|
SHLB $2, BX
|
||||||
|
MOVB BX, 0(DI)
|
||||||
|
ADDQ $1, DI
|
||||||
|
ADDQ $1, DX
|
||||||
|
|
||||||
|
memmove:
|
||||||
|
MOVQ DX, ret+48(FP)
|
||||||
|
|
||||||
|
// copy(dst[i:], lit)
|
||||||
|
//
|
||||||
|
// This means calling runtime·memmove(&dst[i], &lit[0], len(lit)), so we push
|
||||||
|
// DI, R10 and AX as arguments.
|
||||||
|
MOVQ DI, 0(SP)
|
||||||
|
MOVQ R10, 8(SP)
|
||||||
|
MOVQ AX, 16(SP)
|
||||||
|
CALL runtime·memmove(SB)
|
||||||
|
RET
|
||||||
|
|
||||||
|
// ----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
// func emitCopy(dst []byte, offset, length int) int
|
||||||
|
//
|
||||||
|
// All local variables fit into registers. The register allocation:
|
||||||
|
// - AX length
|
||||||
|
// - SI &dst[0]
|
||||||
|
// - DI &dst[i]
|
||||||
|
// - R11 offset
|
||||||
|
//
|
||||||
|
// The unusual register allocation of local variables, such as R11 for the
|
||||||
|
// offset, matches the allocation used at the call site in encodeBlock, which
|
||||||
|
// makes it easier to manually inline this function.
|
||||||
|
TEXT ·emitCopy(SB), NOSPLIT, $0-48
|
||||||
|
MOVQ dst_base+0(FP), DI
|
||||||
|
MOVQ DI, SI
|
||||||
|
MOVQ offset+24(FP), R11
|
||||||
|
MOVQ length+32(FP), AX
|
||||||
|
|
||||||
|
loop0:
|
||||||
|
// for length >= 68 { etc }
|
||||||
|
CMPL AX, $68
|
||||||
|
JLT step1
|
||||||
|
|
||||||
|
// Emit a length 64 copy, encoded as 3 bytes.
|
||||||
|
MOVB $0xfe, 0(DI)
|
||||||
|
MOVW R11, 1(DI)
|
||||||
|
ADDQ $3, DI
|
||||||
|
SUBL $64, AX
|
||||||
|
JMP loop0
|
||||||
|
|
||||||
|
step1:
|
||||||
|
// if length > 64 { etc }
|
||||||
|
CMPL AX, $64
|
||||||
|
JLE step2
|
||||||
|
|
||||||
|
// Emit a length 60 copy, encoded as 3 bytes.
|
||||||
|
MOVB $0xee, 0(DI)
|
||||||
|
MOVW R11, 1(DI)
|
||||||
|
ADDQ $3, DI
|
||||||
|
SUBL $60, AX
|
||||||
|
|
||||||
|
step2:
|
||||||
|
// if length >= 12 || offset >= 2048 { goto step3 }
|
||||||
|
CMPL AX, $12
|
||||||
|
JGE step3
|
||||||
|
CMPL R11, $2048
|
||||||
|
JGE step3
|
||||||
|
|
||||||
|
// Emit the remaining copy, encoded as 2 bytes.
|
||||||
|
MOVB R11, 1(DI)
|
||||||
|
SHRL $8, R11
|
||||||
|
SHLB $5, R11
|
||||||
|
SUBB $4, AX
|
||||||
|
SHLB $2, AX
|
||||||
|
ORB AX, R11
|
||||||
|
ORB $1, R11
|
||||||
|
MOVB R11, 0(DI)
|
||||||
|
ADDQ $2, DI
|
||||||
|
|
||||||
|
// Return the number of bytes written.
|
||||||
|
SUBQ SI, DI
|
||||||
|
MOVQ DI, ret+40(FP)
|
||||||
|
RET
|
||||||
|
|
||||||
|
step3:
|
||||||
|
// Emit the remaining copy, encoded as 3 bytes.
|
||||||
|
SUBL $1, AX
|
||||||
|
SHLB $2, AX
|
||||||
|
ORB $2, AX
|
||||||
|
MOVB AX, 0(DI)
|
||||||
|
MOVW R11, 1(DI)
|
||||||
|
ADDQ $3, DI
|
||||||
|
|
||||||
|
// Return the number of bytes written.
|
||||||
|
SUBQ SI, DI
|
||||||
|
MOVQ DI, ret+40(FP)
|
||||||
|
RET
|
||||||
|
|
||||||
|
// ----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
// func extendMatch(src []byte, i, j int) int
|
||||||
|
//
|
||||||
|
// All local variables fit into registers. The register allocation:
|
||||||
|
// - DX &src[0]
|
||||||
|
// - SI &src[j]
|
||||||
|
// - R13 &src[len(src) - 8]
|
||||||
|
// - R14 &src[len(src)]
|
||||||
|
// - R15 &src[i]
|
||||||
|
//
|
||||||
|
// The unusual register allocation of local variables, such as R15 for a source
|
||||||
|
// pointer, matches the allocation used at the call site in encodeBlock, which
|
||||||
|
// makes it easier to manually inline this function.
|
||||||
|
TEXT ·extendMatch(SB), NOSPLIT, $0-48
|
||||||
|
MOVQ src_base+0(FP), DX
|
||||||
|
MOVQ src_len+8(FP), R14
|
||||||
|
MOVQ i+24(FP), R15
|
||||||
|
MOVQ j+32(FP), SI
|
||||||
|
ADDQ DX, R14
|
||||||
|
ADDQ DX, R15
|
||||||
|
ADDQ DX, SI
|
||||||
|
MOVQ R14, R13
|
||||||
|
SUBQ $8, R13
|
||||||
|
|
||||||
|
cmp8:
|
||||||
|
// As long as we are 8 or more bytes before the end of src, we can load and
|
||||||
|
// compare 8 bytes at a time. If those 8 bytes are equal, repeat.
|
||||||
|
CMPQ SI, R13
|
||||||
|
JA cmp1
|
||||||
|
MOVQ (R15), AX
|
||||||
|
MOVQ (SI), BX
|
||||||
|
CMPQ AX, BX
|
||||||
|
JNE bsf
|
||||||
|
ADDQ $8, R15
|
||||||
|
ADDQ $8, SI
|
||||||
|
JMP cmp8
|
||||||
|
|
||||||
|
bsf:
|
||||||
|
// If those 8 bytes were not equal, XOR the two 8 byte values, and return
|
||||||
|
// the index of the first byte that differs. The BSF instruction finds the
|
||||||
|
// least significant 1 bit, the amd64 architecture is little-endian, and
|
||||||
|
// the shift by 3 converts a bit index to a byte index.
|
||||||
|
XORQ AX, BX
|
||||||
|
BSFQ BX, BX
|
||||||
|
SHRQ $3, BX
|
||||||
|
ADDQ BX, SI
|
||||||
|
|
||||||
|
// Convert from &src[ret] to ret.
|
||||||
|
SUBQ DX, SI
|
||||||
|
MOVQ SI, ret+40(FP)
|
||||||
|
RET
|
||||||
|
|
||||||
|
cmp1:
|
||||||
|
// In src's tail, compare 1 byte at a time.
|
||||||
|
CMPQ SI, R14
|
||||||
|
JAE extendMatchEnd
|
||||||
|
MOVB (R15), AX
|
||||||
|
MOVB (SI), BX
|
||||||
|
CMPB AX, BX
|
||||||
|
JNE extendMatchEnd
|
||||||
|
ADDQ $1, R15
|
||||||
|
ADDQ $1, SI
|
||||||
|
JMP cmp1
|
||||||
|
|
||||||
|
extendMatchEnd:
|
||||||
|
// Convert from &src[ret] to ret.
|
||||||
|
SUBQ DX, SI
|
||||||
|
MOVQ SI, ret+40(FP)
|
||||||
|
RET
|
||||||
|
|
||||||
|
// ----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
// func encodeBlock(dst, src []byte) (d int)
|
||||||
|
//
|
||||||
|
// All local variables fit into registers, other than "var table". The register
|
||||||
|
// allocation:
|
||||||
|
// - AX . .
|
||||||
|
// - BX . .
|
||||||
|
// - CX 56 shift (note that amd64 shifts by non-immediates must use CX).
|
||||||
|
// - DX 64 &src[0], tableSize
|
||||||
|
// - SI 72 &src[s]
|
||||||
|
// - DI 80 &dst[d]
|
||||||
|
// - R9 88 sLimit
|
||||||
|
// - R10 . &src[nextEmit]
|
||||||
|
// - R11 96 prevHash, currHash, nextHash, offset
|
||||||
|
// - R12 104 &src[base], skip
|
||||||
|
// - R13 . &src[nextS], &src[len(src) - 8]
|
||||||
|
// - R14 . len(src), bytesBetweenHashLookups, &src[len(src)], x
|
||||||
|
// - R15 112 candidate
|
||||||
|
//
|
||||||
|
// The second column (56, 64, etc) is the stack offset to spill the registers
|
||||||
|
// when calling other functions. We could pack this slightly tighter, but it's
|
||||||
|
// simpler to have a dedicated spill map independent of the function called.
|
||||||
|
//
|
||||||
|
// "var table [maxTableSize]uint16" takes up 32768 bytes of stack space. An
|
||||||
|
// extra 56 bytes, to call other functions, and an extra 64 bytes, to spill
|
||||||
|
// local variables (registers) during calls gives 32768 + 56 + 64 = 32888.
|
||||||
|
TEXT ·encodeBlock(SB), 0, $32888-56
|
||||||
|
MOVQ dst_base+0(FP), DI
|
||||||
|
MOVQ src_base+24(FP), SI
|
||||||
|
MOVQ src_len+32(FP), R14
|
||||||
|
|
||||||
|
// shift, tableSize := uint32(32-8), 1<<8
|
||||||
|
MOVQ $24, CX
|
||||||
|
MOVQ $256, DX
|
||||||
|
|
||||||
|
calcShift:
|
||||||
|
// for ; tableSize < maxTableSize && tableSize < len(src); tableSize *= 2 {
|
||||||
|
// shift--
|
||||||
|
// }
|
||||||
|
CMPQ DX, $16384
|
||||||
|
JGE varTable
|
||||||
|
CMPQ DX, R14
|
||||||
|
JGE varTable
|
||||||
|
SUBQ $1, CX
|
||||||
|
SHLQ $1, DX
|
||||||
|
JMP calcShift
|
||||||
|
|
||||||
|
varTable:
|
||||||
|
// var table [maxTableSize]uint16
|
||||||
|
//
|
||||||
|
// In the asm code, unlike the Go code, we can zero-initialize only the
|
||||||
|
// first tableSize elements. Each uint16 element is 2 bytes and each MOVOU
|
||||||
|
// writes 16 bytes, so we can do only tableSize/8 writes instead of the
|
||||||
|
// 2048 writes that would zero-initialize all of table's 32768 bytes.
|
||||||
|
SHRQ $3, DX
|
||||||
|
LEAQ table-32768(SP), BX
|
||||||
|
PXOR X0, X0
|
||||||
|
|
||||||
|
memclr:
|
||||||
|
MOVOU X0, 0(BX)
|
||||||
|
ADDQ $16, BX
|
||||||
|
SUBQ $1, DX
|
||||||
|
JNZ memclr
|
||||||
|
|
||||||
|
// !!! DX = &src[0]
|
||||||
|
MOVQ SI, DX
|
||||||
|
|
||||||
|
// sLimit := len(src) - inputMargin
|
||||||
|
MOVQ R14, R9
|
||||||
|
SUBQ $15, R9
|
||||||
|
|
||||||
|
// !!! Pre-emptively spill CX, DX and R9 to the stack. Their values don't
|
||||||
|
// change for the rest of the function.
|
||||||
|
MOVQ CX, 56(SP)
|
||||||
|
MOVQ DX, 64(SP)
|
||||||
|
MOVQ R9, 88(SP)
|
||||||
|
|
||||||
|
// nextEmit := 0
|
||||||
|
MOVQ DX, R10
|
||||||
|
|
||||||
|
// s := 1
|
||||||
|
ADDQ $1, SI
|
||||||
|
|
||||||
|
// nextHash := hash(load32(src, s), shift)
|
||||||
|
MOVL 0(SI), R11
|
||||||
|
IMULL $0x1e35a7bd, R11
|
||||||
|
SHRL CX, R11
|
||||||
|
|
||||||
|
outer:
|
||||||
|
// for { etc }
|
||||||
|
|
||||||
|
// skip := 32
|
||||||
|
MOVQ $32, R12
|
||||||
|
|
||||||
|
// nextS := s
|
||||||
|
MOVQ SI, R13
|
||||||
|
|
||||||
|
// candidate := 0
|
||||||
|
MOVQ $0, R15
|
||||||
|
|
||||||
|
inner0:
|
||||||
|
// for { etc }
|
||||||
|
|
||||||
|
// s := nextS
|
||||||
|
MOVQ R13, SI
|
||||||
|
|
||||||
|
// bytesBetweenHashLookups := skip >> 5
|
||||||
|
MOVQ R12, R14
|
||||||
|
SHRQ $5, R14
|
||||||
|
|
||||||
|
// nextS = s + bytesBetweenHashLookups
|
||||||
|
ADDQ R14, R13
|
||||||
|
|
||||||
|
// skip += bytesBetweenHashLookups
|
||||||
|
ADDQ R14, R12
|
||||||
|
|
||||||
|
// if nextS > sLimit { goto emitRemainder }
|
||||||
|
MOVQ R13, AX
|
||||||
|
SUBQ DX, AX
|
||||||
|
CMPQ AX, R9
|
||||||
|
JA emitRemainder
|
||||||
|
|
||||||
|
// candidate = int(table[nextHash])
|
||||||
|
// XXX: MOVWQZX table-32768(SP)(R11*2), R15
|
||||||
|
// XXX: 4e 0f b7 7c 5c 78 movzwq 0x78(%rsp,%r11,2),%r15
|
||||||
|
BYTE $0x4e
|
||||||
|
BYTE $0x0f
|
||||||
|
BYTE $0xb7
|
||||||
|
BYTE $0x7c
|
||||||
|
BYTE $0x5c
|
||||||
|
BYTE $0x78
|
||||||
|
|
||||||
|
// table[nextHash] = uint16(s)
|
||||||
|
MOVQ SI, AX
|
||||||
|
SUBQ DX, AX
|
||||||
|
|
||||||
|
// XXX: MOVW AX, table-32768(SP)(R11*2)
|
||||||
|
// XXX: 66 42 89 44 5c 78 mov %ax,0x78(%rsp,%r11,2)
|
||||||
|
BYTE $0x66
|
||||||
|
BYTE $0x42
|
||||||
|
BYTE $0x89
|
||||||
|
BYTE $0x44
|
||||||
|
BYTE $0x5c
|
||||||
|
BYTE $0x78
|
||||||
|
|
||||||
|
// nextHash = hash(load32(src, nextS), shift)
|
||||||
|
MOVL 0(R13), R11
|
||||||
|
IMULL $0x1e35a7bd, R11
|
||||||
|
SHRL CX, R11
|
||||||
|
|
||||||
|
// if load32(src, s) != load32(src, candidate) { continue } break
|
||||||
|
MOVL 0(SI), AX
|
||||||
|
MOVL (DX)(R15*1), BX
|
||||||
|
CMPL AX, BX
|
||||||
|
JNE inner0
|
||||||
|
|
||||||
|
fourByteMatch:
|
||||||
|
// As per the encode_other.go code:
|
||||||
|
//
|
||||||
|
// A 4-byte match has been found. We'll later see etc.
|
||||||
|
|
||||||
|
// !!! Jump to a fast path for short (<= 16 byte) literals. See the comment
|
||||||
|
// on inputMargin in encode.go.
|
||||||
|
MOVQ SI, AX
|
||||||
|
SUBQ R10, AX
|
||||||
|
CMPQ AX, $16
|
||||||
|
JLE emitLiteralFastPath
|
||||||
|
|
||||||
|
// ----------------------------------------
|
||||||
|
// Begin inline of the emitLiteral call.
|
||||||
|
//
|
||||||
|
// d += emitLiteral(dst[d:], src[nextEmit:s])
|
||||||
|
|
||||||
|
MOVL AX, BX
|
||||||
|
SUBL $1, BX
|
||||||
|
|
||||||
|
CMPL BX, $60
|
||||||
|
JLT inlineEmitLiteralOneByte
|
||||||
|
CMPL BX, $256
|
||||||
|
JLT inlineEmitLiteralTwoBytes
|
||||||
|
|
||||||
|
inlineEmitLiteralThreeBytes:
|
||||||
|
MOVB $0xf4, 0(DI)
|
||||||
|
MOVW BX, 1(DI)
|
||||||
|
ADDQ $3, DI
|
||||||
|
JMP inlineEmitLiteralMemmove
|
||||||
|
|
||||||
|
inlineEmitLiteralTwoBytes:
|
||||||
|
MOVB $0xf0, 0(DI)
|
||||||
|
MOVB BX, 1(DI)
|
||||||
|
ADDQ $2, DI
|
||||||
|
JMP inlineEmitLiteralMemmove
|
||||||
|
|
||||||
|
inlineEmitLiteralOneByte:
|
||||||
|
SHLB $2, BX
|
||||||
|
MOVB BX, 0(DI)
|
||||||
|
ADDQ $1, DI
|
||||||
|
|
||||||
|
inlineEmitLiteralMemmove:
|
||||||
|
// Spill local variables (registers) onto the stack; call; unspill.
|
||||||
|
//
|
||||||
|
// copy(dst[i:], lit)
|
||||||
|
//
|
||||||
|
// This means calling runtime·memmove(&dst[i], &lit[0], len(lit)), so we push
|
||||||
|
// DI, R10 and AX as arguments.
|
||||||
|
MOVQ DI, 0(SP)
|
||||||
|
MOVQ R10, 8(SP)
|
||||||
|
MOVQ AX, 16(SP)
|
||||||
|
ADDQ AX, DI // Finish the "d +=" part of "d += emitLiteral(etc)".
|
||||||
|
MOVQ SI, 72(SP)
|
||||||
|
MOVQ DI, 80(SP)
|
||||||
|
MOVQ R15, 112(SP)
|
||||||
|
CALL runtime·memmove(SB)
|
||||||
|
MOVQ 56(SP), CX
|
||||||
|
MOVQ 64(SP), DX
|
||||||
|
MOVQ 72(SP), SI
|
||||||
|
MOVQ 80(SP), DI
|
||||||
|
MOVQ 88(SP), R9
|
||||||
|
MOVQ 112(SP), R15
|
||||||
|
JMP inner1
|
||||||
|
|
||||||
|
inlineEmitLiteralEnd:
|
||||||
|
// End inline of the emitLiteral call.
|
||||||
|
// ----------------------------------------
|
||||||
|
|
||||||
|
emitLiteralFastPath:
|
||||||
|
// !!! Emit the 1-byte encoding "uint8(len(lit)-1)<<2".
|
||||||
|
MOVB AX, BX
|
||||||
|
SUBB $1, BX
|
||||||
|
SHLB $2, BX
|
||||||
|
MOVB BX, (DI)
|
||||||
|
ADDQ $1, DI
|
||||||
|
|
||||||
|
// !!! Implement the copy from lit to dst as a 16-byte load and store.
|
||||||
|
// (Encode's documentation says that dst and src must not overlap.)
|
||||||
|
//
|
||||||
|
// This always copies 16 bytes, instead of only len(lit) bytes, but that's
|
||||||
|
// OK. Subsequent iterations will fix up the overrun.
|
||||||
|
//
|
||||||
|
// Note that on amd64, it is legal and cheap to issue unaligned 8-byte or
|
||||||
|
// 16-byte loads and stores. This technique probably wouldn't be as
|
||||||
|
// effective on architectures that are fussier about alignment.
|
||||||
|
MOVOU 0(R10), X0
|
||||||
|
MOVOU X0, 0(DI)
|
||||||
|
ADDQ AX, DI
|
||||||
|
|
||||||
|
inner1:
|
||||||
|
// for { etc }
|
||||||
|
|
||||||
|
// base := s
|
||||||
|
MOVQ SI, R12
|
||||||
|
|
||||||
|
// !!! offset := base - candidate
|
||||||
|
MOVQ R12, R11
|
||||||
|
SUBQ R15, R11
|
||||||
|
SUBQ DX, R11
|
||||||
|
|
||||||
|
// ----------------------------------------
|
||||||
|
// Begin inline of the extendMatch call.
|
||||||
|
//
|
||||||
|
// s = extendMatch(src, candidate+4, s+4)
|
||||||
|
|
||||||
|
// !!! R14 = &src[len(src)]
|
||||||
|
MOVQ src_len+32(FP), R14
|
||||||
|
ADDQ DX, R14
|
||||||
|
|
||||||
|
// !!! R13 = &src[len(src) - 8]
|
||||||
|
MOVQ R14, R13
|
||||||
|
SUBQ $8, R13
|
||||||
|
|
||||||
|
// !!! R15 = &src[candidate + 4]
|
||||||
|
ADDQ $4, R15
|
||||||
|
ADDQ DX, R15
|
||||||
|
|
||||||
|
// !!! s += 4
|
||||||
|
ADDQ $4, SI
|
||||||
|
|
||||||
|
inlineExtendMatchCmp8:
|
||||||
|
// As long as we are 8 or more bytes before the end of src, we can load and
|
||||||
|
// compare 8 bytes at a time. If those 8 bytes are equal, repeat.
|
||||||
|
CMPQ SI, R13
|
||||||
|
JA inlineExtendMatchCmp1
|
||||||
|
MOVQ (R15), AX
|
||||||
|
MOVQ (SI), BX
|
||||||
|
CMPQ AX, BX
|
||||||
|
JNE inlineExtendMatchBSF
|
||||||
|
ADDQ $8, R15
|
||||||
|
ADDQ $8, SI
|
||||||
|
JMP inlineExtendMatchCmp8
|
||||||
|
|
||||||
|
inlineExtendMatchBSF:
|
||||||
|
// If those 8 bytes were not equal, XOR the two 8 byte values, and return
|
||||||
|
// the index of the first byte that differs. The BSF instruction finds the
|
||||||
|
// least significant 1 bit, the amd64 architecture is little-endian, and
|
||||||
|
// the shift by 3 converts a bit index to a byte index.
|
||||||
|
XORQ AX, BX
|
||||||
|
BSFQ BX, BX
|
||||||
|
SHRQ $3, BX
|
||||||
|
ADDQ BX, SI
|
||||||
|
JMP inlineExtendMatchEnd
|
||||||
|
|
||||||
|
inlineExtendMatchCmp1:
|
||||||
|
// In src's tail, compare 1 byte at a time.
|
||||||
|
CMPQ SI, R14
|
||||||
|
JAE inlineExtendMatchEnd
|
||||||
|
MOVB (R15), AX
|
||||||
|
MOVB (SI), BX
|
||||||
|
CMPB AX, BX
|
||||||
|
JNE inlineExtendMatchEnd
|
||||||
|
ADDQ $1, R15
|
||||||
|
ADDQ $1, SI
|
||||||
|
JMP inlineExtendMatchCmp1
|
||||||
|
|
||||||
|
inlineExtendMatchEnd:
|
||||||
|
// End inline of the extendMatch call.
|
||||||
|
// ----------------------------------------
|
||||||
|
|
||||||
|
// ----------------------------------------
|
||||||
|
// Begin inline of the emitCopy call.
|
||||||
|
//
|
||||||
|
// d += emitCopy(dst[d:], base-candidate, s-base)
|
||||||
|
|
||||||
|
// !!! length := s - base
|
||||||
|
MOVQ SI, AX
|
||||||
|
SUBQ R12, AX
|
||||||
|
|
||||||
|
inlineEmitCopyLoop0:
|
||||||
|
// for length >= 68 { etc }
|
||||||
|
CMPL AX, $68
|
||||||
|
JLT inlineEmitCopyStep1
|
||||||
|
|
||||||
|
// Emit a length 64 copy, encoded as 3 bytes.
|
||||||
|
MOVB $0xfe, 0(DI)
|
||||||
|
MOVW R11, 1(DI)
|
||||||
|
ADDQ $3, DI
|
||||||
|
SUBL $64, AX
|
||||||
|
JMP inlineEmitCopyLoop0
|
||||||
|
|
||||||
|
inlineEmitCopyStep1:
|
||||||
|
// if length > 64 { etc }
|
||||||
|
CMPL AX, $64
|
||||||
|
JLE inlineEmitCopyStep2
|
||||||
|
|
||||||
|
// Emit a length 60 copy, encoded as 3 bytes.
|
||||||
|
MOVB $0xee, 0(DI)
|
||||||
|
MOVW R11, 1(DI)
|
||||||
|
ADDQ $3, DI
|
||||||
|
SUBL $60, AX
|
||||||
|
|
||||||
|
inlineEmitCopyStep2:
|
||||||
|
// if length >= 12 || offset >= 2048 { goto inlineEmitCopyStep3 }
|
||||||
|
CMPL AX, $12
|
||||||
|
JGE inlineEmitCopyStep3
|
||||||
|
CMPL R11, $2048
|
||||||
|
JGE inlineEmitCopyStep3
|
||||||
|
|
||||||
|
// Emit the remaining copy, encoded as 2 bytes.
|
||||||
|
MOVB R11, 1(DI)
|
||||||
|
SHRL $8, R11
|
||||||
|
SHLB $5, R11
|
||||||
|
SUBB $4, AX
|
||||||
|
SHLB $2, AX
|
||||||
|
ORB AX, R11
|
||||||
|
ORB $1, R11
|
||||||
|
MOVB R11, 0(DI)
|
||||||
|
ADDQ $2, DI
|
||||||
|
JMP inlineEmitCopyEnd
|
||||||
|
|
||||||
|
inlineEmitCopyStep3:
|
||||||
|
// Emit the remaining copy, encoded as 3 bytes.
|
||||||
|
SUBL $1, AX
|
||||||
|
SHLB $2, AX
|
||||||
|
ORB $2, AX
|
||||||
|
MOVB AX, 0(DI)
|
||||||
|
MOVW R11, 1(DI)
|
||||||
|
ADDQ $3, DI
|
||||||
|
|
||||||
|
inlineEmitCopyEnd:
|
||||||
|
// End inline of the emitCopy call.
|
||||||
|
// ----------------------------------------
|
||||||
|
|
||||||
|
// nextEmit = s
|
||||||
|
MOVQ SI, R10
|
||||||
|
|
||||||
|
// if s >= sLimit { goto emitRemainder }
|
||||||
|
MOVQ SI, AX
|
||||||
|
SUBQ DX, AX
|
||||||
|
CMPQ AX, R9
|
||||||
|
JAE emitRemainder
|
||||||
|
|
||||||
|
// As per the encode_other.go code:
|
||||||
|
//
|
||||||
|
// We could immediately etc.
|
||||||
|
|
||||||
|
// x := load64(src, s-1)
|
||||||
|
MOVQ -1(SI), R14
|
||||||
|
|
||||||
|
// prevHash := hash(uint32(x>>0), shift)
|
||||||
|
MOVL R14, R11
|
||||||
|
IMULL $0x1e35a7bd, R11
|
||||||
|
SHRL CX, R11
|
||||||
|
|
||||||
|
// table[prevHash] = uint16(s-1)
|
||||||
|
MOVQ SI, AX
|
||||||
|
SUBQ DX, AX
|
||||||
|
SUBQ $1, AX
|
||||||
|
|
||||||
|
// XXX: MOVW AX, table-32768(SP)(R11*2)
|
||||||
|
// XXX: 66 42 89 44 5c 78 mov %ax,0x78(%rsp,%r11,2)
|
||||||
|
BYTE $0x66
|
||||||
|
BYTE $0x42
|
||||||
|
BYTE $0x89
|
||||||
|
BYTE $0x44
|
||||||
|
BYTE $0x5c
|
||||||
|
BYTE $0x78
|
||||||
|
|
||||||
|
// currHash := hash(uint32(x>>8), shift)
|
||||||
|
SHRQ $8, R14
|
||||||
|
MOVL R14, R11
|
||||||
|
IMULL $0x1e35a7bd, R11
|
||||||
|
SHRL CX, R11
|
||||||
|
|
||||||
|
// candidate = int(table[currHash])
|
||||||
|
// XXX: MOVWQZX table-32768(SP)(R11*2), R15
|
||||||
|
// XXX: 4e 0f b7 7c 5c 78 movzwq 0x78(%rsp,%r11,2),%r15
|
||||||
|
BYTE $0x4e
|
||||||
|
BYTE $0x0f
|
||||||
|
BYTE $0xb7
|
||||||
|
BYTE $0x7c
|
||||||
|
BYTE $0x5c
|
||||||
|
BYTE $0x78
|
||||||
|
|
||||||
|
// table[currHash] = uint16(s)
|
||||||
|
ADDQ $1, AX
|
||||||
|
|
||||||
|
// XXX: MOVW AX, table-32768(SP)(R11*2)
|
||||||
|
// XXX: 66 42 89 44 5c 78 mov %ax,0x78(%rsp,%r11,2)
|
||||||
|
BYTE $0x66
|
||||||
|
BYTE $0x42
|
||||||
|
BYTE $0x89
|
||||||
|
BYTE $0x44
|
||||||
|
BYTE $0x5c
|
||||||
|
BYTE $0x78
|
||||||
|
|
||||||
|
// if uint32(x>>8) == load32(src, candidate) { continue }
|
||||||
|
MOVL (DX)(R15*1), BX
|
||||||
|
CMPL R14, BX
|
||||||
|
JEQ inner1
|
||||||
|
|
||||||
|
// nextHash = hash(uint32(x>>16), shift)
|
||||||
|
SHRQ $8, R14
|
||||||
|
MOVL R14, R11
|
||||||
|
IMULL $0x1e35a7bd, R11
|
||||||
|
SHRL CX, R11
|
||||||
|
|
||||||
|
// s++
|
||||||
|
ADDQ $1, SI
|
||||||
|
|
||||||
|
// break out of the inner1 for loop, i.e. continue the outer loop.
|
||||||
|
JMP outer
|
||||||
|
|
||||||
|
emitRemainder:
|
||||||
|
// if nextEmit < len(src) { etc }
|
||||||
|
MOVQ src_len+32(FP), AX
|
||||||
|
ADDQ DX, AX
|
||||||
|
CMPQ R10, AX
|
||||||
|
JEQ encodeBlockEnd
|
||||||
|
|
||||||
|
// d += emitLiteral(dst[d:], src[nextEmit:])
|
||||||
|
//
|
||||||
|
// Push args.
|
||||||
|
MOVQ DI, 0(SP)
|
||||||
|
MOVQ $0, 8(SP) // Unnecessary, as the callee ignores it, but conservative.
|
||||||
|
MOVQ $0, 16(SP) // Unnecessary, as the callee ignores it, but conservative.
|
||||||
|
MOVQ R10, 24(SP)
|
||||||
|
SUBQ R10, AX
|
||||||
|
MOVQ AX, 32(SP)
|
||||||
|
MOVQ AX, 40(SP) // Unnecessary, as the callee ignores it, but conservative.
|
||||||
|
|
||||||
|
// Spill local variables (registers) onto the stack; call; unspill.
|
||||||
|
MOVQ DI, 80(SP)
|
||||||
|
CALL ·emitLiteral(SB)
|
||||||
|
MOVQ 80(SP), DI
|
||||||
|
|
||||||
|
// Finish the "d +=" part of "d += emitLiteral(etc)".
|
||||||
|
ADDQ 48(SP), DI
|
||||||
|
|
||||||
|
encodeBlockEnd:
|
||||||
|
MOVQ dst_base+0(FP), AX
|
||||||
|
SUBQ AX, DI
|
||||||
|
MOVQ DI, d+48(FP)
|
||||||
|
RET
|
238
vendor/github.com/golang/snappy/encode_other.go
generated
vendored
Normal file
238
vendor/github.com/golang/snappy/encode_other.go
generated
vendored
Normal file
@ -0,0 +1,238 @@
|
|||||||
|
// Copyright 2016 The Snappy-Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// +build !amd64 appengine !gc noasm
|
||||||
|
|
||||||
|
package snappy
|
||||||
|
|
||||||
|
func load32(b []byte, i int) uint32 {
|
||||||
|
b = b[i : i+4 : len(b)] // Help the compiler eliminate bounds checks on the next line.
|
||||||
|
return uint32(b[0]) | uint32(b[1])<<8 | uint32(b[2])<<16 | uint32(b[3])<<24
|
||||||
|
}
|
||||||
|
|
||||||
|
func load64(b []byte, i int) uint64 {
|
||||||
|
b = b[i : i+8 : len(b)] // Help the compiler eliminate bounds checks on the next line.
|
||||||
|
return uint64(b[0]) | uint64(b[1])<<8 | uint64(b[2])<<16 | uint64(b[3])<<24 |
|
||||||
|
uint64(b[4])<<32 | uint64(b[5])<<40 | uint64(b[6])<<48 | uint64(b[7])<<56
|
||||||
|
}
|
||||||
|
|
||||||
|
// emitLiteral writes a literal chunk and returns the number of bytes written.
|
||||||
|
//
|
||||||
|
// It assumes that:
|
||||||
|
// dst is long enough to hold the encoded bytes
|
||||||
|
// 1 <= len(lit) && len(lit) <= 65536
|
||||||
|
func emitLiteral(dst, lit []byte) int {
|
||||||
|
i, n := 0, uint(len(lit)-1)
|
||||||
|
switch {
|
||||||
|
case n < 60:
|
||||||
|
dst[0] = uint8(n)<<2 | tagLiteral
|
||||||
|
i = 1
|
||||||
|
case n < 1<<8:
|
||||||
|
dst[0] = 60<<2 | tagLiteral
|
||||||
|
dst[1] = uint8(n)
|
||||||
|
i = 2
|
||||||
|
default:
|
||||||
|
dst[0] = 61<<2 | tagLiteral
|
||||||
|
dst[1] = uint8(n)
|
||||||
|
dst[2] = uint8(n >> 8)
|
||||||
|
i = 3
|
||||||
|
}
|
||||||
|
return i + copy(dst[i:], lit)
|
||||||
|
}
|
||||||
|
|
||||||
|
// emitCopy writes a copy chunk and returns the number of bytes written.
|
||||||
|
//
|
||||||
|
// It assumes that:
|
||||||
|
// dst is long enough to hold the encoded bytes
|
||||||
|
// 1 <= offset && offset <= 65535
|
||||||
|
// 4 <= length && length <= 65535
|
||||||
|
func emitCopy(dst []byte, offset, length int) int {
|
||||||
|
i := 0
|
||||||
|
// The maximum length for a single tagCopy1 or tagCopy2 op is 64 bytes. The
|
||||||
|
// threshold for this loop is a little higher (at 68 = 64 + 4), and the
|
||||||
|
// length emitted down below is is a little lower (at 60 = 64 - 4), because
|
||||||
|
// it's shorter to encode a length 67 copy as a length 60 tagCopy2 followed
|
||||||
|
// by a length 7 tagCopy1 (which encodes as 3+2 bytes) than to encode it as
|
||||||
|
// a length 64 tagCopy2 followed by a length 3 tagCopy2 (which encodes as
|
||||||
|
// 3+3 bytes). The magic 4 in the 64±4 is because the minimum length for a
|
||||||
|
// tagCopy1 op is 4 bytes, which is why a length 3 copy has to be an
|
||||||
|
// encodes-as-3-bytes tagCopy2 instead of an encodes-as-2-bytes tagCopy1.
|
||||||
|
for length >= 68 {
|
||||||
|
// Emit a length 64 copy, encoded as 3 bytes.
|
||||||
|
dst[i+0] = 63<<2 | tagCopy2
|
||||||
|
dst[i+1] = uint8(offset)
|
||||||
|
dst[i+2] = uint8(offset >> 8)
|
||||||
|
i += 3
|
||||||
|
length -= 64
|
||||||
|
}
|
||||||
|
if length > 64 {
|
||||||
|
// Emit a length 60 copy, encoded as 3 bytes.
|
||||||
|
dst[i+0] = 59<<2 | tagCopy2
|
||||||
|
dst[i+1] = uint8(offset)
|
||||||
|
dst[i+2] = uint8(offset >> 8)
|
||||||
|
i += 3
|
||||||
|
length -= 60
|
||||||
|
}
|
||||||
|
if length >= 12 || offset >= 2048 {
|
||||||
|
// Emit the remaining copy, encoded as 3 bytes.
|
||||||
|
dst[i+0] = uint8(length-1)<<2 | tagCopy2
|
||||||
|
dst[i+1] = uint8(offset)
|
||||||
|
dst[i+2] = uint8(offset >> 8)
|
||||||
|
return i + 3
|
||||||
|
}
|
||||||
|
// Emit the remaining copy, encoded as 2 bytes.
|
||||||
|
dst[i+0] = uint8(offset>>8)<<5 | uint8(length-4)<<2 | tagCopy1
|
||||||
|
dst[i+1] = uint8(offset)
|
||||||
|
return i + 2
|
||||||
|
}
|
||||||
|
|
||||||
|
// extendMatch returns the largest k such that k <= len(src) and that
|
||||||
|
// src[i:i+k-j] and src[j:k] have the same contents.
|
||||||
|
//
|
||||||
|
// It assumes that:
|
||||||
|
// 0 <= i && i < j && j <= len(src)
|
||||||
|
func extendMatch(src []byte, i, j int) int {
|
||||||
|
for ; j < len(src) && src[i] == src[j]; i, j = i+1, j+1 {
|
||||||
|
}
|
||||||
|
return j
|
||||||
|
}
|
||||||
|
|
||||||
|
func hash(u, shift uint32) uint32 {
|
||||||
|
return (u * 0x1e35a7bd) >> shift
|
||||||
|
}
|
||||||
|
|
||||||
|
// encodeBlock encodes a non-empty src to a guaranteed-large-enough dst. It
|
||||||
|
// assumes that the varint-encoded length of the decompressed bytes has already
|
||||||
|
// been written.
|
||||||
|
//
|
||||||
|
// It also assumes that:
|
||||||
|
// len(dst) >= MaxEncodedLen(len(src)) &&
|
||||||
|
// minNonLiteralBlockSize <= len(src) && len(src) <= maxBlockSize
|
||||||
|
func encodeBlock(dst, src []byte) (d int) {
|
||||||
|
// Initialize the hash table. Its size ranges from 1<<8 to 1<<14 inclusive.
|
||||||
|
// The table element type is uint16, as s < sLimit and sLimit < len(src)
|
||||||
|
// and len(src) <= maxBlockSize and maxBlockSize == 65536.
|
||||||
|
const (
|
||||||
|
maxTableSize = 1 << 14
|
||||||
|
// tableMask is redundant, but helps the compiler eliminate bounds
|
||||||
|
// checks.
|
||||||
|
tableMask = maxTableSize - 1
|
||||||
|
)
|
||||||
|
shift := uint32(32 - 8)
|
||||||
|
for tableSize := 1 << 8; tableSize < maxTableSize && tableSize < len(src); tableSize *= 2 {
|
||||||
|
shift--
|
||||||
|
}
|
||||||
|
// In Go, all array elements are zero-initialized, so there is no advantage
|
||||||
|
// to a smaller tableSize per se. However, it matches the C++ algorithm,
|
||||||
|
// and in the asm versions of this code, we can get away with zeroing only
|
||||||
|
// the first tableSize elements.
|
||||||
|
var table [maxTableSize]uint16
|
||||||
|
|
||||||
|
// sLimit is when to stop looking for offset/length copies. The inputMargin
|
||||||
|
// lets us use a fast path for emitLiteral in the main loop, while we are
|
||||||
|
// looking for copies.
|
||||||
|
sLimit := len(src) - inputMargin
|
||||||
|
|
||||||
|
// nextEmit is where in src the next emitLiteral should start from.
|
||||||
|
nextEmit := 0
|
||||||
|
|
||||||
|
// The encoded form must start with a literal, as there are no previous
|
||||||
|
// bytes to copy, so we start looking for hash matches at s == 1.
|
||||||
|
s := 1
|
||||||
|
nextHash := hash(load32(src, s), shift)
|
||||||
|
|
||||||
|
for {
|
||||||
|
// Copied from the C++ snappy implementation:
|
||||||
|
//
|
||||||
|
// Heuristic match skipping: If 32 bytes are scanned with no matches
|
||||||
|
// found, start looking only at every other byte. If 32 more bytes are
|
||||||
|
// scanned (or skipped), look at every third byte, etc.. When a match
|
||||||
|
// is found, immediately go back to looking at every byte. This is a
|
||||||
|
// small loss (~5% performance, ~0.1% density) for compressible data
|
||||||
|
// due to more bookkeeping, but for non-compressible data (such as
|
||||||
|
// JPEG) it's a huge win since the compressor quickly "realizes" the
|
||||||
|
// data is incompressible and doesn't bother looking for matches
|
||||||
|
// everywhere.
|
||||||
|
//
|
||||||
|
// The "skip" variable keeps track of how many bytes there are since
|
||||||
|
// the last match; dividing it by 32 (ie. right-shifting by five) gives
|
||||||
|
// the number of bytes to move ahead for each iteration.
|
||||||
|
skip := 32
|
||||||
|
|
||||||
|
nextS := s
|
||||||
|
candidate := 0
|
||||||
|
for {
|
||||||
|
s = nextS
|
||||||
|
bytesBetweenHashLookups := skip >> 5
|
||||||
|
nextS = s + bytesBetweenHashLookups
|
||||||
|
skip += bytesBetweenHashLookups
|
||||||
|
if nextS > sLimit {
|
||||||
|
goto emitRemainder
|
||||||
|
}
|
||||||
|
candidate = int(table[nextHash&tableMask])
|
||||||
|
table[nextHash&tableMask] = uint16(s)
|
||||||
|
nextHash = hash(load32(src, nextS), shift)
|
||||||
|
if load32(src, s) == load32(src, candidate) {
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// A 4-byte match has been found. We'll later see if more than 4 bytes
|
||||||
|
// match. But, prior to the match, src[nextEmit:s] are unmatched. Emit
|
||||||
|
// them as literal bytes.
|
||||||
|
d += emitLiteral(dst[d:], src[nextEmit:s])
|
||||||
|
|
||||||
|
// Call emitCopy, and then see if another emitCopy could be our next
|
||||||
|
// move. Repeat until we find no match for the input immediately after
|
||||||
|
// what was consumed by the last emitCopy call.
|
||||||
|
//
|
||||||
|
// If we exit this loop normally then we need to call emitLiteral next,
|
||||||
|
// though we don't yet know how big the literal will be. We handle that
|
||||||
|
// by proceeding to the next iteration of the main loop. We also can
|
||||||
|
// exit this loop via goto if we get close to exhausting the input.
|
||||||
|
for {
|
||||||
|
// Invariant: we have a 4-byte match at s, and no need to emit any
|
||||||
|
// literal bytes prior to s.
|
||||||
|
base := s
|
||||||
|
|
||||||
|
// Extend the 4-byte match as long as possible.
|
||||||
|
//
|
||||||
|
// This is an inlined version of:
|
||||||
|
// s = extendMatch(src, candidate+4, s+4)
|
||||||
|
s += 4
|
||||||
|
for i := candidate + 4; s < len(src) && src[i] == src[s]; i, s = i+1, s+1 {
|
||||||
|
}
|
||||||
|
|
||||||
|
d += emitCopy(dst[d:], base-candidate, s-base)
|
||||||
|
nextEmit = s
|
||||||
|
if s >= sLimit {
|
||||||
|
goto emitRemainder
|
||||||
|
}
|
||||||
|
|
||||||
|
// We could immediately start working at s now, but to improve
|
||||||
|
// compression we first update the hash table at s-1 and at s. If
|
||||||
|
// another emitCopy is not our next move, also calculate nextHash
|
||||||
|
// at s+1. At least on GOARCH=amd64, these three hash calculations
|
||||||
|
// are faster as one load64 call (with some shifts) instead of
|
||||||
|
// three load32 calls.
|
||||||
|
x := load64(src, s-1)
|
||||||
|
prevHash := hash(uint32(x>>0), shift)
|
||||||
|
table[prevHash&tableMask] = uint16(s - 1)
|
||||||
|
currHash := hash(uint32(x>>8), shift)
|
||||||
|
candidate = int(table[currHash&tableMask])
|
||||||
|
table[currHash&tableMask] = uint16(s)
|
||||||
|
if uint32(x>>8) != load32(src, candidate) {
|
||||||
|
nextHash = hash(uint32(x>>16), shift)
|
||||||
|
s++
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
emitRemainder:
|
||||||
|
if nextEmit < len(src) {
|
||||||
|
d += emitLiteral(dst[d:], src[nextEmit:])
|
||||||
|
}
|
||||||
|
return d
|
||||||
|
}
|
87
vendor/github.com/golang/snappy/snappy.go
generated
vendored
Normal file
87
vendor/github.com/golang/snappy/snappy.go
generated
vendored
Normal file
@ -0,0 +1,87 @@
|
|||||||
|
// Copyright 2011 The Snappy-Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// Package snappy implements the snappy block-based compression format.
|
||||||
|
// It aims for very high speeds and reasonable compression.
|
||||||
|
//
|
||||||
|
// The C++ snappy implementation is at https://github.com/google/snappy
|
||||||
|
package snappy // import "github.com/golang/snappy"
|
||||||
|
|
||||||
|
import (
|
||||||
|
"hash/crc32"
|
||||||
|
)
|
||||||
|
|
||||||
|
/*
|
||||||
|
Each encoded block begins with the varint-encoded length of the decoded data,
|
||||||
|
followed by a sequence of chunks. Chunks begin and end on byte boundaries. The
|
||||||
|
first byte of each chunk is broken into its 2 least and 6 most significant bits
|
||||||
|
called l and m: l ranges in [0, 4) and m ranges in [0, 64). l is the chunk tag.
|
||||||
|
Zero means a literal tag. All other values mean a copy tag.
|
||||||
|
|
||||||
|
For literal tags:
|
||||||
|
- If m < 60, the next 1 + m bytes are literal bytes.
|
||||||
|
- Otherwise, let n be the little-endian unsigned integer denoted by the next
|
||||||
|
m - 59 bytes. The next 1 + n bytes after that are literal bytes.
|
||||||
|
|
||||||
|
For copy tags, length bytes are copied from offset bytes ago, in the style of
|
||||||
|
Lempel-Ziv compression algorithms. In particular:
|
||||||
|
- For l == 1, the offset ranges in [0, 1<<11) and the length in [4, 12).
|
||||||
|
The length is 4 + the low 3 bits of m. The high 3 bits of m form bits 8-10
|
||||||
|
of the offset. The next byte is bits 0-7 of the offset.
|
||||||
|
- For l == 2, the offset ranges in [0, 1<<16) and the length in [1, 65).
|
||||||
|
The length is 1 + m. The offset is the little-endian unsigned integer
|
||||||
|
denoted by the next 2 bytes.
|
||||||
|
- For l == 3, this tag is a legacy format that is no longer issued by most
|
||||||
|
encoders. Nonetheless, the offset ranges in [0, 1<<32) and the length in
|
||||||
|
[1, 65). The length is 1 + m. The offset is the little-endian unsigned
|
||||||
|
integer denoted by the next 4 bytes.
|
||||||
|
*/
|
||||||
|
const (
|
||||||
|
tagLiteral = 0x00
|
||||||
|
tagCopy1 = 0x01
|
||||||
|
tagCopy2 = 0x02
|
||||||
|
tagCopy4 = 0x03
|
||||||
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
checksumSize = 4
|
||||||
|
chunkHeaderSize = 4
|
||||||
|
magicChunk = "\xff\x06\x00\x00" + magicBody
|
||||||
|
magicBody = "sNaPpY"
|
||||||
|
|
||||||
|
// maxBlockSize is the maximum size of the input to encodeBlock. It is not
|
||||||
|
// part of the wire format per se, but some parts of the encoder assume
|
||||||
|
// that an offset fits into a uint16.
|
||||||
|
//
|
||||||
|
// Also, for the framing format (Writer type instead of Encode function),
|
||||||
|
// https://github.com/google/snappy/blob/master/framing_format.txt says
|
||||||
|
// that "the uncompressed data in a chunk must be no longer than 65536
|
||||||
|
// bytes".
|
||||||
|
maxBlockSize = 65536
|
||||||
|
|
||||||
|
// maxEncodedLenOfMaxBlockSize equals MaxEncodedLen(maxBlockSize), but is
|
||||||
|
// hard coded to be a const instead of a variable, so that obufLen can also
|
||||||
|
// be a const. Their equivalence is confirmed by
|
||||||
|
// TestMaxEncodedLenOfMaxBlockSize.
|
||||||
|
maxEncodedLenOfMaxBlockSize = 76490
|
||||||
|
|
||||||
|
obufHeaderLen = len(magicChunk) + checksumSize + chunkHeaderSize
|
||||||
|
obufLen = obufHeaderLen + maxEncodedLenOfMaxBlockSize
|
||||||
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
chunkTypeCompressedData = 0x00
|
||||||
|
chunkTypeUncompressedData = 0x01
|
||||||
|
chunkTypePadding = 0xfe
|
||||||
|
chunkTypeStreamIdentifier = 0xff
|
||||||
|
)
|
||||||
|
|
||||||
|
var crcTable = crc32.MakeTable(crc32.Castagnoli)
|
||||||
|
|
||||||
|
// crc implements the checksum specified in section 3 of
|
||||||
|
// https://github.com/google/snappy/blob/master/framing_format.txt
|
||||||
|
func crc(b []byte) uint32 {
|
||||||
|
c := crc32.Update(0, crcTable, b)
|
||||||
|
return uint32(c>>15|c<<17) + 0xa282ead8
|
||||||
|
}
|
40
vendor/github.com/hashicorp/terraform/helper/encryption/encryption.go
generated
vendored
Normal file
40
vendor/github.com/hashicorp/terraform/helper/encryption/encryption.go
generated
vendored
Normal file
@ -0,0 +1,40 @@
|
|||||||
|
package encryption
|
||||||
|
|
||||||
|
import (
|
||||||
|
"encoding/base64"
|
||||||
|
"fmt"
|
||||||
|
"strings"
|
||||||
|
|
||||||
|
"github.com/hashicorp/errwrap"
|
||||||
|
"github.com/hashicorp/vault/helper/pgpkeys"
|
||||||
|
)
|
||||||
|
|
||||||
|
// RetrieveGPGKey returns the PGP key specified as the pgpKey parameter, or queries
|
||||||
|
// the public key from the keybase service if the parameter is a keybase username
|
||||||
|
// prefixed with the phrase "keybase:"
|
||||||
|
func RetrieveGPGKey(pgpKey string) (string, error) {
|
||||||
|
const keybasePrefix = "keybase:"
|
||||||
|
|
||||||
|
encryptionKey := pgpKey
|
||||||
|
if strings.HasPrefix(pgpKey, keybasePrefix) {
|
||||||
|
publicKeys, err := pgpkeys.FetchKeybasePubkeys([]string{pgpKey})
|
||||||
|
if err != nil {
|
||||||
|
return "", errwrap.Wrapf(fmt.Sprintf("Error retrieving Public Key for %s: {{err}}", pgpKey), err)
|
||||||
|
}
|
||||||
|
encryptionKey = publicKeys[pgpKey]
|
||||||
|
}
|
||||||
|
|
||||||
|
return encryptionKey, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// EncryptValue encrypts the given value with the given encryption key. Description
|
||||||
|
// should be set such that errors return a meaningful user-facing response.
|
||||||
|
func EncryptValue(encryptionKey, value, description string) (string, string, error) {
|
||||||
|
fingerprints, encryptedValue, err :=
|
||||||
|
pgpkeys.EncryptShares([][]byte{[]byte(value)}, []string{encryptionKey})
|
||||||
|
if err != nil {
|
||||||
|
return "", "", errwrap.Wrapf(fmt.Sprintf("Error encrypting %s: {{err}}", description), err)
|
||||||
|
}
|
||||||
|
|
||||||
|
return fingerprints[0], base64.StdEncoding.EncodeToString(encryptedValue[0]), nil
|
||||||
|
}
|
363
vendor/github.com/hashicorp/vault/LICENSE
generated
vendored
Normal file
363
vendor/github.com/hashicorp/vault/LICENSE
generated
vendored
Normal file
@ -0,0 +1,363 @@
|
|||||||
|
Mozilla Public License, version 2.0
|
||||||
|
|
||||||
|
1. Definitions
|
||||||
|
|
||||||
|
1.1. "Contributor"
|
||||||
|
|
||||||
|
means each individual or legal entity that creates, contributes to the
|
||||||
|
creation of, or owns Covered Software.
|
||||||
|
|
||||||
|
1.2. "Contributor Version"
|
||||||
|
|
||||||
|
means the combination of the Contributions of others (if any) used by a
|
||||||
|
Contributor and that particular Contributor's Contribution.
|
||||||
|
|
||||||
|
1.3. "Contribution"
|
||||||
|
|
||||||
|
means Covered Software of a particular Contributor.
|
||||||
|
|
||||||
|
1.4. "Covered Software"
|
||||||
|
|
||||||
|
means Source Code Form to which the initial Contributor has attached the
|
||||||
|
notice in Exhibit A, the Executable Form of such Source Code Form, and
|
||||||
|
Modifications of such Source Code Form, in each case including portions
|
||||||
|
thereof.
|
||||||
|
|
||||||
|
1.5. "Incompatible With Secondary Licenses"
|
||||||
|
means
|
||||||
|
|
||||||
|
a. that the initial Contributor has attached the notice described in
|
||||||
|
Exhibit B to the Covered Software; or
|
||||||
|
|
||||||
|
b. that the Covered Software was made available under the terms of
|
||||||
|
version 1.1 or earlier of the License, but not also under the terms of
|
||||||
|
a Secondary License.
|
||||||
|
|
||||||
|
1.6. "Executable Form"
|
||||||
|
|
||||||
|
means any form of the work other than Source Code Form.
|
||||||
|
|
||||||
|
1.7. "Larger Work"
|
||||||
|
|
||||||
|
means a work that combines Covered Software with other material, in a
|
||||||
|
separate file or files, that is not Covered Software.
|
||||||
|
|
||||||
|
1.8. "License"
|
||||||
|
|
||||||
|
means this document.
|
||||||
|
|
||||||
|
1.9. "Licensable"
|
||||||
|
|
||||||
|
means having the right to grant, to the maximum extent possible, whether
|
||||||
|
at the time of the initial grant or subsequently, any and all of the
|
||||||
|
rights conveyed by this License.
|
||||||
|
|
||||||
|
1.10. "Modifications"
|
||||||
|
|
||||||
|
means any of the following:
|
||||||
|
|
||||||
|
a. any file in Source Code Form that results from an addition to,
|
||||||
|
deletion from, or modification of the contents of Covered Software; or
|
||||||
|
|
||||||
|
b. any new file in Source Code Form that contains any Covered Software.
|
||||||
|
|
||||||
|
1.11. "Patent Claims" of a Contributor
|
||||||
|
|
||||||
|
means any patent claim(s), including without limitation, method,
|
||||||
|
process, and apparatus claims, in any patent Licensable by such
|
||||||
|
Contributor that would be infringed, but for the grant of the License,
|
||||||
|
by the making, using, selling, offering for sale, having made, import,
|
||||||
|
or transfer of either its Contributions or its Contributor Version.
|
||||||
|
|
||||||
|
1.12. "Secondary License"
|
||||||
|
|
||||||
|
means either the GNU General Public License, Version 2.0, the GNU Lesser
|
||||||
|
General Public License, Version 2.1, the GNU Affero General Public
|
||||||
|
License, Version 3.0, or any later versions of those licenses.
|
||||||
|
|
||||||
|
1.13. "Source Code Form"
|
||||||
|
|
||||||
|
means the form of the work preferred for making modifications.
|
||||||
|
|
||||||
|
1.14. "You" (or "Your")
|
||||||
|
|
||||||
|
means an individual or a legal entity exercising rights under this
|
||||||
|
License. For legal entities, "You" includes any entity that controls, is
|
||||||
|
controlled by, or is under common control with You. For purposes of this
|
||||||
|
definition, "control" means (a) the power, direct or indirect, to cause
|
||||||
|
the direction or management of such entity, whether by contract or
|
||||||
|
otherwise, or (b) ownership of more than fifty percent (50%) of the
|
||||||
|
outstanding shares or beneficial ownership of such entity.
|
||||||
|
|
||||||
|
|
||||||
|
2. License Grants and Conditions
|
||||||
|
|
||||||
|
2.1. Grants
|
||||||
|
|
||||||
|
Each Contributor hereby grants You a world-wide, royalty-free,
|
||||||
|
non-exclusive license:
|
||||||
|
|
||||||
|
a. under intellectual property rights (other than patent or trademark)
|
||||||
|
Licensable by such Contributor to use, reproduce, make available,
|
||||||
|
modify, display, perform, distribute, and otherwise exploit its
|
||||||
|
Contributions, either on an unmodified basis, with Modifications, or
|
||||||
|
as part of a Larger Work; and
|
||||||
|
|
||||||
|
b. under Patent Claims of such Contributor to make, use, sell, offer for
|
||||||
|
sale, have made, import, and otherwise transfer either its
|
||||||
|
Contributions or its Contributor Version.
|
||||||
|
|
||||||
|
2.2. Effective Date
|
||||||
|
|
||||||
|
The licenses granted in Section 2.1 with respect to any Contribution
|
||||||
|
become effective for each Contribution on the date the Contributor first
|
||||||
|
distributes such Contribution.
|
||||||
|
|
||||||
|
2.3. Limitations on Grant Scope
|
||||||
|
|
||||||
|
The licenses granted in this Section 2 are the only rights granted under
|
||||||
|
this License. No additional rights or licenses will be implied from the
|
||||||
|
distribution or licensing of Covered Software under this License.
|
||||||
|
Notwithstanding Section 2.1(b) above, no patent license is granted by a
|
||||||
|
Contributor:
|
||||||
|
|
||||||
|
a. for any code that a Contributor has removed from Covered Software; or
|
||||||
|
|
||||||
|
b. for infringements caused by: (i) Your and any other third party's
|
||||||
|
modifications of Covered Software, or (ii) the combination of its
|
||||||
|
Contributions with other software (except as part of its Contributor
|
||||||
|
Version); or
|
||||||
|
|
||||||
|
c. under Patent Claims infringed by Covered Software in the absence of
|
||||||
|
its Contributions.
|
||||||
|
|
||||||
|
This License does not grant any rights in the trademarks, service marks,
|
||||||
|
or logos of any Contributor (except as may be necessary to comply with
|
||||||
|
the notice requirements in Section 3.4).
|
||||||
|
|
||||||
|
2.4. Subsequent Licenses
|
||||||
|
|
||||||
|
No Contributor makes additional grants as a result of Your choice to
|
||||||
|
distribute the Covered Software under a subsequent version of this
|
||||||
|
License (see Section 10.2) or under the terms of a Secondary License (if
|
||||||
|
permitted under the terms of Section 3.3).
|
||||||
|
|
||||||
|
2.5. Representation
|
||||||
|
|
||||||
|
Each Contributor represents that the Contributor believes its
|
||||||
|
Contributions are its original creation(s) or it has sufficient rights to
|
||||||
|
grant the rights to its Contributions conveyed by this License.
|
||||||
|
|
||||||
|
2.6. Fair Use
|
||||||
|
|
||||||
|
This License is not intended to limit any rights You have under
|
||||||
|
applicable copyright doctrines of fair use, fair dealing, or other
|
||||||
|
equivalents.
|
||||||
|
|
||||||
|
2.7. Conditions
|
||||||
|
|
||||||
|
Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in
|
||||||
|
Section 2.1.
|
||||||
|
|
||||||
|
|
||||||
|
3. Responsibilities
|
||||||
|
|
||||||
|
3.1. Distribution of Source Form
|
||||||
|
|
||||||
|
All distribution of Covered Software in Source Code Form, including any
|
||||||
|
Modifications that You create or to which You contribute, must be under
|
||||||
|
the terms of this License. You must inform recipients that the Source
|
||||||
|
Code Form of the Covered Software is governed by the terms of this
|
||||||
|
License, and how they can obtain a copy of this License. You may not
|
||||||
|
attempt to alter or restrict the recipients' rights in the Source Code
|
||||||
|
Form.
|
||||||
|
|
||||||
|
3.2. Distribution of Executable Form
|
||||||
|
|
||||||
|
If You distribute Covered Software in Executable Form then:
|
||||||
|
|
||||||
|
a. such Covered Software must also be made available in Source Code Form,
|
||||||
|
as described in Section 3.1, and You must inform recipients of the
|
||||||
|
Executable Form how they can obtain a copy of such Source Code Form by
|
||||||
|
reasonable means in a timely manner, at a charge no more than the cost
|
||||||
|
of distribution to the recipient; and
|
||||||
|
|
||||||
|
b. You may distribute such Executable Form under the terms of this
|
||||||
|
License, or sublicense it under different terms, provided that the
|
||||||
|
license for the Executable Form does not attempt to limit or alter the
|
||||||
|
recipients' rights in the Source Code Form under this License.
|
||||||
|
|
||||||
|
3.3. Distribution of a Larger Work
|
||||||
|
|
||||||
|
You may create and distribute a Larger Work under terms of Your choice,
|
||||||
|
provided that You also comply with the requirements of this License for
|
||||||
|
the Covered Software. If the Larger Work is a combination of Covered
|
||||||
|
Software with a work governed by one or more Secondary Licenses, and the
|
||||||
|
Covered Software is not Incompatible With Secondary Licenses, this
|
||||||
|
License permits You to additionally distribute such Covered Software
|
||||||
|
under the terms of such Secondary License(s), so that the recipient of
|
||||||
|
the Larger Work may, at their option, further distribute the Covered
|
||||||
|
Software under the terms of either this License or such Secondary
|
||||||
|
License(s).
|
||||||
|
|
||||||
|
3.4. Notices
|
||||||
|
|
||||||
|
You may not remove or alter the substance of any license notices
|
||||||
|
(including copyright notices, patent notices, disclaimers of warranty, or
|
||||||
|
limitations of liability) contained within the Source Code Form of the
|
||||||
|
Covered Software, except that You may alter any license notices to the
|
||||||
|
extent required to remedy known factual inaccuracies.
|
||||||
|
|
||||||
|
3.5. Application of Additional Terms
|
||||||
|
|
||||||
|
You may choose to offer, and to charge a fee for, warranty, support,
|
||||||
|
indemnity or liability obligations to one or more recipients of Covered
|
||||||
|
Software. However, You may do so only on Your own behalf, and not on
|
||||||
|
behalf of any Contributor. You must make it absolutely clear that any
|
||||||
|
such warranty, support, indemnity, or liability obligation is offered by
|
||||||
|
You alone, and You hereby agree to indemnify every Contributor for any
|
||||||
|
liability incurred by such Contributor as a result of warranty, support,
|
||||||
|
indemnity or liability terms You offer. You may include additional
|
||||||
|
disclaimers of warranty and limitations of liability specific to any
|
||||||
|
jurisdiction.
|
||||||
|
|
||||||
|
4. Inability to Comply Due to Statute or Regulation
|
||||||
|
|
||||||
|
If it is impossible for You to comply with any of the terms of this License
|
||||||
|
with respect to some or all of the Covered Software due to statute,
|
||||||
|
judicial order, or regulation then You must: (a) comply with the terms of
|
||||||
|
this License to the maximum extent possible; and (b) describe the
|
||||||
|
limitations and the code they affect. Such description must be placed in a
|
||||||
|
text file included with all distributions of the Covered Software under
|
||||||
|
this License. Except to the extent prohibited by statute or regulation,
|
||||||
|
such description must be sufficiently detailed for a recipient of ordinary
|
||||||
|
skill to be able to understand it.
|
||||||
|
|
||||||
|
5. Termination
|
||||||
|
|
||||||
|
5.1. The rights granted under this License will terminate automatically if You
|
||||||
|
fail to comply with any of its terms. However, if You become compliant,
|
||||||
|
then the rights granted under this License from a particular Contributor
|
||||||
|
are reinstated (a) provisionally, unless and until such Contributor
|
||||||
|
explicitly and finally terminates Your grants, and (b) on an ongoing
|
||||||
|
basis, if such Contributor fails to notify You of the non-compliance by
|
||||||
|
some reasonable means prior to 60 days after You have come back into
|
||||||
|
compliance. Moreover, Your grants from a particular Contributor are
|
||||||
|
reinstated on an ongoing basis if such Contributor notifies You of the
|
||||||
|
non-compliance by some reasonable means, this is the first time You have
|
||||||
|
received notice of non-compliance with this License from such
|
||||||
|
Contributor, and You become compliant prior to 30 days after Your receipt
|
||||||
|
of the notice.
|
||||||
|
|
||||||
|
5.2. If You initiate litigation against any entity by asserting a patent
|
||||||
|
infringement claim (excluding declaratory judgment actions,
|
||||||
|
counter-claims, and cross-claims) alleging that a Contributor Version
|
||||||
|
directly or indirectly infringes any patent, then the rights granted to
|
||||||
|
You by any and all Contributors for the Covered Software under Section
|
||||||
|
2.1 of this License shall terminate.
|
||||||
|
|
||||||
|
5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user
|
||||||
|
license agreements (excluding distributors and resellers) which have been
|
||||||
|
validly granted by You or Your distributors under this License prior to
|
||||||
|
termination shall survive termination.
|
||||||
|
|
||||||
|
6. Disclaimer of Warranty
|
||||||
|
|
||||||
|
Covered Software is provided under this License on an "as is" basis,
|
||||||
|
without warranty of any kind, either expressed, implied, or statutory,
|
||||||
|
including, without limitation, warranties that the Covered Software is free
|
||||||
|
of defects, merchantable, fit for a particular purpose or non-infringing.
|
||||||
|
The entire risk as to the quality and performance of the Covered Software
|
||||||
|
is with You. Should any Covered Software prove defective in any respect,
|
||||||
|
You (not any Contributor) assume the cost of any necessary servicing,
|
||||||
|
repair, or correction. This disclaimer of warranty constitutes an essential
|
||||||
|
part of this License. No use of any Covered Software is authorized under
|
||||||
|
this License except under this disclaimer.
|
||||||
|
|
||||||
|
7. Limitation of Liability
|
||||||
|
|
||||||
|
Under no circumstances and under no legal theory, whether tort (including
|
||||||
|
negligence), contract, or otherwise, shall any Contributor, or anyone who
|
||||||
|
distributes Covered Software as permitted above, be liable to You for any
|
||||||
|
direct, indirect, special, incidental, or consequential damages of any
|
||||||
|
character including, without limitation, damages for lost profits, loss of
|
||||||
|
goodwill, work stoppage, computer failure or malfunction, or any and all
|
||||||
|
other commercial damages or losses, even if such party shall have been
|
||||||
|
informed of the possibility of such damages. This limitation of liability
|
||||||
|
shall not apply to liability for death or personal injury resulting from
|
||||||
|
such party's negligence to the extent applicable law prohibits such
|
||||||
|
limitation. Some jurisdictions do not allow the exclusion or limitation of
|
||||||
|
incidental or consequential damages, so this exclusion and limitation may
|
||||||
|
not apply to You.
|
||||||
|
|
||||||
|
8. Litigation
|
||||||
|
|
||||||
|
Any litigation relating to this License may be brought only in the courts
|
||||||
|
of a jurisdiction where the defendant maintains its principal place of
|
||||||
|
business and such litigation shall be governed by laws of that
|
||||||
|
jurisdiction, without reference to its conflict-of-law provisions. Nothing
|
||||||
|
in this Section shall prevent a party's ability to bring cross-claims or
|
||||||
|
counter-claims.
|
||||||
|
|
||||||
|
9. Miscellaneous
|
||||||
|
|
||||||
|
This License represents the complete agreement concerning the subject
|
||||||
|
matter hereof. If any provision of this License is held to be
|
||||||
|
unenforceable, such provision shall be reformed only to the extent
|
||||||
|
necessary to make it enforceable. Any law or regulation which provides that
|
||||||
|
the language of a contract shall be construed against the drafter shall not
|
||||||
|
be used to construe this License against a Contributor.
|
||||||
|
|
||||||
|
|
||||||
|
10. Versions of the License
|
||||||
|
|
||||||
|
10.1. New Versions
|
||||||
|
|
||||||
|
Mozilla Foundation is the license steward. Except as provided in Section
|
||||||
|
10.3, no one other than the license steward has the right to modify or
|
||||||
|
publish new versions of this License. Each version will be given a
|
||||||
|
distinguishing version number.
|
||||||
|
|
||||||
|
10.2. Effect of New Versions
|
||||||
|
|
||||||
|
You may distribute the Covered Software under the terms of the version
|
||||||
|
of the License under which You originally received the Covered Software,
|
||||||
|
or under the terms of any subsequent version published by the license
|
||||||
|
steward.
|
||||||
|
|
||||||
|
10.3. Modified Versions
|
||||||
|
|
||||||
|
If you create software not governed by this License, and you want to
|
||||||
|
create a new license for such software, you may create and use a
|
||||||
|
modified version of this License if you rename the license and remove
|
||||||
|
any references to the name of the license steward (except to note that
|
||||||
|
such modified license differs from this License).
|
||||||
|
|
||||||
|
10.4. Distributing Source Code Form that is Incompatible With Secondary
|
||||||
|
Licenses If You choose to distribute Source Code Form that is
|
||||||
|
Incompatible With Secondary Licenses under the terms of this version of
|
||||||
|
the License, the notice described in Exhibit B of this License must be
|
||||||
|
attached.
|
||||||
|
|
||||||
|
Exhibit A - Source Code Form License Notice
|
||||||
|
|
||||||
|
This Source Code Form is subject to the
|
||||||
|
terms of the Mozilla Public License, v.
|
||||||
|
2.0. If a copy of the MPL was not
|
||||||
|
distributed with this file, You can
|
||||||
|
obtain one at
|
||||||
|
http://mozilla.org/MPL/2.0/.
|
||||||
|
|
||||||
|
If it is not possible or desirable to put the notice in a particular file,
|
||||||
|
then You may include the notice in a location (such as a LICENSE file in a
|
||||||
|
relevant directory) where a recipient would be likely to look for such a
|
||||||
|
notice.
|
||||||
|
|
||||||
|
You may add additional accurate notices of copyright ownership.
|
||||||
|
|
||||||
|
Exhibit B - "Incompatible With Secondary Licenses" Notice
|
||||||
|
|
||||||
|
This Source Code Form is "Incompatible
|
||||||
|
With Secondary Licenses", as defined by
|
||||||
|
the Mozilla Public License, v. 2.0.
|
||||||
|
|
191
vendor/github.com/hashicorp/vault/helper/compressutil/compress.go
generated
vendored
Normal file
191
vendor/github.com/hashicorp/vault/helper/compressutil/compress.go
generated
vendored
Normal file
@ -0,0 +1,191 @@
|
|||||||
|
package compressutil
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"compress/gzip"
|
||||||
|
"compress/lzw"
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
|
|
||||||
|
"github.com/golang/snappy"
|
||||||
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
// A byte value used as a canary prefix for the compressed information
|
||||||
|
// which is used to distinguish if a JSON input is compressed or not.
|
||||||
|
// The value of this constant should not be a first character of any
|
||||||
|
// valid JSON string.
|
||||||
|
|
||||||
|
// Byte value used as canary when using Gzip format
|
||||||
|
CompressionCanaryGzip byte = 'G'
|
||||||
|
|
||||||
|
// Byte value used as canary when using Lzw format
|
||||||
|
CompressionCanaryLzw byte = 'L'
|
||||||
|
|
||||||
|
// Byte value used as canary when using Snappy format
|
||||||
|
CompressionCanarySnappy byte = 'S'
|
||||||
|
|
||||||
|
CompressionTypeLzw = "lzw"
|
||||||
|
|
||||||
|
CompressionTypeGzip = "gzip"
|
||||||
|
|
||||||
|
CompressionTypeSnappy = "snappy"
|
||||||
|
)
|
||||||
|
|
||||||
|
// SnappyReadCloser embeds the snappy reader which implements the io.Reader
|
||||||
|
// interface. The decompress procedure in this utility expectes an
|
||||||
|
// io.ReadCloser. This type implements the io.Closer interface to retain the
|
||||||
|
// generic way of decompression.
|
||||||
|
type SnappyReadCloser struct {
|
||||||
|
*snappy.Reader
|
||||||
|
}
|
||||||
|
|
||||||
|
// Close is a noop method implemented only to satisfy the io.Closer interface
|
||||||
|
func (s *SnappyReadCloser) Close() error {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// CompressionConfig is used to select a compression type to be performed by
|
||||||
|
// Compress and Decompress utilities.
|
||||||
|
// Supported types are:
|
||||||
|
// * CompressionTypeLzw
|
||||||
|
// * CompressionTypeGzip
|
||||||
|
// * CompressionTypeSnappy
|
||||||
|
//
|
||||||
|
// When using CompressionTypeGzip, the compression levels can also be chosen:
|
||||||
|
// * gzip.DefaultCompression
|
||||||
|
// * gzip.BestSpeed
|
||||||
|
// * gzip.BestCompression
|
||||||
|
type CompressionConfig struct {
|
||||||
|
// Type of the compression algorithm to be used
|
||||||
|
Type string
|
||||||
|
|
||||||
|
// When using Gzip format, the compression level to employ
|
||||||
|
GzipCompressionLevel int
|
||||||
|
}
|
||||||
|
|
||||||
|
// Compress places the canary byte in a buffer and uses the same buffer to fill
|
||||||
|
// in the compressed information of the given input. The configuration supports
|
||||||
|
// two type of compression: LZW and Gzip. When using Gzip compression format,
|
||||||
|
// if GzipCompressionLevel is not specified, the 'gzip.DefaultCompression' will
|
||||||
|
// be assumed.
|
||||||
|
func Compress(data []byte, config *CompressionConfig) ([]byte, error) {
|
||||||
|
var buf bytes.Buffer
|
||||||
|
var writer io.WriteCloser
|
||||||
|
var err error
|
||||||
|
|
||||||
|
if config == nil {
|
||||||
|
return nil, fmt.Errorf("config is nil")
|
||||||
|
}
|
||||||
|
|
||||||
|
// Write the canary into the buffer and create writer to compress the
|
||||||
|
// input data based on the configured type
|
||||||
|
switch config.Type {
|
||||||
|
case CompressionTypeLzw:
|
||||||
|
buf.Write([]byte{CompressionCanaryLzw})
|
||||||
|
|
||||||
|
writer = lzw.NewWriter(&buf, lzw.LSB, 8)
|
||||||
|
case CompressionTypeGzip:
|
||||||
|
buf.Write([]byte{CompressionCanaryGzip})
|
||||||
|
|
||||||
|
switch {
|
||||||
|
case config.GzipCompressionLevel == gzip.BestCompression,
|
||||||
|
config.GzipCompressionLevel == gzip.BestSpeed,
|
||||||
|
config.GzipCompressionLevel == gzip.DefaultCompression:
|
||||||
|
// These are valid compression levels
|
||||||
|
default:
|
||||||
|
// If compression level is set to NoCompression or to
|
||||||
|
// any invalid value, fallback to Defaultcompression
|
||||||
|
config.GzipCompressionLevel = gzip.DefaultCompression
|
||||||
|
}
|
||||||
|
writer, err = gzip.NewWriterLevel(&buf, config.GzipCompressionLevel)
|
||||||
|
case CompressionTypeSnappy:
|
||||||
|
buf.Write([]byte{CompressionCanarySnappy})
|
||||||
|
writer = snappy.NewBufferedWriter(&buf)
|
||||||
|
default:
|
||||||
|
return nil, fmt.Errorf("unsupported compression type")
|
||||||
|
}
|
||||||
|
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("failed to create a compression writer; err: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if writer == nil {
|
||||||
|
return nil, fmt.Errorf("failed to create a compression writer")
|
||||||
|
}
|
||||||
|
|
||||||
|
// Compress the input and place it in the same buffer containing the
|
||||||
|
// canary byte.
|
||||||
|
if _, err = writer.Write(data); err != nil {
|
||||||
|
return nil, fmt.Errorf("failed to compress input data; err: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Close the io.WriteCloser
|
||||||
|
if err = writer.Close(); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Return the compressed bytes with canary byte at the start
|
||||||
|
return buf.Bytes(), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Decompress checks if the first byte in the input matches the canary byte.
|
||||||
|
// If the first byte is a canary byte, then the input past the canary byte
|
||||||
|
// will be decompressed using the method specified in the given configuration.
|
||||||
|
// If the first byte isn't a canary byte, then the utility returns a boolean
|
||||||
|
// value indicating that the input was not compressed.
|
||||||
|
func Decompress(data []byte) ([]byte, bool, error) {
|
||||||
|
var err error
|
||||||
|
var reader io.ReadCloser
|
||||||
|
if data == nil || len(data) == 0 {
|
||||||
|
return nil, false, fmt.Errorf("'data' being decompressed is empty")
|
||||||
|
}
|
||||||
|
|
||||||
|
switch {
|
||||||
|
// If the first byte matches the canary byte, remove the canary
|
||||||
|
// byte and try to decompress the data that is after the canary.
|
||||||
|
case data[0] == CompressionCanaryGzip:
|
||||||
|
if len(data) < 2 {
|
||||||
|
return nil, false, fmt.Errorf("invalid 'data' after the canary")
|
||||||
|
}
|
||||||
|
data = data[1:]
|
||||||
|
reader, err = gzip.NewReader(bytes.NewReader(data))
|
||||||
|
case data[0] == CompressionCanaryLzw:
|
||||||
|
if len(data) < 2 {
|
||||||
|
return nil, false, fmt.Errorf("invalid 'data' after the canary")
|
||||||
|
}
|
||||||
|
data = data[1:]
|
||||||
|
reader = lzw.NewReader(bytes.NewReader(data), lzw.LSB, 8)
|
||||||
|
|
||||||
|
case data[0] == CompressionCanarySnappy:
|
||||||
|
if len(data) < 2 {
|
||||||
|
return nil, false, fmt.Errorf("invalid 'data' after the canary")
|
||||||
|
}
|
||||||
|
data = data[1:]
|
||||||
|
reader = &SnappyReadCloser{
|
||||||
|
Reader: snappy.NewReader(bytes.NewReader(data)),
|
||||||
|
}
|
||||||
|
default:
|
||||||
|
// If the first byte doesn't match the canary byte, it means
|
||||||
|
// that the content was not compressed at all. Indicate the
|
||||||
|
// caller that the input was not compressed.
|
||||||
|
return nil, true, nil
|
||||||
|
}
|
||||||
|
if err != nil {
|
||||||
|
return nil, false, fmt.Errorf("failed to create a compression reader; err: %v", err)
|
||||||
|
}
|
||||||
|
if reader == nil {
|
||||||
|
return nil, false, fmt.Errorf("failed to create a compression reader")
|
||||||
|
}
|
||||||
|
|
||||||
|
// Close the io.ReadCloser
|
||||||
|
defer reader.Close()
|
||||||
|
|
||||||
|
// Read all the compressed data into a buffer
|
||||||
|
var buf bytes.Buffer
|
||||||
|
if _, err = io.Copy(&buf, reader); err != nil {
|
||||||
|
return nil, false, err
|
||||||
|
}
|
||||||
|
|
||||||
|
return buf.Bytes(), false, nil
|
||||||
|
}
|
99
vendor/github.com/hashicorp/vault/helper/jsonutil/json.go
generated
vendored
Normal file
99
vendor/github.com/hashicorp/vault/helper/jsonutil/json.go
generated
vendored
Normal file
@ -0,0 +1,99 @@
|
|||||||
|
package jsonutil
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"compress/gzip"
|
||||||
|
"encoding/json"
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
|
|
||||||
|
"github.com/hashicorp/vault/helper/compressutil"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Encodes/Marshals the given object into JSON
|
||||||
|
func EncodeJSON(in interface{}) ([]byte, error) {
|
||||||
|
if in == nil {
|
||||||
|
return nil, fmt.Errorf("input for encoding is nil")
|
||||||
|
}
|
||||||
|
var buf bytes.Buffer
|
||||||
|
enc := json.NewEncoder(&buf)
|
||||||
|
if err := enc.Encode(in); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return buf.Bytes(), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// EncodeJSONAndCompress encodes the given input into JSON and compresses the
|
||||||
|
// encoded value (using Gzip format BestCompression level, by default). A
|
||||||
|
// canary byte is placed at the beginning of the returned bytes for the logic
|
||||||
|
// in decompression method to identify compressed input.
|
||||||
|
func EncodeJSONAndCompress(in interface{}, config *compressutil.CompressionConfig) ([]byte, error) {
|
||||||
|
if in == nil {
|
||||||
|
return nil, fmt.Errorf("input for encoding is nil")
|
||||||
|
}
|
||||||
|
|
||||||
|
// First JSON encode the given input
|
||||||
|
encodedBytes, err := EncodeJSON(in)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if config == nil {
|
||||||
|
config = &compressutil.CompressionConfig{
|
||||||
|
Type: compressutil.CompressionTypeGzip,
|
||||||
|
GzipCompressionLevel: gzip.BestCompression,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return compressutil.Compress(encodedBytes, config)
|
||||||
|
}
|
||||||
|
|
||||||
|
// DecodeJSON tries to decompress the given data. The call to decompress, fails
|
||||||
|
// if the content was not compressed in the first place, which is identified by
|
||||||
|
// a canary byte before the compressed data. If the data is not compressed, it
|
||||||
|
// is JSON decoded directly. Otherwise the decompressed data will be JSON
|
||||||
|
// decoded.
|
||||||
|
func DecodeJSON(data []byte, out interface{}) error {
|
||||||
|
if data == nil || len(data) == 0 {
|
||||||
|
return fmt.Errorf("'data' being decoded is nil")
|
||||||
|
}
|
||||||
|
if out == nil {
|
||||||
|
return fmt.Errorf("output parameter 'out' is nil")
|
||||||
|
}
|
||||||
|
|
||||||
|
// Decompress the data if it was compressed in the first place
|
||||||
|
decompressedBytes, uncompressed, err := compressutil.Decompress(data)
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("failed to decompress JSON: err: %v", err)
|
||||||
|
}
|
||||||
|
if !uncompressed && (decompressedBytes == nil || len(decompressedBytes) == 0) {
|
||||||
|
return fmt.Errorf("decompressed data being decoded is invalid")
|
||||||
|
}
|
||||||
|
|
||||||
|
// If the input supplied failed to contain the compression canary, it
|
||||||
|
// will be notified by the compression utility. Decode the decompressed
|
||||||
|
// input.
|
||||||
|
if !uncompressed {
|
||||||
|
data = decompressedBytes
|
||||||
|
}
|
||||||
|
|
||||||
|
return DecodeJSONFromReader(bytes.NewReader(data), out)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Decodes/Unmarshals the given io.Reader pointing to a JSON, into a desired object
|
||||||
|
func DecodeJSONFromReader(r io.Reader, out interface{}) error {
|
||||||
|
if r == nil {
|
||||||
|
return fmt.Errorf("'io.Reader' being decoded is nil")
|
||||||
|
}
|
||||||
|
if out == nil {
|
||||||
|
return fmt.Errorf("output parameter 'out' is nil")
|
||||||
|
}
|
||||||
|
|
||||||
|
dec := json.NewDecoder(r)
|
||||||
|
|
||||||
|
// While decoding JSON values, intepret the integer values as `json.Number`s instead of `float64`.
|
||||||
|
dec.UseNumber()
|
||||||
|
|
||||||
|
// Since 'out' is an interface representing a pointer, pass it to the decoder without an '&'
|
||||||
|
return dec.Decode(out)
|
||||||
|
}
|
117
vendor/github.com/hashicorp/vault/helper/pgpkeys/encrypt_decrypt.go
generated
vendored
Normal file
117
vendor/github.com/hashicorp/vault/helper/pgpkeys/encrypt_decrypt.go
generated
vendored
Normal file
@ -0,0 +1,117 @@
|
|||||||
|
package pgpkeys
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"encoding/base64"
|
||||||
|
"fmt"
|
||||||
|
|
||||||
|
"github.com/keybase/go-crypto/openpgp"
|
||||||
|
"github.com/keybase/go-crypto/openpgp/packet"
|
||||||
|
)
|
||||||
|
|
||||||
|
// EncryptShares takes an ordered set of byte slices to encrypt and the
|
||||||
|
// corresponding base64-encoded public keys to encrypt them with, encrypts each
|
||||||
|
// byte slice with the corresponding public key.
|
||||||
|
//
|
||||||
|
// Note: There is no corresponding test function; this functionality is
|
||||||
|
// thoroughly tested in the init and rekey command unit tests
|
||||||
|
func EncryptShares(input [][]byte, pgpKeys []string) ([]string, [][]byte, error) {
|
||||||
|
if len(input) != len(pgpKeys) {
|
||||||
|
return nil, nil, fmt.Errorf("Mismatch between number items to encrypt and number of PGP keys")
|
||||||
|
}
|
||||||
|
encryptedShares := make([][]byte, 0, len(pgpKeys))
|
||||||
|
entities, err := GetEntities(pgpKeys)
|
||||||
|
if err != nil {
|
||||||
|
return nil, nil, err
|
||||||
|
}
|
||||||
|
for i, entity := range entities {
|
||||||
|
ctBuf := bytes.NewBuffer(nil)
|
||||||
|
pt, err := openpgp.Encrypt(ctBuf, []*openpgp.Entity{entity}, nil, nil, nil)
|
||||||
|
if err != nil {
|
||||||
|
return nil, nil, fmt.Errorf("Error setting up encryption for PGP message: %s", err)
|
||||||
|
}
|
||||||
|
_, err = pt.Write(input[i])
|
||||||
|
if err != nil {
|
||||||
|
return nil, nil, fmt.Errorf("Error encrypting PGP message: %s", err)
|
||||||
|
}
|
||||||
|
pt.Close()
|
||||||
|
encryptedShares = append(encryptedShares, ctBuf.Bytes())
|
||||||
|
}
|
||||||
|
|
||||||
|
fingerprints, err := GetFingerprints(nil, entities)
|
||||||
|
if err != nil {
|
||||||
|
return nil, nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
return fingerprints, encryptedShares, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetFingerprints takes in a list of openpgp Entities and returns the
|
||||||
|
// fingerprints. If entities is nil, it will instead parse both entities and
|
||||||
|
// fingerprints from the pgpKeys string slice.
|
||||||
|
func GetFingerprints(pgpKeys []string, entities []*openpgp.Entity) ([]string, error) {
|
||||||
|
if entities == nil {
|
||||||
|
var err error
|
||||||
|
entities, err = GetEntities(pgpKeys)
|
||||||
|
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
ret := make([]string, 0, len(entities))
|
||||||
|
for _, entity := range entities {
|
||||||
|
ret = append(ret, fmt.Sprintf("%x", entity.PrimaryKey.Fingerprint))
|
||||||
|
}
|
||||||
|
return ret, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetEntities takes in a string array of base64-encoded PGP keys and returns
|
||||||
|
// the openpgp Entities
|
||||||
|
func GetEntities(pgpKeys []string) ([]*openpgp.Entity, error) {
|
||||||
|
ret := make([]*openpgp.Entity, 0, len(pgpKeys))
|
||||||
|
for _, keystring := range pgpKeys {
|
||||||
|
data, err := base64.StdEncoding.DecodeString(keystring)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("Error decoding given PGP key: %s", err)
|
||||||
|
}
|
||||||
|
entity, err := openpgp.ReadEntity(packet.NewReader(bytes.NewBuffer(data)))
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("Error parsing given PGP key: %s", err)
|
||||||
|
}
|
||||||
|
ret = append(ret, entity)
|
||||||
|
}
|
||||||
|
return ret, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// DecryptBytes takes in base64-encoded encrypted bytes and the base64-encoded
|
||||||
|
// private key and decrypts it. A bytes.Buffer is returned to allow the caller
|
||||||
|
// to do useful thing with it (get it as a []byte, get it as a string, use it
|
||||||
|
// as an io.Reader, etc), and also because this function doesn't know if what
|
||||||
|
// comes out is binary data or a string, so let the caller decide.
|
||||||
|
func DecryptBytes(encodedCrypt, privKey string) (*bytes.Buffer, error) {
|
||||||
|
privKeyBytes, err := base64.StdEncoding.DecodeString(privKey)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("Error decoding base64 private key: %s", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
cryptBytes, err := base64.StdEncoding.DecodeString(encodedCrypt)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("Error decoding base64 crypted bytes: %s", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
entity, err := openpgp.ReadEntity(packet.NewReader(bytes.NewBuffer(privKeyBytes)))
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("Error parsing private key: %s", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
entityList := &openpgp.EntityList{entity}
|
||||||
|
md, err := openpgp.ReadMessage(bytes.NewBuffer(cryptBytes), entityList, nil, nil)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("Error decrypting the messages: %s", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
ptBuf := bytes.NewBuffer(nil)
|
||||||
|
ptBuf.ReadFrom(md.UnverifiedBody)
|
||||||
|
|
||||||
|
return ptBuf, nil
|
||||||
|
}
|
97
vendor/github.com/hashicorp/vault/helper/pgpkeys/flag.go
generated
vendored
Normal file
97
vendor/github.com/hashicorp/vault/helper/pgpkeys/flag.go
generated
vendored
Normal file
@ -0,0 +1,97 @@
|
|||||||
|
package pgpkeys
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"encoding/base64"
|
||||||
|
"errors"
|
||||||
|
"fmt"
|
||||||
|
"os"
|
||||||
|
"strings"
|
||||||
|
|
||||||
|
"github.com/keybase/go-crypto/openpgp"
|
||||||
|
)
|
||||||
|
|
||||||
|
// PGPPubKeyFiles implements the flag.Value interface and allows
|
||||||
|
// parsing and reading a list of pgp public key files
|
||||||
|
type PubKeyFilesFlag []string
|
||||||
|
|
||||||
|
func (p *PubKeyFilesFlag) String() string {
|
||||||
|
return fmt.Sprint(*p)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (p *PubKeyFilesFlag) Set(value string) error {
|
||||||
|
if len(*p) > 0 {
|
||||||
|
return errors.New("pgp-keys can only be specified once")
|
||||||
|
}
|
||||||
|
|
||||||
|
splitValues := strings.Split(value, ",")
|
||||||
|
|
||||||
|
keybaseMap, err := FetchKeybasePubkeys(splitValues)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Now go through the actual flag, and substitute in resolved keybase
|
||||||
|
// entries where appropriate
|
||||||
|
for _, keyfile := range splitValues {
|
||||||
|
if strings.HasPrefix(keyfile, kbPrefix) {
|
||||||
|
key := keybaseMap[keyfile]
|
||||||
|
if key == "" {
|
||||||
|
return fmt.Errorf("key for keybase user %s was not found in the map", strings.TrimPrefix(keyfile, kbPrefix))
|
||||||
|
}
|
||||||
|
*p = append(*p, key)
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
pgpStr, err := ReadPGPFile(keyfile)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
*p = append(*p, pgpStr)
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func ReadPGPFile(path string) (string, error) {
|
||||||
|
if path[0] == '@' {
|
||||||
|
path = path[1:]
|
||||||
|
}
|
||||||
|
f, err := os.Open(path)
|
||||||
|
if err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
defer f.Close()
|
||||||
|
buf := bytes.NewBuffer(nil)
|
||||||
|
_, err = buf.ReadFrom(f)
|
||||||
|
if err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
|
||||||
|
// First parse as an armored keyring file, if that doesn't work, treat it as a straight binary/b64 string
|
||||||
|
keyReader := bytes.NewReader(buf.Bytes())
|
||||||
|
entityList, err := openpgp.ReadArmoredKeyRing(keyReader)
|
||||||
|
if err == nil {
|
||||||
|
if len(entityList) != 1 {
|
||||||
|
return "", fmt.Errorf("more than one key found in file %s", path)
|
||||||
|
}
|
||||||
|
if entityList[0] == nil {
|
||||||
|
return "", fmt.Errorf("primary key was nil for file %s", path)
|
||||||
|
}
|
||||||
|
|
||||||
|
serializedEntity := bytes.NewBuffer(nil)
|
||||||
|
err = entityList[0].Serialize(serializedEntity)
|
||||||
|
if err != nil {
|
||||||
|
return "", fmt.Errorf("error serializing entity for file %s: %s", path, err)
|
||||||
|
}
|
||||||
|
|
||||||
|
return base64.StdEncoding.EncodeToString(serializedEntity.Bytes()), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
_, err = base64.StdEncoding.DecodeString(buf.String())
|
||||||
|
if err == nil {
|
||||||
|
return buf.String(), nil
|
||||||
|
}
|
||||||
|
return base64.StdEncoding.EncodeToString(buf.Bytes()), nil
|
||||||
|
|
||||||
|
}
|
116
vendor/github.com/hashicorp/vault/helper/pgpkeys/keybase.go
generated
vendored
Normal file
116
vendor/github.com/hashicorp/vault/helper/pgpkeys/keybase.go
generated
vendored
Normal file
@ -0,0 +1,116 @@
|
|||||||
|
package pgpkeys
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"encoding/base64"
|
||||||
|
"fmt"
|
||||||
|
"strings"
|
||||||
|
|
||||||
|
"github.com/hashicorp/go-cleanhttp"
|
||||||
|
"github.com/hashicorp/vault/helper/jsonutil"
|
||||||
|
"github.com/keybase/go-crypto/openpgp"
|
||||||
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
kbPrefix = "keybase:"
|
||||||
|
)
|
||||||
|
|
||||||
|
// FetchKeybasePubkeys fetches public keys from Keybase given a set of
|
||||||
|
// usernames, which are derived from correctly formatted input entries. It
|
||||||
|
// doesn't use their client code due to both the API and the fact that it is
|
||||||
|
// considered alpha and probably best not to rely on it. The keys are returned
|
||||||
|
// as base64-encoded strings.
|
||||||
|
func FetchKeybasePubkeys(input []string) (map[string]string, error) {
|
||||||
|
client := cleanhttp.DefaultClient()
|
||||||
|
if client == nil {
|
||||||
|
return nil, fmt.Errorf("unable to create an http client")
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(input) == 0 {
|
||||||
|
return nil, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
usernames := make([]string, 0, len(input))
|
||||||
|
for _, v := range input {
|
||||||
|
if strings.HasPrefix(v, kbPrefix) {
|
||||||
|
usernames = append(usernames, strings.TrimPrefix(v, kbPrefix))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(usernames) == 0 {
|
||||||
|
return nil, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
ret := make(map[string]string, len(usernames))
|
||||||
|
url := fmt.Sprintf("https://keybase.io/_/api/1.0/user/lookup.json?usernames=%s&fields=public_keys", strings.Join(usernames, ","))
|
||||||
|
resp, err := client.Get(url)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
defer resp.Body.Close()
|
||||||
|
|
||||||
|
type publicKeys struct {
|
||||||
|
Primary struct {
|
||||||
|
Bundle string
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
type them struct {
|
||||||
|
publicKeys `json:"public_keys"`
|
||||||
|
}
|
||||||
|
|
||||||
|
type kbResp struct {
|
||||||
|
Status struct {
|
||||||
|
Name string
|
||||||
|
}
|
||||||
|
Them []them
|
||||||
|
}
|
||||||
|
|
||||||
|
out := &kbResp{
|
||||||
|
Them: []them{},
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := jsonutil.DecodeJSONFromReader(resp.Body, out); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if out.Status.Name != "OK" {
|
||||||
|
return nil, fmt.Errorf("got non-OK response: %s", out.Status.Name)
|
||||||
|
}
|
||||||
|
|
||||||
|
missingNames := make([]string, 0, len(usernames))
|
||||||
|
var keyReader *bytes.Reader
|
||||||
|
serializedEntity := bytes.NewBuffer(nil)
|
||||||
|
for i, themVal := range out.Them {
|
||||||
|
if themVal.Primary.Bundle == "" {
|
||||||
|
missingNames = append(missingNames, usernames[i])
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
keyReader = bytes.NewReader([]byte(themVal.Primary.Bundle))
|
||||||
|
entityList, err := openpgp.ReadArmoredKeyRing(keyReader)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
if len(entityList) != 1 {
|
||||||
|
return nil, fmt.Errorf("primary key could not be parsed for user %s", usernames[i])
|
||||||
|
}
|
||||||
|
if entityList[0] == nil {
|
||||||
|
return nil, fmt.Errorf("primary key was nil for user %s", usernames[i])
|
||||||
|
}
|
||||||
|
|
||||||
|
serializedEntity.Reset()
|
||||||
|
err = entityList[0].Serialize(serializedEntity)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("error serializing entity for user %s: %s", usernames[i], err)
|
||||||
|
}
|
||||||
|
|
||||||
|
// The API returns values in the same ordering requested, so this should properly match
|
||||||
|
ret[kbPrefix+usernames[i]] = base64.StdEncoding.EncodeToString(serializedEntity.Bytes())
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(missingNames) > 0 {
|
||||||
|
return nil, fmt.Errorf("unable to fetch keys for user(s) %s from keybase", strings.Join(missingNames, ","))
|
||||||
|
}
|
||||||
|
|
||||||
|
return ret, nil
|
||||||
|
}
|
271
vendor/github.com/hashicorp/vault/helper/pgpkeys/test_keys.go
generated
vendored
Normal file
271
vendor/github.com/hashicorp/vault/helper/pgpkeys/test_keys.go
generated
vendored
Normal file
@ -0,0 +1,271 @@
|
|||||||
|
package pgpkeys
|
||||||
|
|
||||||
|
const (
|
||||||
|
TestPrivKey1 = `lQOYBFXbjPUBCADjNjCUQwfxKL+RR2GA6pv/1K+zJZ8UWIF9S0lk7cVIEfJiprzzwiMwBS5cD0da
|
||||||
|
rGin1FHvIWOZxujA7oW0O2TUuatqI3aAYDTfRYurh6iKLC+VS+F7H+/mhfFvKmgr0Y5kDCF1j0T/
|
||||||
|
063QZ84IRGucR/X43IY7kAtmxGXH0dYOCzOe5UBX1fTn3mXGe2ImCDWBH7gOViynXmb6XNvXkP0f
|
||||||
|
sF5St9jhO7mbZU9EFkv9O3t3EaURfHopsCVDOlCkFCw5ArY+DUORHRzoMX0PnkyQb5OzibkChzpg
|
||||||
|
8hQssKeVGpuskTdz5Q7PtdW71jXd4fFVzoNH8fYwRpziD2xNvi6HABEBAAEAB/wL+KX0mdeISEpX
|
||||||
|
oDgt766Key1Kthe8nbEs5dOXIsP7OR7ZPcnE2hy6gftgVFnBGEZnWVN70vmJd6Z5y9d1mI+GecXj
|
||||||
|
UL0EpI0EmohyYDJsHUnght/5ecRNFA+VeNmGPYNQGCeHJyZOiFunGGENpHU7BbubAht8delz37Mx
|
||||||
|
JQgvMyR6AKvg8HKBoQeqV1uMWNJE/vKwV/z1dh1sjK/GFxu05Qaq0GTfAjVLuFOyJTS95yq6gblD
|
||||||
|
jUdbHLp7tBeqIKo9voWCJF5mGOlq3973vVoWETy9b0YYPCE/M7fXmK9dJITHqkROLMW6TgcFeIw4
|
||||||
|
yL5KOBCHk+QGPSvyQN7R7Fd5BADwuT1HZmvg7Y9GjarKXDjxdNemUiHtba2rUzfH6uNmKNQvwQek
|
||||||
|
nma5palNUJ4/dz1aPB21FUBXJF5yWwXEdApl+lIDU0J5m4UD26rqEVRq9Kx3GsX+yfcwObkrSzW6
|
||||||
|
kmnQSB5KI0fIuegMTM+Jxo3pB/mIRwDTMmk+vfzIGyW+7QQA8aFwFLMdKdfLgSGbl5Z6etmOAVQ2
|
||||||
|
Oe2ebegU9z/ewi/Rdt2s9yQiAdGVM8+q15Saz8a+kyS/l1CjNPzr3VpYx1OdZ3gb7i2xoy9GdMYR
|
||||||
|
ZpTq3TuST95kx/9DqA97JrP23G47U0vwF/cg8ixCYF8Fz5dG4DEsxgMwKqhGdW58wMMD/iytkfMk
|
||||||
|
Vk6Z958Rpy7lhlC6L3zpO38767bSeZ8gRRi/NMFVOSGYepKFarnfxcTiNa+EoSVA6hUo1N64nALE
|
||||||
|
sJBpyOoTfKIpz7WwTF1+WogkiYrfM6lHon1+3qlziAcRW0IohM3g2C1i3GWdON4Cl8/PDO3R0E52
|
||||||
|
N6iG/ctNNeMiPe60EFZhdWx0IFRlc3QgS2V5IDGJATgEEwECACIFAlXbjPUCGy8GCwkIBwMCBhUI
|
||||||
|
AgkKCwQWAgMBAh4BAheAAAoJEOfLr44BHbeTo+sH/i7bapIgPnZsJ81hmxPj4W12uvunksGJiC7d
|
||||||
|
4hIHsG7kmJRTJfjECi+AuTGeDwBy84TDcRaOB6e79fj65Fg6HgSahDUtKJbGxj/lWzmaBuTzlN3C
|
||||||
|
Ee8cMwIPqPT2kajJVdOyrvkyuFOdPFOEA7bdCH0MqgIdM2SdF8t40k/ATfuD2K1ZmumJ508I3gF3
|
||||||
|
9jgTnPzD4C8quswrMQ3bzfvKC3klXRlBC0yoArn+0QA3cf2B9T4zJ2qnvgotVbeK/b1OJRNj6Poe
|
||||||
|
o+SsWNc/A5mw7lGScnDgL3yfwCm1gQXaQKfOt5x+7GqhWDw10q+bJpJlI10FfzAnhMF9etSqSeUR
|
||||||
|
BRWdA5gEVduM9QEIAL53hJ5bZJ7oEDCnaY+SCzt9QsAfnFTAnZJQrvkvusJzrTQ088eUQmAjvxkf
|
||||||
|
Rqnv981fFwGnh2+I1Ktm698UAZS9Jt8yjak9wWUICKQO5QUt5k8cHwldQXNXVXFa+TpQWQR5yW1a
|
||||||
|
9okjh5o/3d4cBt1yZPUJJyLKY43Wvptb6EuEsScO2DnRkh5wSMDQ7dTooddJCmaq3LTjOleRFQbu
|
||||||
|
9ij386Do6jzK69mJU56TfdcydkxkWF5NZLGnED3lq+hQNbe+8UI5tD2oP/3r5tXKgMy1R/XPvR/z
|
||||||
|
bfwvx4FAKFOP01awLq4P3d/2xOkMu4Lu9p315E87DOleYwxk+FoTqXEAEQEAAQAH+wVyQXaNwnjQ
|
||||||
|
xfW+M8SJNo0C7e+0d7HsuBTA/d/eP4bj6+X8RaRFVwiMvSAoxsqBNCLJP00qzzKfRQWJseD1H35z
|
||||||
|
UjM7rNVUEL2k1yppyp61S0qj0TdhVUfJDYZqRYonVgRMvzfDTB1ryKrefKenQYL/jGd9VYMnKmWZ
|
||||||
|
6GVk4WWXXx61iOt2HNcmSXKetMM1Mg67woPZkA3fJaXZ+zW0zMu4lTSB7yl3+vLGIFYILkCFnREr
|
||||||
|
drQ+pmIMwozUAt+pBq8dylnkHh6g/FtRfWmLIMDqM1NlyuHRp3dyLDFdTA93osLG0QJblfX54W34
|
||||||
|
byX7a4HASelGi3nPjjOAsTFDkuEEANV2viaWk1CV4ryDrXGmy4Xo32Md+laGPRcVfbJ0mjZjhQsO
|
||||||
|
gWC1tjMs1qZMPhcrKIBCjjdAcAIrGV9h3CXc0uGuez4XxLO+TPBKaS0B8rKhnKph1YZuf+HrOhzS
|
||||||
|
astDnOjNIT+qucCL/qSbdYpj9of3yY61S59WphPOBjoVM3BFBADka6ZCk81gx8jA2E1e9UqQDmdM
|
||||||
|
FZaVA1E7++kqVSFRDJGnq+5GrBTwCJ+sevi+Rvf8Nx4AXvpCdtMBPX9RogsUFcR0pMrKBrgRo/Vg
|
||||||
|
EpuodY2Ef1VtqXR24OxtRf1UwvHKydIsU05rzMAy5uGgQvTzRTXxZFLGUY31wjWqmo9VPQP+PnwA
|
||||||
|
K83EV2kk2bsXwZ9MXg05iXqGQYR4bEc/12v04BtaNaDS53hBDO4JIa3Bnz+5oUoYhb8FgezUKA9I
|
||||||
|
n6RdKTTP1BLAu8titeozpNF07V++dPiSE2wrIVsaNHL1pUwW0ql50titVwe+EglWiCKPtJBcCPUA
|
||||||
|
3oepSPchiDjPqrNCYIkCPgQYAQIACQUCVduM9QIbLgEpCRDny6+OAR23k8BdIAQZAQIABgUCVduM
|
||||||
|
9QAKCRAID0JGyHtSGmqYB/4m4rJbbWa7dBJ8VqRU7ZKnNRDR9CVhEGipBmpDGRYulEimOPzLUX/Z
|
||||||
|
XZmTZzgemeXLBaJJlWnopVUWuAsyjQuZAfdd8nHkGRHG0/DGum0l4sKTta3OPGHNC1z1dAcQ1RCr
|
||||||
|
9bTD3PxjLBczdGqhzw71trkQRBRdtPiUchltPMIyjUHqVJ0xmg0hPqFic0fICsr0YwKoz3h9+QEc
|
||||||
|
ZHvsjSZjgydKvfLYcm+4DDMCCqcHuJrbXJKUWmJcXR0y/+HQONGrGJ5xWdO+6eJioPn2jVMnXCm4
|
||||||
|
EKc7fcLFrz/LKmJ8seXhxjM3EdFtylBGCrx3xdK0f+JDNQaC/rhUb5V2XuX6VwoH/AtY+XsKVYRf
|
||||||
|
NIupLOUcf/srsm3IXT4SXWVomOc9hjGQiJ3rraIbADsc+6bCAr4XNZS7moViAAcIPXFv3m3WfUln
|
||||||
|
G/om78UjQqyVACRZqqAGmuPq+TSkRUCpt9h+A39LQWkojHqyob3cyLgy6z9Q557O9uK3lQozbw2g
|
||||||
|
H9zC0RqnePl+rsWIUU/ga16fH6pWc1uJiEBt8UZGypQ/E56/343epmYAe0a87sHx8iDV+dNtDVKf
|
||||||
|
PRENiLOOc19MmS+phmUyrbHqI91c0pmysYcJZCD3a502X1gpjFbPZcRtiTmGnUKdOIu60YPNE4+h
|
||||||
|
7u2CfYyFPu3AlUaGNMBlvy6PEpU=`
|
||||||
|
|
||||||
|
TestPrivKey2 = `lQOYBFXbkJEBCADKb1ZvlT14XrJa2rTOe5924LQr2PTZlRv+651TXy33yEhelZ+V4sMrELN8fKEG
|
||||||
|
Zy1kNixmbq3MCF/671k3LigHA7VrOaH9iiQgr6IIq2MeIkUYKZ27C992vQkYLjbYUG8+zl5h69S4
|
||||||
|
0Ixm0yL0M54XOJ0gm+maEK1ZESKTUlDNkIS7l0jLZSYwfUeGXSEt6FWs8OgbyRTaHw4PDHrDEE9e
|
||||||
|
Q67K6IZ3YMhPOL4fVk4Jwrp5R/RwiklT+lNozWEyFVwPFH4MeQMs9nMbt+fWlTzEA7tI4acI9yDk
|
||||||
|
Cm1yN2R9rmY0UjODRiJw6z6sLV2T+Pf32n3MNSUOYczOjZa4VBwjABEBAAEAB/oCBqTIsxlUgLtz
|
||||||
|
HRpWW5MJ+93xvmVV0JHhRK/ygKghq+zpC6S+cn7dwrEj1JTPh+17lyemYQK+RMeiBEduoWNKuHUd
|
||||||
|
WX353w2411rrc/VuGTglzhd8Ir2BdJlPesCzw4JQnrWqcBqN52W+iwhnE7PWVhnvItWnx6APK5Se
|
||||||
|
q7dzFWy8Z8tNIHm0pBQbeyo6x2rHHSWkr2fs7V02qFQhii1ayFRMcgdOWSNX6CaZJuYhk/DyjApN
|
||||||
|
9pVhi3P1pNMpFeV0Pt8Gl1f/9o6/HpAYYEt/6vtVRhFUGgtNi95oc0oyzIJxliRvd6+Z236osigQ
|
||||||
|
QEBwj1ImRK8TKyWPlykiJWc5BADfldgOCA55o3Qz/z/oVE1mm+a3FmPPTQlHBXotNEsrWV2wmJHe
|
||||||
|
lNQPI6ZwMtLrBSg8PUpG2Rvao6XJ4ZBl/VcDwfcLgCnALPCcL0L0Z3vH3Sc9Ta/bQWJODG7uSaI1
|
||||||
|
iVJ7ArKNtVzTqRQWK967mol9CCqh4A0jRrH0aVEFbrqQ/QQA58iEJaFhzFZjufjC9N8Isn3Ky7xu
|
||||||
|
h+dk001RNCb1GnNZcx4Ld2IB+uXyYjtg7dNaUhGgGuCBo9nax89bMsBzzUukx3SHq1pxopMg6Dm8
|
||||||
|
ImBoIAicuQWgEkaP2T0rlwCozUalJZaG1gyrzkPhkeY7CglpJycHLHfY2MIb46c8+58D/iJ83Q5j
|
||||||
|
Y4x+sqW2QeUYFwqCcOW8Urg64UxEkgXZXiNMwTAJCaxp/Pz7cgeUDwgv+6CXEdnT1910+byzK9ha
|
||||||
|
V1Q/65+/JYuCeyHxcoAb4Wtpdl7GALGd/1G0UAmq47yrefEr/b00uS35i1qUUhOzo1NmEZch/bvF
|
||||||
|
kmJ+WtAHunZcOCu0EFZhdWx0IFRlc3QgS2V5IDKJATgEEwECACIFAlXbkJECGy8GCwkIBwMCBhUI
|
||||||
|
AgkKCwQWAgMBAh4BAheAAAoJEOuDLGfrXolXqz4H/28IuoRxGKoJ064YHjPkkpoddW6zdzzNfHip
|
||||||
|
ZnNfEUiTEls4qF1IB81M2xqfiXIFRIdO2kaLkRPFhO0hRxbtI6VuZYLgG3QCaXhxW6GyFa5zKABq
|
||||||
|
hb5ojexdnAYRswaHV201ZCclj9rnJN1PAg0Rz6MdX/w1euEWktQxWKo42oZKyx8oT9p6lrv5KRmG
|
||||||
|
kdrg8K8ARmRILjmwuBAgJM0eXBZHNGWXelk4YmOgnAAcZA6ZAo1G+8Pg6pKKP61ETewuCg3/u7N0
|
||||||
|
vDttB+ZXqF88W9jAYlvdgbTtajNF5IDYDjTzWfeCaIB18F9gOzXq15SwWeDDI+CU9Nmq358IzXlx
|
||||||
|
k4edA5gEVduQkQEIAOjZV5tbpfIh5QefpIp2dpGMVfpgPj4RNc15CyFnb8y6dhCrdybkY9GveXJe
|
||||||
|
4F3GNYnSfB42cgxrfhizX3LakmZQ/SAg+YO5KxfCIN7Q9LPNeTgPsZZT6h8lVuXUxOFKXfRaR3/t
|
||||||
|
GF5xE3e5CoZRsHV/c92h3t1LdJNOnC5mUKIPO4zDxiw/C2T2q3rP1kmIMaOH724kEH5A+xcp1cBH
|
||||||
|
yt0tdHtIWuQv6joTJzujqViRhlCwQYzQSKpSBxwhBsorPvyinZI/ZXA4XXZc5RoMqV9rikedrb1r
|
||||||
|
ENO8JOuPu6tMS+znFu67skq2gFFZwCQWIjdHm+2ukE+PE580WAWudyMAEQEAAQAH/i7ndRPI+t0T
|
||||||
|
AdEu0dTIdyrrg3g7gd471kQtIVZZwTYSy2yhNY/Ciu72s3ab8QNCxY8dNL5bRk8FKjHslAoNSFdO
|
||||||
|
8iZSLiDgIHOZOcjYe6pqdgQaeTHodm1Otrn2SbB+K/3oX6W/y1xe18aSojGba/nHMj5PeJbIN9Pi
|
||||||
|
jmh0WMLD/0rmkTTxR7qQ5+kMV4O29xY4qjdYRD5O0adeZX0mNncmlmQ+rX9yxrtSgFROu1jwVtfP
|
||||||
|
hcNetifTTshJnTwND8hux5ECEadlIVBHypW28Hth9TRBXmddTmv7L7mdtUO6DybgkpWpw4k4LPsk
|
||||||
|
uZ6aY4wcGRp7EVfWGr9NHbq/n+0EAOlhDXIGdylkQsndjBMyhPsXZa5fFBmOyHjXj733195Jgr1v
|
||||||
|
ZjaIomrA9cvYrmN75oKrG1jJsMEl6HfC/ZPzEj6E51/p1PRdHP7CdUUA+DG8x4M3jn+e43psVuAR
|
||||||
|
a1XbN+8/bOa0ubt7ljVPjAEvWRSvU9dRaQz93w3fduAuM07dBAD/ayK3e0d6JMJMrU50lNOXQBgL
|
||||||
|
rFbg4rWzPO9BJQdhjOhmOZQiUa1Q+EV+s95yIUg1OAfaMP9KRIljr5RCdGNS6WoMNBAQOSrZpelf
|
||||||
|
jW4NpzphNfWDGVkUoPoskVtJz/nu9d860dGd3Al0kSmtUpMu5QKlo+sSxXUPbWLUn8V9/wP/ScCW
|
||||||
|
H+0gtL4R7SFazPeTIP+Cu5oR7A/DlFVLJKa3vo+atkhSvwxHGbg04vb/W4mKhGGVtMBtlhRmaWOe
|
||||||
|
PhUulU5FdaYsdlpN/Yd+hhgU6NHlyImPGVEHWD8c6CG8qoZfpR33j2sqshs4i/MtJZeBvl62vxPn
|
||||||
|
9bDN7KAjFNll9axAjIkCPgQYAQIACQUCVduQkQIbLgEpCRDrgyxn616JV8BdIAQZAQIABgUCVduQ
|
||||||
|
kQAKCRArYtevdF38xtzgB/4zVzozBpVOnagRkA7FDsHo36xX60Lik+ew0m28ueDDhnV3bXQsCvn/
|
||||||
|
6wiCVWqLOTDeYCPlyTTpEMyk8zwdCICW6MgSkVHWcEDOrRqIrqm86rirjTGjJSgQe3l4CqJvkn6j
|
||||||
|
ybShYoBk1OZZV6vVv9hPTXXv9E6dLKoEW5YZBrrF+VC0w1iOIvaAQ+QXph20eV4KBIrp/bhG6Pdn
|
||||||
|
igKxuBZ79cdqDnXIzT9UiIa6LYpR0rbeg+7BmuZTTPS8t+41hIiKS+UZFdKa67eYENtyOmEMWOFC
|
||||||
|
LLRJGxkleukchiMJ70rknloZXsvJIweXBzSZ6m7mJQBgaig/L/dXyjv6+j2pNB4H/1trYUtJjXQK
|
||||||
|
HmqlgCmpCkHt3g7JoxWvglnDNmE6q3hIWuVIYQpnzZy1g05+X9Egwc1WVpBB02H7PkUZTfpaP/L6
|
||||||
|
DLneMmSKPhZE3I+lPIPjwrxqh6xy5uQezcWkJTNKvPWF4FJzrVvx7XTPjfGvOB0UPEnjvtZTp5yO
|
||||||
|
hTeZK7DgIEtb/Wcrqs+iRArQKboM930ORSZhwvGK3F9V/gMDpIrvge5vDFsTEYQdw/2epIewH0L/
|
||||||
|
FUb/6jBRcVEpGo9Ayg+Jnhq14GOGcd1y9oMZ48kYVLVBTA9tQ+82WE8Bch7uFPj4MFOMVRn1dc3q
|
||||||
|
dXlg3mimA+iK7tABQfG0RJ9YzWs=`
|
||||||
|
|
||||||
|
TestPrivKey3 = `lQOXBFXbkiMBCACiHW4/VI2JkfvSEINddS7vE6wEu5e1leNQDaLUh6PrATQZS2a4Q6kRE6WlJumj
|
||||||
|
6wCeN753Cm93UGQl2Bi3USIEeArIZnPTcocrckOVXxtoLBNKXgqKvEsDXgfw8A+doSfXoDm/3Js4
|
||||||
|
Wy3WsYKNR9LaPuJZHnpjsFAJhvRVyhH4UFD+1RTSSefq1mozPfDdMoZeZNEpfhwt3DuTJs7RqcTH
|
||||||
|
CgR2CqhEHnOOE5jJUljHKYLCglE2+8dth1bZlQi4xly/VHZzP3Bn7wKeolK/ROP6VZz/e0xq/BKy
|
||||||
|
resmxvlBWZ1zWwqGIrV9b0uwYvGrh2hOd5C5+5oGaA2MGcjxwaLBABEBAAEAB/dQbElFIa0VklZa
|
||||||
|
39ZLhtbBxACSWH3ql3EtRZaB2Mh4zSALbFyJDQfScOy8AZHmv66Ozxit9X9WsYr9OzcHujgl/2da
|
||||||
|
A3lybF6iLw1YDNaL11G6kuyn5sFP6lYGMRGOIWSik9oSVF6slo8m8ujRLdBsdMXVcElHKzCJiWmt
|
||||||
|
JZHEnUkl9X96fIPajMBfWjHHwcaeMOc77nvjwqy5wC4EY8TSVYzxeZHL7DADQ0EHBcThlmfizpCq
|
||||||
|
26LMVb6ju8STH7uDDFyKmhr/hC2vOkt+PKsvBCmW8/ESanO1zKPD9cvSsOWr2rZWNnkDRftqzOU5
|
||||||
|
OCrI+3o9E74+toNb07bPntEEAMEStOzSvqZ6NKdh7EZYPA4mkkFC+EiHYIoinP1sd9V8O2Hq+dzx
|
||||||
|
yFHtWu0LmP6uWXk45vsP9y1UMJcEa33ew5JJa7zgucI772/BNvd/Oys/PqwIAl6uNIY8uYLgmn4L
|
||||||
|
1IPatp7vDiXzZSivPZd4yN4S4zCypZp9cnpO3qv8q7CtBADW87IA0TabdoxiN+m4XL7sYDRIfglr
|
||||||
|
MRPAlfrkAUaGDBx/t1xb6IaKk7giFdwHpTI6+g9XNkqKqogMe4Fp+nsd1xtfsNUBn6iKZavm5kXe
|
||||||
|
Lp9QgE+K6mvIreOTe2PKQqXqgPRG6+SRGatoKeY76fIpd8AxOJyWERxcq2lUHLn45QP/UXDTcYB7
|
||||||
|
gzJtZrfpXN0GqQ0lYXMzbQfLnkUsu3mYzArfNy0otzEmKTkwmKclNY1/EJSzSdHfgmeA260a0nLK
|
||||||
|
64C0wPgSmOqw90qwi5odAYSjSFBapDbyGF86JpHrLxyEEpGoXanRPwWfbiWp19Nwg6nknA87AtaM
|
||||||
|
3+AHjbWzwCpHL7QQVmF1bHQgVGVzdCBLZXkgM4kBOAQTAQIAIgUCVduSIwIbLwYLCQgHAwIGFQgC
|
||||||
|
CQoLBBYCAwECHgECF4AACgkQ9HlLVvwtxt1aMQf/aaGoL1rRWTUjM6DEShXFhWpV29rEjSdNk5N+
|
||||||
|
ZwVifgdCVD5IsSjI1Z7mO2SHHiTm4eKnHAofM6/TZgzXg1YLpu8rDYJARMsM8bgK/xgxSamGjm2c
|
||||||
|
wN220jOnwePIlG0drNTW5N6zb/K6qHoscJ6NUkjS5JPdGJuq7B0bdCM8/xSbG75gL34U5bYqK38B
|
||||||
|
DwmW4UMl2rf/BJfxV9hmsZ2Cat4TspgyiWEKTMZI+PugXKDDwuoqgm+320K4EqFkwG4y/WwHkKgk
|
||||||
|
hZ0+io5lzhTsvVd2p8q8VlH9GG5eA3WWQj0yqucsOmKQvcuT5y0vFY6NQJbyuioqgdlgEXtc+p0B
|
||||||
|
+Z0DmARV25IjAQgA49yN3hCBsuWoiTezoE9FHJXOCVOBR1/4jStQPJtoMl8mhtl3xTp7iGQ+9GhD
|
||||||
|
y0l5+fP+qcP/rfBq0BslhxVOZ7jQjdUoM6ZUZzJoPGIo/V2KwqpwQl3tdCIjvagCJeYQfTL7lTCc
|
||||||
|
4ySz+XBoAYMwZVGMcRcjp+JE8Wx9Ovzuq8wnelbU6I5dVJ7O4E1OWbIkLuytDX+fDEvfft6/oPXN
|
||||||
|
Bl3cm6FzEuQetQQss3DOG9xnvS+DrjmMCbPwR2a++ioQ8+geoqA/kB4cAI6xOb3ncoeGDHc1i4Y9
|
||||||
|
T9Ggi+6Aq3girmfDtNYVOM8cZUXcZNCvLkJn8DNeIvnuFUSEO+a5PwARAQABAAf/TPd98CmRNdV/
|
||||||
|
VUI8aYT9Kkervdi4DVzsfvrHcoFn88PSJrCkVTmI6qw526Kwa6VZD0YMmll7LszLt5nD1lorDrwN
|
||||||
|
rir3FmMzlVwge20IvXRwX4rkunYxtA2oFvL+LsEEhtXGx0ERbWRDapk+eGxQ15hxIO4Y/Cdg9E+a
|
||||||
|
CWfQUrTSnC6qMVfVYMGfnM1yNX3OWattEFfmxQas5XqQk/0FgjCZALixdanjN/r1tjp5/2MiSD8N
|
||||||
|
Wkemzsr6yPicnc3+BOZc5YOOnH8FqBvVHcDlSJI6pCOCEiO3Pq2QEk/1evONulbF116mLnQoGrpp
|
||||||
|
W77l+5O42VUpZfjROCPd5DYyMQQA492CFXZpDIJ2emB9/nK8X6IzdVRK3oof8btbSNnme5afIzhs
|
||||||
|
wR1ruX30O7ThfB+5ezpbgK1C988CWkr9SNSTy43omarafGig6/Y1RzdiITILuIGfbChoSpc70jXx
|
||||||
|
U0nzJ/1i9yZ/vDgP3EC2miRhlDcp5w0Bu0oMBlgG/1uhj0cEAP/+7aFGP0fo2MZPhyl5feHKWj4k
|
||||||
|
85XoAIpMBnzF6HTGU3ljAE56a+4sVw3bWB755DPhvpZvDkX60I9iIJxio8TK5ITdfjlLhxuskXyt
|
||||||
|
ycwWI/4J+soeq4meoxK9jxZJuDl/qvoGfyzNg1oy2OBehX8+6erW46kr6Z/MQutS3zJJBACmJHrK
|
||||||
|
VR40qD7a8KbvfuM3ruwlm5JqT/Ykq1gfKKxHjWDIUIeyBX/axGQvAGNYeuuQCzZ0+QsEWur3C4kN
|
||||||
|
U+Pb5K1WGyOKkhJzivSI56AG3d8TA/Q0JhqST6maY0fvUoahWSCcpd7MULa3n1zx5Wsvi8mkVtup
|
||||||
|
Js/IDi/kqneqM0XviQI+BBgBAgAJBQJV25IjAhsuASkJEPR5S1b8LcbdwF0gBBkBAgAGBQJV25Ij
|
||||||
|
AAoJEAUj/03Hcrkg84UIAKxn9nizYtwSgDnVNb5PnD5h6+Ui6r7ffYm2o0im4YhakbFTHIPI9PRh
|
||||||
|
BavRI5sE5Fg2vtE/x38jattoUrJoNoq9Gh9iv5PBfL3amEGjul0RRqYGl+ub+yv7YGAAHbHcdZen
|
||||||
|
4gx15VWGpB7y3hycWbdzV8h3EAPKIm5XmB7YyXmArnI3CoJA+HtTZGoL6WZWUwka9YichGfaZ/oD
|
||||||
|
umENg1l87Pp2RqvjLKHmv2tGCtnDzyv/IiWur9zopFQiCc8ysVgRq6CA5x5nzbv6MqRspYUS4e2I
|
||||||
|
LFbuREA3blR+caw9oX41IYzarW8IbgeIXJ3HqUyhczRKF/z5nDKtX/kHMCqlbAgAnfu0TALnwVuj
|
||||||
|
KeXLo4Y7OA9LTEqfORcw62q5OjSoQf/VsRSwGSefv3kGZk5N/igELluU3qpG/twZI/TSL6zGqXU2
|
||||||
|
FOMlyMm1849TOB9b4B//4dHrjzPhztzowKMMUqeTxmSgYtFTshKN6eQ0XO+7ZuOXEmSKXS4kOUs9
|
||||||
|
ttfzSiPNXUZL2D5nFU9H7rw3VAuXYVTrOx+Dfi6mYsscbxUbi8THODI2Q7B9Ni92DJE1OOe4+57o
|
||||||
|
fXZ9ln24I14bna/uVHd6hBwLEE6eLCCKkHxQnnZFZduXDHMK0a0OL8RYHfMtNSem4pyC5wDQui1u
|
||||||
|
KFIzGEPKVoBF9U7VBXpyxpsz+A==`
|
||||||
|
|
||||||
|
TestPubKey1 = `mQENBFXbjPUBCADjNjCUQwfxKL+RR2GA6pv/1K+zJZ8UWIF9S0lk7cVIEfJiprzzwiMwBS5cD0da
|
||||||
|
rGin1FHvIWOZxujA7oW0O2TUuatqI3aAYDTfRYurh6iKLC+VS+F7H+/mhfFvKmgr0Y5kDCF1j0T/
|
||||||
|
063QZ84IRGucR/X43IY7kAtmxGXH0dYOCzOe5UBX1fTn3mXGe2ImCDWBH7gOViynXmb6XNvXkP0f
|
||||||
|
sF5St9jhO7mbZU9EFkv9O3t3EaURfHopsCVDOlCkFCw5ArY+DUORHRzoMX0PnkyQb5OzibkChzpg
|
||||||
|
8hQssKeVGpuskTdz5Q7PtdW71jXd4fFVzoNH8fYwRpziD2xNvi6HABEBAAG0EFZhdWx0IFRlc3Qg
|
||||||
|
S2V5IDGJATgEEwECACIFAlXbjPUCGy8GCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEOfLr44B
|
||||||
|
HbeTo+sH/i7bapIgPnZsJ81hmxPj4W12uvunksGJiC7d4hIHsG7kmJRTJfjECi+AuTGeDwBy84TD
|
||||||
|
cRaOB6e79fj65Fg6HgSahDUtKJbGxj/lWzmaBuTzlN3CEe8cMwIPqPT2kajJVdOyrvkyuFOdPFOE
|
||||||
|
A7bdCH0MqgIdM2SdF8t40k/ATfuD2K1ZmumJ508I3gF39jgTnPzD4C8quswrMQ3bzfvKC3klXRlB
|
||||||
|
C0yoArn+0QA3cf2B9T4zJ2qnvgotVbeK/b1OJRNj6Poeo+SsWNc/A5mw7lGScnDgL3yfwCm1gQXa
|
||||||
|
QKfOt5x+7GqhWDw10q+bJpJlI10FfzAnhMF9etSqSeURBRW5AQ0EVduM9QEIAL53hJ5bZJ7oEDCn
|
||||||
|
aY+SCzt9QsAfnFTAnZJQrvkvusJzrTQ088eUQmAjvxkfRqnv981fFwGnh2+I1Ktm698UAZS9Jt8y
|
||||||
|
jak9wWUICKQO5QUt5k8cHwldQXNXVXFa+TpQWQR5yW1a9okjh5o/3d4cBt1yZPUJJyLKY43Wvptb
|
||||||
|
6EuEsScO2DnRkh5wSMDQ7dTooddJCmaq3LTjOleRFQbu9ij386Do6jzK69mJU56TfdcydkxkWF5N
|
||||||
|
ZLGnED3lq+hQNbe+8UI5tD2oP/3r5tXKgMy1R/XPvR/zbfwvx4FAKFOP01awLq4P3d/2xOkMu4Lu
|
||||||
|
9p315E87DOleYwxk+FoTqXEAEQEAAYkCPgQYAQIACQUCVduM9QIbLgEpCRDny6+OAR23k8BdIAQZ
|
||||||
|
AQIABgUCVduM9QAKCRAID0JGyHtSGmqYB/4m4rJbbWa7dBJ8VqRU7ZKnNRDR9CVhEGipBmpDGRYu
|
||||||
|
lEimOPzLUX/ZXZmTZzgemeXLBaJJlWnopVUWuAsyjQuZAfdd8nHkGRHG0/DGum0l4sKTta3OPGHN
|
||||||
|
C1z1dAcQ1RCr9bTD3PxjLBczdGqhzw71trkQRBRdtPiUchltPMIyjUHqVJ0xmg0hPqFic0fICsr0
|
||||||
|
YwKoz3h9+QEcZHvsjSZjgydKvfLYcm+4DDMCCqcHuJrbXJKUWmJcXR0y/+HQONGrGJ5xWdO+6eJi
|
||||||
|
oPn2jVMnXCm4EKc7fcLFrz/LKmJ8seXhxjM3EdFtylBGCrx3xdK0f+JDNQaC/rhUb5V2XuX6VwoH
|
||||||
|
/AtY+XsKVYRfNIupLOUcf/srsm3IXT4SXWVomOc9hjGQiJ3rraIbADsc+6bCAr4XNZS7moViAAcI
|
||||||
|
PXFv3m3WfUlnG/om78UjQqyVACRZqqAGmuPq+TSkRUCpt9h+A39LQWkojHqyob3cyLgy6z9Q557O
|
||||||
|
9uK3lQozbw2gH9zC0RqnePl+rsWIUU/ga16fH6pWc1uJiEBt8UZGypQ/E56/343epmYAe0a87sHx
|
||||||
|
8iDV+dNtDVKfPRENiLOOc19MmS+phmUyrbHqI91c0pmysYcJZCD3a502X1gpjFbPZcRtiTmGnUKd
|
||||||
|
OIu60YPNE4+h7u2CfYyFPu3AlUaGNMBlvy6PEpU=`
|
||||||
|
|
||||||
|
TestPubKey2 = `mQENBFXbkJEBCADKb1ZvlT14XrJa2rTOe5924LQr2PTZlRv+651TXy33yEhelZ+V4sMrELN8fKEG
|
||||||
|
Zy1kNixmbq3MCF/671k3LigHA7VrOaH9iiQgr6IIq2MeIkUYKZ27C992vQkYLjbYUG8+zl5h69S4
|
||||||
|
0Ixm0yL0M54XOJ0gm+maEK1ZESKTUlDNkIS7l0jLZSYwfUeGXSEt6FWs8OgbyRTaHw4PDHrDEE9e
|
||||||
|
Q67K6IZ3YMhPOL4fVk4Jwrp5R/RwiklT+lNozWEyFVwPFH4MeQMs9nMbt+fWlTzEA7tI4acI9yDk
|
||||||
|
Cm1yN2R9rmY0UjODRiJw6z6sLV2T+Pf32n3MNSUOYczOjZa4VBwjABEBAAG0EFZhdWx0IFRlc3Qg
|
||||||
|
S2V5IDKJATgEEwECACIFAlXbkJECGy8GCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEOuDLGfr
|
||||||
|
XolXqz4H/28IuoRxGKoJ064YHjPkkpoddW6zdzzNfHipZnNfEUiTEls4qF1IB81M2xqfiXIFRIdO
|
||||||
|
2kaLkRPFhO0hRxbtI6VuZYLgG3QCaXhxW6GyFa5zKABqhb5ojexdnAYRswaHV201ZCclj9rnJN1P
|
||||||
|
Ag0Rz6MdX/w1euEWktQxWKo42oZKyx8oT9p6lrv5KRmGkdrg8K8ARmRILjmwuBAgJM0eXBZHNGWX
|
||||||
|
elk4YmOgnAAcZA6ZAo1G+8Pg6pKKP61ETewuCg3/u7N0vDttB+ZXqF88W9jAYlvdgbTtajNF5IDY
|
||||||
|
DjTzWfeCaIB18F9gOzXq15SwWeDDI+CU9Nmq358IzXlxk4e5AQ0EVduQkQEIAOjZV5tbpfIh5Qef
|
||||||
|
pIp2dpGMVfpgPj4RNc15CyFnb8y6dhCrdybkY9GveXJe4F3GNYnSfB42cgxrfhizX3LakmZQ/SAg
|
||||||
|
+YO5KxfCIN7Q9LPNeTgPsZZT6h8lVuXUxOFKXfRaR3/tGF5xE3e5CoZRsHV/c92h3t1LdJNOnC5m
|
||||||
|
UKIPO4zDxiw/C2T2q3rP1kmIMaOH724kEH5A+xcp1cBHyt0tdHtIWuQv6joTJzujqViRhlCwQYzQ
|
||||||
|
SKpSBxwhBsorPvyinZI/ZXA4XXZc5RoMqV9rikedrb1rENO8JOuPu6tMS+znFu67skq2gFFZwCQW
|
||||||
|
IjdHm+2ukE+PE580WAWudyMAEQEAAYkCPgQYAQIACQUCVduQkQIbLgEpCRDrgyxn616JV8BdIAQZ
|
||||||
|
AQIABgUCVduQkQAKCRArYtevdF38xtzgB/4zVzozBpVOnagRkA7FDsHo36xX60Lik+ew0m28ueDD
|
||||||
|
hnV3bXQsCvn/6wiCVWqLOTDeYCPlyTTpEMyk8zwdCICW6MgSkVHWcEDOrRqIrqm86rirjTGjJSgQ
|
||||||
|
e3l4CqJvkn6jybShYoBk1OZZV6vVv9hPTXXv9E6dLKoEW5YZBrrF+VC0w1iOIvaAQ+QXph20eV4K
|
||||||
|
BIrp/bhG6PdnigKxuBZ79cdqDnXIzT9UiIa6LYpR0rbeg+7BmuZTTPS8t+41hIiKS+UZFdKa67eY
|
||||||
|
ENtyOmEMWOFCLLRJGxkleukchiMJ70rknloZXsvJIweXBzSZ6m7mJQBgaig/L/dXyjv6+j2pNB4H
|
||||||
|
/1trYUtJjXQKHmqlgCmpCkHt3g7JoxWvglnDNmE6q3hIWuVIYQpnzZy1g05+X9Egwc1WVpBB02H7
|
||||||
|
PkUZTfpaP/L6DLneMmSKPhZE3I+lPIPjwrxqh6xy5uQezcWkJTNKvPWF4FJzrVvx7XTPjfGvOB0U
|
||||||
|
PEnjvtZTp5yOhTeZK7DgIEtb/Wcrqs+iRArQKboM930ORSZhwvGK3F9V/gMDpIrvge5vDFsTEYQd
|
||||||
|
w/2epIewH0L/FUb/6jBRcVEpGo9Ayg+Jnhq14GOGcd1y9oMZ48kYVLVBTA9tQ+82WE8Bch7uFPj4
|
||||||
|
MFOMVRn1dc3qdXlg3mimA+iK7tABQfG0RJ9YzWs=`
|
||||||
|
|
||||||
|
TestPubKey3 = `mQENBFXbkiMBCACiHW4/VI2JkfvSEINddS7vE6wEu5e1leNQDaLUh6PrATQZS2a4Q6kRE6WlJumj
|
||||||
|
6wCeN753Cm93UGQl2Bi3USIEeArIZnPTcocrckOVXxtoLBNKXgqKvEsDXgfw8A+doSfXoDm/3Js4
|
||||||
|
Wy3WsYKNR9LaPuJZHnpjsFAJhvRVyhH4UFD+1RTSSefq1mozPfDdMoZeZNEpfhwt3DuTJs7RqcTH
|
||||||
|
CgR2CqhEHnOOE5jJUljHKYLCglE2+8dth1bZlQi4xly/VHZzP3Bn7wKeolK/ROP6VZz/e0xq/BKy
|
||||||
|
resmxvlBWZ1zWwqGIrV9b0uwYvGrh2hOd5C5+5oGaA2MGcjxwaLBABEBAAG0EFZhdWx0IFRlc3Qg
|
||||||
|
S2V5IDOJATgEEwECACIFAlXbkiMCGy8GCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEPR5S1b8
|
||||||
|
LcbdWjEH/2mhqC9a0Vk1IzOgxEoVxYVqVdvaxI0nTZOTfmcFYn4HQlQ+SLEoyNWe5jtkhx4k5uHi
|
||||||
|
pxwKHzOv02YM14NWC6bvKw2CQETLDPG4Cv8YMUmpho5tnMDdttIzp8HjyJRtHazU1uTes2/yuqh6
|
||||||
|
LHCejVJI0uST3RibquwdG3QjPP8Umxu+YC9+FOW2Kit/AQ8JluFDJdq3/wSX8VfYZrGdgmreE7KY
|
||||||
|
MolhCkzGSPj7oFygw8LqKoJvt9tCuBKhZMBuMv1sB5CoJIWdPoqOZc4U7L1XdqfKvFZR/RhuXgN1
|
||||||
|
lkI9MqrnLDpikL3Lk+ctLxWOjUCW8roqKoHZYBF7XPqdAfm5AQ0EVduSIwEIAOPcjd4QgbLlqIk3
|
||||||
|
s6BPRRyVzglTgUdf+I0rUDybaDJfJobZd8U6e4hkPvRoQ8tJefnz/qnD/63watAbJYcVTme40I3V
|
||||||
|
KDOmVGcyaDxiKP1disKqcEJd7XQiI72oAiXmEH0y+5UwnOMks/lwaAGDMGVRjHEXI6fiRPFsfTr8
|
||||||
|
7qvMJ3pW1OiOXVSezuBNTlmyJC7srQ1/nwxL337ev6D1zQZd3JuhcxLkHrUELLNwzhvcZ70vg645
|
||||||
|
jAmz8EdmvvoqEPPoHqKgP5AeHACOsTm953KHhgx3NYuGPU/RoIvugKt4Iq5nw7TWFTjPHGVF3GTQ
|
||||||
|
ry5CZ/AzXiL57hVEhDvmuT8AEQEAAYkCPgQYAQIACQUCVduSIwIbLgEpCRD0eUtW/C3G3cBdIAQZ
|
||||||
|
AQIABgUCVduSIwAKCRAFI/9Nx3K5IPOFCACsZ/Z4s2LcEoA51TW+T5w+YevlIuq+332JtqNIpuGI
|
||||||
|
WpGxUxyDyPT0YQWr0SObBORYNr7RP8d/I2rbaFKyaDaKvRofYr+TwXy92phBo7pdEUamBpfrm/sr
|
||||||
|
+2BgAB2x3HWXp+IMdeVVhqQe8t4cnFm3c1fIdxADyiJuV5ge2Ml5gK5yNwqCQPh7U2RqC+lmVlMJ
|
||||||
|
GvWInIRn2mf6A7phDYNZfOz6dkar4yyh5r9rRgrZw88r/yIlrq/c6KRUIgnPMrFYEauggOceZ827
|
||||||
|
+jKkbKWFEuHtiCxW7kRAN25UfnGsPaF+NSGM2q1vCG4HiFydx6lMoXM0Shf8+ZwyrV/5BzAqpWwI
|
||||||
|
AJ37tEwC58Fboynly6OGOzgPS0xKnzkXMOtquTo0qEH/1bEUsBknn795BmZOTf4oBC5blN6qRv7c
|
||||||
|
GSP00i+sxql1NhTjJcjJtfOPUzgfW+Af/+HR648z4c7c6MCjDFKnk8ZkoGLRU7ISjenkNFzvu2bj
|
||||||
|
lxJkil0uJDlLPbbX80ojzV1GS9g+ZxVPR+68N1QLl2FU6zsfg34upmLLHG8VG4vExzgyNkOwfTYv
|
||||||
|
dgyRNTjnuPue6H12fZZ9uCNeG52v7lR3eoQcCxBOniwgipB8UJ52RWXblwxzCtGtDi/EWB3zLTUn
|
||||||
|
puKcgucA0LotbihSMxhDylaARfVO1QV6csabM/g=`
|
||||||
|
|
||||||
|
TestAAPubKey1 = `-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||||
|
Version: GnuPG v1
|
||||||
|
|
||||||
|
mQENBFXbjPUBCADjNjCUQwfxKL+RR2GA6pv/1K+zJZ8UWIF9S0lk7cVIEfJiprzz
|
||||||
|
wiMwBS5cD0darGin1FHvIWOZxujA7oW0O2TUuatqI3aAYDTfRYurh6iKLC+VS+F7
|
||||||
|
H+/mhfFvKmgr0Y5kDCF1j0T/063QZ84IRGucR/X43IY7kAtmxGXH0dYOCzOe5UBX
|
||||||
|
1fTn3mXGe2ImCDWBH7gOViynXmb6XNvXkP0fsF5St9jhO7mbZU9EFkv9O3t3EaUR
|
||||||
|
fHopsCVDOlCkFCw5ArY+DUORHRzoMX0PnkyQb5OzibkChzpg8hQssKeVGpuskTdz
|
||||||
|
5Q7PtdW71jXd4fFVzoNH8fYwRpziD2xNvi6HABEBAAG0EFZhdWx0IFRlc3QgS2V5
|
||||||
|
IDGJATgEEwECACIFAlXbjPUCGy8GCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJ
|
||||||
|
EOfLr44BHbeTo+sH/i7bapIgPnZsJ81hmxPj4W12uvunksGJiC7d4hIHsG7kmJRT
|
||||||
|
JfjECi+AuTGeDwBy84TDcRaOB6e79fj65Fg6HgSahDUtKJbGxj/lWzmaBuTzlN3C
|
||||||
|
Ee8cMwIPqPT2kajJVdOyrvkyuFOdPFOEA7bdCH0MqgIdM2SdF8t40k/ATfuD2K1Z
|
||||||
|
mumJ508I3gF39jgTnPzD4C8quswrMQ3bzfvKC3klXRlBC0yoArn+0QA3cf2B9T4z
|
||||||
|
J2qnvgotVbeK/b1OJRNj6Poeo+SsWNc/A5mw7lGScnDgL3yfwCm1gQXaQKfOt5x+
|
||||||
|
7GqhWDw10q+bJpJlI10FfzAnhMF9etSqSeURBRW5AQ0EVduM9QEIAL53hJ5bZJ7o
|
||||||
|
EDCnaY+SCzt9QsAfnFTAnZJQrvkvusJzrTQ088eUQmAjvxkfRqnv981fFwGnh2+I
|
||||||
|
1Ktm698UAZS9Jt8yjak9wWUICKQO5QUt5k8cHwldQXNXVXFa+TpQWQR5yW1a9okj
|
||||||
|
h5o/3d4cBt1yZPUJJyLKY43Wvptb6EuEsScO2DnRkh5wSMDQ7dTooddJCmaq3LTj
|
||||||
|
OleRFQbu9ij386Do6jzK69mJU56TfdcydkxkWF5NZLGnED3lq+hQNbe+8UI5tD2o
|
||||||
|
P/3r5tXKgMy1R/XPvR/zbfwvx4FAKFOP01awLq4P3d/2xOkMu4Lu9p315E87DOle
|
||||||
|
Ywxk+FoTqXEAEQEAAYkCPgQYAQIACQUCVduM9QIbLgEpCRDny6+OAR23k8BdIAQZ
|
||||||
|
AQIABgUCVduM9QAKCRAID0JGyHtSGmqYB/4m4rJbbWa7dBJ8VqRU7ZKnNRDR9CVh
|
||||||
|
EGipBmpDGRYulEimOPzLUX/ZXZmTZzgemeXLBaJJlWnopVUWuAsyjQuZAfdd8nHk
|
||||||
|
GRHG0/DGum0l4sKTta3OPGHNC1z1dAcQ1RCr9bTD3PxjLBczdGqhzw71trkQRBRd
|
||||||
|
tPiUchltPMIyjUHqVJ0xmg0hPqFic0fICsr0YwKoz3h9+QEcZHvsjSZjgydKvfLY
|
||||||
|
cm+4DDMCCqcHuJrbXJKUWmJcXR0y/+HQONGrGJ5xWdO+6eJioPn2jVMnXCm4EKc7
|
||||||
|
fcLFrz/LKmJ8seXhxjM3EdFtylBGCrx3xdK0f+JDNQaC/rhUb5V2XuX6VwoH/AtY
|
||||||
|
+XsKVYRfNIupLOUcf/srsm3IXT4SXWVomOc9hjGQiJ3rraIbADsc+6bCAr4XNZS7
|
||||||
|
moViAAcIPXFv3m3WfUlnG/om78UjQqyVACRZqqAGmuPq+TSkRUCpt9h+A39LQWko
|
||||||
|
jHqyob3cyLgy6z9Q557O9uK3lQozbw2gH9zC0RqnePl+rsWIUU/ga16fH6pWc1uJ
|
||||||
|
iEBt8UZGypQ/E56/343epmYAe0a87sHx8iDV+dNtDVKfPRENiLOOc19MmS+phmUy
|
||||||
|
rbHqI91c0pmysYcJZCD3a502X1gpjFbPZcRtiTmGnUKdOIu60YPNE4+h7u2CfYyF
|
||||||
|
Pu3AlUaGNMBlvy6PEpU=
|
||||||
|
=NUTS
|
||||||
|
-----END PGP PUBLIC KEY BLOCK-----`
|
||||||
|
)
|
27
vendor/github.com/keybase/go-crypto/LICENSE
generated
vendored
Normal file
27
vendor/github.com/keybase/go-crypto/LICENSE
generated
vendored
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
Copyright (c) 2009 The Go Authors. All rights reserved.
|
||||||
|
|
||||||
|
Redistribution and use in source and binary forms, with or without
|
||||||
|
modification, are permitted provided that the following conditions are
|
||||||
|
met:
|
||||||
|
|
||||||
|
* Redistributions of source code must retain the above copyright
|
||||||
|
notice, this list of conditions and the following disclaimer.
|
||||||
|
* Redistributions in binary form must reproduce the above
|
||||||
|
copyright notice, this list of conditions and the following disclaimer
|
||||||
|
in the documentation and/or other materials provided with the
|
||||||
|
distribution.
|
||||||
|
* Neither the name of Google Inc. nor the names of its
|
||||||
|
contributors may be used to endorse or promote products derived from
|
||||||
|
this software without specific prior written permission.
|
||||||
|
|
||||||
|
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||||
|
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||||
|
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||||
|
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||||
|
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||||
|
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||||
|
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||||
|
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||||
|
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||||
|
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||||
|
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
22
vendor/github.com/keybase/go-crypto/PATENTS
generated
vendored
Normal file
22
vendor/github.com/keybase/go-crypto/PATENTS
generated
vendored
Normal file
@ -0,0 +1,22 @@
|
|||||||
|
Additional IP Rights Grant (Patents)
|
||||||
|
|
||||||
|
"This implementation" means the copyrightable works distributed by
|
||||||
|
Google as part of the Go project.
|
||||||
|
|
||||||
|
Google hereby grants to You a perpetual, worldwide, non-exclusive,
|
||||||
|
no-charge, royalty-free, irrevocable (except as stated in this section)
|
||||||
|
patent license to make, have made, use, offer to sell, sell, import,
|
||||||
|
transfer and otherwise run, modify and propagate the contents of this
|
||||||
|
implementation of Go, where such license applies only to those patent
|
||||||
|
claims, both currently owned or controlled by Google and acquired in
|
||||||
|
the future, licensable by Google that are necessarily infringed by this
|
||||||
|
implementation of Go. This grant does not include claims that would be
|
||||||
|
infringed only as a consequence of further modification of this
|
||||||
|
implementation. If you or your agent or exclusive licensee institute or
|
||||||
|
order or agree to the institution of patent litigation against any
|
||||||
|
entity (including a cross-claim or counterclaim in a lawsuit) alleging
|
||||||
|
that this implementation of Go or any code incorporated within this
|
||||||
|
implementation of Go constitutes direct or contributory patent
|
||||||
|
infringement, or inducement of patent infringement, then any patent
|
||||||
|
rights granted to you under this License for this implementation of Go
|
||||||
|
shall terminate as of the date such litigation is filed.
|
134
vendor/github.com/keybase/go-crypto/brainpool/brainpool.go
generated
vendored
Normal file
134
vendor/github.com/keybase/go-crypto/brainpool/brainpool.go
generated
vendored
Normal file
@ -0,0 +1,134 @@
|
|||||||
|
// Package brainpool implements Brainpool elliptic curves.
|
||||||
|
// Implementation of rcurves is from github.com/ebfe/brainpool
|
||||||
|
// Note that these curves are implemented with naive, non-constant time operations
|
||||||
|
// and are likely not suitable for enviroments where timing attacks are a concern.
|
||||||
|
package brainpool
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/elliptic"
|
||||||
|
"math/big"
|
||||||
|
"sync"
|
||||||
|
)
|
||||||
|
|
||||||
|
var (
|
||||||
|
once sync.Once
|
||||||
|
p256t1, p384t1, p512t1 *elliptic.CurveParams
|
||||||
|
p256r1, p384r1, p512r1 *rcurve
|
||||||
|
)
|
||||||
|
|
||||||
|
func initAll() {
|
||||||
|
initP256t1()
|
||||||
|
initP384t1()
|
||||||
|
initP512t1()
|
||||||
|
initP256r1()
|
||||||
|
initP384r1()
|
||||||
|
initP512r1()
|
||||||
|
}
|
||||||
|
|
||||||
|
func initP256t1() {
|
||||||
|
p256t1 = &elliptic.CurveParams{Name: "brainpoolP256t1"}
|
||||||
|
p256t1.P, _ = new(big.Int).SetString("A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377", 16)
|
||||||
|
p256t1.N, _ = new(big.Int).SetString("A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7", 16)
|
||||||
|
p256t1.B, _ = new(big.Int).SetString("662C61C430D84EA4FE66A7733D0B76B7BF93EBC4AF2F49256AE58101FEE92B04", 16)
|
||||||
|
p256t1.Gx, _ = new(big.Int).SetString("A3E8EB3CC1CFE7B7732213B23A656149AFA142C47AAFBC2B79A191562E1305F4", 16)
|
||||||
|
p256t1.Gy, _ = new(big.Int).SetString("2D996C823439C56D7F7B22E14644417E69BCB6DE39D027001DABE8F35B25C9BE", 16)
|
||||||
|
p256t1.BitSize = 256
|
||||||
|
}
|
||||||
|
|
||||||
|
func initP256r1() {
|
||||||
|
twisted := p256t1
|
||||||
|
params := &elliptic.CurveParams{
|
||||||
|
Name: "brainpoolP256r1",
|
||||||
|
P: twisted.P,
|
||||||
|
N: twisted.N,
|
||||||
|
BitSize: twisted.BitSize,
|
||||||
|
}
|
||||||
|
params.Gx, _ = new(big.Int).SetString("8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262", 16)
|
||||||
|
params.Gy, _ = new(big.Int).SetString("547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997", 16)
|
||||||
|
z, _ := new(big.Int).SetString("3E2D4BD9597B58639AE7AA669CAB9837CF5CF20A2C852D10F655668DFC150EF0", 16)
|
||||||
|
p256r1 = newrcurve(twisted, params, z)
|
||||||
|
}
|
||||||
|
|
||||||
|
func initP384t1() {
|
||||||
|
p384t1 = &elliptic.CurveParams{Name: "brainpoolP384t1"}
|
||||||
|
p384t1.P, _ = new(big.Int).SetString("8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B412B1DA197FB71123ACD3A729901D1A71874700133107EC53", 16)
|
||||||
|
p384t1.N, _ = new(big.Int).SetString("8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B31F166E6CAC0425A7CF3AB6AF6B7FC3103B883202E9046565", 16)
|
||||||
|
p384t1.B, _ = new(big.Int).SetString("7F519EADA7BDA81BD826DBA647910F8C4B9346ED8CCDC64E4B1ABD11756DCE1D2074AA263B88805CED70355A33B471EE", 16)
|
||||||
|
p384t1.Gx, _ = new(big.Int).SetString("18DE98B02DB9A306F2AFCD7235F72A819B80AB12EBD653172476FECD462AABFFC4FF191B946A5F54D8D0AA2F418808CC", 16)
|
||||||
|
p384t1.Gy, _ = new(big.Int).SetString("25AB056962D30651A114AFD2755AD336747F93475B7A1FCA3B88F2B6A208CCFE469408584DC2B2912675BF5B9E582928", 16)
|
||||||
|
p384t1.BitSize = 384
|
||||||
|
}
|
||||||
|
|
||||||
|
func initP384r1() {
|
||||||
|
twisted := p384t1
|
||||||
|
params := &elliptic.CurveParams{
|
||||||
|
Name: "brainpoolP384r1",
|
||||||
|
P: twisted.P,
|
||||||
|
N: twisted.N,
|
||||||
|
BitSize: twisted.BitSize,
|
||||||
|
}
|
||||||
|
params.Gx, _ = new(big.Int).SetString("1D1C64F068CF45FFA2A63A81B7C13F6B8847A3E77EF14FE3DB7FCAFE0CBD10E8E826E03436D646AAEF87B2E247D4AF1E", 16)
|
||||||
|
params.Gy, _ = new(big.Int).SetString("8ABE1D7520F9C2A45CB1EB8E95CFD55262B70B29FEEC5864E19C054FF99129280E4646217791811142820341263C5315", 16)
|
||||||
|
z, _ := new(big.Int).SetString("41DFE8DD399331F7166A66076734A89CD0D2BCDB7D068E44E1F378F41ECBAE97D2D63DBC87BCCDDCCC5DA39E8589291C", 16)
|
||||||
|
p384r1 = newrcurve(twisted, params, z)
|
||||||
|
}
|
||||||
|
|
||||||
|
func initP512t1() {
|
||||||
|
p512t1 = &elliptic.CurveParams{Name: "brainpoolP512t1"}
|
||||||
|
p512t1.P, _ = new(big.Int).SetString("AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308717D4D9B009BC66842AECDA12AE6A380E62881FF2F2D82C68528AA6056583A48F3", 16)
|
||||||
|
p512t1.N, _ = new(big.Int).SetString("AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA70330870553E5C414CA92619418661197FAC10471DB1D381085DDADDB58796829CA90069", 16)
|
||||||
|
p512t1.B, _ = new(big.Int).SetString("7CBBBCF9441CFAB76E1890E46884EAE321F70C0BCB4981527897504BEC3E36A62BCDFA2304976540F6450085F2DAE145C22553B465763689180EA2571867423E", 16)
|
||||||
|
p512t1.Gx, _ = new(big.Int).SetString("640ECE5C12788717B9C1BA06CBC2A6FEBA85842458C56DDE9DB1758D39C0313D82BA51735CDB3EA499AA77A7D6943A64F7A3F25FE26F06B51BAA2696FA9035DA", 16)
|
||||||
|
p512t1.Gy, _ = new(big.Int).SetString("5B534BD595F5AF0FA2C892376C84ACE1BB4E3019B71634C01131159CAE03CEE9D9932184BEEF216BD71DF2DADF86A627306ECFF96DBB8BACE198B61E00F8B332", 16)
|
||||||
|
p512t1.BitSize = 512
|
||||||
|
}
|
||||||
|
|
||||||
|
func initP512r1() {
|
||||||
|
twisted := p512t1
|
||||||
|
params := &elliptic.CurveParams{
|
||||||
|
Name: "brainpoolP512r1",
|
||||||
|
P: twisted.P,
|
||||||
|
N: twisted.N,
|
||||||
|
BitSize: twisted.BitSize,
|
||||||
|
}
|
||||||
|
params.Gx, _ = new(big.Int).SetString("81AEE4BDD82ED9645A21322E9C4C6A9385ED9F70B5D916C1B43B62EEF4D0098EFF3B1F78E2D0D48D50D1687B93B97D5F7C6D5047406A5E688B352209BCB9F822", 16)
|
||||||
|
params.Gy, _ = new(big.Int).SetString("7DDE385D566332ECC0EABFA9CF7822FDF209F70024A57B1AA000C55B881F8111B2DCDE494A5F485E5BCA4BD88A2763AED1CA2B2FA8F0540678CD1E0F3AD80892", 16)
|
||||||
|
z, _ := new(big.Int).SetString("12EE58E6764838B69782136F0F2D3BA06E27695716054092E60A80BEDB212B64E585D90BCE13761F85C3F1D2A64E3BE8FEA2220F01EBA5EEB0F35DBD29D922AB", 16)
|
||||||
|
p512r1 = newrcurve(twisted, params, z)
|
||||||
|
}
|
||||||
|
|
||||||
|
// P256t1 returns a Curve which implements Brainpool P256t1 (see RFC 5639, section 3.4)
|
||||||
|
func P256t1() elliptic.Curve {
|
||||||
|
once.Do(initAll)
|
||||||
|
return p256t1
|
||||||
|
}
|
||||||
|
|
||||||
|
// P256r1 returns a Curve which implements Brainpool P256r1 (see RFC 5639, section 3.4)
|
||||||
|
func P256r1() elliptic.Curve {
|
||||||
|
once.Do(initAll)
|
||||||
|
return p256r1
|
||||||
|
}
|
||||||
|
|
||||||
|
// P384t1 returns a Curve which implements Brainpool P384t1 (see RFC 5639, section 3.6)
|
||||||
|
func P384t1() elliptic.Curve {
|
||||||
|
once.Do(initAll)
|
||||||
|
return p384t1
|
||||||
|
}
|
||||||
|
|
||||||
|
// P384r1 returns a Curve which implements Brainpool P384r1 (see RFC 5639, section 3.6)
|
||||||
|
func P384r1() elliptic.Curve {
|
||||||
|
once.Do(initAll)
|
||||||
|
return p384r1
|
||||||
|
}
|
||||||
|
|
||||||
|
// P512t1 returns a Curve which implements Brainpool P512t1 (see RFC 5639, section 3.7)
|
||||||
|
func P512t1() elliptic.Curve {
|
||||||
|
once.Do(initAll)
|
||||||
|
return p512t1
|
||||||
|
}
|
||||||
|
|
||||||
|
// P512r1 returns a Curve which implements Brainpool P512r1 (see RFC 5639, section 3.7)
|
||||||
|
func P512r1() elliptic.Curve {
|
||||||
|
once.Do(initAll)
|
||||||
|
return p512r1
|
||||||
|
}
|
83
vendor/github.com/keybase/go-crypto/brainpool/rcurve.go
generated
vendored
Normal file
83
vendor/github.com/keybase/go-crypto/brainpool/rcurve.go
generated
vendored
Normal file
@ -0,0 +1,83 @@
|
|||||||
|
package brainpool
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/elliptic"
|
||||||
|
"math/big"
|
||||||
|
)
|
||||||
|
|
||||||
|
var _ elliptic.Curve = (*rcurve)(nil)
|
||||||
|
|
||||||
|
type rcurve struct {
|
||||||
|
twisted elliptic.Curve
|
||||||
|
params *elliptic.CurveParams
|
||||||
|
z *big.Int
|
||||||
|
zinv *big.Int
|
||||||
|
z2 *big.Int
|
||||||
|
z3 *big.Int
|
||||||
|
zinv2 *big.Int
|
||||||
|
zinv3 *big.Int
|
||||||
|
}
|
||||||
|
|
||||||
|
var (
|
||||||
|
two = big.NewInt(2)
|
||||||
|
three = big.NewInt(3)
|
||||||
|
)
|
||||||
|
|
||||||
|
func newrcurve(twisted elliptic.Curve, params *elliptic.CurveParams, z *big.Int) *rcurve {
|
||||||
|
zinv := new(big.Int).ModInverse(z, params.P)
|
||||||
|
return &rcurve{
|
||||||
|
twisted: twisted,
|
||||||
|
params: params,
|
||||||
|
z: z,
|
||||||
|
zinv: zinv,
|
||||||
|
z2: new(big.Int).Exp(z, two, params.P),
|
||||||
|
z3: new(big.Int).Exp(z, three, params.P),
|
||||||
|
zinv2: new(big.Int).Exp(zinv, two, params.P),
|
||||||
|
zinv3: new(big.Int).Exp(zinv, three, params.P),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (curve *rcurve) toTwisted(x, y *big.Int) (*big.Int, *big.Int) {
|
||||||
|
var tx, ty big.Int
|
||||||
|
tx.Mul(x, curve.z2)
|
||||||
|
tx.Mod(&tx, curve.params.P)
|
||||||
|
ty.Mul(y, curve.z3)
|
||||||
|
ty.Mod(&ty, curve.params.P)
|
||||||
|
return &tx, &ty
|
||||||
|
}
|
||||||
|
|
||||||
|
func (curve *rcurve) fromTwisted(tx, ty *big.Int) (*big.Int, *big.Int) {
|
||||||
|
var x, y big.Int
|
||||||
|
x.Mul(tx, curve.zinv2)
|
||||||
|
x.Mod(&x, curve.params.P)
|
||||||
|
y.Mul(ty, curve.zinv3)
|
||||||
|
y.Mod(&y, curve.params.P)
|
||||||
|
return &x, &y
|
||||||
|
}
|
||||||
|
|
||||||
|
func (curve *rcurve) Params() *elliptic.CurveParams {
|
||||||
|
return curve.params
|
||||||
|
}
|
||||||
|
|
||||||
|
func (curve *rcurve) IsOnCurve(x, y *big.Int) bool {
|
||||||
|
return curve.twisted.IsOnCurve(curve.toTwisted(x, y))
|
||||||
|
}
|
||||||
|
|
||||||
|
func (curve *rcurve) Add(x1, y1, x2, y2 *big.Int) (x, y *big.Int) {
|
||||||
|
tx1, ty1 := curve.toTwisted(x1, y1)
|
||||||
|
tx2, ty2 := curve.toTwisted(x2, y2)
|
||||||
|
return curve.fromTwisted(curve.twisted.Add(tx1, ty1, tx2, ty2))
|
||||||
|
}
|
||||||
|
|
||||||
|
func (curve *rcurve) Double(x1, y1 *big.Int) (x, y *big.Int) {
|
||||||
|
return curve.fromTwisted(curve.twisted.Double(curve.toTwisted(x1, y1)))
|
||||||
|
}
|
||||||
|
|
||||||
|
func (curve *rcurve) ScalarMult(x1, y1 *big.Int, scalar []byte) (x, y *big.Int) {
|
||||||
|
tx1, ty1 := curve.toTwisted(x1, y1)
|
||||||
|
return curve.fromTwisted(curve.twisted.ScalarMult(tx1, ty1, scalar))
|
||||||
|
}
|
||||||
|
|
||||||
|
func (curve *rcurve) ScalarBaseMult(scalar []byte) (x, y *big.Int) {
|
||||||
|
return curve.fromTwisted(curve.twisted.ScalarBaseMult(scalar))
|
||||||
|
}
|
526
vendor/github.com/keybase/go-crypto/cast5/cast5.go
generated
vendored
Normal file
526
vendor/github.com/keybase/go-crypto/cast5/cast5.go
generated
vendored
Normal file
@ -0,0 +1,526 @@
|
|||||||
|
// Copyright 2010 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// Package cast5 implements CAST5, as defined in RFC 2144. CAST5 is a common
|
||||||
|
// OpenPGP cipher.
|
||||||
|
package cast5
|
||||||
|
|
||||||
|
import "errors"
|
||||||
|
|
||||||
|
const BlockSize = 8
|
||||||
|
const KeySize = 16
|
||||||
|
|
||||||
|
type Cipher struct {
|
||||||
|
masking [16]uint32
|
||||||
|
rotate [16]uint8
|
||||||
|
}
|
||||||
|
|
||||||
|
func NewCipher(key []byte) (c *Cipher, err error) {
|
||||||
|
if len(key) != KeySize {
|
||||||
|
return nil, errors.New("CAST5: keys must be 16 bytes")
|
||||||
|
}
|
||||||
|
|
||||||
|
c = new(Cipher)
|
||||||
|
c.keySchedule(key)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *Cipher) BlockSize() int {
|
||||||
|
return BlockSize
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *Cipher) Encrypt(dst, src []byte) {
|
||||||
|
l := uint32(src[0])<<24 | uint32(src[1])<<16 | uint32(src[2])<<8 | uint32(src[3])
|
||||||
|
r := uint32(src[4])<<24 | uint32(src[5])<<16 | uint32(src[6])<<8 | uint32(src[7])
|
||||||
|
|
||||||
|
l, r = r, l^f1(r, c.masking[0], c.rotate[0])
|
||||||
|
l, r = r, l^f2(r, c.masking[1], c.rotate[1])
|
||||||
|
l, r = r, l^f3(r, c.masking[2], c.rotate[2])
|
||||||
|
l, r = r, l^f1(r, c.masking[3], c.rotate[3])
|
||||||
|
|
||||||
|
l, r = r, l^f2(r, c.masking[4], c.rotate[4])
|
||||||
|
l, r = r, l^f3(r, c.masking[5], c.rotate[5])
|
||||||
|
l, r = r, l^f1(r, c.masking[6], c.rotate[6])
|
||||||
|
l, r = r, l^f2(r, c.masking[7], c.rotate[7])
|
||||||
|
|
||||||
|
l, r = r, l^f3(r, c.masking[8], c.rotate[8])
|
||||||
|
l, r = r, l^f1(r, c.masking[9], c.rotate[9])
|
||||||
|
l, r = r, l^f2(r, c.masking[10], c.rotate[10])
|
||||||
|
l, r = r, l^f3(r, c.masking[11], c.rotate[11])
|
||||||
|
|
||||||
|
l, r = r, l^f1(r, c.masking[12], c.rotate[12])
|
||||||
|
l, r = r, l^f2(r, c.masking[13], c.rotate[13])
|
||||||
|
l, r = r, l^f3(r, c.masking[14], c.rotate[14])
|
||||||
|
l, r = r, l^f1(r, c.masking[15], c.rotate[15])
|
||||||
|
|
||||||
|
dst[0] = uint8(r >> 24)
|
||||||
|
dst[1] = uint8(r >> 16)
|
||||||
|
dst[2] = uint8(r >> 8)
|
||||||
|
dst[3] = uint8(r)
|
||||||
|
dst[4] = uint8(l >> 24)
|
||||||
|
dst[5] = uint8(l >> 16)
|
||||||
|
dst[6] = uint8(l >> 8)
|
||||||
|
dst[7] = uint8(l)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *Cipher) Decrypt(dst, src []byte) {
|
||||||
|
l := uint32(src[0])<<24 | uint32(src[1])<<16 | uint32(src[2])<<8 | uint32(src[3])
|
||||||
|
r := uint32(src[4])<<24 | uint32(src[5])<<16 | uint32(src[6])<<8 | uint32(src[7])
|
||||||
|
|
||||||
|
l, r = r, l^f1(r, c.masking[15], c.rotate[15])
|
||||||
|
l, r = r, l^f3(r, c.masking[14], c.rotate[14])
|
||||||
|
l, r = r, l^f2(r, c.masking[13], c.rotate[13])
|
||||||
|
l, r = r, l^f1(r, c.masking[12], c.rotate[12])
|
||||||
|
|
||||||
|
l, r = r, l^f3(r, c.masking[11], c.rotate[11])
|
||||||
|
l, r = r, l^f2(r, c.masking[10], c.rotate[10])
|
||||||
|
l, r = r, l^f1(r, c.masking[9], c.rotate[9])
|
||||||
|
l, r = r, l^f3(r, c.masking[8], c.rotate[8])
|
||||||
|
|
||||||
|
l, r = r, l^f2(r, c.masking[7], c.rotate[7])
|
||||||
|
l, r = r, l^f1(r, c.masking[6], c.rotate[6])
|
||||||
|
l, r = r, l^f3(r, c.masking[5], c.rotate[5])
|
||||||
|
l, r = r, l^f2(r, c.masking[4], c.rotate[4])
|
||||||
|
|
||||||
|
l, r = r, l^f1(r, c.masking[3], c.rotate[3])
|
||||||
|
l, r = r, l^f3(r, c.masking[2], c.rotate[2])
|
||||||
|
l, r = r, l^f2(r, c.masking[1], c.rotate[1])
|
||||||
|
l, r = r, l^f1(r, c.masking[0], c.rotate[0])
|
||||||
|
|
||||||
|
dst[0] = uint8(r >> 24)
|
||||||
|
dst[1] = uint8(r >> 16)
|
||||||
|
dst[2] = uint8(r >> 8)
|
||||||
|
dst[3] = uint8(r)
|
||||||
|
dst[4] = uint8(l >> 24)
|
||||||
|
dst[5] = uint8(l >> 16)
|
||||||
|
dst[6] = uint8(l >> 8)
|
||||||
|
dst[7] = uint8(l)
|
||||||
|
}
|
||||||
|
|
||||||
|
type keyScheduleA [4][7]uint8
|
||||||
|
type keyScheduleB [4][5]uint8
|
||||||
|
|
||||||
|
// keyScheduleRound contains the magic values for a round of the key schedule.
|
||||||
|
// The keyScheduleA deals with the lines like:
|
||||||
|
// z0z1z2z3 = x0x1x2x3 ^ S5[xD] ^ S6[xF] ^ S7[xC] ^ S8[xE] ^ S7[x8]
|
||||||
|
// Conceptually, both x and z are in the same array, x first. The first
|
||||||
|
// element describes which word of this array gets written to and the
|
||||||
|
// second, which word gets read. So, for the line above, it's "4, 0", because
|
||||||
|
// it's writing to the first word of z, which, being after x, is word 4, and
|
||||||
|
// reading from the first word of x: word 0.
|
||||||
|
//
|
||||||
|
// Next are the indexes into the S-boxes. Now the array is treated as bytes. So
|
||||||
|
// "xD" is 0xd. The first byte of z is written as "16 + 0", just to be clear
|
||||||
|
// that it's z that we're indexing.
|
||||||
|
//
|
||||||
|
// keyScheduleB deals with lines like:
|
||||||
|
// K1 = S5[z8] ^ S6[z9] ^ S7[z7] ^ S8[z6] ^ S5[z2]
|
||||||
|
// "K1" is ignored because key words are always written in order. So the five
|
||||||
|
// elements are the S-box indexes. They use the same form as in keyScheduleA,
|
||||||
|
// above.
|
||||||
|
|
||||||
|
type keyScheduleRound struct{}
|
||||||
|
type keySchedule []keyScheduleRound
|
||||||
|
|
||||||
|
var schedule = []struct {
|
||||||
|
a keyScheduleA
|
||||||
|
b keyScheduleB
|
||||||
|
}{
|
||||||
|
{
|
||||||
|
keyScheduleA{
|
||||||
|
{4, 0, 0xd, 0xf, 0xc, 0xe, 0x8},
|
||||||
|
{5, 2, 16 + 0, 16 + 2, 16 + 1, 16 + 3, 0xa},
|
||||||
|
{6, 3, 16 + 7, 16 + 6, 16 + 5, 16 + 4, 9},
|
||||||
|
{7, 1, 16 + 0xa, 16 + 9, 16 + 0xb, 16 + 8, 0xb},
|
||||||
|
},
|
||||||
|
keyScheduleB{
|
||||||
|
{16 + 8, 16 + 9, 16 + 7, 16 + 6, 16 + 2},
|
||||||
|
{16 + 0xa, 16 + 0xb, 16 + 5, 16 + 4, 16 + 6},
|
||||||
|
{16 + 0xc, 16 + 0xd, 16 + 3, 16 + 2, 16 + 9},
|
||||||
|
{16 + 0xe, 16 + 0xf, 16 + 1, 16 + 0, 16 + 0xc},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
keyScheduleA{
|
||||||
|
{0, 6, 16 + 5, 16 + 7, 16 + 4, 16 + 6, 16 + 0},
|
||||||
|
{1, 4, 0, 2, 1, 3, 16 + 2},
|
||||||
|
{2, 5, 7, 6, 5, 4, 16 + 1},
|
||||||
|
{3, 7, 0xa, 9, 0xb, 8, 16 + 3},
|
||||||
|
},
|
||||||
|
keyScheduleB{
|
||||||
|
{3, 2, 0xc, 0xd, 8},
|
||||||
|
{1, 0, 0xe, 0xf, 0xd},
|
||||||
|
{7, 6, 8, 9, 3},
|
||||||
|
{5, 4, 0xa, 0xb, 7},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
keyScheduleA{
|
||||||
|
{4, 0, 0xd, 0xf, 0xc, 0xe, 8},
|
||||||
|
{5, 2, 16 + 0, 16 + 2, 16 + 1, 16 + 3, 0xa},
|
||||||
|
{6, 3, 16 + 7, 16 + 6, 16 + 5, 16 + 4, 9},
|
||||||
|
{7, 1, 16 + 0xa, 16 + 9, 16 + 0xb, 16 + 8, 0xb},
|
||||||
|
},
|
||||||
|
keyScheduleB{
|
||||||
|
{16 + 3, 16 + 2, 16 + 0xc, 16 + 0xd, 16 + 9},
|
||||||
|
{16 + 1, 16 + 0, 16 + 0xe, 16 + 0xf, 16 + 0xc},
|
||||||
|
{16 + 7, 16 + 6, 16 + 8, 16 + 9, 16 + 2},
|
||||||
|
{16 + 5, 16 + 4, 16 + 0xa, 16 + 0xb, 16 + 6},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
keyScheduleA{
|
||||||
|
{0, 6, 16 + 5, 16 + 7, 16 + 4, 16 + 6, 16 + 0},
|
||||||
|
{1, 4, 0, 2, 1, 3, 16 + 2},
|
||||||
|
{2, 5, 7, 6, 5, 4, 16 + 1},
|
||||||
|
{3, 7, 0xa, 9, 0xb, 8, 16 + 3},
|
||||||
|
},
|
||||||
|
keyScheduleB{
|
||||||
|
{8, 9, 7, 6, 3},
|
||||||
|
{0xa, 0xb, 5, 4, 7},
|
||||||
|
{0xc, 0xd, 3, 2, 8},
|
||||||
|
{0xe, 0xf, 1, 0, 0xd},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *Cipher) keySchedule(in []byte) {
|
||||||
|
var t [8]uint32
|
||||||
|
var k [32]uint32
|
||||||
|
|
||||||
|
for i := 0; i < 4; i++ {
|
||||||
|
j := i * 4
|
||||||
|
t[i] = uint32(in[j])<<24 | uint32(in[j+1])<<16 | uint32(in[j+2])<<8 | uint32(in[j+3])
|
||||||
|
}
|
||||||
|
|
||||||
|
x := []byte{6, 7, 4, 5}
|
||||||
|
ki := 0
|
||||||
|
|
||||||
|
for half := 0; half < 2; half++ {
|
||||||
|
for _, round := range schedule {
|
||||||
|
for j := 0; j < 4; j++ {
|
||||||
|
var a [7]uint8
|
||||||
|
copy(a[:], round.a[j][:])
|
||||||
|
w := t[a[1]]
|
||||||
|
w ^= sBox[4][(t[a[2]>>2]>>(24-8*(a[2]&3)))&0xff]
|
||||||
|
w ^= sBox[5][(t[a[3]>>2]>>(24-8*(a[3]&3)))&0xff]
|
||||||
|
w ^= sBox[6][(t[a[4]>>2]>>(24-8*(a[4]&3)))&0xff]
|
||||||
|
w ^= sBox[7][(t[a[5]>>2]>>(24-8*(a[5]&3)))&0xff]
|
||||||
|
w ^= sBox[x[j]][(t[a[6]>>2]>>(24-8*(a[6]&3)))&0xff]
|
||||||
|
t[a[0]] = w
|
||||||
|
}
|
||||||
|
|
||||||
|
for j := 0; j < 4; j++ {
|
||||||
|
var b [5]uint8
|
||||||
|
copy(b[:], round.b[j][:])
|
||||||
|
w := sBox[4][(t[b[0]>>2]>>(24-8*(b[0]&3)))&0xff]
|
||||||
|
w ^= sBox[5][(t[b[1]>>2]>>(24-8*(b[1]&3)))&0xff]
|
||||||
|
w ^= sBox[6][(t[b[2]>>2]>>(24-8*(b[2]&3)))&0xff]
|
||||||
|
w ^= sBox[7][(t[b[3]>>2]>>(24-8*(b[3]&3)))&0xff]
|
||||||
|
w ^= sBox[4+j][(t[b[4]>>2]>>(24-8*(b[4]&3)))&0xff]
|
||||||
|
k[ki] = w
|
||||||
|
ki++
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
for i := 0; i < 16; i++ {
|
||||||
|
c.masking[i] = k[i]
|
||||||
|
c.rotate[i] = uint8(k[16+i] & 0x1f)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// These are the three 'f' functions. See RFC 2144, section 2.2.
|
||||||
|
func f1(d, m uint32, r uint8) uint32 {
|
||||||
|
t := m + d
|
||||||
|
I := (t << r) | (t >> (32 - r))
|
||||||
|
return ((sBox[0][I>>24] ^ sBox[1][(I>>16)&0xff]) - sBox[2][(I>>8)&0xff]) + sBox[3][I&0xff]
|
||||||
|
}
|
||||||
|
|
||||||
|
func f2(d, m uint32, r uint8) uint32 {
|
||||||
|
t := m ^ d
|
||||||
|
I := (t << r) | (t >> (32 - r))
|
||||||
|
return ((sBox[0][I>>24] - sBox[1][(I>>16)&0xff]) + sBox[2][(I>>8)&0xff]) ^ sBox[3][I&0xff]
|
||||||
|
}
|
||||||
|
|
||||||
|
func f3(d, m uint32, r uint8) uint32 {
|
||||||
|
t := m - d
|
||||||
|
I := (t << r) | (t >> (32 - r))
|
||||||
|
return ((sBox[0][I>>24] + sBox[1][(I>>16)&0xff]) ^ sBox[2][(I>>8)&0xff]) - sBox[3][I&0xff]
|
||||||
|
}
|
||||||
|
|
||||||
|
var sBox = [8][256]uint32{
|
||||||
|
{
|
||||||
|
0x30fb40d4, 0x9fa0ff0b, 0x6beccd2f, 0x3f258c7a, 0x1e213f2f, 0x9c004dd3, 0x6003e540, 0xcf9fc949,
|
||||||
|
0xbfd4af27, 0x88bbbdb5, 0xe2034090, 0x98d09675, 0x6e63a0e0, 0x15c361d2, 0xc2e7661d, 0x22d4ff8e,
|
||||||
|
0x28683b6f, 0xc07fd059, 0xff2379c8, 0x775f50e2, 0x43c340d3, 0xdf2f8656, 0x887ca41a, 0xa2d2bd2d,
|
||||||
|
0xa1c9e0d6, 0x346c4819, 0x61b76d87, 0x22540f2f, 0x2abe32e1, 0xaa54166b, 0x22568e3a, 0xa2d341d0,
|
||||||
|
0x66db40c8, 0xa784392f, 0x004dff2f, 0x2db9d2de, 0x97943fac, 0x4a97c1d8, 0x527644b7, 0xb5f437a7,
|
||||||
|
0xb82cbaef, 0xd751d159, 0x6ff7f0ed, 0x5a097a1f, 0x827b68d0, 0x90ecf52e, 0x22b0c054, 0xbc8e5935,
|
||||||
|
0x4b6d2f7f, 0x50bb64a2, 0xd2664910, 0xbee5812d, 0xb7332290, 0xe93b159f, 0xb48ee411, 0x4bff345d,
|
||||||
|
0xfd45c240, 0xad31973f, 0xc4f6d02e, 0x55fc8165, 0xd5b1caad, 0xa1ac2dae, 0xa2d4b76d, 0xc19b0c50,
|
||||||
|
0x882240f2, 0x0c6e4f38, 0xa4e4bfd7, 0x4f5ba272, 0x564c1d2f, 0xc59c5319, 0xb949e354, 0xb04669fe,
|
||||||
|
0xb1b6ab8a, 0xc71358dd, 0x6385c545, 0x110f935d, 0x57538ad5, 0x6a390493, 0xe63d37e0, 0x2a54f6b3,
|
||||||
|
0x3a787d5f, 0x6276a0b5, 0x19a6fcdf, 0x7a42206a, 0x29f9d4d5, 0xf61b1891, 0xbb72275e, 0xaa508167,
|
||||||
|
0x38901091, 0xc6b505eb, 0x84c7cb8c, 0x2ad75a0f, 0x874a1427, 0xa2d1936b, 0x2ad286af, 0xaa56d291,
|
||||||
|
0xd7894360, 0x425c750d, 0x93b39e26, 0x187184c9, 0x6c00b32d, 0x73e2bb14, 0xa0bebc3c, 0x54623779,
|
||||||
|
0x64459eab, 0x3f328b82, 0x7718cf82, 0x59a2cea6, 0x04ee002e, 0x89fe78e6, 0x3fab0950, 0x325ff6c2,
|
||||||
|
0x81383f05, 0x6963c5c8, 0x76cb5ad6, 0xd49974c9, 0xca180dcf, 0x380782d5, 0xc7fa5cf6, 0x8ac31511,
|
||||||
|
0x35e79e13, 0x47da91d0, 0xf40f9086, 0xa7e2419e, 0x31366241, 0x051ef495, 0xaa573b04, 0x4a805d8d,
|
||||||
|
0x548300d0, 0x00322a3c, 0xbf64cddf, 0xba57a68e, 0x75c6372b, 0x50afd341, 0xa7c13275, 0x915a0bf5,
|
||||||
|
0x6b54bfab, 0x2b0b1426, 0xab4cc9d7, 0x449ccd82, 0xf7fbf265, 0xab85c5f3, 0x1b55db94, 0xaad4e324,
|
||||||
|
0xcfa4bd3f, 0x2deaa3e2, 0x9e204d02, 0xc8bd25ac, 0xeadf55b3, 0xd5bd9e98, 0xe31231b2, 0x2ad5ad6c,
|
||||||
|
0x954329de, 0xadbe4528, 0xd8710f69, 0xaa51c90f, 0xaa786bf6, 0x22513f1e, 0xaa51a79b, 0x2ad344cc,
|
||||||
|
0x7b5a41f0, 0xd37cfbad, 0x1b069505, 0x41ece491, 0xb4c332e6, 0x032268d4, 0xc9600acc, 0xce387e6d,
|
||||||
|
0xbf6bb16c, 0x6a70fb78, 0x0d03d9c9, 0xd4df39de, 0xe01063da, 0x4736f464, 0x5ad328d8, 0xb347cc96,
|
||||||
|
0x75bb0fc3, 0x98511bfb, 0x4ffbcc35, 0xb58bcf6a, 0xe11f0abc, 0xbfc5fe4a, 0xa70aec10, 0xac39570a,
|
||||||
|
0x3f04442f, 0x6188b153, 0xe0397a2e, 0x5727cb79, 0x9ceb418f, 0x1cacd68d, 0x2ad37c96, 0x0175cb9d,
|
||||||
|
0xc69dff09, 0xc75b65f0, 0xd9db40d8, 0xec0e7779, 0x4744ead4, 0xb11c3274, 0xdd24cb9e, 0x7e1c54bd,
|
||||||
|
0xf01144f9, 0xd2240eb1, 0x9675b3fd, 0xa3ac3755, 0xd47c27af, 0x51c85f4d, 0x56907596, 0xa5bb15e6,
|
||||||
|
0x580304f0, 0xca042cf1, 0x011a37ea, 0x8dbfaadb, 0x35ba3e4a, 0x3526ffa0, 0xc37b4d09, 0xbc306ed9,
|
||||||
|
0x98a52666, 0x5648f725, 0xff5e569d, 0x0ced63d0, 0x7c63b2cf, 0x700b45e1, 0xd5ea50f1, 0x85a92872,
|
||||||
|
0xaf1fbda7, 0xd4234870, 0xa7870bf3, 0x2d3b4d79, 0x42e04198, 0x0cd0ede7, 0x26470db8, 0xf881814c,
|
||||||
|
0x474d6ad7, 0x7c0c5e5c, 0xd1231959, 0x381b7298, 0xf5d2f4db, 0xab838653, 0x6e2f1e23, 0x83719c9e,
|
||||||
|
0xbd91e046, 0x9a56456e, 0xdc39200c, 0x20c8c571, 0x962bda1c, 0xe1e696ff, 0xb141ab08, 0x7cca89b9,
|
||||||
|
0x1a69e783, 0x02cc4843, 0xa2f7c579, 0x429ef47d, 0x427b169c, 0x5ac9f049, 0xdd8f0f00, 0x5c8165bf,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
0x1f201094, 0xef0ba75b, 0x69e3cf7e, 0x393f4380, 0xfe61cf7a, 0xeec5207a, 0x55889c94, 0x72fc0651,
|
||||||
|
0xada7ef79, 0x4e1d7235, 0xd55a63ce, 0xde0436ba, 0x99c430ef, 0x5f0c0794, 0x18dcdb7d, 0xa1d6eff3,
|
||||||
|
0xa0b52f7b, 0x59e83605, 0xee15b094, 0xe9ffd909, 0xdc440086, 0xef944459, 0xba83ccb3, 0xe0c3cdfb,
|
||||||
|
0xd1da4181, 0x3b092ab1, 0xf997f1c1, 0xa5e6cf7b, 0x01420ddb, 0xe4e7ef5b, 0x25a1ff41, 0xe180f806,
|
||||||
|
0x1fc41080, 0x179bee7a, 0xd37ac6a9, 0xfe5830a4, 0x98de8b7f, 0x77e83f4e, 0x79929269, 0x24fa9f7b,
|
||||||
|
0xe113c85b, 0xacc40083, 0xd7503525, 0xf7ea615f, 0x62143154, 0x0d554b63, 0x5d681121, 0xc866c359,
|
||||||
|
0x3d63cf73, 0xcee234c0, 0xd4d87e87, 0x5c672b21, 0x071f6181, 0x39f7627f, 0x361e3084, 0xe4eb573b,
|
||||||
|
0x602f64a4, 0xd63acd9c, 0x1bbc4635, 0x9e81032d, 0x2701f50c, 0x99847ab4, 0xa0e3df79, 0xba6cf38c,
|
||||||
|
0x10843094, 0x2537a95e, 0xf46f6ffe, 0xa1ff3b1f, 0x208cfb6a, 0x8f458c74, 0xd9e0a227, 0x4ec73a34,
|
||||||
|
0xfc884f69, 0x3e4de8df, 0xef0e0088, 0x3559648d, 0x8a45388c, 0x1d804366, 0x721d9bfd, 0xa58684bb,
|
||||||
|
0xe8256333, 0x844e8212, 0x128d8098, 0xfed33fb4, 0xce280ae1, 0x27e19ba5, 0xd5a6c252, 0xe49754bd,
|
||||||
|
0xc5d655dd, 0xeb667064, 0x77840b4d, 0xa1b6a801, 0x84db26a9, 0xe0b56714, 0x21f043b7, 0xe5d05860,
|
||||||
|
0x54f03084, 0x066ff472, 0xa31aa153, 0xdadc4755, 0xb5625dbf, 0x68561be6, 0x83ca6b94, 0x2d6ed23b,
|
||||||
|
0xeccf01db, 0xa6d3d0ba, 0xb6803d5c, 0xaf77a709, 0x33b4a34c, 0x397bc8d6, 0x5ee22b95, 0x5f0e5304,
|
||||||
|
0x81ed6f61, 0x20e74364, 0xb45e1378, 0xde18639b, 0x881ca122, 0xb96726d1, 0x8049a7e8, 0x22b7da7b,
|
||||||
|
0x5e552d25, 0x5272d237, 0x79d2951c, 0xc60d894c, 0x488cb402, 0x1ba4fe5b, 0xa4b09f6b, 0x1ca815cf,
|
||||||
|
0xa20c3005, 0x8871df63, 0xb9de2fcb, 0x0cc6c9e9, 0x0beeff53, 0xe3214517, 0xb4542835, 0x9f63293c,
|
||||||
|
0xee41e729, 0x6e1d2d7c, 0x50045286, 0x1e6685f3, 0xf33401c6, 0x30a22c95, 0x31a70850, 0x60930f13,
|
||||||
|
0x73f98417, 0xa1269859, 0xec645c44, 0x52c877a9, 0xcdff33a6, 0xa02b1741, 0x7cbad9a2, 0x2180036f,
|
||||||
|
0x50d99c08, 0xcb3f4861, 0xc26bd765, 0x64a3f6ab, 0x80342676, 0x25a75e7b, 0xe4e6d1fc, 0x20c710e6,
|
||||||
|
0xcdf0b680, 0x17844d3b, 0x31eef84d, 0x7e0824e4, 0x2ccb49eb, 0x846a3bae, 0x8ff77888, 0xee5d60f6,
|
||||||
|
0x7af75673, 0x2fdd5cdb, 0xa11631c1, 0x30f66f43, 0xb3faec54, 0x157fd7fa, 0xef8579cc, 0xd152de58,
|
||||||
|
0xdb2ffd5e, 0x8f32ce19, 0x306af97a, 0x02f03ef8, 0x99319ad5, 0xc242fa0f, 0xa7e3ebb0, 0xc68e4906,
|
||||||
|
0xb8da230c, 0x80823028, 0xdcdef3c8, 0xd35fb171, 0x088a1bc8, 0xbec0c560, 0x61a3c9e8, 0xbca8f54d,
|
||||||
|
0xc72feffa, 0x22822e99, 0x82c570b4, 0xd8d94e89, 0x8b1c34bc, 0x301e16e6, 0x273be979, 0xb0ffeaa6,
|
||||||
|
0x61d9b8c6, 0x00b24869, 0xb7ffce3f, 0x08dc283b, 0x43daf65a, 0xf7e19798, 0x7619b72f, 0x8f1c9ba4,
|
||||||
|
0xdc8637a0, 0x16a7d3b1, 0x9fc393b7, 0xa7136eeb, 0xc6bcc63e, 0x1a513742, 0xef6828bc, 0x520365d6,
|
||||||
|
0x2d6a77ab, 0x3527ed4b, 0x821fd216, 0x095c6e2e, 0xdb92f2fb, 0x5eea29cb, 0x145892f5, 0x91584f7f,
|
||||||
|
0x5483697b, 0x2667a8cc, 0x85196048, 0x8c4bacea, 0x833860d4, 0x0d23e0f9, 0x6c387e8a, 0x0ae6d249,
|
||||||
|
0xb284600c, 0xd835731d, 0xdcb1c647, 0xac4c56ea, 0x3ebd81b3, 0x230eabb0, 0x6438bc87, 0xf0b5b1fa,
|
||||||
|
0x8f5ea2b3, 0xfc184642, 0x0a036b7a, 0x4fb089bd, 0x649da589, 0xa345415e, 0x5c038323, 0x3e5d3bb9,
|
||||||
|
0x43d79572, 0x7e6dd07c, 0x06dfdf1e, 0x6c6cc4ef, 0x7160a539, 0x73bfbe70, 0x83877605, 0x4523ecf1,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
0x8defc240, 0x25fa5d9f, 0xeb903dbf, 0xe810c907, 0x47607fff, 0x369fe44b, 0x8c1fc644, 0xaececa90,
|
||||||
|
0xbeb1f9bf, 0xeefbcaea, 0xe8cf1950, 0x51df07ae, 0x920e8806, 0xf0ad0548, 0xe13c8d83, 0x927010d5,
|
||||||
|
0x11107d9f, 0x07647db9, 0xb2e3e4d4, 0x3d4f285e, 0xb9afa820, 0xfade82e0, 0xa067268b, 0x8272792e,
|
||||||
|
0x553fb2c0, 0x489ae22b, 0xd4ef9794, 0x125e3fbc, 0x21fffcee, 0x825b1bfd, 0x9255c5ed, 0x1257a240,
|
||||||
|
0x4e1a8302, 0xbae07fff, 0x528246e7, 0x8e57140e, 0x3373f7bf, 0x8c9f8188, 0xa6fc4ee8, 0xc982b5a5,
|
||||||
|
0xa8c01db7, 0x579fc264, 0x67094f31, 0xf2bd3f5f, 0x40fff7c1, 0x1fb78dfc, 0x8e6bd2c1, 0x437be59b,
|
||||||
|
0x99b03dbf, 0xb5dbc64b, 0x638dc0e6, 0x55819d99, 0xa197c81c, 0x4a012d6e, 0xc5884a28, 0xccc36f71,
|
||||||
|
0xb843c213, 0x6c0743f1, 0x8309893c, 0x0feddd5f, 0x2f7fe850, 0xd7c07f7e, 0x02507fbf, 0x5afb9a04,
|
||||||
|
0xa747d2d0, 0x1651192e, 0xaf70bf3e, 0x58c31380, 0x5f98302e, 0x727cc3c4, 0x0a0fb402, 0x0f7fef82,
|
||||||
|
0x8c96fdad, 0x5d2c2aae, 0x8ee99a49, 0x50da88b8, 0x8427f4a0, 0x1eac5790, 0x796fb449, 0x8252dc15,
|
||||||
|
0xefbd7d9b, 0xa672597d, 0xada840d8, 0x45f54504, 0xfa5d7403, 0xe83ec305, 0x4f91751a, 0x925669c2,
|
||||||
|
0x23efe941, 0xa903f12e, 0x60270df2, 0x0276e4b6, 0x94fd6574, 0x927985b2, 0x8276dbcb, 0x02778176,
|
||||||
|
0xf8af918d, 0x4e48f79e, 0x8f616ddf, 0xe29d840e, 0x842f7d83, 0x340ce5c8, 0x96bbb682, 0x93b4b148,
|
||||||
|
0xef303cab, 0x984faf28, 0x779faf9b, 0x92dc560d, 0x224d1e20, 0x8437aa88, 0x7d29dc96, 0x2756d3dc,
|
||||||
|
0x8b907cee, 0xb51fd240, 0xe7c07ce3, 0xe566b4a1, 0xc3e9615e, 0x3cf8209d, 0x6094d1e3, 0xcd9ca341,
|
||||||
|
0x5c76460e, 0x00ea983b, 0xd4d67881, 0xfd47572c, 0xf76cedd9, 0xbda8229c, 0x127dadaa, 0x438a074e,
|
||||||
|
0x1f97c090, 0x081bdb8a, 0x93a07ebe, 0xb938ca15, 0x97b03cff, 0x3dc2c0f8, 0x8d1ab2ec, 0x64380e51,
|
||||||
|
0x68cc7bfb, 0xd90f2788, 0x12490181, 0x5de5ffd4, 0xdd7ef86a, 0x76a2e214, 0xb9a40368, 0x925d958f,
|
||||||
|
0x4b39fffa, 0xba39aee9, 0xa4ffd30b, 0xfaf7933b, 0x6d498623, 0x193cbcfa, 0x27627545, 0x825cf47a,
|
||||||
|
0x61bd8ba0, 0xd11e42d1, 0xcead04f4, 0x127ea392, 0x10428db7, 0x8272a972, 0x9270c4a8, 0x127de50b,
|
||||||
|
0x285ba1c8, 0x3c62f44f, 0x35c0eaa5, 0xe805d231, 0x428929fb, 0xb4fcdf82, 0x4fb66a53, 0x0e7dc15b,
|
||||||
|
0x1f081fab, 0x108618ae, 0xfcfd086d, 0xf9ff2889, 0x694bcc11, 0x236a5cae, 0x12deca4d, 0x2c3f8cc5,
|
||||||
|
0xd2d02dfe, 0xf8ef5896, 0xe4cf52da, 0x95155b67, 0x494a488c, 0xb9b6a80c, 0x5c8f82bc, 0x89d36b45,
|
||||||
|
0x3a609437, 0xec00c9a9, 0x44715253, 0x0a874b49, 0xd773bc40, 0x7c34671c, 0x02717ef6, 0x4feb5536,
|
||||||
|
0xa2d02fff, 0xd2bf60c4, 0xd43f03c0, 0x50b4ef6d, 0x07478cd1, 0x006e1888, 0xa2e53f55, 0xb9e6d4bc,
|
||||||
|
0xa2048016, 0x97573833, 0xd7207d67, 0xde0f8f3d, 0x72f87b33, 0xabcc4f33, 0x7688c55d, 0x7b00a6b0,
|
||||||
|
0x947b0001, 0x570075d2, 0xf9bb88f8, 0x8942019e, 0x4264a5ff, 0x856302e0, 0x72dbd92b, 0xee971b69,
|
||||||
|
0x6ea22fde, 0x5f08ae2b, 0xaf7a616d, 0xe5c98767, 0xcf1febd2, 0x61efc8c2, 0xf1ac2571, 0xcc8239c2,
|
||||||
|
0x67214cb8, 0xb1e583d1, 0xb7dc3e62, 0x7f10bdce, 0xf90a5c38, 0x0ff0443d, 0x606e6dc6, 0x60543a49,
|
||||||
|
0x5727c148, 0x2be98a1d, 0x8ab41738, 0x20e1be24, 0xaf96da0f, 0x68458425, 0x99833be5, 0x600d457d,
|
||||||
|
0x282f9350, 0x8334b362, 0xd91d1120, 0x2b6d8da0, 0x642b1e31, 0x9c305a00, 0x52bce688, 0x1b03588a,
|
||||||
|
0xf7baefd5, 0x4142ed9c, 0xa4315c11, 0x83323ec5, 0xdfef4636, 0xa133c501, 0xe9d3531c, 0xee353783,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
0x9db30420, 0x1fb6e9de, 0xa7be7bef, 0xd273a298, 0x4a4f7bdb, 0x64ad8c57, 0x85510443, 0xfa020ed1,
|
||||||
|
0x7e287aff, 0xe60fb663, 0x095f35a1, 0x79ebf120, 0xfd059d43, 0x6497b7b1, 0xf3641f63, 0x241e4adf,
|
||||||
|
0x28147f5f, 0x4fa2b8cd, 0xc9430040, 0x0cc32220, 0xfdd30b30, 0xc0a5374f, 0x1d2d00d9, 0x24147b15,
|
||||||
|
0xee4d111a, 0x0fca5167, 0x71ff904c, 0x2d195ffe, 0x1a05645f, 0x0c13fefe, 0x081b08ca, 0x05170121,
|
||||||
|
0x80530100, 0xe83e5efe, 0xac9af4f8, 0x7fe72701, 0xd2b8ee5f, 0x06df4261, 0xbb9e9b8a, 0x7293ea25,
|
||||||
|
0xce84ffdf, 0xf5718801, 0x3dd64b04, 0xa26f263b, 0x7ed48400, 0x547eebe6, 0x446d4ca0, 0x6cf3d6f5,
|
||||||
|
0x2649abdf, 0xaea0c7f5, 0x36338cc1, 0x503f7e93, 0xd3772061, 0x11b638e1, 0x72500e03, 0xf80eb2bb,
|
||||||
|
0xabe0502e, 0xec8d77de, 0x57971e81, 0xe14f6746, 0xc9335400, 0x6920318f, 0x081dbb99, 0xffc304a5,
|
||||||
|
0x4d351805, 0x7f3d5ce3, 0xa6c866c6, 0x5d5bcca9, 0xdaec6fea, 0x9f926f91, 0x9f46222f, 0x3991467d,
|
||||||
|
0xa5bf6d8e, 0x1143c44f, 0x43958302, 0xd0214eeb, 0x022083b8, 0x3fb6180c, 0x18f8931e, 0x281658e6,
|
||||||
|
0x26486e3e, 0x8bd78a70, 0x7477e4c1, 0xb506e07c, 0xf32d0a25, 0x79098b02, 0xe4eabb81, 0x28123b23,
|
||||||
|
0x69dead38, 0x1574ca16, 0xdf871b62, 0x211c40b7, 0xa51a9ef9, 0x0014377b, 0x041e8ac8, 0x09114003,
|
||||||
|
0xbd59e4d2, 0xe3d156d5, 0x4fe876d5, 0x2f91a340, 0x557be8de, 0x00eae4a7, 0x0ce5c2ec, 0x4db4bba6,
|
||||||
|
0xe756bdff, 0xdd3369ac, 0xec17b035, 0x06572327, 0x99afc8b0, 0x56c8c391, 0x6b65811c, 0x5e146119,
|
||||||
|
0x6e85cb75, 0xbe07c002, 0xc2325577, 0x893ff4ec, 0x5bbfc92d, 0xd0ec3b25, 0xb7801ab7, 0x8d6d3b24,
|
||||||
|
0x20c763ef, 0xc366a5fc, 0x9c382880, 0x0ace3205, 0xaac9548a, 0xeca1d7c7, 0x041afa32, 0x1d16625a,
|
||||||
|
0x6701902c, 0x9b757a54, 0x31d477f7, 0x9126b031, 0x36cc6fdb, 0xc70b8b46, 0xd9e66a48, 0x56e55a79,
|
||||||
|
0x026a4ceb, 0x52437eff, 0x2f8f76b4, 0x0df980a5, 0x8674cde3, 0xedda04eb, 0x17a9be04, 0x2c18f4df,
|
||||||
|
0xb7747f9d, 0xab2af7b4, 0xefc34d20, 0x2e096b7c, 0x1741a254, 0xe5b6a035, 0x213d42f6, 0x2c1c7c26,
|
||||||
|
0x61c2f50f, 0x6552daf9, 0xd2c231f8, 0x25130f69, 0xd8167fa2, 0x0418f2c8, 0x001a96a6, 0x0d1526ab,
|
||||||
|
0x63315c21, 0x5e0a72ec, 0x49bafefd, 0x187908d9, 0x8d0dbd86, 0x311170a7, 0x3e9b640c, 0xcc3e10d7,
|
||||||
|
0xd5cad3b6, 0x0caec388, 0xf73001e1, 0x6c728aff, 0x71eae2a1, 0x1f9af36e, 0xcfcbd12f, 0xc1de8417,
|
||||||
|
0xac07be6b, 0xcb44a1d8, 0x8b9b0f56, 0x013988c3, 0xb1c52fca, 0xb4be31cd, 0xd8782806, 0x12a3a4e2,
|
||||||
|
0x6f7de532, 0x58fd7eb6, 0xd01ee900, 0x24adffc2, 0xf4990fc5, 0x9711aac5, 0x001d7b95, 0x82e5e7d2,
|
||||||
|
0x109873f6, 0x00613096, 0xc32d9521, 0xada121ff, 0x29908415, 0x7fbb977f, 0xaf9eb3db, 0x29c9ed2a,
|
||||||
|
0x5ce2a465, 0xa730f32c, 0xd0aa3fe8, 0x8a5cc091, 0xd49e2ce7, 0x0ce454a9, 0xd60acd86, 0x015f1919,
|
||||||
|
0x77079103, 0xdea03af6, 0x78a8565e, 0xdee356df, 0x21f05cbe, 0x8b75e387, 0xb3c50651, 0xb8a5c3ef,
|
||||||
|
0xd8eeb6d2, 0xe523be77, 0xc2154529, 0x2f69efdf, 0xafe67afb, 0xf470c4b2, 0xf3e0eb5b, 0xd6cc9876,
|
||||||
|
0x39e4460c, 0x1fda8538, 0x1987832f, 0xca007367, 0xa99144f8, 0x296b299e, 0x492fc295, 0x9266beab,
|
||||||
|
0xb5676e69, 0x9bd3ddda, 0xdf7e052f, 0xdb25701c, 0x1b5e51ee, 0xf65324e6, 0x6afce36c, 0x0316cc04,
|
||||||
|
0x8644213e, 0xb7dc59d0, 0x7965291f, 0xccd6fd43, 0x41823979, 0x932bcdf6, 0xb657c34d, 0x4edfd282,
|
||||||
|
0x7ae5290c, 0x3cb9536b, 0x851e20fe, 0x9833557e, 0x13ecf0b0, 0xd3ffb372, 0x3f85c5c1, 0x0aef7ed2,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
0x7ec90c04, 0x2c6e74b9, 0x9b0e66df, 0xa6337911, 0xb86a7fff, 0x1dd358f5, 0x44dd9d44, 0x1731167f,
|
||||||
|
0x08fbf1fa, 0xe7f511cc, 0xd2051b00, 0x735aba00, 0x2ab722d8, 0x386381cb, 0xacf6243a, 0x69befd7a,
|
||||||
|
0xe6a2e77f, 0xf0c720cd, 0xc4494816, 0xccf5c180, 0x38851640, 0x15b0a848, 0xe68b18cb, 0x4caadeff,
|
||||||
|
0x5f480a01, 0x0412b2aa, 0x259814fc, 0x41d0efe2, 0x4e40b48d, 0x248eb6fb, 0x8dba1cfe, 0x41a99b02,
|
||||||
|
0x1a550a04, 0xba8f65cb, 0x7251f4e7, 0x95a51725, 0xc106ecd7, 0x97a5980a, 0xc539b9aa, 0x4d79fe6a,
|
||||||
|
0xf2f3f763, 0x68af8040, 0xed0c9e56, 0x11b4958b, 0xe1eb5a88, 0x8709e6b0, 0xd7e07156, 0x4e29fea7,
|
||||||
|
0x6366e52d, 0x02d1c000, 0xc4ac8e05, 0x9377f571, 0x0c05372a, 0x578535f2, 0x2261be02, 0xd642a0c9,
|
||||||
|
0xdf13a280, 0x74b55bd2, 0x682199c0, 0xd421e5ec, 0x53fb3ce8, 0xc8adedb3, 0x28a87fc9, 0x3d959981,
|
||||||
|
0x5c1ff900, 0xfe38d399, 0x0c4eff0b, 0x062407ea, 0xaa2f4fb1, 0x4fb96976, 0x90c79505, 0xb0a8a774,
|
||||||
|
0xef55a1ff, 0xe59ca2c2, 0xa6b62d27, 0xe66a4263, 0xdf65001f, 0x0ec50966, 0xdfdd55bc, 0x29de0655,
|
||||||
|
0x911e739a, 0x17af8975, 0x32c7911c, 0x89f89468, 0x0d01e980, 0x524755f4, 0x03b63cc9, 0x0cc844b2,
|
||||||
|
0xbcf3f0aa, 0x87ac36e9, 0xe53a7426, 0x01b3d82b, 0x1a9e7449, 0x64ee2d7e, 0xcddbb1da, 0x01c94910,
|
||||||
|
0xb868bf80, 0x0d26f3fd, 0x9342ede7, 0x04a5c284, 0x636737b6, 0x50f5b616, 0xf24766e3, 0x8eca36c1,
|
||||||
|
0x136e05db, 0xfef18391, 0xfb887a37, 0xd6e7f7d4, 0xc7fb7dc9, 0x3063fcdf, 0xb6f589de, 0xec2941da,
|
||||||
|
0x26e46695, 0xb7566419, 0xf654efc5, 0xd08d58b7, 0x48925401, 0xc1bacb7f, 0xe5ff550f, 0xb6083049,
|
||||||
|
0x5bb5d0e8, 0x87d72e5a, 0xab6a6ee1, 0x223a66ce, 0xc62bf3cd, 0x9e0885f9, 0x68cb3e47, 0x086c010f,
|
||||||
|
0xa21de820, 0xd18b69de, 0xf3f65777, 0xfa02c3f6, 0x407edac3, 0xcbb3d550, 0x1793084d, 0xb0d70eba,
|
||||||
|
0x0ab378d5, 0xd951fb0c, 0xded7da56, 0x4124bbe4, 0x94ca0b56, 0x0f5755d1, 0xe0e1e56e, 0x6184b5be,
|
||||||
|
0x580a249f, 0x94f74bc0, 0xe327888e, 0x9f7b5561, 0xc3dc0280, 0x05687715, 0x646c6bd7, 0x44904db3,
|
||||||
|
0x66b4f0a3, 0xc0f1648a, 0x697ed5af, 0x49e92ff6, 0x309e374f, 0x2cb6356a, 0x85808573, 0x4991f840,
|
||||||
|
0x76f0ae02, 0x083be84d, 0x28421c9a, 0x44489406, 0x736e4cb8, 0xc1092910, 0x8bc95fc6, 0x7d869cf4,
|
||||||
|
0x134f616f, 0x2e77118d, 0xb31b2be1, 0xaa90b472, 0x3ca5d717, 0x7d161bba, 0x9cad9010, 0xaf462ba2,
|
||||||
|
0x9fe459d2, 0x45d34559, 0xd9f2da13, 0xdbc65487, 0xf3e4f94e, 0x176d486f, 0x097c13ea, 0x631da5c7,
|
||||||
|
0x445f7382, 0x175683f4, 0xcdc66a97, 0x70be0288, 0xb3cdcf72, 0x6e5dd2f3, 0x20936079, 0x459b80a5,
|
||||||
|
0xbe60e2db, 0xa9c23101, 0xeba5315c, 0x224e42f2, 0x1c5c1572, 0xf6721b2c, 0x1ad2fff3, 0x8c25404e,
|
||||||
|
0x324ed72f, 0x4067b7fd, 0x0523138e, 0x5ca3bc78, 0xdc0fd66e, 0x75922283, 0x784d6b17, 0x58ebb16e,
|
||||||
|
0x44094f85, 0x3f481d87, 0xfcfeae7b, 0x77b5ff76, 0x8c2302bf, 0xaaf47556, 0x5f46b02a, 0x2b092801,
|
||||||
|
0x3d38f5f7, 0x0ca81f36, 0x52af4a8a, 0x66d5e7c0, 0xdf3b0874, 0x95055110, 0x1b5ad7a8, 0xf61ed5ad,
|
||||||
|
0x6cf6e479, 0x20758184, 0xd0cefa65, 0x88f7be58, 0x4a046826, 0x0ff6f8f3, 0xa09c7f70, 0x5346aba0,
|
||||||
|
0x5ce96c28, 0xe176eda3, 0x6bac307f, 0x376829d2, 0x85360fa9, 0x17e3fe2a, 0x24b79767, 0xf5a96b20,
|
||||||
|
0xd6cd2595, 0x68ff1ebf, 0x7555442c, 0xf19f06be, 0xf9e0659a, 0xeeb9491d, 0x34010718, 0xbb30cab8,
|
||||||
|
0xe822fe15, 0x88570983, 0x750e6249, 0xda627e55, 0x5e76ffa8, 0xb1534546, 0x6d47de08, 0xefe9e7d4,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
0xf6fa8f9d, 0x2cac6ce1, 0x4ca34867, 0xe2337f7c, 0x95db08e7, 0x016843b4, 0xeced5cbc, 0x325553ac,
|
||||||
|
0xbf9f0960, 0xdfa1e2ed, 0x83f0579d, 0x63ed86b9, 0x1ab6a6b8, 0xde5ebe39, 0xf38ff732, 0x8989b138,
|
||||||
|
0x33f14961, 0xc01937bd, 0xf506c6da, 0xe4625e7e, 0xa308ea99, 0x4e23e33c, 0x79cbd7cc, 0x48a14367,
|
||||||
|
0xa3149619, 0xfec94bd5, 0xa114174a, 0xeaa01866, 0xa084db2d, 0x09a8486f, 0xa888614a, 0x2900af98,
|
||||||
|
0x01665991, 0xe1992863, 0xc8f30c60, 0x2e78ef3c, 0xd0d51932, 0xcf0fec14, 0xf7ca07d2, 0xd0a82072,
|
||||||
|
0xfd41197e, 0x9305a6b0, 0xe86be3da, 0x74bed3cd, 0x372da53c, 0x4c7f4448, 0xdab5d440, 0x6dba0ec3,
|
||||||
|
0x083919a7, 0x9fbaeed9, 0x49dbcfb0, 0x4e670c53, 0x5c3d9c01, 0x64bdb941, 0x2c0e636a, 0xba7dd9cd,
|
||||||
|
0xea6f7388, 0xe70bc762, 0x35f29adb, 0x5c4cdd8d, 0xf0d48d8c, 0xb88153e2, 0x08a19866, 0x1ae2eac8,
|
||||||
|
0x284caf89, 0xaa928223, 0x9334be53, 0x3b3a21bf, 0x16434be3, 0x9aea3906, 0xefe8c36e, 0xf890cdd9,
|
||||||
|
0x80226dae, 0xc340a4a3, 0xdf7e9c09, 0xa694a807, 0x5b7c5ecc, 0x221db3a6, 0x9a69a02f, 0x68818a54,
|
||||||
|
0xceb2296f, 0x53c0843a, 0xfe893655, 0x25bfe68a, 0xb4628abc, 0xcf222ebf, 0x25ac6f48, 0xa9a99387,
|
||||||
|
0x53bddb65, 0xe76ffbe7, 0xe967fd78, 0x0ba93563, 0x8e342bc1, 0xe8a11be9, 0x4980740d, 0xc8087dfc,
|
||||||
|
0x8de4bf99, 0xa11101a0, 0x7fd37975, 0xda5a26c0, 0xe81f994f, 0x9528cd89, 0xfd339fed, 0xb87834bf,
|
||||||
|
0x5f04456d, 0x22258698, 0xc9c4c83b, 0x2dc156be, 0x4f628daa, 0x57f55ec5, 0xe2220abe, 0xd2916ebf,
|
||||||
|
0x4ec75b95, 0x24f2c3c0, 0x42d15d99, 0xcd0d7fa0, 0x7b6e27ff, 0xa8dc8af0, 0x7345c106, 0xf41e232f,
|
||||||
|
0x35162386, 0xe6ea8926, 0x3333b094, 0x157ec6f2, 0x372b74af, 0x692573e4, 0xe9a9d848, 0xf3160289,
|
||||||
|
0x3a62ef1d, 0xa787e238, 0xf3a5f676, 0x74364853, 0x20951063, 0x4576698d, 0xb6fad407, 0x592af950,
|
||||||
|
0x36f73523, 0x4cfb6e87, 0x7da4cec0, 0x6c152daa, 0xcb0396a8, 0xc50dfe5d, 0xfcd707ab, 0x0921c42f,
|
||||||
|
0x89dff0bb, 0x5fe2be78, 0x448f4f33, 0x754613c9, 0x2b05d08d, 0x48b9d585, 0xdc049441, 0xc8098f9b,
|
||||||
|
0x7dede786, 0xc39a3373, 0x42410005, 0x6a091751, 0x0ef3c8a6, 0x890072d6, 0x28207682, 0xa9a9f7be,
|
||||||
|
0xbf32679d, 0xd45b5b75, 0xb353fd00, 0xcbb0e358, 0x830f220a, 0x1f8fb214, 0xd372cf08, 0xcc3c4a13,
|
||||||
|
0x8cf63166, 0x061c87be, 0x88c98f88, 0x6062e397, 0x47cf8e7a, 0xb6c85283, 0x3cc2acfb, 0x3fc06976,
|
||||||
|
0x4e8f0252, 0x64d8314d, 0xda3870e3, 0x1e665459, 0xc10908f0, 0x513021a5, 0x6c5b68b7, 0x822f8aa0,
|
||||||
|
0x3007cd3e, 0x74719eef, 0xdc872681, 0x073340d4, 0x7e432fd9, 0x0c5ec241, 0x8809286c, 0xf592d891,
|
||||||
|
0x08a930f6, 0x957ef305, 0xb7fbffbd, 0xc266e96f, 0x6fe4ac98, 0xb173ecc0, 0xbc60b42a, 0x953498da,
|
||||||
|
0xfba1ae12, 0x2d4bd736, 0x0f25faab, 0xa4f3fceb, 0xe2969123, 0x257f0c3d, 0x9348af49, 0x361400bc,
|
||||||
|
0xe8816f4a, 0x3814f200, 0xa3f94043, 0x9c7a54c2, 0xbc704f57, 0xda41e7f9, 0xc25ad33a, 0x54f4a084,
|
||||||
|
0xb17f5505, 0x59357cbe, 0xedbd15c8, 0x7f97c5ab, 0xba5ac7b5, 0xb6f6deaf, 0x3a479c3a, 0x5302da25,
|
||||||
|
0x653d7e6a, 0x54268d49, 0x51a477ea, 0x5017d55b, 0xd7d25d88, 0x44136c76, 0x0404a8c8, 0xb8e5a121,
|
||||||
|
0xb81a928a, 0x60ed5869, 0x97c55b96, 0xeaec991b, 0x29935913, 0x01fdb7f1, 0x088e8dfa, 0x9ab6f6f5,
|
||||||
|
0x3b4cbf9f, 0x4a5de3ab, 0xe6051d35, 0xa0e1d855, 0xd36b4cf1, 0xf544edeb, 0xb0e93524, 0xbebb8fbd,
|
||||||
|
0xa2d762cf, 0x49c92f54, 0x38b5f331, 0x7128a454, 0x48392905, 0xa65b1db8, 0x851c97bd, 0xd675cf2f,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
0x85e04019, 0x332bf567, 0x662dbfff, 0xcfc65693, 0x2a8d7f6f, 0xab9bc912, 0xde6008a1, 0x2028da1f,
|
||||||
|
0x0227bce7, 0x4d642916, 0x18fac300, 0x50f18b82, 0x2cb2cb11, 0xb232e75c, 0x4b3695f2, 0xb28707de,
|
||||||
|
0xa05fbcf6, 0xcd4181e9, 0xe150210c, 0xe24ef1bd, 0xb168c381, 0xfde4e789, 0x5c79b0d8, 0x1e8bfd43,
|
||||||
|
0x4d495001, 0x38be4341, 0x913cee1d, 0x92a79c3f, 0x089766be, 0xbaeeadf4, 0x1286becf, 0xb6eacb19,
|
||||||
|
0x2660c200, 0x7565bde4, 0x64241f7a, 0x8248dca9, 0xc3b3ad66, 0x28136086, 0x0bd8dfa8, 0x356d1cf2,
|
||||||
|
0x107789be, 0xb3b2e9ce, 0x0502aa8f, 0x0bc0351e, 0x166bf52a, 0xeb12ff82, 0xe3486911, 0xd34d7516,
|
||||||
|
0x4e7b3aff, 0x5f43671b, 0x9cf6e037, 0x4981ac83, 0x334266ce, 0x8c9341b7, 0xd0d854c0, 0xcb3a6c88,
|
||||||
|
0x47bc2829, 0x4725ba37, 0xa66ad22b, 0x7ad61f1e, 0x0c5cbafa, 0x4437f107, 0xb6e79962, 0x42d2d816,
|
||||||
|
0x0a961288, 0xe1a5c06e, 0x13749e67, 0x72fc081a, 0xb1d139f7, 0xf9583745, 0xcf19df58, 0xbec3f756,
|
||||||
|
0xc06eba30, 0x07211b24, 0x45c28829, 0xc95e317f, 0xbc8ec511, 0x38bc46e9, 0xc6e6fa14, 0xbae8584a,
|
||||||
|
0xad4ebc46, 0x468f508b, 0x7829435f, 0xf124183b, 0x821dba9f, 0xaff60ff4, 0xea2c4e6d, 0x16e39264,
|
||||||
|
0x92544a8b, 0x009b4fc3, 0xaba68ced, 0x9ac96f78, 0x06a5b79a, 0xb2856e6e, 0x1aec3ca9, 0xbe838688,
|
||||||
|
0x0e0804e9, 0x55f1be56, 0xe7e5363b, 0xb3a1f25d, 0xf7debb85, 0x61fe033c, 0x16746233, 0x3c034c28,
|
||||||
|
0xda6d0c74, 0x79aac56c, 0x3ce4e1ad, 0x51f0c802, 0x98f8f35a, 0x1626a49f, 0xeed82b29, 0x1d382fe3,
|
||||||
|
0x0c4fb99a, 0xbb325778, 0x3ec6d97b, 0x6e77a6a9, 0xcb658b5c, 0xd45230c7, 0x2bd1408b, 0x60c03eb7,
|
||||||
|
0xb9068d78, 0xa33754f4, 0xf430c87d, 0xc8a71302, 0xb96d8c32, 0xebd4e7be, 0xbe8b9d2d, 0x7979fb06,
|
||||||
|
0xe7225308, 0x8b75cf77, 0x11ef8da4, 0xe083c858, 0x8d6b786f, 0x5a6317a6, 0xfa5cf7a0, 0x5dda0033,
|
||||||
|
0xf28ebfb0, 0xf5b9c310, 0xa0eac280, 0x08b9767a, 0xa3d9d2b0, 0x79d34217, 0x021a718d, 0x9ac6336a,
|
||||||
|
0x2711fd60, 0x438050e3, 0x069908a8, 0x3d7fedc4, 0x826d2bef, 0x4eeb8476, 0x488dcf25, 0x36c9d566,
|
||||||
|
0x28e74e41, 0xc2610aca, 0x3d49a9cf, 0xbae3b9df, 0xb65f8de6, 0x92aeaf64, 0x3ac7d5e6, 0x9ea80509,
|
||||||
|
0xf22b017d, 0xa4173f70, 0xdd1e16c3, 0x15e0d7f9, 0x50b1b887, 0x2b9f4fd5, 0x625aba82, 0x6a017962,
|
||||||
|
0x2ec01b9c, 0x15488aa9, 0xd716e740, 0x40055a2c, 0x93d29a22, 0xe32dbf9a, 0x058745b9, 0x3453dc1e,
|
||||||
|
0xd699296e, 0x496cff6f, 0x1c9f4986, 0xdfe2ed07, 0xb87242d1, 0x19de7eae, 0x053e561a, 0x15ad6f8c,
|
||||||
|
0x66626c1c, 0x7154c24c, 0xea082b2a, 0x93eb2939, 0x17dcb0f0, 0x58d4f2ae, 0x9ea294fb, 0x52cf564c,
|
||||||
|
0x9883fe66, 0x2ec40581, 0x763953c3, 0x01d6692e, 0xd3a0c108, 0xa1e7160e, 0xe4f2dfa6, 0x693ed285,
|
||||||
|
0x74904698, 0x4c2b0edd, 0x4f757656, 0x5d393378, 0xa132234f, 0x3d321c5d, 0xc3f5e194, 0x4b269301,
|
||||||
|
0xc79f022f, 0x3c997e7e, 0x5e4f9504, 0x3ffafbbd, 0x76f7ad0e, 0x296693f4, 0x3d1fce6f, 0xc61e45be,
|
||||||
|
0xd3b5ab34, 0xf72bf9b7, 0x1b0434c0, 0x4e72b567, 0x5592a33d, 0xb5229301, 0xcfd2a87f, 0x60aeb767,
|
||||||
|
0x1814386b, 0x30bcc33d, 0x38a0c07d, 0xfd1606f2, 0xc363519b, 0x589dd390, 0x5479f8e6, 0x1cb8d647,
|
||||||
|
0x97fd61a9, 0xea7759f4, 0x2d57539d, 0x569a58cf, 0xe84e63ad, 0x462e1b78, 0x6580f87e, 0xf3817914,
|
||||||
|
0x91da55f4, 0x40a230f3, 0xd1988f35, 0xb6e318d2, 0x3ffa50bc, 0x3d40f021, 0xc3c0bdae, 0x4958c24c,
|
||||||
|
0x518f36b2, 0x84b1d370, 0x0fedce83, 0x878ddada, 0xf2a279c7, 0x94e01be8, 0x90716f4b, 0x954b8aa3,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
0xe216300d, 0xbbddfffc, 0xa7ebdabd, 0x35648095, 0x7789f8b7, 0xe6c1121b, 0x0e241600, 0x052ce8b5,
|
||||||
|
0x11a9cfb0, 0xe5952f11, 0xece7990a, 0x9386d174, 0x2a42931c, 0x76e38111, 0xb12def3a, 0x37ddddfc,
|
||||||
|
0xde9adeb1, 0x0a0cc32c, 0xbe197029, 0x84a00940, 0xbb243a0f, 0xb4d137cf, 0xb44e79f0, 0x049eedfd,
|
||||||
|
0x0b15a15d, 0x480d3168, 0x8bbbde5a, 0x669ded42, 0xc7ece831, 0x3f8f95e7, 0x72df191b, 0x7580330d,
|
||||||
|
0x94074251, 0x5c7dcdfa, 0xabbe6d63, 0xaa402164, 0xb301d40a, 0x02e7d1ca, 0x53571dae, 0x7a3182a2,
|
||||||
|
0x12a8ddec, 0xfdaa335d, 0x176f43e8, 0x71fb46d4, 0x38129022, 0xce949ad4, 0xb84769ad, 0x965bd862,
|
||||||
|
0x82f3d055, 0x66fb9767, 0x15b80b4e, 0x1d5b47a0, 0x4cfde06f, 0xc28ec4b8, 0x57e8726e, 0x647a78fc,
|
||||||
|
0x99865d44, 0x608bd593, 0x6c200e03, 0x39dc5ff6, 0x5d0b00a3, 0xae63aff2, 0x7e8bd632, 0x70108c0c,
|
||||||
|
0xbbd35049, 0x2998df04, 0x980cf42a, 0x9b6df491, 0x9e7edd53, 0x06918548, 0x58cb7e07, 0x3b74ef2e,
|
||||||
|
0x522fffb1, 0xd24708cc, 0x1c7e27cd, 0xa4eb215b, 0x3cf1d2e2, 0x19b47a38, 0x424f7618, 0x35856039,
|
||||||
|
0x9d17dee7, 0x27eb35e6, 0xc9aff67b, 0x36baf5b8, 0x09c467cd, 0xc18910b1, 0xe11dbf7b, 0x06cd1af8,
|
||||||
|
0x7170c608, 0x2d5e3354, 0xd4de495a, 0x64c6d006, 0xbcc0c62c, 0x3dd00db3, 0x708f8f34, 0x77d51b42,
|
||||||
|
0x264f620f, 0x24b8d2bf, 0x15c1b79e, 0x46a52564, 0xf8d7e54e, 0x3e378160, 0x7895cda5, 0x859c15a5,
|
||||||
|
0xe6459788, 0xc37bc75f, 0xdb07ba0c, 0x0676a3ab, 0x7f229b1e, 0x31842e7b, 0x24259fd7, 0xf8bef472,
|
||||||
|
0x835ffcb8, 0x6df4c1f2, 0x96f5b195, 0xfd0af0fc, 0xb0fe134c, 0xe2506d3d, 0x4f9b12ea, 0xf215f225,
|
||||||
|
0xa223736f, 0x9fb4c428, 0x25d04979, 0x34c713f8, 0xc4618187, 0xea7a6e98, 0x7cd16efc, 0x1436876c,
|
||||||
|
0xf1544107, 0xbedeee14, 0x56e9af27, 0xa04aa441, 0x3cf7c899, 0x92ecbae6, 0xdd67016d, 0x151682eb,
|
||||||
|
0xa842eedf, 0xfdba60b4, 0xf1907b75, 0x20e3030f, 0x24d8c29e, 0xe139673b, 0xefa63fb8, 0x71873054,
|
||||||
|
0xb6f2cf3b, 0x9f326442, 0xcb15a4cc, 0xb01a4504, 0xf1e47d8d, 0x844a1be5, 0xbae7dfdc, 0x42cbda70,
|
||||||
|
0xcd7dae0a, 0x57e85b7a, 0xd53f5af6, 0x20cf4d8c, 0xcea4d428, 0x79d130a4, 0x3486ebfb, 0x33d3cddc,
|
||||||
|
0x77853b53, 0x37effcb5, 0xc5068778, 0xe580b3e6, 0x4e68b8f4, 0xc5c8b37e, 0x0d809ea2, 0x398feb7c,
|
||||||
|
0x132a4f94, 0x43b7950e, 0x2fee7d1c, 0x223613bd, 0xdd06caa2, 0x37df932b, 0xc4248289, 0xacf3ebc3,
|
||||||
|
0x5715f6b7, 0xef3478dd, 0xf267616f, 0xc148cbe4, 0x9052815e, 0x5e410fab, 0xb48a2465, 0x2eda7fa4,
|
||||||
|
0xe87b40e4, 0xe98ea084, 0x5889e9e1, 0xefd390fc, 0xdd07d35b, 0xdb485694, 0x38d7e5b2, 0x57720101,
|
||||||
|
0x730edebc, 0x5b643113, 0x94917e4f, 0x503c2fba, 0x646f1282, 0x7523d24a, 0xe0779695, 0xf9c17a8f,
|
||||||
|
0x7a5b2121, 0xd187b896, 0x29263a4d, 0xba510cdf, 0x81f47c9f, 0xad1163ed, 0xea7b5965, 0x1a00726e,
|
||||||
|
0x11403092, 0x00da6d77, 0x4a0cdd61, 0xad1f4603, 0x605bdfb0, 0x9eedc364, 0x22ebe6a8, 0xcee7d28a,
|
||||||
|
0xa0e736a0, 0x5564a6b9, 0x10853209, 0xc7eb8f37, 0x2de705ca, 0x8951570f, 0xdf09822b, 0xbd691a6c,
|
||||||
|
0xaa12e4f2, 0x87451c0f, 0xe0f6a27a, 0x3ada4819, 0x4cf1764f, 0x0d771c2b, 0x67cdb156, 0x350d8384,
|
||||||
|
0x5938fa0f, 0x42399ef3, 0x36997b07, 0x0e84093d, 0x4aa93e61, 0x8360d87b, 0x1fa98b0c, 0x1149382c,
|
||||||
|
0xe97625a5, 0x0614d1b7, 0x0e25244b, 0x0c768347, 0x589e8d82, 0x0d2059d1, 0xa466bb1e, 0xf8da0a82,
|
||||||
|
0x04f19130, 0xba6e4ec0, 0x99265164, 0x1ee7230d, 0x50b2ad80, 0xeaee6801, 0x8db2a283, 0xea8bf59e,
|
||||||
|
},
|
||||||
|
}
|
20
vendor/github.com/keybase/go-crypto/curve25519/const_amd64.s
generated
vendored
Normal file
20
vendor/github.com/keybase/go-crypto/curve25519/const_amd64.s
generated
vendored
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
// Copyright 2012 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// This code was translated into a form compatible with 6a from the public
|
||||||
|
// domain sources in SUPERCOP: http://bench.cr.yp.to/supercop.html
|
||||||
|
|
||||||
|
// +build amd64,!gccgo,!appengine
|
||||||
|
|
||||||
|
DATA ·REDMASK51(SB)/8, $0x0007FFFFFFFFFFFF
|
||||||
|
GLOBL ·REDMASK51(SB), 8, $8
|
||||||
|
|
||||||
|
DATA ·_121666_213(SB)/8, $996687872
|
||||||
|
GLOBL ·_121666_213(SB), 8, $8
|
||||||
|
|
||||||
|
DATA ·_2P0(SB)/8, $0xFFFFFFFFFFFDA
|
||||||
|
GLOBL ·_2P0(SB), 8, $8
|
||||||
|
|
||||||
|
DATA ·_2P1234(SB)/8, $0xFFFFFFFFFFFFE
|
||||||
|
GLOBL ·_2P1234(SB), 8, $8
|
88
vendor/github.com/keybase/go-crypto/curve25519/cswap_amd64.s
generated
vendored
Normal file
88
vendor/github.com/keybase/go-crypto/curve25519/cswap_amd64.s
generated
vendored
Normal file
@ -0,0 +1,88 @@
|
|||||||
|
// Copyright 2012 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// This code was translated into a form compatible with 6a from the public
|
||||||
|
// domain sources in SUPERCOP: http://bench.cr.yp.to/supercop.html
|
||||||
|
|
||||||
|
// +build amd64,!gccgo,!appengine
|
||||||
|
|
||||||
|
// func cswap(inout *[5]uint64, v uint64)
|
||||||
|
TEXT ·cswap(SB),7,$0
|
||||||
|
MOVQ inout+0(FP),DI
|
||||||
|
MOVQ v+8(FP),SI
|
||||||
|
|
||||||
|
CMPQ SI,$1
|
||||||
|
MOVQ 0(DI),SI
|
||||||
|
MOVQ 80(DI),DX
|
||||||
|
MOVQ 8(DI),CX
|
||||||
|
MOVQ 88(DI),R8
|
||||||
|
MOVQ SI,R9
|
||||||
|
CMOVQEQ DX,SI
|
||||||
|
CMOVQEQ R9,DX
|
||||||
|
MOVQ CX,R9
|
||||||
|
CMOVQEQ R8,CX
|
||||||
|
CMOVQEQ R9,R8
|
||||||
|
MOVQ SI,0(DI)
|
||||||
|
MOVQ DX,80(DI)
|
||||||
|
MOVQ CX,8(DI)
|
||||||
|
MOVQ R8,88(DI)
|
||||||
|
MOVQ 16(DI),SI
|
||||||
|
MOVQ 96(DI),DX
|
||||||
|
MOVQ 24(DI),CX
|
||||||
|
MOVQ 104(DI),R8
|
||||||
|
MOVQ SI,R9
|
||||||
|
CMOVQEQ DX,SI
|
||||||
|
CMOVQEQ R9,DX
|
||||||
|
MOVQ CX,R9
|
||||||
|
CMOVQEQ R8,CX
|
||||||
|
CMOVQEQ R9,R8
|
||||||
|
MOVQ SI,16(DI)
|
||||||
|
MOVQ DX,96(DI)
|
||||||
|
MOVQ CX,24(DI)
|
||||||
|
MOVQ R8,104(DI)
|
||||||
|
MOVQ 32(DI),SI
|
||||||
|
MOVQ 112(DI),DX
|
||||||
|
MOVQ 40(DI),CX
|
||||||
|
MOVQ 120(DI),R8
|
||||||
|
MOVQ SI,R9
|
||||||
|
CMOVQEQ DX,SI
|
||||||
|
CMOVQEQ R9,DX
|
||||||
|
MOVQ CX,R9
|
||||||
|
CMOVQEQ R8,CX
|
||||||
|
CMOVQEQ R9,R8
|
||||||
|
MOVQ SI,32(DI)
|
||||||
|
MOVQ DX,112(DI)
|
||||||
|
MOVQ CX,40(DI)
|
||||||
|
MOVQ R8,120(DI)
|
||||||
|
MOVQ 48(DI),SI
|
||||||
|
MOVQ 128(DI),DX
|
||||||
|
MOVQ 56(DI),CX
|
||||||
|
MOVQ 136(DI),R8
|
||||||
|
MOVQ SI,R9
|
||||||
|
CMOVQEQ DX,SI
|
||||||
|
CMOVQEQ R9,DX
|
||||||
|
MOVQ CX,R9
|
||||||
|
CMOVQEQ R8,CX
|
||||||
|
CMOVQEQ R9,R8
|
||||||
|
MOVQ SI,48(DI)
|
||||||
|
MOVQ DX,128(DI)
|
||||||
|
MOVQ CX,56(DI)
|
||||||
|
MOVQ R8,136(DI)
|
||||||
|
MOVQ 64(DI),SI
|
||||||
|
MOVQ 144(DI),DX
|
||||||
|
MOVQ 72(DI),CX
|
||||||
|
MOVQ 152(DI),R8
|
||||||
|
MOVQ SI,R9
|
||||||
|
CMOVQEQ DX,SI
|
||||||
|
CMOVQEQ R9,DX
|
||||||
|
MOVQ CX,R9
|
||||||
|
CMOVQEQ R8,CX
|
||||||
|
CMOVQEQ R9,R8
|
||||||
|
MOVQ SI,64(DI)
|
||||||
|
MOVQ DX,144(DI)
|
||||||
|
MOVQ CX,72(DI)
|
||||||
|
MOVQ R8,152(DI)
|
||||||
|
MOVQ DI,AX
|
||||||
|
MOVQ SI,DX
|
||||||
|
RET
|
841
vendor/github.com/keybase/go-crypto/curve25519/curve25519.go
generated
vendored
Normal file
841
vendor/github.com/keybase/go-crypto/curve25519/curve25519.go
generated
vendored
Normal file
@ -0,0 +1,841 @@
|
|||||||
|
// Copyright 2013 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// We have a implementation in amd64 assembly so this code is only run on
|
||||||
|
// non-amd64 platforms. The amd64 assembly does not support gccgo.
|
||||||
|
// +build !amd64 gccgo appengine
|
||||||
|
|
||||||
|
package curve25519
|
||||||
|
|
||||||
|
// This code is a port of the public domain, "ref10" implementation of
|
||||||
|
// curve25519 from SUPERCOP 20130419 by D. J. Bernstein.
|
||||||
|
|
||||||
|
// fieldElement represents an element of the field GF(2^255 - 19). An element
|
||||||
|
// t, entries t[0]...t[9], represents the integer t[0]+2^26 t[1]+2^51 t[2]+2^77
|
||||||
|
// t[3]+2^102 t[4]+...+2^230 t[9]. Bounds on each t[i] vary depending on
|
||||||
|
// context.
|
||||||
|
type fieldElement [10]int32
|
||||||
|
|
||||||
|
func feZero(fe *fieldElement) {
|
||||||
|
for i := range fe {
|
||||||
|
fe[i] = 0
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func feOne(fe *fieldElement) {
|
||||||
|
feZero(fe)
|
||||||
|
fe[0] = 1
|
||||||
|
}
|
||||||
|
|
||||||
|
func feAdd(dst, a, b *fieldElement) {
|
||||||
|
for i := range dst {
|
||||||
|
dst[i] = a[i] + b[i]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func feSub(dst, a, b *fieldElement) {
|
||||||
|
for i := range dst {
|
||||||
|
dst[i] = a[i] - b[i]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func feCopy(dst, src *fieldElement) {
|
||||||
|
for i := range dst {
|
||||||
|
dst[i] = src[i]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// feCSwap replaces (f,g) with (g,f) if b == 1; replaces (f,g) with (f,g) if b == 0.
|
||||||
|
//
|
||||||
|
// Preconditions: b in {0,1}.
|
||||||
|
func feCSwap(f, g *fieldElement, b int32) {
|
||||||
|
var x fieldElement
|
||||||
|
b = -b
|
||||||
|
for i := range x {
|
||||||
|
x[i] = b & (f[i] ^ g[i])
|
||||||
|
}
|
||||||
|
|
||||||
|
for i := range f {
|
||||||
|
f[i] ^= x[i]
|
||||||
|
}
|
||||||
|
for i := range g {
|
||||||
|
g[i] ^= x[i]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// load3 reads a 24-bit, little-endian value from in.
|
||||||
|
func load3(in []byte) int64 {
|
||||||
|
var r int64
|
||||||
|
r = int64(in[0])
|
||||||
|
r |= int64(in[1]) << 8
|
||||||
|
r |= int64(in[2]) << 16
|
||||||
|
return r
|
||||||
|
}
|
||||||
|
|
||||||
|
// load4 reads a 32-bit, little-endian value from in.
|
||||||
|
func load4(in []byte) int64 {
|
||||||
|
var r int64
|
||||||
|
r = int64(in[0])
|
||||||
|
r |= int64(in[1]) << 8
|
||||||
|
r |= int64(in[2]) << 16
|
||||||
|
r |= int64(in[3]) << 24
|
||||||
|
return r
|
||||||
|
}
|
||||||
|
|
||||||
|
func feFromBytes(dst *fieldElement, src *[32]byte) {
|
||||||
|
h0 := load4(src[:])
|
||||||
|
h1 := load3(src[4:]) << 6
|
||||||
|
h2 := load3(src[7:]) << 5
|
||||||
|
h3 := load3(src[10:]) << 3
|
||||||
|
h4 := load3(src[13:]) << 2
|
||||||
|
h5 := load4(src[16:])
|
||||||
|
h6 := load3(src[20:]) << 7
|
||||||
|
h7 := load3(src[23:]) << 5
|
||||||
|
h8 := load3(src[26:]) << 4
|
||||||
|
h9 := load3(src[29:]) << 2
|
||||||
|
|
||||||
|
var carry [10]int64
|
||||||
|
carry[9] = (h9 + 1<<24) >> 25
|
||||||
|
h0 += carry[9] * 19
|
||||||
|
h9 -= carry[9] << 25
|
||||||
|
carry[1] = (h1 + 1<<24) >> 25
|
||||||
|
h2 += carry[1]
|
||||||
|
h1 -= carry[1] << 25
|
||||||
|
carry[3] = (h3 + 1<<24) >> 25
|
||||||
|
h4 += carry[3]
|
||||||
|
h3 -= carry[3] << 25
|
||||||
|
carry[5] = (h5 + 1<<24) >> 25
|
||||||
|
h6 += carry[5]
|
||||||
|
h5 -= carry[5] << 25
|
||||||
|
carry[7] = (h7 + 1<<24) >> 25
|
||||||
|
h8 += carry[7]
|
||||||
|
h7 -= carry[7] << 25
|
||||||
|
|
||||||
|
carry[0] = (h0 + 1<<25) >> 26
|
||||||
|
h1 += carry[0]
|
||||||
|
h0 -= carry[0] << 26
|
||||||
|
carry[2] = (h2 + 1<<25) >> 26
|
||||||
|
h3 += carry[2]
|
||||||
|
h2 -= carry[2] << 26
|
||||||
|
carry[4] = (h4 + 1<<25) >> 26
|
||||||
|
h5 += carry[4]
|
||||||
|
h4 -= carry[4] << 26
|
||||||
|
carry[6] = (h6 + 1<<25) >> 26
|
||||||
|
h7 += carry[6]
|
||||||
|
h6 -= carry[6] << 26
|
||||||
|
carry[8] = (h8 + 1<<25) >> 26
|
||||||
|
h9 += carry[8]
|
||||||
|
h8 -= carry[8] << 26
|
||||||
|
|
||||||
|
dst[0] = int32(h0)
|
||||||
|
dst[1] = int32(h1)
|
||||||
|
dst[2] = int32(h2)
|
||||||
|
dst[3] = int32(h3)
|
||||||
|
dst[4] = int32(h4)
|
||||||
|
dst[5] = int32(h5)
|
||||||
|
dst[6] = int32(h6)
|
||||||
|
dst[7] = int32(h7)
|
||||||
|
dst[8] = int32(h8)
|
||||||
|
dst[9] = int32(h9)
|
||||||
|
}
|
||||||
|
|
||||||
|
// feToBytes marshals h to s.
|
||||||
|
// Preconditions:
|
||||||
|
// |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
|
||||||
|
//
|
||||||
|
// Write p=2^255-19; q=floor(h/p).
|
||||||
|
// Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))).
|
||||||
|
//
|
||||||
|
// Proof:
|
||||||
|
// Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4.
|
||||||
|
// Also have |h-2^230 h9|<2^230 so |19 2^(-255)(h-2^230 h9)|<1/4.
|
||||||
|
//
|
||||||
|
// Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9).
|
||||||
|
// Then 0<y<1.
|
||||||
|
//
|
||||||
|
// Write r=h-pq.
|
||||||
|
// Have 0<=r<=p-1=2^255-20.
|
||||||
|
// Thus 0<=r+19(2^-255)r<r+19(2^-255)2^255<=2^255-1.
|
||||||
|
//
|
||||||
|
// Write x=r+19(2^-255)r+y.
|
||||||
|
// Then 0<x<2^255 so floor(2^(-255)x) = 0 so floor(q+2^(-255)x) = q.
|
||||||
|
//
|
||||||
|
// Have q+2^(-255)x = 2^(-255)(h + 19 2^(-25) h9 + 2^(-1))
|
||||||
|
// so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q.
|
||||||
|
func feToBytes(s *[32]byte, h *fieldElement) {
|
||||||
|
var carry [10]int32
|
||||||
|
|
||||||
|
q := (19*h[9] + (1 << 24)) >> 25
|
||||||
|
q = (h[0] + q) >> 26
|
||||||
|
q = (h[1] + q) >> 25
|
||||||
|
q = (h[2] + q) >> 26
|
||||||
|
q = (h[3] + q) >> 25
|
||||||
|
q = (h[4] + q) >> 26
|
||||||
|
q = (h[5] + q) >> 25
|
||||||
|
q = (h[6] + q) >> 26
|
||||||
|
q = (h[7] + q) >> 25
|
||||||
|
q = (h[8] + q) >> 26
|
||||||
|
q = (h[9] + q) >> 25
|
||||||
|
|
||||||
|
// Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20.
|
||||||
|
h[0] += 19 * q
|
||||||
|
// Goal: Output h-2^255 q, which is between 0 and 2^255-20.
|
||||||
|
|
||||||
|
carry[0] = h[0] >> 26
|
||||||
|
h[1] += carry[0]
|
||||||
|
h[0] -= carry[0] << 26
|
||||||
|
carry[1] = h[1] >> 25
|
||||||
|
h[2] += carry[1]
|
||||||
|
h[1] -= carry[1] << 25
|
||||||
|
carry[2] = h[2] >> 26
|
||||||
|
h[3] += carry[2]
|
||||||
|
h[2] -= carry[2] << 26
|
||||||
|
carry[3] = h[3] >> 25
|
||||||
|
h[4] += carry[3]
|
||||||
|
h[3] -= carry[3] << 25
|
||||||
|
carry[4] = h[4] >> 26
|
||||||
|
h[5] += carry[4]
|
||||||
|
h[4] -= carry[4] << 26
|
||||||
|
carry[5] = h[5] >> 25
|
||||||
|
h[6] += carry[5]
|
||||||
|
h[5] -= carry[5] << 25
|
||||||
|
carry[6] = h[6] >> 26
|
||||||
|
h[7] += carry[6]
|
||||||
|
h[6] -= carry[6] << 26
|
||||||
|
carry[7] = h[7] >> 25
|
||||||
|
h[8] += carry[7]
|
||||||
|
h[7] -= carry[7] << 25
|
||||||
|
carry[8] = h[8] >> 26
|
||||||
|
h[9] += carry[8]
|
||||||
|
h[8] -= carry[8] << 26
|
||||||
|
carry[9] = h[9] >> 25
|
||||||
|
h[9] -= carry[9] << 25
|
||||||
|
// h10 = carry9
|
||||||
|
|
||||||
|
// Goal: Output h[0]+...+2^255 h10-2^255 q, which is between 0 and 2^255-20.
|
||||||
|
// Have h[0]+...+2^230 h[9] between 0 and 2^255-1;
|
||||||
|
// evidently 2^255 h10-2^255 q = 0.
|
||||||
|
// Goal: Output h[0]+...+2^230 h[9].
|
||||||
|
|
||||||
|
s[0] = byte(h[0] >> 0)
|
||||||
|
s[1] = byte(h[0] >> 8)
|
||||||
|
s[2] = byte(h[0] >> 16)
|
||||||
|
s[3] = byte((h[0] >> 24) | (h[1] << 2))
|
||||||
|
s[4] = byte(h[1] >> 6)
|
||||||
|
s[5] = byte(h[1] >> 14)
|
||||||
|
s[6] = byte((h[1] >> 22) | (h[2] << 3))
|
||||||
|
s[7] = byte(h[2] >> 5)
|
||||||
|
s[8] = byte(h[2] >> 13)
|
||||||
|
s[9] = byte((h[2] >> 21) | (h[3] << 5))
|
||||||
|
s[10] = byte(h[3] >> 3)
|
||||||
|
s[11] = byte(h[3] >> 11)
|
||||||
|
s[12] = byte((h[3] >> 19) | (h[4] << 6))
|
||||||
|
s[13] = byte(h[4] >> 2)
|
||||||
|
s[14] = byte(h[4] >> 10)
|
||||||
|
s[15] = byte(h[4] >> 18)
|
||||||
|
s[16] = byte(h[5] >> 0)
|
||||||
|
s[17] = byte(h[5] >> 8)
|
||||||
|
s[18] = byte(h[5] >> 16)
|
||||||
|
s[19] = byte((h[5] >> 24) | (h[6] << 1))
|
||||||
|
s[20] = byte(h[6] >> 7)
|
||||||
|
s[21] = byte(h[6] >> 15)
|
||||||
|
s[22] = byte((h[6] >> 23) | (h[7] << 3))
|
||||||
|
s[23] = byte(h[7] >> 5)
|
||||||
|
s[24] = byte(h[7] >> 13)
|
||||||
|
s[25] = byte((h[7] >> 21) | (h[8] << 4))
|
||||||
|
s[26] = byte(h[8] >> 4)
|
||||||
|
s[27] = byte(h[8] >> 12)
|
||||||
|
s[28] = byte((h[8] >> 20) | (h[9] << 6))
|
||||||
|
s[29] = byte(h[9] >> 2)
|
||||||
|
s[30] = byte(h[9] >> 10)
|
||||||
|
s[31] = byte(h[9] >> 18)
|
||||||
|
}
|
||||||
|
|
||||||
|
// feMul calculates h = f * g
|
||||||
|
// Can overlap h with f or g.
|
||||||
|
//
|
||||||
|
// Preconditions:
|
||||||
|
// |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
|
||||||
|
// |g| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
|
||||||
|
//
|
||||||
|
// Postconditions:
|
||||||
|
// |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
|
||||||
|
//
|
||||||
|
// Notes on implementation strategy:
|
||||||
|
//
|
||||||
|
// Using schoolbook multiplication.
|
||||||
|
// Karatsuba would save a little in some cost models.
|
||||||
|
//
|
||||||
|
// Most multiplications by 2 and 19 are 32-bit precomputations;
|
||||||
|
// cheaper than 64-bit postcomputations.
|
||||||
|
//
|
||||||
|
// There is one remaining multiplication by 19 in the carry chain;
|
||||||
|
// one *19 precomputation can be merged into this,
|
||||||
|
// but the resulting data flow is considerably less clean.
|
||||||
|
//
|
||||||
|
// There are 12 carries below.
|
||||||
|
// 10 of them are 2-way parallelizable and vectorizable.
|
||||||
|
// Can get away with 11 carries, but then data flow is much deeper.
|
||||||
|
//
|
||||||
|
// With tighter constraints on inputs can squeeze carries into int32.
|
||||||
|
func feMul(h, f, g *fieldElement) {
|
||||||
|
f0 := f[0]
|
||||||
|
f1 := f[1]
|
||||||
|
f2 := f[2]
|
||||||
|
f3 := f[3]
|
||||||
|
f4 := f[4]
|
||||||
|
f5 := f[5]
|
||||||
|
f6 := f[6]
|
||||||
|
f7 := f[7]
|
||||||
|
f8 := f[8]
|
||||||
|
f9 := f[9]
|
||||||
|
g0 := g[0]
|
||||||
|
g1 := g[1]
|
||||||
|
g2 := g[2]
|
||||||
|
g3 := g[3]
|
||||||
|
g4 := g[4]
|
||||||
|
g5 := g[5]
|
||||||
|
g6 := g[6]
|
||||||
|
g7 := g[7]
|
||||||
|
g8 := g[8]
|
||||||
|
g9 := g[9]
|
||||||
|
g1_19 := 19 * g1 // 1.4*2^29
|
||||||
|
g2_19 := 19 * g2 // 1.4*2^30; still ok
|
||||||
|
g3_19 := 19 * g3
|
||||||
|
g4_19 := 19 * g4
|
||||||
|
g5_19 := 19 * g5
|
||||||
|
g6_19 := 19 * g6
|
||||||
|
g7_19 := 19 * g7
|
||||||
|
g8_19 := 19 * g8
|
||||||
|
g9_19 := 19 * g9
|
||||||
|
f1_2 := 2 * f1
|
||||||
|
f3_2 := 2 * f3
|
||||||
|
f5_2 := 2 * f5
|
||||||
|
f7_2 := 2 * f7
|
||||||
|
f9_2 := 2 * f9
|
||||||
|
f0g0 := int64(f0) * int64(g0)
|
||||||
|
f0g1 := int64(f0) * int64(g1)
|
||||||
|
f0g2 := int64(f0) * int64(g2)
|
||||||
|
f0g3 := int64(f0) * int64(g3)
|
||||||
|
f0g4 := int64(f0) * int64(g4)
|
||||||
|
f0g5 := int64(f0) * int64(g5)
|
||||||
|
f0g6 := int64(f0) * int64(g6)
|
||||||
|
f0g7 := int64(f0) * int64(g7)
|
||||||
|
f0g8 := int64(f0) * int64(g8)
|
||||||
|
f0g9 := int64(f0) * int64(g9)
|
||||||
|
f1g0 := int64(f1) * int64(g0)
|
||||||
|
f1g1_2 := int64(f1_2) * int64(g1)
|
||||||
|
f1g2 := int64(f1) * int64(g2)
|
||||||
|
f1g3_2 := int64(f1_2) * int64(g3)
|
||||||
|
f1g4 := int64(f1) * int64(g4)
|
||||||
|
f1g5_2 := int64(f1_2) * int64(g5)
|
||||||
|
f1g6 := int64(f1) * int64(g6)
|
||||||
|
f1g7_2 := int64(f1_2) * int64(g7)
|
||||||
|
f1g8 := int64(f1) * int64(g8)
|
||||||
|
f1g9_38 := int64(f1_2) * int64(g9_19)
|
||||||
|
f2g0 := int64(f2) * int64(g0)
|
||||||
|
f2g1 := int64(f2) * int64(g1)
|
||||||
|
f2g2 := int64(f2) * int64(g2)
|
||||||
|
f2g3 := int64(f2) * int64(g3)
|
||||||
|
f2g4 := int64(f2) * int64(g4)
|
||||||
|
f2g5 := int64(f2) * int64(g5)
|
||||||
|
f2g6 := int64(f2) * int64(g6)
|
||||||
|
f2g7 := int64(f2) * int64(g7)
|
||||||
|
f2g8_19 := int64(f2) * int64(g8_19)
|
||||||
|
f2g9_19 := int64(f2) * int64(g9_19)
|
||||||
|
f3g0 := int64(f3) * int64(g0)
|
||||||
|
f3g1_2 := int64(f3_2) * int64(g1)
|
||||||
|
f3g2 := int64(f3) * int64(g2)
|
||||||
|
f3g3_2 := int64(f3_2) * int64(g3)
|
||||||
|
f3g4 := int64(f3) * int64(g4)
|
||||||
|
f3g5_2 := int64(f3_2) * int64(g5)
|
||||||
|
f3g6 := int64(f3) * int64(g6)
|
||||||
|
f3g7_38 := int64(f3_2) * int64(g7_19)
|
||||||
|
f3g8_19 := int64(f3) * int64(g8_19)
|
||||||
|
f3g9_38 := int64(f3_2) * int64(g9_19)
|
||||||
|
f4g0 := int64(f4) * int64(g0)
|
||||||
|
f4g1 := int64(f4) * int64(g1)
|
||||||
|
f4g2 := int64(f4) * int64(g2)
|
||||||
|
f4g3 := int64(f4) * int64(g3)
|
||||||
|
f4g4 := int64(f4) * int64(g4)
|
||||||
|
f4g5 := int64(f4) * int64(g5)
|
||||||
|
f4g6_19 := int64(f4) * int64(g6_19)
|
||||||
|
f4g7_19 := int64(f4) * int64(g7_19)
|
||||||
|
f4g8_19 := int64(f4) * int64(g8_19)
|
||||||
|
f4g9_19 := int64(f4) * int64(g9_19)
|
||||||
|
f5g0 := int64(f5) * int64(g0)
|
||||||
|
f5g1_2 := int64(f5_2) * int64(g1)
|
||||||
|
f5g2 := int64(f5) * int64(g2)
|
||||||
|
f5g3_2 := int64(f5_2) * int64(g3)
|
||||||
|
f5g4 := int64(f5) * int64(g4)
|
||||||
|
f5g5_38 := int64(f5_2) * int64(g5_19)
|
||||||
|
f5g6_19 := int64(f5) * int64(g6_19)
|
||||||
|
f5g7_38 := int64(f5_2) * int64(g7_19)
|
||||||
|
f5g8_19 := int64(f5) * int64(g8_19)
|
||||||
|
f5g9_38 := int64(f5_2) * int64(g9_19)
|
||||||
|
f6g0 := int64(f6) * int64(g0)
|
||||||
|
f6g1 := int64(f6) * int64(g1)
|
||||||
|
f6g2 := int64(f6) * int64(g2)
|
||||||
|
f6g3 := int64(f6) * int64(g3)
|
||||||
|
f6g4_19 := int64(f6) * int64(g4_19)
|
||||||
|
f6g5_19 := int64(f6) * int64(g5_19)
|
||||||
|
f6g6_19 := int64(f6) * int64(g6_19)
|
||||||
|
f6g7_19 := int64(f6) * int64(g7_19)
|
||||||
|
f6g8_19 := int64(f6) * int64(g8_19)
|
||||||
|
f6g9_19 := int64(f6) * int64(g9_19)
|
||||||
|
f7g0 := int64(f7) * int64(g0)
|
||||||
|
f7g1_2 := int64(f7_2) * int64(g1)
|
||||||
|
f7g2 := int64(f7) * int64(g2)
|
||||||
|
f7g3_38 := int64(f7_2) * int64(g3_19)
|
||||||
|
f7g4_19 := int64(f7) * int64(g4_19)
|
||||||
|
f7g5_38 := int64(f7_2) * int64(g5_19)
|
||||||
|
f7g6_19 := int64(f7) * int64(g6_19)
|
||||||
|
f7g7_38 := int64(f7_2) * int64(g7_19)
|
||||||
|
f7g8_19 := int64(f7) * int64(g8_19)
|
||||||
|
f7g9_38 := int64(f7_2) * int64(g9_19)
|
||||||
|
f8g0 := int64(f8) * int64(g0)
|
||||||
|
f8g1 := int64(f8) * int64(g1)
|
||||||
|
f8g2_19 := int64(f8) * int64(g2_19)
|
||||||
|
f8g3_19 := int64(f8) * int64(g3_19)
|
||||||
|
f8g4_19 := int64(f8) * int64(g4_19)
|
||||||
|
f8g5_19 := int64(f8) * int64(g5_19)
|
||||||
|
f8g6_19 := int64(f8) * int64(g6_19)
|
||||||
|
f8g7_19 := int64(f8) * int64(g7_19)
|
||||||
|
f8g8_19 := int64(f8) * int64(g8_19)
|
||||||
|
f8g9_19 := int64(f8) * int64(g9_19)
|
||||||
|
f9g0 := int64(f9) * int64(g0)
|
||||||
|
f9g1_38 := int64(f9_2) * int64(g1_19)
|
||||||
|
f9g2_19 := int64(f9) * int64(g2_19)
|
||||||
|
f9g3_38 := int64(f9_2) * int64(g3_19)
|
||||||
|
f9g4_19 := int64(f9) * int64(g4_19)
|
||||||
|
f9g5_38 := int64(f9_2) * int64(g5_19)
|
||||||
|
f9g6_19 := int64(f9) * int64(g6_19)
|
||||||
|
f9g7_38 := int64(f9_2) * int64(g7_19)
|
||||||
|
f9g8_19 := int64(f9) * int64(g8_19)
|
||||||
|
f9g9_38 := int64(f9_2) * int64(g9_19)
|
||||||
|
h0 := f0g0 + f1g9_38 + f2g8_19 + f3g7_38 + f4g6_19 + f5g5_38 + f6g4_19 + f7g3_38 + f8g2_19 + f9g1_38
|
||||||
|
h1 := f0g1 + f1g0 + f2g9_19 + f3g8_19 + f4g7_19 + f5g6_19 + f6g5_19 + f7g4_19 + f8g3_19 + f9g2_19
|
||||||
|
h2 := f0g2 + f1g1_2 + f2g0 + f3g9_38 + f4g8_19 + f5g7_38 + f6g6_19 + f7g5_38 + f8g4_19 + f9g3_38
|
||||||
|
h3 := f0g3 + f1g2 + f2g1 + f3g0 + f4g9_19 + f5g8_19 + f6g7_19 + f7g6_19 + f8g5_19 + f9g4_19
|
||||||
|
h4 := f0g4 + f1g3_2 + f2g2 + f3g1_2 + f4g0 + f5g9_38 + f6g8_19 + f7g7_38 + f8g6_19 + f9g5_38
|
||||||
|
h5 := f0g5 + f1g4 + f2g3 + f3g2 + f4g1 + f5g0 + f6g9_19 + f7g8_19 + f8g7_19 + f9g6_19
|
||||||
|
h6 := f0g6 + f1g5_2 + f2g4 + f3g3_2 + f4g2 + f5g1_2 + f6g0 + f7g9_38 + f8g8_19 + f9g7_38
|
||||||
|
h7 := f0g7 + f1g6 + f2g5 + f3g4 + f4g3 + f5g2 + f6g1 + f7g0 + f8g9_19 + f9g8_19
|
||||||
|
h8 := f0g8 + f1g7_2 + f2g6 + f3g5_2 + f4g4 + f5g3_2 + f6g2 + f7g1_2 + f8g0 + f9g9_38
|
||||||
|
h9 := f0g9 + f1g8 + f2g7 + f3g6 + f4g5 + f5g4 + f6g3 + f7g2 + f8g1 + f9g0
|
||||||
|
var carry [10]int64
|
||||||
|
|
||||||
|
// |h0| <= (1.1*1.1*2^52*(1+19+19+19+19)+1.1*1.1*2^50*(38+38+38+38+38))
|
||||||
|
// i.e. |h0| <= 1.2*2^59; narrower ranges for h2, h4, h6, h8
|
||||||
|
// |h1| <= (1.1*1.1*2^51*(1+1+19+19+19+19+19+19+19+19))
|
||||||
|
// i.e. |h1| <= 1.5*2^58; narrower ranges for h3, h5, h7, h9
|
||||||
|
|
||||||
|
carry[0] = (h0 + (1 << 25)) >> 26
|
||||||
|
h1 += carry[0]
|
||||||
|
h0 -= carry[0] << 26
|
||||||
|
carry[4] = (h4 + (1 << 25)) >> 26
|
||||||
|
h5 += carry[4]
|
||||||
|
h4 -= carry[4] << 26
|
||||||
|
// |h0| <= 2^25
|
||||||
|
// |h4| <= 2^25
|
||||||
|
// |h1| <= 1.51*2^58
|
||||||
|
// |h5| <= 1.51*2^58
|
||||||
|
|
||||||
|
carry[1] = (h1 + (1 << 24)) >> 25
|
||||||
|
h2 += carry[1]
|
||||||
|
h1 -= carry[1] << 25
|
||||||
|
carry[5] = (h5 + (1 << 24)) >> 25
|
||||||
|
h6 += carry[5]
|
||||||
|
h5 -= carry[5] << 25
|
||||||
|
// |h1| <= 2^24; from now on fits into int32
|
||||||
|
// |h5| <= 2^24; from now on fits into int32
|
||||||
|
// |h2| <= 1.21*2^59
|
||||||
|
// |h6| <= 1.21*2^59
|
||||||
|
|
||||||
|
carry[2] = (h2 + (1 << 25)) >> 26
|
||||||
|
h3 += carry[2]
|
||||||
|
h2 -= carry[2] << 26
|
||||||
|
carry[6] = (h6 + (1 << 25)) >> 26
|
||||||
|
h7 += carry[6]
|
||||||
|
h6 -= carry[6] << 26
|
||||||
|
// |h2| <= 2^25; from now on fits into int32 unchanged
|
||||||
|
// |h6| <= 2^25; from now on fits into int32 unchanged
|
||||||
|
// |h3| <= 1.51*2^58
|
||||||
|
// |h7| <= 1.51*2^58
|
||||||
|
|
||||||
|
carry[3] = (h3 + (1 << 24)) >> 25
|
||||||
|
h4 += carry[3]
|
||||||
|
h3 -= carry[3] << 25
|
||||||
|
carry[7] = (h7 + (1 << 24)) >> 25
|
||||||
|
h8 += carry[7]
|
||||||
|
h7 -= carry[7] << 25
|
||||||
|
// |h3| <= 2^24; from now on fits into int32 unchanged
|
||||||
|
// |h7| <= 2^24; from now on fits into int32 unchanged
|
||||||
|
// |h4| <= 1.52*2^33
|
||||||
|
// |h8| <= 1.52*2^33
|
||||||
|
|
||||||
|
carry[4] = (h4 + (1 << 25)) >> 26
|
||||||
|
h5 += carry[4]
|
||||||
|
h4 -= carry[4] << 26
|
||||||
|
carry[8] = (h8 + (1 << 25)) >> 26
|
||||||
|
h9 += carry[8]
|
||||||
|
h8 -= carry[8] << 26
|
||||||
|
// |h4| <= 2^25; from now on fits into int32 unchanged
|
||||||
|
// |h8| <= 2^25; from now on fits into int32 unchanged
|
||||||
|
// |h5| <= 1.01*2^24
|
||||||
|
// |h9| <= 1.51*2^58
|
||||||
|
|
||||||
|
carry[9] = (h9 + (1 << 24)) >> 25
|
||||||
|
h0 += carry[9] * 19
|
||||||
|
h9 -= carry[9] << 25
|
||||||
|
// |h9| <= 2^24; from now on fits into int32 unchanged
|
||||||
|
// |h0| <= 1.8*2^37
|
||||||
|
|
||||||
|
carry[0] = (h0 + (1 << 25)) >> 26
|
||||||
|
h1 += carry[0]
|
||||||
|
h0 -= carry[0] << 26
|
||||||
|
// |h0| <= 2^25; from now on fits into int32 unchanged
|
||||||
|
// |h1| <= 1.01*2^24
|
||||||
|
|
||||||
|
h[0] = int32(h0)
|
||||||
|
h[1] = int32(h1)
|
||||||
|
h[2] = int32(h2)
|
||||||
|
h[3] = int32(h3)
|
||||||
|
h[4] = int32(h4)
|
||||||
|
h[5] = int32(h5)
|
||||||
|
h[6] = int32(h6)
|
||||||
|
h[7] = int32(h7)
|
||||||
|
h[8] = int32(h8)
|
||||||
|
h[9] = int32(h9)
|
||||||
|
}
|
||||||
|
|
||||||
|
// feSquare calculates h = f*f. Can overlap h with f.
|
||||||
|
//
|
||||||
|
// Preconditions:
|
||||||
|
// |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
|
||||||
|
//
|
||||||
|
// Postconditions:
|
||||||
|
// |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
|
||||||
|
func feSquare(h, f *fieldElement) {
|
||||||
|
f0 := f[0]
|
||||||
|
f1 := f[1]
|
||||||
|
f2 := f[2]
|
||||||
|
f3 := f[3]
|
||||||
|
f4 := f[4]
|
||||||
|
f5 := f[5]
|
||||||
|
f6 := f[6]
|
||||||
|
f7 := f[7]
|
||||||
|
f8 := f[8]
|
||||||
|
f9 := f[9]
|
||||||
|
f0_2 := 2 * f0
|
||||||
|
f1_2 := 2 * f1
|
||||||
|
f2_2 := 2 * f2
|
||||||
|
f3_2 := 2 * f3
|
||||||
|
f4_2 := 2 * f4
|
||||||
|
f5_2 := 2 * f5
|
||||||
|
f6_2 := 2 * f6
|
||||||
|
f7_2 := 2 * f7
|
||||||
|
f5_38 := 38 * f5 // 1.31*2^30
|
||||||
|
f6_19 := 19 * f6 // 1.31*2^30
|
||||||
|
f7_38 := 38 * f7 // 1.31*2^30
|
||||||
|
f8_19 := 19 * f8 // 1.31*2^30
|
||||||
|
f9_38 := 38 * f9 // 1.31*2^30
|
||||||
|
f0f0 := int64(f0) * int64(f0)
|
||||||
|
f0f1_2 := int64(f0_2) * int64(f1)
|
||||||
|
f0f2_2 := int64(f0_2) * int64(f2)
|
||||||
|
f0f3_2 := int64(f0_2) * int64(f3)
|
||||||
|
f0f4_2 := int64(f0_2) * int64(f4)
|
||||||
|
f0f5_2 := int64(f0_2) * int64(f5)
|
||||||
|
f0f6_2 := int64(f0_2) * int64(f6)
|
||||||
|
f0f7_2 := int64(f0_2) * int64(f7)
|
||||||
|
f0f8_2 := int64(f0_2) * int64(f8)
|
||||||
|
f0f9_2 := int64(f0_2) * int64(f9)
|
||||||
|
f1f1_2 := int64(f1_2) * int64(f1)
|
||||||
|
f1f2_2 := int64(f1_2) * int64(f2)
|
||||||
|
f1f3_4 := int64(f1_2) * int64(f3_2)
|
||||||
|
f1f4_2 := int64(f1_2) * int64(f4)
|
||||||
|
f1f5_4 := int64(f1_2) * int64(f5_2)
|
||||||
|
f1f6_2 := int64(f1_2) * int64(f6)
|
||||||
|
f1f7_4 := int64(f1_2) * int64(f7_2)
|
||||||
|
f1f8_2 := int64(f1_2) * int64(f8)
|
||||||
|
f1f9_76 := int64(f1_2) * int64(f9_38)
|
||||||
|
f2f2 := int64(f2) * int64(f2)
|
||||||
|
f2f3_2 := int64(f2_2) * int64(f3)
|
||||||
|
f2f4_2 := int64(f2_2) * int64(f4)
|
||||||
|
f2f5_2 := int64(f2_2) * int64(f5)
|
||||||
|
f2f6_2 := int64(f2_2) * int64(f6)
|
||||||
|
f2f7_2 := int64(f2_2) * int64(f7)
|
||||||
|
f2f8_38 := int64(f2_2) * int64(f8_19)
|
||||||
|
f2f9_38 := int64(f2) * int64(f9_38)
|
||||||
|
f3f3_2 := int64(f3_2) * int64(f3)
|
||||||
|
f3f4_2 := int64(f3_2) * int64(f4)
|
||||||
|
f3f5_4 := int64(f3_2) * int64(f5_2)
|
||||||
|
f3f6_2 := int64(f3_2) * int64(f6)
|
||||||
|
f3f7_76 := int64(f3_2) * int64(f7_38)
|
||||||
|
f3f8_38 := int64(f3_2) * int64(f8_19)
|
||||||
|
f3f9_76 := int64(f3_2) * int64(f9_38)
|
||||||
|
f4f4 := int64(f4) * int64(f4)
|
||||||
|
f4f5_2 := int64(f4_2) * int64(f5)
|
||||||
|
f4f6_38 := int64(f4_2) * int64(f6_19)
|
||||||
|
f4f7_38 := int64(f4) * int64(f7_38)
|
||||||
|
f4f8_38 := int64(f4_2) * int64(f8_19)
|
||||||
|
f4f9_38 := int64(f4) * int64(f9_38)
|
||||||
|
f5f5_38 := int64(f5) * int64(f5_38)
|
||||||
|
f5f6_38 := int64(f5_2) * int64(f6_19)
|
||||||
|
f5f7_76 := int64(f5_2) * int64(f7_38)
|
||||||
|
f5f8_38 := int64(f5_2) * int64(f8_19)
|
||||||
|
f5f9_76 := int64(f5_2) * int64(f9_38)
|
||||||
|
f6f6_19 := int64(f6) * int64(f6_19)
|
||||||
|
f6f7_38 := int64(f6) * int64(f7_38)
|
||||||
|
f6f8_38 := int64(f6_2) * int64(f8_19)
|
||||||
|
f6f9_38 := int64(f6) * int64(f9_38)
|
||||||
|
f7f7_38 := int64(f7) * int64(f7_38)
|
||||||
|
f7f8_38 := int64(f7_2) * int64(f8_19)
|
||||||
|
f7f9_76 := int64(f7_2) * int64(f9_38)
|
||||||
|
f8f8_19 := int64(f8) * int64(f8_19)
|
||||||
|
f8f9_38 := int64(f8) * int64(f9_38)
|
||||||
|
f9f9_38 := int64(f9) * int64(f9_38)
|
||||||
|
h0 := f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38
|
||||||
|
h1 := f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38
|
||||||
|
h2 := f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19
|
||||||
|
h3 := f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38
|
||||||
|
h4 := f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38
|
||||||
|
h5 := f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38
|
||||||
|
h6 := f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19
|
||||||
|
h7 := f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38
|
||||||
|
h8 := f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38
|
||||||
|
h9 := f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2
|
||||||
|
var carry [10]int64
|
||||||
|
|
||||||
|
carry[0] = (h0 + (1 << 25)) >> 26
|
||||||
|
h1 += carry[0]
|
||||||
|
h0 -= carry[0] << 26
|
||||||
|
carry[4] = (h4 + (1 << 25)) >> 26
|
||||||
|
h5 += carry[4]
|
||||||
|
h4 -= carry[4] << 26
|
||||||
|
|
||||||
|
carry[1] = (h1 + (1 << 24)) >> 25
|
||||||
|
h2 += carry[1]
|
||||||
|
h1 -= carry[1] << 25
|
||||||
|
carry[5] = (h5 + (1 << 24)) >> 25
|
||||||
|
h6 += carry[5]
|
||||||
|
h5 -= carry[5] << 25
|
||||||
|
|
||||||
|
carry[2] = (h2 + (1 << 25)) >> 26
|
||||||
|
h3 += carry[2]
|
||||||
|
h2 -= carry[2] << 26
|
||||||
|
carry[6] = (h6 + (1 << 25)) >> 26
|
||||||
|
h7 += carry[6]
|
||||||
|
h6 -= carry[6] << 26
|
||||||
|
|
||||||
|
carry[3] = (h3 + (1 << 24)) >> 25
|
||||||
|
h4 += carry[3]
|
||||||
|
h3 -= carry[3] << 25
|
||||||
|
carry[7] = (h7 + (1 << 24)) >> 25
|
||||||
|
h8 += carry[7]
|
||||||
|
h7 -= carry[7] << 25
|
||||||
|
|
||||||
|
carry[4] = (h4 + (1 << 25)) >> 26
|
||||||
|
h5 += carry[4]
|
||||||
|
h4 -= carry[4] << 26
|
||||||
|
carry[8] = (h8 + (1 << 25)) >> 26
|
||||||
|
h9 += carry[8]
|
||||||
|
h8 -= carry[8] << 26
|
||||||
|
|
||||||
|
carry[9] = (h9 + (1 << 24)) >> 25
|
||||||
|
h0 += carry[9] * 19
|
||||||
|
h9 -= carry[9] << 25
|
||||||
|
|
||||||
|
carry[0] = (h0 + (1 << 25)) >> 26
|
||||||
|
h1 += carry[0]
|
||||||
|
h0 -= carry[0] << 26
|
||||||
|
|
||||||
|
h[0] = int32(h0)
|
||||||
|
h[1] = int32(h1)
|
||||||
|
h[2] = int32(h2)
|
||||||
|
h[3] = int32(h3)
|
||||||
|
h[4] = int32(h4)
|
||||||
|
h[5] = int32(h5)
|
||||||
|
h[6] = int32(h6)
|
||||||
|
h[7] = int32(h7)
|
||||||
|
h[8] = int32(h8)
|
||||||
|
h[9] = int32(h9)
|
||||||
|
}
|
||||||
|
|
||||||
|
// feMul121666 calculates h = f * 121666. Can overlap h with f.
|
||||||
|
//
|
||||||
|
// Preconditions:
|
||||||
|
// |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
|
||||||
|
//
|
||||||
|
// Postconditions:
|
||||||
|
// |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
|
||||||
|
func feMul121666(h, f *fieldElement) {
|
||||||
|
h0 := int64(f[0]) * 121666
|
||||||
|
h1 := int64(f[1]) * 121666
|
||||||
|
h2 := int64(f[2]) * 121666
|
||||||
|
h3 := int64(f[3]) * 121666
|
||||||
|
h4 := int64(f[4]) * 121666
|
||||||
|
h5 := int64(f[5]) * 121666
|
||||||
|
h6 := int64(f[6]) * 121666
|
||||||
|
h7 := int64(f[7]) * 121666
|
||||||
|
h8 := int64(f[8]) * 121666
|
||||||
|
h9 := int64(f[9]) * 121666
|
||||||
|
var carry [10]int64
|
||||||
|
|
||||||
|
carry[9] = (h9 + (1 << 24)) >> 25
|
||||||
|
h0 += carry[9] * 19
|
||||||
|
h9 -= carry[9] << 25
|
||||||
|
carry[1] = (h1 + (1 << 24)) >> 25
|
||||||
|
h2 += carry[1]
|
||||||
|
h1 -= carry[1] << 25
|
||||||
|
carry[3] = (h3 + (1 << 24)) >> 25
|
||||||
|
h4 += carry[3]
|
||||||
|
h3 -= carry[3] << 25
|
||||||
|
carry[5] = (h5 + (1 << 24)) >> 25
|
||||||
|
h6 += carry[5]
|
||||||
|
h5 -= carry[5] << 25
|
||||||
|
carry[7] = (h7 + (1 << 24)) >> 25
|
||||||
|
h8 += carry[7]
|
||||||
|
h7 -= carry[7] << 25
|
||||||
|
|
||||||
|
carry[0] = (h0 + (1 << 25)) >> 26
|
||||||
|
h1 += carry[0]
|
||||||
|
h0 -= carry[0] << 26
|
||||||
|
carry[2] = (h2 + (1 << 25)) >> 26
|
||||||
|
h3 += carry[2]
|
||||||
|
h2 -= carry[2] << 26
|
||||||
|
carry[4] = (h4 + (1 << 25)) >> 26
|
||||||
|
h5 += carry[4]
|
||||||
|
h4 -= carry[4] << 26
|
||||||
|
carry[6] = (h6 + (1 << 25)) >> 26
|
||||||
|
h7 += carry[6]
|
||||||
|
h6 -= carry[6] << 26
|
||||||
|
carry[8] = (h8 + (1 << 25)) >> 26
|
||||||
|
h9 += carry[8]
|
||||||
|
h8 -= carry[8] << 26
|
||||||
|
|
||||||
|
h[0] = int32(h0)
|
||||||
|
h[1] = int32(h1)
|
||||||
|
h[2] = int32(h2)
|
||||||
|
h[3] = int32(h3)
|
||||||
|
h[4] = int32(h4)
|
||||||
|
h[5] = int32(h5)
|
||||||
|
h[6] = int32(h6)
|
||||||
|
h[7] = int32(h7)
|
||||||
|
h[8] = int32(h8)
|
||||||
|
h[9] = int32(h9)
|
||||||
|
}
|
||||||
|
|
||||||
|
// feInvert sets out = z^-1.
|
||||||
|
func feInvert(out, z *fieldElement) {
|
||||||
|
var t0, t1, t2, t3 fieldElement
|
||||||
|
var i int
|
||||||
|
|
||||||
|
feSquare(&t0, z)
|
||||||
|
for i = 1; i < 1; i++ {
|
||||||
|
feSquare(&t0, &t0)
|
||||||
|
}
|
||||||
|
feSquare(&t1, &t0)
|
||||||
|
for i = 1; i < 2; i++ {
|
||||||
|
feSquare(&t1, &t1)
|
||||||
|
}
|
||||||
|
feMul(&t1, z, &t1)
|
||||||
|
feMul(&t0, &t0, &t1)
|
||||||
|
feSquare(&t2, &t0)
|
||||||
|
for i = 1; i < 1; i++ {
|
||||||
|
feSquare(&t2, &t2)
|
||||||
|
}
|
||||||
|
feMul(&t1, &t1, &t2)
|
||||||
|
feSquare(&t2, &t1)
|
||||||
|
for i = 1; i < 5; i++ {
|
||||||
|
feSquare(&t2, &t2)
|
||||||
|
}
|
||||||
|
feMul(&t1, &t2, &t1)
|
||||||
|
feSquare(&t2, &t1)
|
||||||
|
for i = 1; i < 10; i++ {
|
||||||
|
feSquare(&t2, &t2)
|
||||||
|
}
|
||||||
|
feMul(&t2, &t2, &t1)
|
||||||
|
feSquare(&t3, &t2)
|
||||||
|
for i = 1; i < 20; i++ {
|
||||||
|
feSquare(&t3, &t3)
|
||||||
|
}
|
||||||
|
feMul(&t2, &t3, &t2)
|
||||||
|
feSquare(&t2, &t2)
|
||||||
|
for i = 1; i < 10; i++ {
|
||||||
|
feSquare(&t2, &t2)
|
||||||
|
}
|
||||||
|
feMul(&t1, &t2, &t1)
|
||||||
|
feSquare(&t2, &t1)
|
||||||
|
for i = 1; i < 50; i++ {
|
||||||
|
feSquare(&t2, &t2)
|
||||||
|
}
|
||||||
|
feMul(&t2, &t2, &t1)
|
||||||
|
feSquare(&t3, &t2)
|
||||||
|
for i = 1; i < 100; i++ {
|
||||||
|
feSquare(&t3, &t3)
|
||||||
|
}
|
||||||
|
feMul(&t2, &t3, &t2)
|
||||||
|
feSquare(&t2, &t2)
|
||||||
|
for i = 1; i < 50; i++ {
|
||||||
|
feSquare(&t2, &t2)
|
||||||
|
}
|
||||||
|
feMul(&t1, &t2, &t1)
|
||||||
|
feSquare(&t1, &t1)
|
||||||
|
for i = 1; i < 5; i++ {
|
||||||
|
feSquare(&t1, &t1)
|
||||||
|
}
|
||||||
|
feMul(out, &t1, &t0)
|
||||||
|
}
|
||||||
|
|
||||||
|
func scalarMult(out, in, base *[32]byte) {
|
||||||
|
var e [32]byte
|
||||||
|
|
||||||
|
copy(e[:], in[:])
|
||||||
|
e[0] &= 248
|
||||||
|
e[31] &= 127
|
||||||
|
e[31] |= 64
|
||||||
|
|
||||||
|
var x1, x2, z2, x3, z3, tmp0, tmp1 fieldElement
|
||||||
|
feFromBytes(&x1, base)
|
||||||
|
feOne(&x2)
|
||||||
|
feCopy(&x3, &x1)
|
||||||
|
feOne(&z3)
|
||||||
|
|
||||||
|
swap := int32(0)
|
||||||
|
for pos := 254; pos >= 0; pos-- {
|
||||||
|
b := e[pos/8] >> uint(pos&7)
|
||||||
|
b &= 1
|
||||||
|
swap ^= int32(b)
|
||||||
|
feCSwap(&x2, &x3, swap)
|
||||||
|
feCSwap(&z2, &z3, swap)
|
||||||
|
swap = int32(b)
|
||||||
|
|
||||||
|
feSub(&tmp0, &x3, &z3)
|
||||||
|
feSub(&tmp1, &x2, &z2)
|
||||||
|
feAdd(&x2, &x2, &z2)
|
||||||
|
feAdd(&z2, &x3, &z3)
|
||||||
|
feMul(&z3, &tmp0, &x2)
|
||||||
|
feMul(&z2, &z2, &tmp1)
|
||||||
|
feSquare(&tmp0, &tmp1)
|
||||||
|
feSquare(&tmp1, &x2)
|
||||||
|
feAdd(&x3, &z3, &z2)
|
||||||
|
feSub(&z2, &z3, &z2)
|
||||||
|
feMul(&x2, &tmp1, &tmp0)
|
||||||
|
feSub(&tmp1, &tmp1, &tmp0)
|
||||||
|
feSquare(&z2, &z2)
|
||||||
|
feMul121666(&z3, &tmp1)
|
||||||
|
feSquare(&x3, &x3)
|
||||||
|
feAdd(&tmp0, &tmp0, &z3)
|
||||||
|
feMul(&z3, &x1, &z2)
|
||||||
|
feMul(&z2, &tmp1, &tmp0)
|
||||||
|
}
|
||||||
|
|
||||||
|
feCSwap(&x2, &x3, swap)
|
||||||
|
feCSwap(&z2, &z3, swap)
|
||||||
|
|
||||||
|
feInvert(&z2, &z2)
|
||||||
|
feMul(&x2, &x2, &z2)
|
||||||
|
feToBytes(out, &x2)
|
||||||
|
}
|
113
vendor/github.com/keybase/go-crypto/curve25519/curve_impl.go
generated
vendored
Normal file
113
vendor/github.com/keybase/go-crypto/curve25519/curve_impl.go
generated
vendored
Normal file
@ -0,0 +1,113 @@
|
|||||||
|
package curve25519
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/elliptic"
|
||||||
|
"math/big"
|
||||||
|
"sync"
|
||||||
|
)
|
||||||
|
|
||||||
|
var cv25519 cv25519Curve
|
||||||
|
|
||||||
|
type cv25519Curve struct {
|
||||||
|
*elliptic.CurveParams
|
||||||
|
}
|
||||||
|
|
||||||
|
func copyReverse(dst []byte, src []byte) {
|
||||||
|
// Curve 25519 multiplication functions expect scalars in reverse
|
||||||
|
// order than PGP. To keep the curve25519Curve type consistent
|
||||||
|
// with other curves, we reverse it here.
|
||||||
|
for i, j := 0, len(src)-1; j >= 0; i, j = i+1, j-1 {
|
||||||
|
dst[i] = src[j]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (cv25519Curve) ScalarMult(x1, y1 *big.Int, scalar []byte) (x, y *big.Int) {
|
||||||
|
// Assume y1 is 0 with cv25519.
|
||||||
|
var dst [32]byte
|
||||||
|
var x1Bytes [32]byte
|
||||||
|
var scalarBytes [32]byte
|
||||||
|
|
||||||
|
copy(x1Bytes[:], x1.Bytes()[:32])
|
||||||
|
copyReverse(scalarBytes[:], scalar[:32])
|
||||||
|
|
||||||
|
scalarMult(&dst, &scalarBytes, &x1Bytes)
|
||||||
|
|
||||||
|
x = new(big.Int).SetBytes(dst[:])
|
||||||
|
y = new(big.Int)
|
||||||
|
return x, y
|
||||||
|
}
|
||||||
|
|
||||||
|
func (cv25519Curve) ScalarBaseMult(scalar []byte) (x, y *big.Int) {
|
||||||
|
var dst [32]byte
|
||||||
|
var scalarBytes [32]byte
|
||||||
|
copyReverse(scalarBytes[:], scalar[:32])
|
||||||
|
scalarMult(&dst, &scalarBytes, &basePoint)
|
||||||
|
x = new(big.Int).SetBytes(dst[:])
|
||||||
|
y = new(big.Int)
|
||||||
|
return x, y
|
||||||
|
}
|
||||||
|
|
||||||
|
func (cv25519Curve) IsOnCurve(bigX, bigY *big.Int) bool {
|
||||||
|
return bigY.Sign() == 0 // bigY == 0 ?
|
||||||
|
}
|
||||||
|
|
||||||
|
// More information about 0x40 point format:
|
||||||
|
// https://tools.ietf.org/html/draft-koch-eddsa-for-openpgp-00#section-3
|
||||||
|
// In addition to uncompressed point format described here:
|
||||||
|
// https://tools.ietf.org/html/rfc6637#section-6
|
||||||
|
|
||||||
|
func (cv25519Curve) MarshalType40(x, y *big.Int) []byte {
|
||||||
|
byteLen := 32
|
||||||
|
|
||||||
|
ret := make([]byte, 1+byteLen)
|
||||||
|
ret[0] = 0x40
|
||||||
|
|
||||||
|
xBytes := x.Bytes()
|
||||||
|
copy(ret[1+byteLen-len(xBytes):], xBytes)
|
||||||
|
return ret
|
||||||
|
}
|
||||||
|
|
||||||
|
func (cv25519Curve) UnmarshalType40(data []byte) (x, y *big.Int) {
|
||||||
|
if len(data) != 1+32 {
|
||||||
|
return nil, nil
|
||||||
|
}
|
||||||
|
if data[0] != 0x40 {
|
||||||
|
return nil, nil
|
||||||
|
}
|
||||||
|
x = new(big.Int).SetBytes(data[1:])
|
||||||
|
// Any x is a valid curve point.
|
||||||
|
return x, new(big.Int)
|
||||||
|
}
|
||||||
|
|
||||||
|
// ToCurve25519 casts given elliptic.Curve type to Curve25519 type, or
|
||||||
|
// returns nil, false if cast was unsuccessful.
|
||||||
|
func ToCurve25519(cv elliptic.Curve) (cv25519Curve, bool) {
|
||||||
|
cv2, ok := cv.(cv25519Curve)
|
||||||
|
return cv2, ok
|
||||||
|
}
|
||||||
|
|
||||||
|
func initCv25519() {
|
||||||
|
cv25519.CurveParams = &elliptic.CurveParams{Name: "Curve 25519"}
|
||||||
|
// Some code relies on these parameters being available for
|
||||||
|
// checking Curve coordinate length. They should not be used
|
||||||
|
// directly for any calculations.
|
||||||
|
cv25519.P, _ = new (big.Int).SetString("7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed", 16)
|
||||||
|
cv25519.N, _ = new (big.Int).SetString("1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed", 16)
|
||||||
|
cv25519.Gx, _ = new (big.Int).SetString("9", 16)
|
||||||
|
cv25519.Gy, _ = new (big.Int).SetString("20ae19a1b8a086b4e01edd2c7748d14c923d4d7e6d7c61b229e9c5a27eced3d9", 16)
|
||||||
|
cv25519.BitSize = 256
|
||||||
|
}
|
||||||
|
|
||||||
|
var initonce sync.Once
|
||||||
|
|
||||||
|
// Cv25519 returns a Curve which (partially) implements Cv25519. Only
|
||||||
|
// ScalarMult and ScalarBaseMult are valid for this curve. Add and
|
||||||
|
// Double should not be used.
|
||||||
|
func Cv25519() elliptic.Curve {
|
||||||
|
initonce.Do(initCv25519)
|
||||||
|
return cv25519
|
||||||
|
}
|
||||||
|
|
||||||
|
func (curve cv25519Curve) Params() *elliptic.CurveParams {
|
||||||
|
return curve.CurveParams
|
||||||
|
}
|
23
vendor/github.com/keybase/go-crypto/curve25519/doc.go
generated
vendored
Normal file
23
vendor/github.com/keybase/go-crypto/curve25519/doc.go
generated
vendored
Normal file
@ -0,0 +1,23 @@
|
|||||||
|
// Copyright 2012 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// Package curve25519 provides an implementation of scalar multiplication on
|
||||||
|
// the elliptic curve known as curve25519. See http://cr.yp.to/ecdh.html
|
||||||
|
package curve25519
|
||||||
|
|
||||||
|
// basePoint is the x coordinate of the generator of the curve.
|
||||||
|
var basePoint = [32]byte{9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
|
||||||
|
|
||||||
|
// ScalarMult sets dst to the product in*base where dst and base are the x
|
||||||
|
// coordinates of group points and all values are in little-endian form.
|
||||||
|
func ScalarMult(dst, in, base *[32]byte) {
|
||||||
|
scalarMult(dst, in, base)
|
||||||
|
}
|
||||||
|
|
||||||
|
// ScalarBaseMult sets dst to the product in*base where dst and base are the x
|
||||||
|
// coordinates of group points, base is the standard generator and all values
|
||||||
|
// are in little-endian form.
|
||||||
|
func ScalarBaseMult(dst, in *[32]byte) {
|
||||||
|
ScalarMult(dst, in, &basePoint)
|
||||||
|
}
|
94
vendor/github.com/keybase/go-crypto/curve25519/freeze_amd64.s
generated
vendored
Normal file
94
vendor/github.com/keybase/go-crypto/curve25519/freeze_amd64.s
generated
vendored
Normal file
@ -0,0 +1,94 @@
|
|||||||
|
// Copyright 2012 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// This code was translated into a form compatible with 6a from the public
|
||||||
|
// domain sources in SUPERCOP: http://bench.cr.yp.to/supercop.html
|
||||||
|
|
||||||
|
// +build amd64,!gccgo,!appengine
|
||||||
|
|
||||||
|
// func freeze(inout *[5]uint64)
|
||||||
|
TEXT ·freeze(SB),7,$96-8
|
||||||
|
MOVQ inout+0(FP), DI
|
||||||
|
|
||||||
|
MOVQ SP,R11
|
||||||
|
MOVQ $31,CX
|
||||||
|
NOTQ CX
|
||||||
|
ANDQ CX,SP
|
||||||
|
ADDQ $32,SP
|
||||||
|
|
||||||
|
MOVQ R11,0(SP)
|
||||||
|
MOVQ R12,8(SP)
|
||||||
|
MOVQ R13,16(SP)
|
||||||
|
MOVQ R14,24(SP)
|
||||||
|
MOVQ R15,32(SP)
|
||||||
|
MOVQ BX,40(SP)
|
||||||
|
MOVQ BP,48(SP)
|
||||||
|
MOVQ 0(DI),SI
|
||||||
|
MOVQ 8(DI),DX
|
||||||
|
MOVQ 16(DI),CX
|
||||||
|
MOVQ 24(DI),R8
|
||||||
|
MOVQ 32(DI),R9
|
||||||
|
MOVQ ·REDMASK51(SB),AX
|
||||||
|
MOVQ AX,R10
|
||||||
|
SUBQ $18,R10
|
||||||
|
MOVQ $3,R11
|
||||||
|
REDUCELOOP:
|
||||||
|
MOVQ SI,R12
|
||||||
|
SHRQ $51,R12
|
||||||
|
ANDQ AX,SI
|
||||||
|
ADDQ R12,DX
|
||||||
|
MOVQ DX,R12
|
||||||
|
SHRQ $51,R12
|
||||||
|
ANDQ AX,DX
|
||||||
|
ADDQ R12,CX
|
||||||
|
MOVQ CX,R12
|
||||||
|
SHRQ $51,R12
|
||||||
|
ANDQ AX,CX
|
||||||
|
ADDQ R12,R8
|
||||||
|
MOVQ R8,R12
|
||||||
|
SHRQ $51,R12
|
||||||
|
ANDQ AX,R8
|
||||||
|
ADDQ R12,R9
|
||||||
|
MOVQ R9,R12
|
||||||
|
SHRQ $51,R12
|
||||||
|
ANDQ AX,R9
|
||||||
|
IMUL3Q $19,R12,R12
|
||||||
|
ADDQ R12,SI
|
||||||
|
SUBQ $1,R11
|
||||||
|
JA REDUCELOOP
|
||||||
|
MOVQ $1,R12
|
||||||
|
CMPQ R10,SI
|
||||||
|
CMOVQLT R11,R12
|
||||||
|
CMPQ AX,DX
|
||||||
|
CMOVQNE R11,R12
|
||||||
|
CMPQ AX,CX
|
||||||
|
CMOVQNE R11,R12
|
||||||
|
CMPQ AX,R8
|
||||||
|
CMOVQNE R11,R12
|
||||||
|
CMPQ AX,R9
|
||||||
|
CMOVQNE R11,R12
|
||||||
|
NEGQ R12
|
||||||
|
ANDQ R12,AX
|
||||||
|
ANDQ R12,R10
|
||||||
|
SUBQ R10,SI
|
||||||
|
SUBQ AX,DX
|
||||||
|
SUBQ AX,CX
|
||||||
|
SUBQ AX,R8
|
||||||
|
SUBQ AX,R9
|
||||||
|
MOVQ SI,0(DI)
|
||||||
|
MOVQ DX,8(DI)
|
||||||
|
MOVQ CX,16(DI)
|
||||||
|
MOVQ R8,24(DI)
|
||||||
|
MOVQ R9,32(DI)
|
||||||
|
MOVQ 0(SP),R11
|
||||||
|
MOVQ 8(SP),R12
|
||||||
|
MOVQ 16(SP),R13
|
||||||
|
MOVQ 24(SP),R14
|
||||||
|
MOVQ 32(SP),R15
|
||||||
|
MOVQ 40(SP),BX
|
||||||
|
MOVQ 48(SP),BP
|
||||||
|
MOVQ R11,SP
|
||||||
|
MOVQ DI,AX
|
||||||
|
MOVQ SI,DX
|
||||||
|
RET
|
1398
vendor/github.com/keybase/go-crypto/curve25519/ladderstep_amd64.s
generated
vendored
Normal file
1398
vendor/github.com/keybase/go-crypto/curve25519/ladderstep_amd64.s
generated
vendored
Normal file
File diff suppressed because it is too large
Load Diff
240
vendor/github.com/keybase/go-crypto/curve25519/mont25519_amd64.go
generated
vendored
Normal file
240
vendor/github.com/keybase/go-crypto/curve25519/mont25519_amd64.go
generated
vendored
Normal file
@ -0,0 +1,240 @@
|
|||||||
|
// Copyright 2012 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// +build amd64,!gccgo,!appengine
|
||||||
|
|
||||||
|
package curve25519
|
||||||
|
|
||||||
|
// These functions are implemented in the .s files. The names of the functions
|
||||||
|
// in the rest of the file are also taken from the SUPERCOP sources to help
|
||||||
|
// people following along.
|
||||||
|
|
||||||
|
//go:noescape
|
||||||
|
|
||||||
|
func cswap(inout *[5]uint64, v uint64)
|
||||||
|
|
||||||
|
//go:noescape
|
||||||
|
|
||||||
|
func ladderstep(inout *[5][5]uint64)
|
||||||
|
|
||||||
|
//go:noescape
|
||||||
|
|
||||||
|
func freeze(inout *[5]uint64)
|
||||||
|
|
||||||
|
//go:noescape
|
||||||
|
|
||||||
|
func mul(dest, a, b *[5]uint64)
|
||||||
|
|
||||||
|
//go:noescape
|
||||||
|
|
||||||
|
func square(out, in *[5]uint64)
|
||||||
|
|
||||||
|
// mladder uses a Montgomery ladder to calculate (xr/zr) *= s.
|
||||||
|
func mladder(xr, zr *[5]uint64, s *[32]byte) {
|
||||||
|
var work [5][5]uint64
|
||||||
|
|
||||||
|
work[0] = *xr
|
||||||
|
setint(&work[1], 1)
|
||||||
|
setint(&work[2], 0)
|
||||||
|
work[3] = *xr
|
||||||
|
setint(&work[4], 1)
|
||||||
|
|
||||||
|
j := uint(6)
|
||||||
|
var prevbit byte
|
||||||
|
|
||||||
|
for i := 31; i >= 0; i-- {
|
||||||
|
for j < 8 {
|
||||||
|
bit := ((*s)[i] >> j) & 1
|
||||||
|
swap := bit ^ prevbit
|
||||||
|
prevbit = bit
|
||||||
|
cswap(&work[1], uint64(swap))
|
||||||
|
ladderstep(&work)
|
||||||
|
j--
|
||||||
|
}
|
||||||
|
j = 7
|
||||||
|
}
|
||||||
|
|
||||||
|
*xr = work[1]
|
||||||
|
*zr = work[2]
|
||||||
|
}
|
||||||
|
|
||||||
|
func scalarMult(out, in, base *[32]byte) {
|
||||||
|
var e [32]byte
|
||||||
|
copy(e[:], (*in)[:])
|
||||||
|
e[0] &= 248
|
||||||
|
e[31] &= 127
|
||||||
|
e[31] |= 64
|
||||||
|
|
||||||
|
var t, z [5]uint64
|
||||||
|
unpack(&t, base)
|
||||||
|
mladder(&t, &z, &e)
|
||||||
|
invert(&z, &z)
|
||||||
|
mul(&t, &t, &z)
|
||||||
|
pack(out, &t)
|
||||||
|
}
|
||||||
|
|
||||||
|
func setint(r *[5]uint64, v uint64) {
|
||||||
|
r[0] = v
|
||||||
|
r[1] = 0
|
||||||
|
r[2] = 0
|
||||||
|
r[3] = 0
|
||||||
|
r[4] = 0
|
||||||
|
}
|
||||||
|
|
||||||
|
// unpack sets r = x where r consists of 5, 51-bit limbs in little-endian
|
||||||
|
// order.
|
||||||
|
func unpack(r *[5]uint64, x *[32]byte) {
|
||||||
|
r[0] = uint64(x[0]) |
|
||||||
|
uint64(x[1])<<8 |
|
||||||
|
uint64(x[2])<<16 |
|
||||||
|
uint64(x[3])<<24 |
|
||||||
|
uint64(x[4])<<32 |
|
||||||
|
uint64(x[5])<<40 |
|
||||||
|
uint64(x[6]&7)<<48
|
||||||
|
|
||||||
|
r[1] = uint64(x[6])>>3 |
|
||||||
|
uint64(x[7])<<5 |
|
||||||
|
uint64(x[8])<<13 |
|
||||||
|
uint64(x[9])<<21 |
|
||||||
|
uint64(x[10])<<29 |
|
||||||
|
uint64(x[11])<<37 |
|
||||||
|
uint64(x[12]&63)<<45
|
||||||
|
|
||||||
|
r[2] = uint64(x[12])>>6 |
|
||||||
|
uint64(x[13])<<2 |
|
||||||
|
uint64(x[14])<<10 |
|
||||||
|
uint64(x[15])<<18 |
|
||||||
|
uint64(x[16])<<26 |
|
||||||
|
uint64(x[17])<<34 |
|
||||||
|
uint64(x[18])<<42 |
|
||||||
|
uint64(x[19]&1)<<50
|
||||||
|
|
||||||
|
r[3] = uint64(x[19])>>1 |
|
||||||
|
uint64(x[20])<<7 |
|
||||||
|
uint64(x[21])<<15 |
|
||||||
|
uint64(x[22])<<23 |
|
||||||
|
uint64(x[23])<<31 |
|
||||||
|
uint64(x[24])<<39 |
|
||||||
|
uint64(x[25]&15)<<47
|
||||||
|
|
||||||
|
r[4] = uint64(x[25])>>4 |
|
||||||
|
uint64(x[26])<<4 |
|
||||||
|
uint64(x[27])<<12 |
|
||||||
|
uint64(x[28])<<20 |
|
||||||
|
uint64(x[29])<<28 |
|
||||||
|
uint64(x[30])<<36 |
|
||||||
|
uint64(x[31]&127)<<44
|
||||||
|
}
|
||||||
|
|
||||||
|
// pack sets out = x where out is the usual, little-endian form of the 5,
|
||||||
|
// 51-bit limbs in x.
|
||||||
|
func pack(out *[32]byte, x *[5]uint64) {
|
||||||
|
t := *x
|
||||||
|
freeze(&t)
|
||||||
|
|
||||||
|
out[0] = byte(t[0])
|
||||||
|
out[1] = byte(t[0] >> 8)
|
||||||
|
out[2] = byte(t[0] >> 16)
|
||||||
|
out[3] = byte(t[0] >> 24)
|
||||||
|
out[4] = byte(t[0] >> 32)
|
||||||
|
out[5] = byte(t[0] >> 40)
|
||||||
|
out[6] = byte(t[0] >> 48)
|
||||||
|
|
||||||
|
out[6] ^= byte(t[1]<<3) & 0xf8
|
||||||
|
out[7] = byte(t[1] >> 5)
|
||||||
|
out[8] = byte(t[1] >> 13)
|
||||||
|
out[9] = byte(t[1] >> 21)
|
||||||
|
out[10] = byte(t[1] >> 29)
|
||||||
|
out[11] = byte(t[1] >> 37)
|
||||||
|
out[12] = byte(t[1] >> 45)
|
||||||
|
|
||||||
|
out[12] ^= byte(t[2]<<6) & 0xc0
|
||||||
|
out[13] = byte(t[2] >> 2)
|
||||||
|
out[14] = byte(t[2] >> 10)
|
||||||
|
out[15] = byte(t[2] >> 18)
|
||||||
|
out[16] = byte(t[2] >> 26)
|
||||||
|
out[17] = byte(t[2] >> 34)
|
||||||
|
out[18] = byte(t[2] >> 42)
|
||||||
|
out[19] = byte(t[2] >> 50)
|
||||||
|
|
||||||
|
out[19] ^= byte(t[3]<<1) & 0xfe
|
||||||
|
out[20] = byte(t[3] >> 7)
|
||||||
|
out[21] = byte(t[3] >> 15)
|
||||||
|
out[22] = byte(t[3] >> 23)
|
||||||
|
out[23] = byte(t[3] >> 31)
|
||||||
|
out[24] = byte(t[3] >> 39)
|
||||||
|
out[25] = byte(t[3] >> 47)
|
||||||
|
|
||||||
|
out[25] ^= byte(t[4]<<4) & 0xf0
|
||||||
|
out[26] = byte(t[4] >> 4)
|
||||||
|
out[27] = byte(t[4] >> 12)
|
||||||
|
out[28] = byte(t[4] >> 20)
|
||||||
|
out[29] = byte(t[4] >> 28)
|
||||||
|
out[30] = byte(t[4] >> 36)
|
||||||
|
out[31] = byte(t[4] >> 44)
|
||||||
|
}
|
||||||
|
|
||||||
|
// invert calculates r = x^-1 mod p using Fermat's little theorem.
|
||||||
|
func invert(r *[5]uint64, x *[5]uint64) {
|
||||||
|
var z2, z9, z11, z2_5_0, z2_10_0, z2_20_0, z2_50_0, z2_100_0, t [5]uint64
|
||||||
|
|
||||||
|
square(&z2, x) /* 2 */
|
||||||
|
square(&t, &z2) /* 4 */
|
||||||
|
square(&t, &t) /* 8 */
|
||||||
|
mul(&z9, &t, x) /* 9 */
|
||||||
|
mul(&z11, &z9, &z2) /* 11 */
|
||||||
|
square(&t, &z11) /* 22 */
|
||||||
|
mul(&z2_5_0, &t, &z9) /* 2^5 - 2^0 = 31 */
|
||||||
|
|
||||||
|
square(&t, &z2_5_0) /* 2^6 - 2^1 */
|
||||||
|
for i := 1; i < 5; i++ { /* 2^20 - 2^10 */
|
||||||
|
square(&t, &t)
|
||||||
|
}
|
||||||
|
mul(&z2_10_0, &t, &z2_5_0) /* 2^10 - 2^0 */
|
||||||
|
|
||||||
|
square(&t, &z2_10_0) /* 2^11 - 2^1 */
|
||||||
|
for i := 1; i < 10; i++ { /* 2^20 - 2^10 */
|
||||||
|
square(&t, &t)
|
||||||
|
}
|
||||||
|
mul(&z2_20_0, &t, &z2_10_0) /* 2^20 - 2^0 */
|
||||||
|
|
||||||
|
square(&t, &z2_20_0) /* 2^21 - 2^1 */
|
||||||
|
for i := 1; i < 20; i++ { /* 2^40 - 2^20 */
|
||||||
|
square(&t, &t)
|
||||||
|
}
|
||||||
|
mul(&t, &t, &z2_20_0) /* 2^40 - 2^0 */
|
||||||
|
|
||||||
|
square(&t, &t) /* 2^41 - 2^1 */
|
||||||
|
for i := 1; i < 10; i++ { /* 2^50 - 2^10 */
|
||||||
|
square(&t, &t)
|
||||||
|
}
|
||||||
|
mul(&z2_50_0, &t, &z2_10_0) /* 2^50 - 2^0 */
|
||||||
|
|
||||||
|
square(&t, &z2_50_0) /* 2^51 - 2^1 */
|
||||||
|
for i := 1; i < 50; i++ { /* 2^100 - 2^50 */
|
||||||
|
square(&t, &t)
|
||||||
|
}
|
||||||
|
mul(&z2_100_0, &t, &z2_50_0) /* 2^100 - 2^0 */
|
||||||
|
|
||||||
|
square(&t, &z2_100_0) /* 2^101 - 2^1 */
|
||||||
|
for i := 1; i < 100; i++ { /* 2^200 - 2^100 */
|
||||||
|
square(&t, &t)
|
||||||
|
}
|
||||||
|
mul(&t, &t, &z2_100_0) /* 2^200 - 2^0 */
|
||||||
|
|
||||||
|
square(&t, &t) /* 2^201 - 2^1 */
|
||||||
|
for i := 1; i < 50; i++ { /* 2^250 - 2^50 */
|
||||||
|
square(&t, &t)
|
||||||
|
}
|
||||||
|
mul(&t, &t, &z2_50_0) /* 2^250 - 2^0 */
|
||||||
|
|
||||||
|
square(&t, &t) /* 2^251 - 2^1 */
|
||||||
|
square(&t, &t) /* 2^252 - 2^2 */
|
||||||
|
square(&t, &t) /* 2^253 - 2^3 */
|
||||||
|
|
||||||
|
square(&t, &t) /* 2^254 - 2^4 */
|
||||||
|
|
||||||
|
square(&t, &t) /* 2^255 - 2^5 */
|
||||||
|
mul(r, &t, &z11) /* 2^255 - 21 */
|
||||||
|
}
|
191
vendor/github.com/keybase/go-crypto/curve25519/mul_amd64.s
generated
vendored
Normal file
191
vendor/github.com/keybase/go-crypto/curve25519/mul_amd64.s
generated
vendored
Normal file
@ -0,0 +1,191 @@
|
|||||||
|
// Copyright 2012 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// This code was translated into a form compatible with 6a from the public
|
||||||
|
// domain sources in SUPERCOP: http://bench.cr.yp.to/supercop.html
|
||||||
|
|
||||||
|
// +build amd64,!gccgo,!appengine
|
||||||
|
|
||||||
|
// func mul(dest, a, b *[5]uint64)
|
||||||
|
TEXT ·mul(SB),0,$128-24
|
||||||
|
MOVQ dest+0(FP), DI
|
||||||
|
MOVQ a+8(FP), SI
|
||||||
|
MOVQ b+16(FP), DX
|
||||||
|
|
||||||
|
MOVQ SP,R11
|
||||||
|
MOVQ $31,CX
|
||||||
|
NOTQ CX
|
||||||
|
ANDQ CX,SP
|
||||||
|
ADDQ $32,SP
|
||||||
|
|
||||||
|
MOVQ R11,0(SP)
|
||||||
|
MOVQ R12,8(SP)
|
||||||
|
MOVQ R13,16(SP)
|
||||||
|
MOVQ R14,24(SP)
|
||||||
|
MOVQ R15,32(SP)
|
||||||
|
MOVQ BX,40(SP)
|
||||||
|
MOVQ BP,48(SP)
|
||||||
|
MOVQ DI,56(SP)
|
||||||
|
MOVQ DX,CX
|
||||||
|
MOVQ 24(SI),DX
|
||||||
|
IMUL3Q $19,DX,AX
|
||||||
|
MOVQ AX,64(SP)
|
||||||
|
MULQ 16(CX)
|
||||||
|
MOVQ AX,R8
|
||||||
|
MOVQ DX,R9
|
||||||
|
MOVQ 32(SI),DX
|
||||||
|
IMUL3Q $19,DX,AX
|
||||||
|
MOVQ AX,72(SP)
|
||||||
|
MULQ 8(CX)
|
||||||
|
ADDQ AX,R8
|
||||||
|
ADCQ DX,R9
|
||||||
|
MOVQ 0(SI),AX
|
||||||
|
MULQ 0(CX)
|
||||||
|
ADDQ AX,R8
|
||||||
|
ADCQ DX,R9
|
||||||
|
MOVQ 0(SI),AX
|
||||||
|
MULQ 8(CX)
|
||||||
|
MOVQ AX,R10
|
||||||
|
MOVQ DX,R11
|
||||||
|
MOVQ 0(SI),AX
|
||||||
|
MULQ 16(CX)
|
||||||
|
MOVQ AX,R12
|
||||||
|
MOVQ DX,R13
|
||||||
|
MOVQ 0(SI),AX
|
||||||
|
MULQ 24(CX)
|
||||||
|
MOVQ AX,R14
|
||||||
|
MOVQ DX,R15
|
||||||
|
MOVQ 0(SI),AX
|
||||||
|
MULQ 32(CX)
|
||||||
|
MOVQ AX,BX
|
||||||
|
MOVQ DX,BP
|
||||||
|
MOVQ 8(SI),AX
|
||||||
|
MULQ 0(CX)
|
||||||
|
ADDQ AX,R10
|
||||||
|
ADCQ DX,R11
|
||||||
|
MOVQ 8(SI),AX
|
||||||
|
MULQ 8(CX)
|
||||||
|
ADDQ AX,R12
|
||||||
|
ADCQ DX,R13
|
||||||
|
MOVQ 8(SI),AX
|
||||||
|
MULQ 16(CX)
|
||||||
|
ADDQ AX,R14
|
||||||
|
ADCQ DX,R15
|
||||||
|
MOVQ 8(SI),AX
|
||||||
|
MULQ 24(CX)
|
||||||
|
ADDQ AX,BX
|
||||||
|
ADCQ DX,BP
|
||||||
|
MOVQ 8(SI),DX
|
||||||
|
IMUL3Q $19,DX,AX
|
||||||
|
MULQ 32(CX)
|
||||||
|
ADDQ AX,R8
|
||||||
|
ADCQ DX,R9
|
||||||
|
MOVQ 16(SI),AX
|
||||||
|
MULQ 0(CX)
|
||||||
|
ADDQ AX,R12
|
||||||
|
ADCQ DX,R13
|
||||||
|
MOVQ 16(SI),AX
|
||||||
|
MULQ 8(CX)
|
||||||
|
ADDQ AX,R14
|
||||||
|
ADCQ DX,R15
|
||||||
|
MOVQ 16(SI),AX
|
||||||
|
MULQ 16(CX)
|
||||||
|
ADDQ AX,BX
|
||||||
|
ADCQ DX,BP
|
||||||
|
MOVQ 16(SI),DX
|
||||||
|
IMUL3Q $19,DX,AX
|
||||||
|
MULQ 24(CX)
|
||||||
|
ADDQ AX,R8
|
||||||
|
ADCQ DX,R9
|
||||||
|
MOVQ 16(SI),DX
|
||||||
|
IMUL3Q $19,DX,AX
|
||||||
|
MULQ 32(CX)
|
||||||
|
ADDQ AX,R10
|
||||||
|
ADCQ DX,R11
|
||||||
|
MOVQ 24(SI),AX
|
||||||
|
MULQ 0(CX)
|
||||||
|
ADDQ AX,R14
|
||||||
|
ADCQ DX,R15
|
||||||
|
MOVQ 24(SI),AX
|
||||||
|
MULQ 8(CX)
|
||||||
|
ADDQ AX,BX
|
||||||
|
ADCQ DX,BP
|
||||||
|
MOVQ 64(SP),AX
|
||||||
|
MULQ 24(CX)
|
||||||
|
ADDQ AX,R10
|
||||||
|
ADCQ DX,R11
|
||||||
|
MOVQ 64(SP),AX
|
||||||
|
MULQ 32(CX)
|
||||||
|
ADDQ AX,R12
|
||||||
|
ADCQ DX,R13
|
||||||
|
MOVQ 32(SI),AX
|
||||||
|
MULQ 0(CX)
|
||||||
|
ADDQ AX,BX
|
||||||
|
ADCQ DX,BP
|
||||||
|
MOVQ 72(SP),AX
|
||||||
|
MULQ 16(CX)
|
||||||
|
ADDQ AX,R10
|
||||||
|
ADCQ DX,R11
|
||||||
|
MOVQ 72(SP),AX
|
||||||
|
MULQ 24(CX)
|
||||||
|
ADDQ AX,R12
|
||||||
|
ADCQ DX,R13
|
||||||
|
MOVQ 72(SP),AX
|
||||||
|
MULQ 32(CX)
|
||||||
|
ADDQ AX,R14
|
||||||
|
ADCQ DX,R15
|
||||||
|
MOVQ ·REDMASK51(SB),SI
|
||||||
|
SHLQ $13,R9:R8
|
||||||
|
ANDQ SI,R8
|
||||||
|
SHLQ $13,R11:R10
|
||||||
|
ANDQ SI,R10
|
||||||
|
ADDQ R9,R10
|
||||||
|
SHLQ $13,R13:R12
|
||||||
|
ANDQ SI,R12
|
||||||
|
ADDQ R11,R12
|
||||||
|
SHLQ $13,R15:R14
|
||||||
|
ANDQ SI,R14
|
||||||
|
ADDQ R13,R14
|
||||||
|
SHLQ $13,BP:BX
|
||||||
|
ANDQ SI,BX
|
||||||
|
ADDQ R15,BX
|
||||||
|
IMUL3Q $19,BP,DX
|
||||||
|
ADDQ DX,R8
|
||||||
|
MOVQ R8,DX
|
||||||
|
SHRQ $51,DX
|
||||||
|
ADDQ R10,DX
|
||||||
|
MOVQ DX,CX
|
||||||
|
SHRQ $51,DX
|
||||||
|
ANDQ SI,R8
|
||||||
|
ADDQ R12,DX
|
||||||
|
MOVQ DX,R9
|
||||||
|
SHRQ $51,DX
|
||||||
|
ANDQ SI,CX
|
||||||
|
ADDQ R14,DX
|
||||||
|
MOVQ DX,AX
|
||||||
|
SHRQ $51,DX
|
||||||
|
ANDQ SI,R9
|
||||||
|
ADDQ BX,DX
|
||||||
|
MOVQ DX,R10
|
||||||
|
SHRQ $51,DX
|
||||||
|
ANDQ SI,AX
|
||||||
|
IMUL3Q $19,DX,DX
|
||||||
|
ADDQ DX,R8
|
||||||
|
ANDQ SI,R10
|
||||||
|
MOVQ R8,0(DI)
|
||||||
|
MOVQ CX,8(DI)
|
||||||
|
MOVQ R9,16(DI)
|
||||||
|
MOVQ AX,24(DI)
|
||||||
|
MOVQ R10,32(DI)
|
||||||
|
MOVQ 0(SP),R11
|
||||||
|
MOVQ 8(SP),R12
|
||||||
|
MOVQ 16(SP),R13
|
||||||
|
MOVQ 24(SP),R14
|
||||||
|
MOVQ 32(SP),R15
|
||||||
|
MOVQ 40(SP),BX
|
||||||
|
MOVQ 48(SP),BP
|
||||||
|
MOVQ R11,SP
|
||||||
|
MOVQ DI,AX
|
||||||
|
MOVQ SI,DX
|
||||||
|
RET
|
153
vendor/github.com/keybase/go-crypto/curve25519/square_amd64.s
generated
vendored
Normal file
153
vendor/github.com/keybase/go-crypto/curve25519/square_amd64.s
generated
vendored
Normal file
@ -0,0 +1,153 @@
|
|||||||
|
// Copyright 2012 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// This code was translated into a form compatible with 6a from the public
|
||||||
|
// domain sources in SUPERCOP: http://bench.cr.yp.to/supercop.html
|
||||||
|
|
||||||
|
// +build amd64,!gccgo,!appengine
|
||||||
|
|
||||||
|
// func square(out, in *[5]uint64)
|
||||||
|
TEXT ·square(SB),7,$96-16
|
||||||
|
MOVQ out+0(FP), DI
|
||||||
|
MOVQ in+8(FP), SI
|
||||||
|
|
||||||
|
MOVQ SP,R11
|
||||||
|
MOVQ $31,CX
|
||||||
|
NOTQ CX
|
||||||
|
ANDQ CX,SP
|
||||||
|
ADDQ $32, SP
|
||||||
|
|
||||||
|
MOVQ R11,0(SP)
|
||||||
|
MOVQ R12,8(SP)
|
||||||
|
MOVQ R13,16(SP)
|
||||||
|
MOVQ R14,24(SP)
|
||||||
|
MOVQ R15,32(SP)
|
||||||
|
MOVQ BX,40(SP)
|
||||||
|
MOVQ BP,48(SP)
|
||||||
|
MOVQ 0(SI),AX
|
||||||
|
MULQ 0(SI)
|
||||||
|
MOVQ AX,CX
|
||||||
|
MOVQ DX,R8
|
||||||
|
MOVQ 0(SI),AX
|
||||||
|
SHLQ $1,AX
|
||||||
|
MULQ 8(SI)
|
||||||
|
MOVQ AX,R9
|
||||||
|
MOVQ DX,R10
|
||||||
|
MOVQ 0(SI),AX
|
||||||
|
SHLQ $1,AX
|
||||||
|
MULQ 16(SI)
|
||||||
|
MOVQ AX,R11
|
||||||
|
MOVQ DX,R12
|
||||||
|
MOVQ 0(SI),AX
|
||||||
|
SHLQ $1,AX
|
||||||
|
MULQ 24(SI)
|
||||||
|
MOVQ AX,R13
|
||||||
|
MOVQ DX,R14
|
||||||
|
MOVQ 0(SI),AX
|
||||||
|
SHLQ $1,AX
|
||||||
|
MULQ 32(SI)
|
||||||
|
MOVQ AX,R15
|
||||||
|
MOVQ DX,BX
|
||||||
|
MOVQ 8(SI),AX
|
||||||
|
MULQ 8(SI)
|
||||||
|
ADDQ AX,R11
|
||||||
|
ADCQ DX,R12
|
||||||
|
MOVQ 8(SI),AX
|
||||||
|
SHLQ $1,AX
|
||||||
|
MULQ 16(SI)
|
||||||
|
ADDQ AX,R13
|
||||||
|
ADCQ DX,R14
|
||||||
|
MOVQ 8(SI),AX
|
||||||
|
SHLQ $1,AX
|
||||||
|
MULQ 24(SI)
|
||||||
|
ADDQ AX,R15
|
||||||
|
ADCQ DX,BX
|
||||||
|
MOVQ 8(SI),DX
|
||||||
|
IMUL3Q $38,DX,AX
|
||||||
|
MULQ 32(SI)
|
||||||
|
ADDQ AX,CX
|
||||||
|
ADCQ DX,R8
|
||||||
|
MOVQ 16(SI),AX
|
||||||
|
MULQ 16(SI)
|
||||||
|
ADDQ AX,R15
|
||||||
|
ADCQ DX,BX
|
||||||
|
MOVQ 16(SI),DX
|
||||||
|
IMUL3Q $38,DX,AX
|
||||||
|
MULQ 24(SI)
|
||||||
|
ADDQ AX,CX
|
||||||
|
ADCQ DX,R8
|
||||||
|
MOVQ 16(SI),DX
|
||||||
|
IMUL3Q $38,DX,AX
|
||||||
|
MULQ 32(SI)
|
||||||
|
ADDQ AX,R9
|
||||||
|
ADCQ DX,R10
|
||||||
|
MOVQ 24(SI),DX
|
||||||
|
IMUL3Q $19,DX,AX
|
||||||
|
MULQ 24(SI)
|
||||||
|
ADDQ AX,R9
|
||||||
|
ADCQ DX,R10
|
||||||
|
MOVQ 24(SI),DX
|
||||||
|
IMUL3Q $38,DX,AX
|
||||||
|
MULQ 32(SI)
|
||||||
|
ADDQ AX,R11
|
||||||
|
ADCQ DX,R12
|
||||||
|
MOVQ 32(SI),DX
|
||||||
|
IMUL3Q $19,DX,AX
|
||||||
|
MULQ 32(SI)
|
||||||
|
ADDQ AX,R13
|
||||||
|
ADCQ DX,R14
|
||||||
|
MOVQ ·REDMASK51(SB),SI
|
||||||
|
SHLQ $13,R8:CX
|
||||||
|
ANDQ SI,CX
|
||||||
|
SHLQ $13,R10:R9
|
||||||
|
ANDQ SI,R9
|
||||||
|
ADDQ R8,R9
|
||||||
|
SHLQ $13,R12:R11
|
||||||
|
ANDQ SI,R11
|
||||||
|
ADDQ R10,R11
|
||||||
|
SHLQ $13,R14:R13
|
||||||
|
ANDQ SI,R13
|
||||||
|
ADDQ R12,R13
|
||||||
|
SHLQ $13,BX:R15
|
||||||
|
ANDQ SI,R15
|
||||||
|
ADDQ R14,R15
|
||||||
|
IMUL3Q $19,BX,DX
|
||||||
|
ADDQ DX,CX
|
||||||
|
MOVQ CX,DX
|
||||||
|
SHRQ $51,DX
|
||||||
|
ADDQ R9,DX
|
||||||
|
ANDQ SI,CX
|
||||||
|
MOVQ DX,R8
|
||||||
|
SHRQ $51,DX
|
||||||
|
ADDQ R11,DX
|
||||||
|
ANDQ SI,R8
|
||||||
|
MOVQ DX,R9
|
||||||
|
SHRQ $51,DX
|
||||||
|
ADDQ R13,DX
|
||||||
|
ANDQ SI,R9
|
||||||
|
MOVQ DX,AX
|
||||||
|
SHRQ $51,DX
|
||||||
|
ADDQ R15,DX
|
||||||
|
ANDQ SI,AX
|
||||||
|
MOVQ DX,R10
|
||||||
|
SHRQ $51,DX
|
||||||
|
IMUL3Q $19,DX,DX
|
||||||
|
ADDQ DX,CX
|
||||||
|
ANDQ SI,R10
|
||||||
|
MOVQ CX,0(DI)
|
||||||
|
MOVQ R8,8(DI)
|
||||||
|
MOVQ R9,16(DI)
|
||||||
|
MOVQ AX,24(DI)
|
||||||
|
MOVQ R10,32(DI)
|
||||||
|
MOVQ 0(SP),R11
|
||||||
|
MOVQ 8(SP),R12
|
||||||
|
MOVQ 16(SP),R13
|
||||||
|
MOVQ 24(SP),R14
|
||||||
|
MOVQ 32(SP),R15
|
||||||
|
MOVQ 40(SP),BX
|
||||||
|
MOVQ 48(SP),BP
|
||||||
|
MOVQ R11,SP
|
||||||
|
MOVQ DI,AX
|
||||||
|
MOVQ SI,DX
|
||||||
|
RET
|
181
vendor/github.com/keybase/go-crypto/ed25519/ed25519.go
generated
vendored
Normal file
181
vendor/github.com/keybase/go-crypto/ed25519/ed25519.go
generated
vendored
Normal file
@ -0,0 +1,181 @@
|
|||||||
|
// Copyright 2016 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// Package ed25519 implements the Ed25519 signature algorithm. See
|
||||||
|
// http://ed25519.cr.yp.to/.
|
||||||
|
//
|
||||||
|
// These functions are also compatible with the “Ed25519” function defined in
|
||||||
|
// https://tools.ietf.org/html/draft-irtf-cfrg-eddsa-05.
|
||||||
|
package ed25519
|
||||||
|
|
||||||
|
// This code is a port of the public domain, “ref10” implementation of ed25519
|
||||||
|
// from SUPERCOP.
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto"
|
||||||
|
cryptorand "crypto/rand"
|
||||||
|
"crypto/sha512"
|
||||||
|
"crypto/subtle"
|
||||||
|
"errors"
|
||||||
|
"io"
|
||||||
|
"strconv"
|
||||||
|
|
||||||
|
"github.com/keybase/go-crypto/ed25519/internal/edwards25519"
|
||||||
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
// PublicKeySize is the size, in bytes, of public keys as used in this package.
|
||||||
|
PublicKeySize = 32
|
||||||
|
// PrivateKeySize is the size, in bytes, of private keys as used in this package.
|
||||||
|
PrivateKeySize = 64
|
||||||
|
// SignatureSize is the size, in bytes, of signatures generated and verified by this package.
|
||||||
|
SignatureSize = 64
|
||||||
|
)
|
||||||
|
|
||||||
|
// PublicKey is the type of Ed25519 public keys.
|
||||||
|
type PublicKey []byte
|
||||||
|
|
||||||
|
// PrivateKey is the type of Ed25519 private keys. It implements crypto.Signer.
|
||||||
|
type PrivateKey []byte
|
||||||
|
|
||||||
|
// Public returns the PublicKey corresponding to priv.
|
||||||
|
func (priv PrivateKey) Public() crypto.PublicKey {
|
||||||
|
publicKey := make([]byte, PublicKeySize)
|
||||||
|
copy(publicKey, priv[32:])
|
||||||
|
return PublicKey(publicKey)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Sign signs the given message with priv.
|
||||||
|
// Ed25519 performs two passes over messages to be signed and therefore cannot
|
||||||
|
// handle pre-hashed messages. Thus opts.HashFunc() must return zero to
|
||||||
|
// indicate the message hasn't been hashed. This can be achieved by passing
|
||||||
|
// crypto.Hash(0) as the value for opts.
|
||||||
|
func (priv PrivateKey) Sign(rand io.Reader, message []byte, opts crypto.SignerOpts) (signature []byte, err error) {
|
||||||
|
if opts.HashFunc() != crypto.Hash(0) {
|
||||||
|
return nil, errors.New("ed25519: cannot sign hashed message")
|
||||||
|
}
|
||||||
|
|
||||||
|
return Sign(priv, message), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// GenerateKey generates a public/private key pair using entropy from rand.
|
||||||
|
// If rand is nil, crypto/rand.Reader will be used.
|
||||||
|
func GenerateKey(rand io.Reader) (publicKey PublicKey, privateKey PrivateKey, err error) {
|
||||||
|
if rand == nil {
|
||||||
|
rand = cryptorand.Reader
|
||||||
|
}
|
||||||
|
|
||||||
|
privateKey = make([]byte, PrivateKeySize)
|
||||||
|
publicKey = make([]byte, PublicKeySize)
|
||||||
|
_, err = io.ReadFull(rand, privateKey[:32])
|
||||||
|
if err != nil {
|
||||||
|
return nil, nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
digest := sha512.Sum512(privateKey[:32])
|
||||||
|
digest[0] &= 248
|
||||||
|
digest[31] &= 127
|
||||||
|
digest[31] |= 64
|
||||||
|
|
||||||
|
var A edwards25519.ExtendedGroupElement
|
||||||
|
var hBytes [32]byte
|
||||||
|
copy(hBytes[:], digest[:])
|
||||||
|
edwards25519.GeScalarMultBase(&A, &hBytes)
|
||||||
|
var publicKeyBytes [32]byte
|
||||||
|
A.ToBytes(&publicKeyBytes)
|
||||||
|
|
||||||
|
copy(privateKey[32:], publicKeyBytes[:])
|
||||||
|
copy(publicKey, publicKeyBytes[:])
|
||||||
|
|
||||||
|
return publicKey, privateKey, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Sign signs the message with privateKey and returns a signature. It will
|
||||||
|
// panic if len(privateKey) is not PrivateKeySize.
|
||||||
|
func Sign(privateKey PrivateKey, message []byte) []byte {
|
||||||
|
if l := len(privateKey); l != PrivateKeySize {
|
||||||
|
panic("ed25519: bad private key length: " + strconv.Itoa(l))
|
||||||
|
}
|
||||||
|
|
||||||
|
h := sha512.New()
|
||||||
|
h.Write(privateKey[:32])
|
||||||
|
|
||||||
|
var digest1, messageDigest, hramDigest [64]byte
|
||||||
|
var expandedSecretKey [32]byte
|
||||||
|
h.Sum(digest1[:0])
|
||||||
|
copy(expandedSecretKey[:], digest1[:])
|
||||||
|
expandedSecretKey[0] &= 248
|
||||||
|
expandedSecretKey[31] &= 63
|
||||||
|
expandedSecretKey[31] |= 64
|
||||||
|
|
||||||
|
h.Reset()
|
||||||
|
h.Write(digest1[32:])
|
||||||
|
h.Write(message)
|
||||||
|
h.Sum(messageDigest[:0])
|
||||||
|
|
||||||
|
var messageDigestReduced [32]byte
|
||||||
|
edwards25519.ScReduce(&messageDigestReduced, &messageDigest)
|
||||||
|
var R edwards25519.ExtendedGroupElement
|
||||||
|
edwards25519.GeScalarMultBase(&R, &messageDigestReduced)
|
||||||
|
|
||||||
|
var encodedR [32]byte
|
||||||
|
R.ToBytes(&encodedR)
|
||||||
|
|
||||||
|
h.Reset()
|
||||||
|
h.Write(encodedR[:])
|
||||||
|
h.Write(privateKey[32:])
|
||||||
|
h.Write(message)
|
||||||
|
h.Sum(hramDigest[:0])
|
||||||
|
var hramDigestReduced [32]byte
|
||||||
|
edwards25519.ScReduce(&hramDigestReduced, &hramDigest)
|
||||||
|
|
||||||
|
var s [32]byte
|
||||||
|
edwards25519.ScMulAdd(&s, &hramDigestReduced, &expandedSecretKey, &messageDigestReduced)
|
||||||
|
|
||||||
|
signature := make([]byte, SignatureSize)
|
||||||
|
copy(signature[:], encodedR[:])
|
||||||
|
copy(signature[32:], s[:])
|
||||||
|
|
||||||
|
return signature
|
||||||
|
}
|
||||||
|
|
||||||
|
// Verify reports whether sig is a valid signature of message by publicKey. It
|
||||||
|
// will panic if len(publicKey) is not PublicKeySize.
|
||||||
|
func Verify(publicKey PublicKey, message, sig []byte) bool {
|
||||||
|
if l := len(publicKey); l != PublicKeySize {
|
||||||
|
panic("ed25519: bad public key length: " + strconv.Itoa(l))
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(sig) != SignatureSize || sig[63]&224 != 0 {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
var A edwards25519.ExtendedGroupElement
|
||||||
|
var publicKeyBytes [32]byte
|
||||||
|
copy(publicKeyBytes[:], publicKey)
|
||||||
|
if !A.FromBytes(&publicKeyBytes) {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
edwards25519.FeNeg(&A.X, &A.X)
|
||||||
|
edwards25519.FeNeg(&A.T, &A.T)
|
||||||
|
|
||||||
|
h := sha512.New()
|
||||||
|
h.Write(sig[:32])
|
||||||
|
h.Write(publicKey[:])
|
||||||
|
h.Write(message)
|
||||||
|
var digest [64]byte
|
||||||
|
h.Sum(digest[:0])
|
||||||
|
|
||||||
|
var hReduced [32]byte
|
||||||
|
edwards25519.ScReduce(&hReduced, &digest)
|
||||||
|
|
||||||
|
var R edwards25519.ProjectiveGroupElement
|
||||||
|
var b [32]byte
|
||||||
|
copy(b[:], sig[32:])
|
||||||
|
edwards25519.GeDoubleScalarMultVartime(&R, &hReduced, &A, &b)
|
||||||
|
|
||||||
|
var checkR [32]byte
|
||||||
|
R.ToBytes(&checkR)
|
||||||
|
return subtle.ConstantTimeCompare(sig[:32], checkR[:]) == 1
|
||||||
|
}
|
1422
vendor/github.com/keybase/go-crypto/ed25519/internal/edwards25519/const.go
generated
vendored
Normal file
1422
vendor/github.com/keybase/go-crypto/ed25519/internal/edwards25519/const.go
generated
vendored
Normal file
File diff suppressed because it is too large
Load Diff
1771
vendor/github.com/keybase/go-crypto/ed25519/internal/edwards25519/edwards25519.go
generated
vendored
Normal file
1771
vendor/github.com/keybase/go-crypto/ed25519/internal/edwards25519/edwards25519.go
generated
vendored
Normal file
File diff suppressed because it is too large
Load Diff
237
vendor/github.com/keybase/go-crypto/openpgp/armor/armor.go
generated
vendored
Normal file
237
vendor/github.com/keybase/go-crypto/openpgp/armor/armor.go
generated
vendored
Normal file
@ -0,0 +1,237 @@
|
|||||||
|
// Copyright 2010 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// Package armor implements OpenPGP ASCII Armor, see RFC 4880. OpenPGP Armor is
|
||||||
|
// very similar to PEM except that it has an additional CRC checksum.
|
||||||
|
package armor // import "github.com/keybase/go-crypto/openpgp/armor"
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bufio"
|
||||||
|
"bytes"
|
||||||
|
"encoding/base64"
|
||||||
|
"io"
|
||||||
|
"strings"
|
||||||
|
"unicode"
|
||||||
|
|
||||||
|
"github.com/keybase/go-crypto/openpgp/errors"
|
||||||
|
)
|
||||||
|
|
||||||
|
// A Block represents an OpenPGP armored structure.
|
||||||
|
//
|
||||||
|
// The encoded form is:
|
||||||
|
// -----BEGIN Type-----
|
||||||
|
// Headers
|
||||||
|
//
|
||||||
|
// base64-encoded Bytes
|
||||||
|
// '=' base64 encoded checksum
|
||||||
|
// -----END Type-----
|
||||||
|
// where Headers is a possibly empty sequence of Key: Value lines.
|
||||||
|
//
|
||||||
|
// Since the armored data can be very large, this package presents a streaming
|
||||||
|
// interface.
|
||||||
|
type Block struct {
|
||||||
|
Type string // The type, taken from the preamble (i.e. "PGP SIGNATURE").
|
||||||
|
Header map[string]string // Optional headers.
|
||||||
|
Body io.Reader // A Reader from which the contents can be read
|
||||||
|
lReader lineReader
|
||||||
|
oReader openpgpReader
|
||||||
|
}
|
||||||
|
|
||||||
|
var ArmorCorrupt error = errors.StructuralError("armor invalid")
|
||||||
|
|
||||||
|
const crc24Init = 0xb704ce
|
||||||
|
const crc24Poly = 0x1864cfb
|
||||||
|
const crc24Mask = 0xffffff
|
||||||
|
|
||||||
|
// crc24 calculates the OpenPGP checksum as specified in RFC 4880, section 6.1
|
||||||
|
func crc24(crc uint32, d []byte) uint32 {
|
||||||
|
for _, b := range d {
|
||||||
|
crc ^= uint32(b) << 16
|
||||||
|
for i := 0; i < 8; i++ {
|
||||||
|
crc <<= 1
|
||||||
|
if crc&0x1000000 != 0 {
|
||||||
|
crc ^= crc24Poly
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return crc
|
||||||
|
}
|
||||||
|
|
||||||
|
var armorStart = []byte("-----BEGIN ")
|
||||||
|
var armorEnd = []byte("-----END ")
|
||||||
|
var armorEndOfLine = []byte("-----")
|
||||||
|
|
||||||
|
// lineReader wraps a line based reader. It watches for the end of an armor
|
||||||
|
// block and records the expected CRC value.
|
||||||
|
type lineReader struct {
|
||||||
|
in *bufio.Reader
|
||||||
|
buf []byte
|
||||||
|
eof bool
|
||||||
|
crc *uint32
|
||||||
|
}
|
||||||
|
|
||||||
|
// ourIsSpace checks if a rune is either space according to unicode
|
||||||
|
// package, or ZeroWidthSpace (which is not a space according to
|
||||||
|
// unicode module). Used to trim lines during header reading.
|
||||||
|
func ourIsSpace(r rune) bool {
|
||||||
|
return r == '\u200b' || unicode.IsSpace(r)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (l *lineReader) Read(p []byte) (n int, err error) {
|
||||||
|
if l.eof {
|
||||||
|
return 0, io.EOF
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(l.buf) > 0 {
|
||||||
|
n = copy(p, l.buf)
|
||||||
|
l.buf = l.buf[n:]
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
line, _, err := l.in.ReadLine()
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
line = bytes.TrimFunc(line, ourIsSpace)
|
||||||
|
|
||||||
|
if len(line) == 5 && line[0] == '=' {
|
||||||
|
// This is the checksum line
|
||||||
|
var expectedBytes [3]byte
|
||||||
|
var m int
|
||||||
|
m, err = base64.StdEncoding.Decode(expectedBytes[0:], line[1:])
|
||||||
|
if m != 3 || err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
crc := uint32(expectedBytes[0])<<16 |
|
||||||
|
uint32(expectedBytes[1])<<8 |
|
||||||
|
uint32(expectedBytes[2])
|
||||||
|
l.crc = &crc
|
||||||
|
|
||||||
|
for {
|
||||||
|
line, _, err = l.in.ReadLine()
|
||||||
|
if err != nil && err != io.EOF {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if len(strings.TrimSpace(string(line))) > 0 {
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if !bytes.HasPrefix(line, armorEnd) {
|
||||||
|
return 0, ArmorCorrupt
|
||||||
|
}
|
||||||
|
|
||||||
|
l.eof = true
|
||||||
|
return 0, io.EOF
|
||||||
|
}
|
||||||
|
|
||||||
|
if bytes.HasPrefix(line, armorEnd) {
|
||||||
|
// Unexpected ending, there was no checksum.
|
||||||
|
l.eof = true
|
||||||
|
l.crc = nil
|
||||||
|
return 0, io.EOF
|
||||||
|
}
|
||||||
|
|
||||||
|
n = copy(p, line)
|
||||||
|
bytesToSave := len(line) - n
|
||||||
|
if bytesToSave > 0 {
|
||||||
|
if cap(l.buf) < bytesToSave {
|
||||||
|
l.buf = make([]byte, 0, bytesToSave)
|
||||||
|
}
|
||||||
|
l.buf = l.buf[0:bytesToSave]
|
||||||
|
copy(l.buf, line[n:])
|
||||||
|
}
|
||||||
|
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// openpgpReader passes Read calls to the underlying base64 decoder, but keeps
|
||||||
|
// a running CRC of the resulting data and checks the CRC against the value
|
||||||
|
// found by the lineReader at EOF.
|
||||||
|
type openpgpReader struct {
|
||||||
|
lReader *lineReader
|
||||||
|
b64Reader io.Reader
|
||||||
|
currentCRC uint32
|
||||||
|
}
|
||||||
|
|
||||||
|
func (r *openpgpReader) Read(p []byte) (n int, err error) {
|
||||||
|
n, err = r.b64Reader.Read(p)
|
||||||
|
r.currentCRC = crc24(r.currentCRC, p[:n])
|
||||||
|
|
||||||
|
if err == io.EOF {
|
||||||
|
if r.lReader.crc != nil && *r.lReader.crc != uint32(r.currentCRC&crc24Mask) {
|
||||||
|
return 0, ArmorCorrupt
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// Decode reads a PGP armored block from the given Reader. It will ignore
|
||||||
|
// leading garbage. If it doesn't find a block, it will return nil, io.EOF. The
|
||||||
|
// given Reader is not usable after calling this function: an arbitrary amount
|
||||||
|
// of data may have been read past the end of the block.
|
||||||
|
func Decode(in io.Reader) (p *Block, err error) {
|
||||||
|
r := bufio.NewReaderSize(in, 100)
|
||||||
|
var line []byte
|
||||||
|
ignoreNext := false
|
||||||
|
|
||||||
|
TryNextBlock:
|
||||||
|
p = nil
|
||||||
|
|
||||||
|
// Skip leading garbage
|
||||||
|
for {
|
||||||
|
ignoreThis := ignoreNext
|
||||||
|
line, ignoreNext, err = r.ReadLine()
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if ignoreNext || ignoreThis {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
line = bytes.TrimSpace(line)
|
||||||
|
if len(line) > len(armorStart)+len(armorEndOfLine) && bytes.HasPrefix(line, armorStart) {
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
p = new(Block)
|
||||||
|
p.Type = string(line[len(armorStart) : len(line)-len(armorEndOfLine)])
|
||||||
|
p.Header = make(map[string]string)
|
||||||
|
nextIsContinuation := false
|
||||||
|
var lastKey string
|
||||||
|
|
||||||
|
// Read headers
|
||||||
|
for {
|
||||||
|
isContinuation := nextIsContinuation
|
||||||
|
line, nextIsContinuation, err = r.ReadLine()
|
||||||
|
if err != nil {
|
||||||
|
p = nil
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if isContinuation {
|
||||||
|
p.Header[lastKey] += string(line)
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
line = bytes.TrimFunc(line, ourIsSpace)
|
||||||
|
if len(line) == 0 {
|
||||||
|
break
|
||||||
|
}
|
||||||
|
|
||||||
|
i := bytes.Index(line, []byte(": "))
|
||||||
|
if i == -1 {
|
||||||
|
goto TryNextBlock
|
||||||
|
}
|
||||||
|
lastKey = string(line[:i])
|
||||||
|
p.Header[lastKey] = string(line[i+2:])
|
||||||
|
}
|
||||||
|
|
||||||
|
p.lReader.in = r
|
||||||
|
p.oReader.currentCRC = crc24Init
|
||||||
|
p.oReader.lReader = &p.lReader
|
||||||
|
p.oReader.b64Reader = base64.NewDecoder(base64.StdEncoding, &p.lReader)
|
||||||
|
p.Body = &p.oReader
|
||||||
|
|
||||||
|
return
|
||||||
|
}
|
160
vendor/github.com/keybase/go-crypto/openpgp/armor/encode.go
generated
vendored
Normal file
160
vendor/github.com/keybase/go-crypto/openpgp/armor/encode.go
generated
vendored
Normal file
@ -0,0 +1,160 @@
|
|||||||
|
// Copyright 2010 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package armor
|
||||||
|
|
||||||
|
import (
|
||||||
|
"encoding/base64"
|
||||||
|
"io"
|
||||||
|
)
|
||||||
|
|
||||||
|
var armorHeaderSep = []byte(": ")
|
||||||
|
var blockEnd = []byte("\n=")
|
||||||
|
var newline = []byte("\n")
|
||||||
|
var armorEndOfLineOut = []byte("-----\n")
|
||||||
|
|
||||||
|
// writeSlices writes its arguments to the given Writer.
|
||||||
|
func writeSlices(out io.Writer, slices ...[]byte) (err error) {
|
||||||
|
for _, s := range slices {
|
||||||
|
_, err = out.Write(s)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// lineBreaker breaks data across several lines, all of the same byte length
|
||||||
|
// (except possibly the last). Lines are broken with a single '\n'.
|
||||||
|
type lineBreaker struct {
|
||||||
|
lineLength int
|
||||||
|
line []byte
|
||||||
|
used int
|
||||||
|
out io.Writer
|
||||||
|
haveWritten bool
|
||||||
|
}
|
||||||
|
|
||||||
|
func newLineBreaker(out io.Writer, lineLength int) *lineBreaker {
|
||||||
|
return &lineBreaker{
|
||||||
|
lineLength: lineLength,
|
||||||
|
line: make([]byte, lineLength),
|
||||||
|
used: 0,
|
||||||
|
out: out,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (l *lineBreaker) Write(b []byte) (n int, err error) {
|
||||||
|
n = len(b)
|
||||||
|
|
||||||
|
if n == 0 {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
if l.used == 0 && l.haveWritten {
|
||||||
|
_, err = l.out.Write([]byte{'\n'})
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if l.used+len(b) < l.lineLength {
|
||||||
|
l.used += copy(l.line[l.used:], b)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
l.haveWritten = true
|
||||||
|
_, err = l.out.Write(l.line[0:l.used])
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
excess := l.lineLength - l.used
|
||||||
|
l.used = 0
|
||||||
|
|
||||||
|
_, err = l.out.Write(b[0:excess])
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
_, err = l.Write(b[excess:])
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func (l *lineBreaker) Close() (err error) {
|
||||||
|
if l.used > 0 {
|
||||||
|
_, err = l.out.Write(l.line[0:l.used])
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// encoding keeps track of a running CRC24 over the data which has been written
|
||||||
|
// to it and outputs a OpenPGP checksum when closed, followed by an armor
|
||||||
|
// trailer.
|
||||||
|
//
|
||||||
|
// It's built into a stack of io.Writers:
|
||||||
|
// encoding -> base64 encoder -> lineBreaker -> out
|
||||||
|
type encoding struct {
|
||||||
|
out io.Writer
|
||||||
|
breaker *lineBreaker
|
||||||
|
b64 io.WriteCloser
|
||||||
|
crc uint32
|
||||||
|
blockType []byte
|
||||||
|
}
|
||||||
|
|
||||||
|
func (e *encoding) Write(data []byte) (n int, err error) {
|
||||||
|
e.crc = crc24(e.crc, data)
|
||||||
|
return e.b64.Write(data)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (e *encoding) Close() (err error) {
|
||||||
|
err = e.b64.Close()
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
e.breaker.Close()
|
||||||
|
|
||||||
|
var checksumBytes [3]byte
|
||||||
|
checksumBytes[0] = byte(e.crc >> 16)
|
||||||
|
checksumBytes[1] = byte(e.crc >> 8)
|
||||||
|
checksumBytes[2] = byte(e.crc)
|
||||||
|
|
||||||
|
var b64ChecksumBytes [4]byte
|
||||||
|
base64.StdEncoding.Encode(b64ChecksumBytes[:], checksumBytes[:])
|
||||||
|
|
||||||
|
return writeSlices(e.out, blockEnd, b64ChecksumBytes[:], newline, armorEnd, e.blockType, armorEndOfLine, []byte{'\n'})
|
||||||
|
}
|
||||||
|
|
||||||
|
// Encode returns a WriteCloser which will encode the data written to it in
|
||||||
|
// OpenPGP armor.
|
||||||
|
func Encode(out io.Writer, blockType string, headers map[string]string) (w io.WriteCloser, err error) {
|
||||||
|
bType := []byte(blockType)
|
||||||
|
err = writeSlices(out, armorStart, bType, armorEndOfLineOut)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
for k, v := range headers {
|
||||||
|
err = writeSlices(out, []byte(k), armorHeaderSep, []byte(v), newline)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
_, err = out.Write(newline)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
e := &encoding{
|
||||||
|
out: out,
|
||||||
|
breaker: newLineBreaker(out, 64),
|
||||||
|
crc: crc24Init,
|
||||||
|
blockType: bType,
|
||||||
|
}
|
||||||
|
e.b64 = base64.NewEncoder(base64.StdEncoding, e.breaker)
|
||||||
|
return e, nil
|
||||||
|
}
|
59
vendor/github.com/keybase/go-crypto/openpgp/canonical_text.go
generated
vendored
Normal file
59
vendor/github.com/keybase/go-crypto/openpgp/canonical_text.go
generated
vendored
Normal file
@ -0,0 +1,59 @@
|
|||||||
|
// Copyright 2011 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package openpgp
|
||||||
|
|
||||||
|
import "hash"
|
||||||
|
|
||||||
|
// NewCanonicalTextHash reformats text written to it into the canonical
|
||||||
|
// form and then applies the hash h. See RFC 4880, section 5.2.1.
|
||||||
|
func NewCanonicalTextHash(h hash.Hash) hash.Hash {
|
||||||
|
return &canonicalTextHash{h, 0}
|
||||||
|
}
|
||||||
|
|
||||||
|
type canonicalTextHash struct {
|
||||||
|
h hash.Hash
|
||||||
|
s int
|
||||||
|
}
|
||||||
|
|
||||||
|
var newline = []byte{'\r', '\n'}
|
||||||
|
|
||||||
|
func (cth *canonicalTextHash) Write(buf []byte) (int, error) {
|
||||||
|
start := 0
|
||||||
|
|
||||||
|
for i, c := range buf {
|
||||||
|
switch cth.s {
|
||||||
|
case 0:
|
||||||
|
if c == '\r' {
|
||||||
|
cth.s = 1
|
||||||
|
} else if c == '\n' {
|
||||||
|
cth.h.Write(buf[start:i])
|
||||||
|
cth.h.Write(newline)
|
||||||
|
start = i + 1
|
||||||
|
}
|
||||||
|
case 1:
|
||||||
|
cth.s = 0
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
cth.h.Write(buf[start:])
|
||||||
|
return len(buf), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (cth *canonicalTextHash) Sum(in []byte) []byte {
|
||||||
|
return cth.h.Sum(in)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (cth *canonicalTextHash) Reset() {
|
||||||
|
cth.h.Reset()
|
||||||
|
cth.s = 0
|
||||||
|
}
|
||||||
|
|
||||||
|
func (cth *canonicalTextHash) Size() int {
|
||||||
|
return cth.h.Size()
|
||||||
|
}
|
||||||
|
|
||||||
|
func (cth *canonicalTextHash) BlockSize() int {
|
||||||
|
return cth.h.BlockSize()
|
||||||
|
}
|
282
vendor/github.com/keybase/go-crypto/openpgp/ecdh/ecdh.go
generated
vendored
Normal file
282
vendor/github.com/keybase/go-crypto/openpgp/ecdh/ecdh.go
generated
vendored
Normal file
@ -0,0 +1,282 @@
|
|||||||
|
package ecdh
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"crypto"
|
||||||
|
"crypto/aes"
|
||||||
|
"crypto/elliptic"
|
||||||
|
"encoding/binary"
|
||||||
|
"errors"
|
||||||
|
"github.com/keybase/go-crypto/curve25519"
|
||||||
|
"io"
|
||||||
|
"math/big"
|
||||||
|
)
|
||||||
|
|
||||||
|
type PublicKey struct {
|
||||||
|
elliptic.Curve
|
||||||
|
X, Y *big.Int
|
||||||
|
}
|
||||||
|
|
||||||
|
type PrivateKey struct {
|
||||||
|
PublicKey
|
||||||
|
X *big.Int
|
||||||
|
}
|
||||||
|
|
||||||
|
// KDF implements Key Derivation Function as described in
|
||||||
|
// https://tools.ietf.org/html/rfc6637#section-7
|
||||||
|
func (e *PublicKey) KDF(S []byte, kdfParams []byte, hash crypto.Hash) []byte {
|
||||||
|
sLen := (e.Curve.Params().P.BitLen() + 7) / 8
|
||||||
|
buf := new(bytes.Buffer)
|
||||||
|
buf.Write([]byte{0, 0, 0, 1})
|
||||||
|
if sLen > len(S) {
|
||||||
|
// zero-pad the S. If we got invalid S (bigger than curve's
|
||||||
|
// P), we are going to produce invalid key. Garbage in,
|
||||||
|
// garbage out.
|
||||||
|
buf.Write(make([]byte, sLen-len(S)))
|
||||||
|
}
|
||||||
|
buf.Write(S)
|
||||||
|
buf.Write(kdfParams)
|
||||||
|
|
||||||
|
hashw := hash.New()
|
||||||
|
|
||||||
|
hashw.Write(buf.Bytes())
|
||||||
|
key := hashw.Sum(nil)
|
||||||
|
|
||||||
|
return key
|
||||||
|
}
|
||||||
|
|
||||||
|
// AESKeyUnwrap implements RFC 3394 Key Unwrapping. See
|
||||||
|
// http://tools.ietf.org/html/rfc3394#section-2.2.1
|
||||||
|
// Note: The second described algorithm ("index-based") is implemented
|
||||||
|
// here.
|
||||||
|
func AESKeyUnwrap(key, cipherText []byte) ([]byte, error) {
|
||||||
|
if len(cipherText)%8 != 0 {
|
||||||
|
return nil, errors.New("cipherText must by a multiple of 64 bits")
|
||||||
|
}
|
||||||
|
|
||||||
|
cipher, err := aes.NewCipher(key)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
nblocks := len(cipherText)/8 - 1
|
||||||
|
|
||||||
|
// 1) Initialize variables.
|
||||||
|
// - Set A = C[0]
|
||||||
|
var A [aes.BlockSize]byte
|
||||||
|
copy(A[:8], cipherText[:8])
|
||||||
|
|
||||||
|
// For i = 1 to n
|
||||||
|
// Set R[i] = C[i]
|
||||||
|
R := make([]byte, len(cipherText)-8)
|
||||||
|
copy(R, cipherText[8:])
|
||||||
|
|
||||||
|
// 2) Compute intermediate values.
|
||||||
|
for j := 5; j >= 0; j-- {
|
||||||
|
for i := nblocks - 1; i >= 0; i-- {
|
||||||
|
// B = AES-1(K, (A ^ t) | R[i]) where t = n*j+i
|
||||||
|
// A = MSB(64, B)
|
||||||
|
t := uint64(nblocks*j + i + 1)
|
||||||
|
At := binary.BigEndian.Uint64(A[:8]) ^ t
|
||||||
|
binary.BigEndian.PutUint64(A[:8], At)
|
||||||
|
|
||||||
|
copy(A[8:], R[i*8:i*8+8])
|
||||||
|
cipher.Decrypt(A[:], A[:])
|
||||||
|
|
||||||
|
// R[i] = LSB(B, 64)
|
||||||
|
copy(R[i*8:i*8+8], A[8:])
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// 3) Output results.
|
||||||
|
// If A is an appropriate initial value (see 2.2.3),
|
||||||
|
for i := 0; i < 8; i++ {
|
||||||
|
if A[i] != 0xA6 {
|
||||||
|
return nil, errors.New("Failed to unwrap key (A is not IV)")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return R, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// AESKeyWrap implements RFC 3394 Key Wrapping. See
|
||||||
|
// https://tools.ietf.org/html/rfc3394#section-2.2.2
|
||||||
|
// Note: The second described algorithm ("index-based") is implemented
|
||||||
|
// here.
|
||||||
|
func AESKeyWrap(key, plainText []byte) ([]byte, error) {
|
||||||
|
if len(plainText)%8 != 0 {
|
||||||
|
return nil, errors.New("plainText must be a multiple of 64 bits")
|
||||||
|
}
|
||||||
|
|
||||||
|
cipher, err := aes.NewCipher(key) // NewCipher checks key size
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
nblocks := len(plainText) / 8
|
||||||
|
|
||||||
|
// 1) Initialize variables.
|
||||||
|
var A [aes.BlockSize]byte
|
||||||
|
// Section 2.2.3.1 -- Initial Value
|
||||||
|
// http://tools.ietf.org/html/rfc3394#section-2.2.3.1
|
||||||
|
for i := 0; i < 8; i++ {
|
||||||
|
A[i] = 0xA6
|
||||||
|
}
|
||||||
|
|
||||||
|
// For i = 1 to n
|
||||||
|
// Set R[i] = P[i]
|
||||||
|
R := make([]byte, len(plainText))
|
||||||
|
copy(R, plainText)
|
||||||
|
|
||||||
|
// 2) Calculate intermediate values.
|
||||||
|
for j := 0; j <= 5; j++ {
|
||||||
|
for i := 0; i < nblocks; i++ {
|
||||||
|
// B = AES(K, A | R[i])
|
||||||
|
copy(A[8:], R[i*8:i*8+8])
|
||||||
|
cipher.Encrypt(A[:], A[:])
|
||||||
|
|
||||||
|
// (Assume B = A)
|
||||||
|
// A = MSB(64, B) ^ t where t = (n*j)+1
|
||||||
|
t := uint64(j*nblocks + i + 1)
|
||||||
|
At := binary.BigEndian.Uint64(A[:8]) ^ t
|
||||||
|
binary.BigEndian.PutUint64(A[:8], At)
|
||||||
|
|
||||||
|
// R[i] = LSB(64, B)
|
||||||
|
copy(R[i*8:i*8+8], A[8:])
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// 3) Output results.
|
||||||
|
// Set C[0] = A
|
||||||
|
// For i = 1 to n
|
||||||
|
// C[i] = R[i]
|
||||||
|
return append(A[:8], R...), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// PadBuffer pads byte buffer buf to a length being multiple of
|
||||||
|
// blockLen. Additional bytes appended to the buffer have value of the
|
||||||
|
// number padded bytes. E.g. if the buffer is 3 bytes short of being
|
||||||
|
// 40 bytes total, the appended bytes will be [03, 03, 03].
|
||||||
|
func PadBuffer(buf []byte, blockLen int) []byte {
|
||||||
|
padding := blockLen - (len(buf) % blockLen)
|
||||||
|
if padding == 0 {
|
||||||
|
return buf
|
||||||
|
}
|
||||||
|
|
||||||
|
padBuf := make([]byte, padding)
|
||||||
|
for i := 0; i < padding; i++ {
|
||||||
|
padBuf[i] = byte(padding)
|
||||||
|
}
|
||||||
|
|
||||||
|
return append(buf, padBuf...)
|
||||||
|
}
|
||||||
|
|
||||||
|
// UnpadBuffer verifies that buffer contains proper padding and
|
||||||
|
// returns buffer without the padding, or nil if the padding was
|
||||||
|
// invalid.
|
||||||
|
func UnpadBuffer(buf []byte, dataLen int) []byte {
|
||||||
|
padding := len(buf) - dataLen
|
||||||
|
outBuf := buf[:dataLen]
|
||||||
|
|
||||||
|
for i := dataLen; i < len(buf); i++ {
|
||||||
|
if buf[i] != byte(padding) {
|
||||||
|
// Invalid padding - bail out
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return outBuf
|
||||||
|
}
|
||||||
|
|
||||||
|
func (e *PublicKey) Encrypt(random io.Reader, kdfParams []byte, plain []byte, hash crypto.Hash, kdfKeySize int) (Vx *big.Int, Vy *big.Int, C []byte, err error) {
|
||||||
|
// Vx, Vy - encryption key
|
||||||
|
|
||||||
|
// Note for Curve 25519 - curve25519 library already does key
|
||||||
|
// clamping in scalarMult, so we can use generic random scalar
|
||||||
|
// generation from elliptic.
|
||||||
|
priv, Vx, Vy, err := elliptic.GenerateKey(e.Curve, random)
|
||||||
|
if err != nil {
|
||||||
|
return nil, nil, nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Sx, Sy - shared secret
|
||||||
|
Sx, _ := e.Curve.ScalarMult(e.X, e.Y, priv)
|
||||||
|
|
||||||
|
// Encrypt the payload with KDF-ed S as the encryption key. Pass
|
||||||
|
// the ciphertext along with V to the recipient. Recipient can
|
||||||
|
// generate S using V and their priv key, and then KDF(S), on
|
||||||
|
// their own, to get encryption key and decrypt the ciphertext,
|
||||||
|
// revealing encryption key for symmetric encryption later.
|
||||||
|
|
||||||
|
plain = PadBuffer(plain, 8)
|
||||||
|
key := e.KDF(Sx.Bytes(), kdfParams, hash)
|
||||||
|
|
||||||
|
// Take only as many bytes from key as the key length (the hash
|
||||||
|
// result might be bigger)
|
||||||
|
encrypted, err := AESKeyWrap(key[:kdfKeySize], plain)
|
||||||
|
|
||||||
|
return Vx, Vy, encrypted, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (e *PrivateKey) DecryptShared(X, Y *big.Int) []byte {
|
||||||
|
Sx, _ := e.Curve.ScalarMult(X, Y, e.X.Bytes())
|
||||||
|
return Sx.Bytes()
|
||||||
|
}
|
||||||
|
|
||||||
|
func countBits(buffer []byte) int {
|
||||||
|
var headerLen int
|
||||||
|
switch buffer[0] {
|
||||||
|
case 0x4:
|
||||||
|
headerLen = 3
|
||||||
|
case 0x40:
|
||||||
|
headerLen = 7
|
||||||
|
default:
|
||||||
|
// Unexpected header - but we can still count the bits.
|
||||||
|
val := buffer[0]
|
||||||
|
headerLen = 0
|
||||||
|
for val > 0 {
|
||||||
|
val = val / 2
|
||||||
|
headerLen++
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return headerLen + (len(buffer)-1)*8
|
||||||
|
}
|
||||||
|
|
||||||
|
// elliptic.Marshal and elliptic.Unmarshal only marshals uncompressed
|
||||||
|
// 0x4 MPI types. These functions will check if the curve is cv25519,
|
||||||
|
// and if so, use 0x40 compressed type to (un)marshal. Otherwise,
|
||||||
|
// elliptic.(Un)marshal will be called.
|
||||||
|
|
||||||
|
// Marshal encodes point into either 0x4 uncompressed point form, or
|
||||||
|
// 0x40 compressed point for Curve 25519.
|
||||||
|
func Marshal(curve elliptic.Curve, x, y *big.Int) (buf []byte, bitSize int) {
|
||||||
|
// NOTE: Read more about MPI encoding in the RFC:
|
||||||
|
// https://tools.ietf.org/html/rfc4880#section-3.2
|
||||||
|
|
||||||
|
// We are required to encode size in bits, counting from the most-
|
||||||
|
// significant non-zero bit. So assuming that the buffer never
|
||||||
|
// starts with 0x00, we only need to count bits in the first byte
|
||||||
|
// - and in current implentation it will always be 0x4 or 0x40.
|
||||||
|
|
||||||
|
cv, ok := curve25519.ToCurve25519(curve)
|
||||||
|
if ok {
|
||||||
|
buf = cv.MarshalType40(x, y)
|
||||||
|
} else {
|
||||||
|
buf = elliptic.Marshal(curve, x, y)
|
||||||
|
}
|
||||||
|
|
||||||
|
return buf, countBits(buf)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Unmarshal converts point, serialized by Marshal, into x, y pair.
|
||||||
|
// For 0x40 compressed points (for Curve 25519), y will always be 0.
|
||||||
|
// It is an error if point is not on the curve, On error, x = nil.
|
||||||
|
func Unmarshal(curve elliptic.Curve, data []byte) (x, y *big.Int) {
|
||||||
|
cv, ok := curve25519.ToCurve25519(curve)
|
||||||
|
if ok {
|
||||||
|
return cv.UnmarshalType40(data)
|
||||||
|
}
|
||||||
|
|
||||||
|
return elliptic.Unmarshal(curve, data)
|
||||||
|
}
|
122
vendor/github.com/keybase/go-crypto/openpgp/elgamal/elgamal.go
generated
vendored
Normal file
122
vendor/github.com/keybase/go-crypto/openpgp/elgamal/elgamal.go
generated
vendored
Normal file
@ -0,0 +1,122 @@
|
|||||||
|
// Copyright 2011 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// Package elgamal implements ElGamal encryption, suitable for OpenPGP,
|
||||||
|
// as specified in "A Public-Key Cryptosystem and a Signature Scheme Based on
|
||||||
|
// Discrete Logarithms," IEEE Transactions on Information Theory, v. IT-31,
|
||||||
|
// n. 4, 1985, pp. 469-472.
|
||||||
|
//
|
||||||
|
// This form of ElGamal embeds PKCS#1 v1.5 padding, which may make it
|
||||||
|
// unsuitable for other protocols. RSA should be used in preference in any
|
||||||
|
// case.
|
||||||
|
package elgamal // import "github.com/keybase/go-crypto/openpgp/elgamal"
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/rand"
|
||||||
|
"crypto/subtle"
|
||||||
|
"errors"
|
||||||
|
"io"
|
||||||
|
"math/big"
|
||||||
|
)
|
||||||
|
|
||||||
|
// PublicKey represents an ElGamal public key.
|
||||||
|
type PublicKey struct {
|
||||||
|
G, P, Y *big.Int
|
||||||
|
}
|
||||||
|
|
||||||
|
// PrivateKey represents an ElGamal private key.
|
||||||
|
type PrivateKey struct {
|
||||||
|
PublicKey
|
||||||
|
X *big.Int
|
||||||
|
}
|
||||||
|
|
||||||
|
// Encrypt encrypts the given message to the given public key. The result is a
|
||||||
|
// pair of integers. Errors can result from reading random, or because msg is
|
||||||
|
// too large to be encrypted to the public key.
|
||||||
|
func Encrypt(random io.Reader, pub *PublicKey, msg []byte) (c1, c2 *big.Int, err error) {
|
||||||
|
pLen := (pub.P.BitLen() + 7) / 8
|
||||||
|
if len(msg) > pLen-11 {
|
||||||
|
err = errors.New("elgamal: message too long")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// EM = 0x02 || PS || 0x00 || M
|
||||||
|
em := make([]byte, pLen-1)
|
||||||
|
em[0] = 2
|
||||||
|
ps, mm := em[1:len(em)-len(msg)-1], em[len(em)-len(msg):]
|
||||||
|
err = nonZeroRandomBytes(ps, random)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
em[len(em)-len(msg)-1] = 0
|
||||||
|
copy(mm, msg)
|
||||||
|
|
||||||
|
m := new(big.Int).SetBytes(em)
|
||||||
|
|
||||||
|
k, err := rand.Int(random, pub.P)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
c1 = new(big.Int).Exp(pub.G, k, pub.P)
|
||||||
|
s := new(big.Int).Exp(pub.Y, k, pub.P)
|
||||||
|
c2 = s.Mul(s, m)
|
||||||
|
c2.Mod(c2, pub.P)
|
||||||
|
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// Decrypt takes two integers, resulting from an ElGamal encryption, and
|
||||||
|
// returns the plaintext of the message. An error can result only if the
|
||||||
|
// ciphertext is invalid. Users should keep in mind that this is a padding
|
||||||
|
// oracle and thus, if exposed to an adaptive chosen ciphertext attack, can
|
||||||
|
// be used to break the cryptosystem. See ``Chosen Ciphertext Attacks
|
||||||
|
// Against Protocols Based on the RSA Encryption Standard PKCS #1'', Daniel
|
||||||
|
// Bleichenbacher, Advances in Cryptology (Crypto '98),
|
||||||
|
func Decrypt(priv *PrivateKey, c1, c2 *big.Int) (msg []byte, err error) {
|
||||||
|
s := new(big.Int).Exp(c1, priv.X, priv.P)
|
||||||
|
s.ModInverse(s, priv.P)
|
||||||
|
s.Mul(s, c2)
|
||||||
|
s.Mod(s, priv.P)
|
||||||
|
em := s.Bytes()
|
||||||
|
|
||||||
|
firstByteIsTwo := subtle.ConstantTimeByteEq(em[0], 2)
|
||||||
|
|
||||||
|
// The remainder of the plaintext must be a string of non-zero random
|
||||||
|
// octets, followed by a 0, followed by the message.
|
||||||
|
// lookingForIndex: 1 iff we are still looking for the zero.
|
||||||
|
// index: the offset of the first zero byte.
|
||||||
|
var lookingForIndex, index int
|
||||||
|
lookingForIndex = 1
|
||||||
|
|
||||||
|
for i := 1; i < len(em); i++ {
|
||||||
|
equals0 := subtle.ConstantTimeByteEq(em[i], 0)
|
||||||
|
index = subtle.ConstantTimeSelect(lookingForIndex&equals0, i, index)
|
||||||
|
lookingForIndex = subtle.ConstantTimeSelect(equals0, 0, lookingForIndex)
|
||||||
|
}
|
||||||
|
|
||||||
|
if firstByteIsTwo != 1 || lookingForIndex != 0 || index < 9 {
|
||||||
|
return nil, errors.New("elgamal: decryption error")
|
||||||
|
}
|
||||||
|
return em[index+1:], nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// nonZeroRandomBytes fills the given slice with non-zero random octets.
|
||||||
|
func nonZeroRandomBytes(s []byte, rand io.Reader) (err error) {
|
||||||
|
_, err = io.ReadFull(rand, s)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
for i := 0; i < len(s); i++ {
|
||||||
|
for s[i] == 0 {
|
||||||
|
_, err = io.ReadFull(rand, s[i:i+1])
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return
|
||||||
|
}
|
72
vendor/github.com/keybase/go-crypto/openpgp/errors/errors.go
generated
vendored
Normal file
72
vendor/github.com/keybase/go-crypto/openpgp/errors/errors.go
generated
vendored
Normal file
@ -0,0 +1,72 @@
|
|||||||
|
// Copyright 2010 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// Package errors contains common error types for the OpenPGP packages.
|
||||||
|
package errors // import "github.com/keybase/go-crypto/openpgp/errors"
|
||||||
|
|
||||||
|
import (
|
||||||
|
"strconv"
|
||||||
|
)
|
||||||
|
|
||||||
|
// A StructuralError is returned when OpenPGP data is found to be syntactically
|
||||||
|
// invalid.
|
||||||
|
type StructuralError string
|
||||||
|
|
||||||
|
func (s StructuralError) Error() string {
|
||||||
|
return "openpgp: invalid data: " + string(s)
|
||||||
|
}
|
||||||
|
|
||||||
|
// UnsupportedError indicates that, although the OpenPGP data is valid, it
|
||||||
|
// makes use of currently unimplemented features.
|
||||||
|
type UnsupportedError string
|
||||||
|
|
||||||
|
func (s UnsupportedError) Error() string {
|
||||||
|
return "openpgp: unsupported feature: " + string(s)
|
||||||
|
}
|
||||||
|
|
||||||
|
// InvalidArgumentError indicates that the caller is in error and passed an
|
||||||
|
// incorrect value.
|
||||||
|
type InvalidArgumentError string
|
||||||
|
|
||||||
|
func (i InvalidArgumentError) Error() string {
|
||||||
|
return "openpgp: invalid argument: " + string(i)
|
||||||
|
}
|
||||||
|
|
||||||
|
// SignatureError indicates that a syntactically valid signature failed to
|
||||||
|
// validate.
|
||||||
|
type SignatureError string
|
||||||
|
|
||||||
|
func (b SignatureError) Error() string {
|
||||||
|
return "openpgp: invalid signature: " + string(b)
|
||||||
|
}
|
||||||
|
|
||||||
|
type keyIncorrectError int
|
||||||
|
|
||||||
|
func (ki keyIncorrectError) Error() string {
|
||||||
|
return "openpgp: incorrect key"
|
||||||
|
}
|
||||||
|
|
||||||
|
var ErrKeyIncorrect error = keyIncorrectError(0)
|
||||||
|
|
||||||
|
type unknownIssuerError int
|
||||||
|
|
||||||
|
func (unknownIssuerError) Error() string {
|
||||||
|
return "openpgp: signature made by unknown entity"
|
||||||
|
}
|
||||||
|
|
||||||
|
var ErrUnknownIssuer error = unknownIssuerError(0)
|
||||||
|
|
||||||
|
type keyRevokedError int
|
||||||
|
|
||||||
|
func (keyRevokedError) Error() string {
|
||||||
|
return "openpgp: signature made by revoked key"
|
||||||
|
}
|
||||||
|
|
||||||
|
var ErrKeyRevoked error = keyRevokedError(0)
|
||||||
|
|
||||||
|
type UnknownPacketTypeError uint8
|
||||||
|
|
||||||
|
func (upte UnknownPacketTypeError) Error() string {
|
||||||
|
return "openpgp: unknown packet type: " + strconv.Itoa(int(upte))
|
||||||
|
}
|
902
vendor/github.com/keybase/go-crypto/openpgp/keys.go
generated
vendored
Normal file
902
vendor/github.com/keybase/go-crypto/openpgp/keys.go
generated
vendored
Normal file
@ -0,0 +1,902 @@
|
|||||||
|
// Copyright 2011 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package openpgp
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/hmac"
|
||||||
|
"encoding/binary"
|
||||||
|
"io"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/keybase/go-crypto/openpgp/armor"
|
||||||
|
"github.com/keybase/go-crypto/openpgp/errors"
|
||||||
|
"github.com/keybase/go-crypto/openpgp/packet"
|
||||||
|
"github.com/keybase/go-crypto/rsa"
|
||||||
|
)
|
||||||
|
|
||||||
|
// PublicKeyType is the armor type for a PGP public key.
|
||||||
|
var PublicKeyType = "PGP PUBLIC KEY BLOCK"
|
||||||
|
|
||||||
|
// PrivateKeyType is the armor type for a PGP private key.
|
||||||
|
var PrivateKeyType = "PGP PRIVATE KEY BLOCK"
|
||||||
|
|
||||||
|
// An Entity represents the components of an OpenPGP key: a primary public key
|
||||||
|
// (which must be a signing key), one or more identities claimed by that key,
|
||||||
|
// and zero or more subkeys, which may be encryption keys.
|
||||||
|
type Entity struct {
|
||||||
|
PrimaryKey *packet.PublicKey
|
||||||
|
PrivateKey *packet.PrivateKey
|
||||||
|
Identities map[string]*Identity // indexed by Identity.Name
|
||||||
|
Revocations []*packet.Signature
|
||||||
|
// Revocations that are signed by designated revokers. Reading keys
|
||||||
|
// will not verify these revocations, because it won't have access to
|
||||||
|
// issuers' public keys, API consumers should do this instead (or
|
||||||
|
// not, and just assume that the key is probably revoked).
|
||||||
|
UnverifiedRevocations []*packet.Signature
|
||||||
|
Subkeys []Subkey
|
||||||
|
BadSubkeys []BadSubkey
|
||||||
|
}
|
||||||
|
|
||||||
|
// An Identity represents an identity claimed by an Entity and zero or more
|
||||||
|
// assertions by other entities about that claim.
|
||||||
|
type Identity struct {
|
||||||
|
Name string // by convention, has the form "Full Name (comment) <email@example.com>"
|
||||||
|
UserId *packet.UserId
|
||||||
|
SelfSignature *packet.Signature
|
||||||
|
Signatures []*packet.Signature
|
||||||
|
Revocation *packet.Signature
|
||||||
|
}
|
||||||
|
|
||||||
|
// A Subkey is an additional public key in an Entity. Subkeys can be used for
|
||||||
|
// encryption.
|
||||||
|
type Subkey struct {
|
||||||
|
PublicKey *packet.PublicKey
|
||||||
|
PrivateKey *packet.PrivateKey
|
||||||
|
Sig *packet.Signature
|
||||||
|
Revocation *packet.Signature
|
||||||
|
}
|
||||||
|
|
||||||
|
// BadSubkey is one that failed reconstruction, but we'll keep it around for
|
||||||
|
// informational purposes.
|
||||||
|
type BadSubkey struct {
|
||||||
|
Subkey
|
||||||
|
Err error
|
||||||
|
}
|
||||||
|
|
||||||
|
// A Key identifies a specific public key in an Entity. This is either the
|
||||||
|
// Entity's primary key or a subkey.
|
||||||
|
type Key struct {
|
||||||
|
Entity *Entity
|
||||||
|
PublicKey *packet.PublicKey
|
||||||
|
PrivateKey *packet.PrivateKey
|
||||||
|
SelfSignature *packet.Signature
|
||||||
|
KeyFlags packet.KeyFlagBits
|
||||||
|
}
|
||||||
|
|
||||||
|
// A KeyRing provides access to public and private keys.
|
||||||
|
type KeyRing interface {
|
||||||
|
|
||||||
|
// KeysById returns the set of keys that have the given key id.
|
||||||
|
// fp can be optionally supplied, which is the full key fingerprint.
|
||||||
|
// If it's provided, then it must match. This comes up in the case
|
||||||
|
// of GPG subpacket 33.
|
||||||
|
KeysById(id uint64, fp []byte) []Key
|
||||||
|
|
||||||
|
// KeysByIdAndUsage returns the set of keys with the given id
|
||||||
|
// that also meet the key usage given by requiredUsage.
|
||||||
|
// The requiredUsage is expressed as the bitwise-OR of
|
||||||
|
// packet.KeyFlag* values.
|
||||||
|
// fp can be optionally supplied, which is the full key fingerprint.
|
||||||
|
// If it's provided, then it must match. This comes up in the case
|
||||||
|
// of GPG subpacket 33.
|
||||||
|
KeysByIdUsage(id uint64, fp []byte, requiredUsage byte) []Key
|
||||||
|
|
||||||
|
// DecryptionKeys returns all private keys that are valid for
|
||||||
|
// decryption.
|
||||||
|
DecryptionKeys() []Key
|
||||||
|
}
|
||||||
|
|
||||||
|
// primaryIdentity returns the Identity marked as primary or the first identity
|
||||||
|
// if none are so marked.
|
||||||
|
func (e *Entity) primaryIdentity() *Identity {
|
||||||
|
var firstIdentity *Identity
|
||||||
|
for _, ident := range e.Identities {
|
||||||
|
if firstIdentity == nil {
|
||||||
|
firstIdentity = ident
|
||||||
|
}
|
||||||
|
if ident.SelfSignature.IsPrimaryId != nil && *ident.SelfSignature.IsPrimaryId {
|
||||||
|
return ident
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return firstIdentity
|
||||||
|
}
|
||||||
|
|
||||||
|
// encryptionKey returns the best candidate Key for encrypting a message to the
|
||||||
|
// given Entity.
|
||||||
|
func (e *Entity) encryptionKey(now time.Time) (Key, bool) {
|
||||||
|
candidateSubkey := -1
|
||||||
|
|
||||||
|
// Iterate the keys to find the newest key
|
||||||
|
var maxTime time.Time
|
||||||
|
for i, subkey := range e.Subkeys {
|
||||||
|
|
||||||
|
// NOTE(maxtaco)
|
||||||
|
// If there is a Flags subpacket, then we have to follow it, and only
|
||||||
|
// use keys that are marked for Encryption of Communication. If there
|
||||||
|
// isn't a Flags subpacket, and this is an Encrypt-Only key (right now only ElGamal
|
||||||
|
// suffices), then we implicitly use it. The check for primary below is a little
|
||||||
|
// more open-ended, but for now, let's be strict and potentially open up
|
||||||
|
// if we see bugs in the wild.
|
||||||
|
//
|
||||||
|
// One more note: old DSA/ElGamal keys tend not to have the Flags subpacket,
|
||||||
|
// so this sort of thing is pretty important for encrypting to older keys.
|
||||||
|
//
|
||||||
|
if ((subkey.Sig.FlagsValid && subkey.Sig.FlagEncryptCommunications) ||
|
||||||
|
(!subkey.Sig.FlagsValid && subkey.PublicKey.PubKeyAlgo == packet.PubKeyAlgoElGamal)) &&
|
||||||
|
subkey.PublicKey.PubKeyAlgo.CanEncrypt() &&
|
||||||
|
!subkey.Sig.KeyExpired(now) &&
|
||||||
|
subkey.Revocation == nil &&
|
||||||
|
(maxTime.IsZero() || subkey.Sig.CreationTime.After(maxTime)) {
|
||||||
|
candidateSubkey = i
|
||||||
|
maxTime = subkey.Sig.CreationTime
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if candidateSubkey != -1 {
|
||||||
|
subkey := e.Subkeys[candidateSubkey]
|
||||||
|
return Key{e, subkey.PublicKey, subkey.PrivateKey, subkey.Sig, subkey.Sig.GetKeyFlags()}, true
|
||||||
|
}
|
||||||
|
|
||||||
|
// If we don't have any candidate subkeys for encryption and
|
||||||
|
// the primary key doesn't have any usage metadata then we
|
||||||
|
// assume that the primary key is ok. Or, if the primary key is
|
||||||
|
// marked as ok to encrypt to, then we can obviously use it.
|
||||||
|
//
|
||||||
|
// NOTE(maxtaco) - see note above, how this policy is a little too open-ended
|
||||||
|
// for my liking, but leave it for now.
|
||||||
|
i := e.primaryIdentity()
|
||||||
|
if (!i.SelfSignature.FlagsValid || i.SelfSignature.FlagEncryptCommunications) &&
|
||||||
|
e.PrimaryKey.PubKeyAlgo.CanEncrypt() &&
|
||||||
|
!i.SelfSignature.KeyExpired(now) {
|
||||||
|
return Key{e, e.PrimaryKey, e.PrivateKey, i.SelfSignature, i.SelfSignature.GetKeyFlags()}, true
|
||||||
|
}
|
||||||
|
|
||||||
|
// This Entity appears to be signing only.
|
||||||
|
return Key{}, false
|
||||||
|
}
|
||||||
|
|
||||||
|
// signingKey return the best candidate Key for signing a message with this
|
||||||
|
// Entity.
|
||||||
|
func (e *Entity) signingKey(now time.Time) (Key, bool) {
|
||||||
|
candidateSubkey := -1
|
||||||
|
|
||||||
|
for i, subkey := range e.Subkeys {
|
||||||
|
if (!subkey.Sig.FlagsValid || subkey.Sig.FlagSign) &&
|
||||||
|
subkey.PrivateKey.PrivateKey != nil &&
|
||||||
|
subkey.PublicKey.PubKeyAlgo.CanSign() &&
|
||||||
|
subkey.Revocation == nil &&
|
||||||
|
!subkey.Sig.KeyExpired(now) {
|
||||||
|
candidateSubkey = i
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if candidateSubkey != -1 {
|
||||||
|
subkey := e.Subkeys[candidateSubkey]
|
||||||
|
return Key{e, subkey.PublicKey, subkey.PrivateKey, subkey.Sig, subkey.Sig.GetKeyFlags()}, true
|
||||||
|
}
|
||||||
|
|
||||||
|
// If we have no candidate subkey then we assume that it's ok to sign
|
||||||
|
// with the primary key.
|
||||||
|
i := e.primaryIdentity()
|
||||||
|
if (!i.SelfSignature.FlagsValid || i.SelfSignature.FlagSign) &&
|
||||||
|
e.PrimaryKey.PubKeyAlgo.CanSign() &&
|
||||||
|
!i.SelfSignature.KeyExpired(now) &&
|
||||||
|
e.PrivateKey.PrivateKey != nil {
|
||||||
|
return Key{e, e.PrimaryKey, e.PrivateKey, i.SelfSignature, i.SelfSignature.GetKeyFlags()}, true
|
||||||
|
}
|
||||||
|
|
||||||
|
return Key{}, false
|
||||||
|
}
|
||||||
|
|
||||||
|
// An EntityList contains one or more Entities.
|
||||||
|
type EntityList []*Entity
|
||||||
|
|
||||||
|
func keyMatchesIdAndFingerprint(key *packet.PublicKey, id uint64, fp []byte) bool {
|
||||||
|
if key.KeyId != id {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
if fp == nil {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
return hmac.Equal(fp, key.Fingerprint[:])
|
||||||
|
}
|
||||||
|
|
||||||
|
// KeysById returns the set of keys that have the given key id.
|
||||||
|
// fp can be optionally supplied, which is the full key fingerprint.
|
||||||
|
// If it's provided, then it must match. This comes up in the case
|
||||||
|
// of GPG subpacket 33.
|
||||||
|
func (el EntityList) KeysById(id uint64, fp []byte) (keys []Key) {
|
||||||
|
for _, e := range el {
|
||||||
|
if keyMatchesIdAndFingerprint(e.PrimaryKey, id, fp) {
|
||||||
|
var selfSig *packet.Signature
|
||||||
|
for _, ident := range e.Identities {
|
||||||
|
if selfSig == nil {
|
||||||
|
selfSig = ident.SelfSignature
|
||||||
|
} else if ident.SelfSignature.IsPrimaryId != nil && *ident.SelfSignature.IsPrimaryId {
|
||||||
|
selfSig = ident.SelfSignature
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
var keyFlags packet.KeyFlagBits
|
||||||
|
for _, ident := range e.Identities {
|
||||||
|
keyFlags.Merge(ident.SelfSignature.GetKeyFlags())
|
||||||
|
}
|
||||||
|
|
||||||
|
keys = append(keys, Key{e, e.PrimaryKey, e.PrivateKey, selfSig, keyFlags})
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, subKey := range e.Subkeys {
|
||||||
|
if keyMatchesIdAndFingerprint(subKey.PublicKey, id, fp) {
|
||||||
|
|
||||||
|
// If there's both a a revocation and a sig, then take the
|
||||||
|
// revocation. Otherwise, we can proceed with the sig.
|
||||||
|
sig := subKey.Revocation
|
||||||
|
if sig == nil {
|
||||||
|
sig = subKey.Sig
|
||||||
|
}
|
||||||
|
|
||||||
|
keys = append(keys, Key{e, subKey.PublicKey, subKey.PrivateKey, sig, sig.GetKeyFlags()})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// KeysByIdAndUsage returns the set of keys with the given id that also meet
|
||||||
|
// the key usage given by requiredUsage. The requiredUsage is expressed as
|
||||||
|
// the bitwise-OR of packet.KeyFlag* values.
|
||||||
|
// fp can be optionally supplied, which is the full key fingerprint.
|
||||||
|
// If it's provided, then it must match. This comes up in the case
|
||||||
|
// of GPG subpacket 33.
|
||||||
|
func (el EntityList) KeysByIdUsage(id uint64, fp []byte, requiredUsage byte) (keys []Key) {
|
||||||
|
for _, key := range el.KeysById(id, fp) {
|
||||||
|
if len(key.Entity.Revocations) > 0 {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
if key.SelfSignature.RevocationReason != nil {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
if requiredUsage != 0 {
|
||||||
|
var usage byte
|
||||||
|
|
||||||
|
switch {
|
||||||
|
case key.KeyFlags.Valid:
|
||||||
|
usage = key.KeyFlags.BitField
|
||||||
|
|
||||||
|
case key.PublicKey.PubKeyAlgo == packet.PubKeyAlgoElGamal:
|
||||||
|
// We also need to handle the case where, although the sig's
|
||||||
|
// flags aren't valid, the key can is implicitly usable for
|
||||||
|
// encryption by virtue of being ElGamal. See also the comment
|
||||||
|
// in encryptionKey() above.
|
||||||
|
usage |= packet.KeyFlagEncryptCommunications
|
||||||
|
usage |= packet.KeyFlagEncryptStorage
|
||||||
|
|
||||||
|
case key.PublicKey.PubKeyAlgo == packet.PubKeyAlgoDSA ||
|
||||||
|
key.PublicKey.PubKeyAlgo == packet.PubKeyAlgoECDSA ||
|
||||||
|
key.PublicKey.PubKeyAlgo == packet.PubKeyAlgoEdDSA:
|
||||||
|
usage |= packet.KeyFlagSign
|
||||||
|
|
||||||
|
// For a primary RSA key without any key flags, be as permissiable
|
||||||
|
// as possible.
|
||||||
|
case key.PublicKey.PubKeyAlgo == packet.PubKeyAlgoRSA &&
|
||||||
|
keyMatchesIdAndFingerprint(key.Entity.PrimaryKey, id, fp):
|
||||||
|
usage = (packet.KeyFlagCertify | packet.KeyFlagSign |
|
||||||
|
packet.KeyFlagEncryptCommunications | packet.KeyFlagEncryptStorage)
|
||||||
|
}
|
||||||
|
|
||||||
|
if usage&requiredUsage != requiredUsage {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
keys = append(keys, key)
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// DecryptionKeys returns all private keys that are valid for decryption.
|
||||||
|
func (el EntityList) DecryptionKeys() (keys []Key) {
|
||||||
|
for _, e := range el {
|
||||||
|
for _, subKey := range e.Subkeys {
|
||||||
|
if subKey.PrivateKey != nil && subKey.PrivateKey.PrivateKey != nil && (!subKey.Sig.FlagsValid || subKey.Sig.FlagEncryptStorage || subKey.Sig.FlagEncryptCommunications) {
|
||||||
|
keys = append(keys, Key{e, subKey.PublicKey, subKey.PrivateKey, subKey.Sig, subKey.Sig.GetKeyFlags()})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// ReadArmoredKeyRing reads one or more public/private keys from an armor keyring file.
|
||||||
|
func ReadArmoredKeyRing(r io.Reader) (EntityList, error) {
|
||||||
|
block, err := armor.Decode(r)
|
||||||
|
if err == io.EOF {
|
||||||
|
return nil, errors.InvalidArgumentError("no armored data found")
|
||||||
|
}
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
if block.Type != PublicKeyType && block.Type != PrivateKeyType {
|
||||||
|
return nil, errors.InvalidArgumentError("expected public or private key block, got: " + block.Type)
|
||||||
|
}
|
||||||
|
|
||||||
|
return ReadKeyRing(block.Body)
|
||||||
|
}
|
||||||
|
|
||||||
|
// ReadKeyRing reads one or more public/private keys. Unsupported keys are
|
||||||
|
// ignored as long as at least a single valid key is found.
|
||||||
|
func ReadKeyRing(r io.Reader) (el EntityList, err error) {
|
||||||
|
packets := packet.NewReader(r)
|
||||||
|
var lastUnsupportedError error
|
||||||
|
|
||||||
|
for {
|
||||||
|
var e *Entity
|
||||||
|
e, err = ReadEntity(packets)
|
||||||
|
if err != nil {
|
||||||
|
// TODO: warn about skipped unsupported/unreadable keys
|
||||||
|
if _, ok := err.(errors.UnsupportedError); ok {
|
||||||
|
lastUnsupportedError = err
|
||||||
|
err = readToNextPublicKey(packets)
|
||||||
|
} else if _, ok := err.(errors.StructuralError); ok {
|
||||||
|
// Skip unreadable, badly-formatted keys
|
||||||
|
lastUnsupportedError = err
|
||||||
|
err = readToNextPublicKey(packets)
|
||||||
|
}
|
||||||
|
if err == io.EOF {
|
||||||
|
err = nil
|
||||||
|
break
|
||||||
|
}
|
||||||
|
if err != nil {
|
||||||
|
el = nil
|
||||||
|
break
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
el = append(el, e)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(el) == 0 && err == nil {
|
||||||
|
err = lastUnsupportedError
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// readToNextPublicKey reads packets until the start of the entity and leaves
|
||||||
|
// the first packet of the new entity in the Reader.
|
||||||
|
func readToNextPublicKey(packets *packet.Reader) (err error) {
|
||||||
|
var p packet.Packet
|
||||||
|
for {
|
||||||
|
p, err = packets.Next()
|
||||||
|
if err == io.EOF {
|
||||||
|
return
|
||||||
|
} else if err != nil {
|
||||||
|
if _, ok := err.(errors.UnsupportedError); ok {
|
||||||
|
err = nil
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
if pk, ok := p.(*packet.PublicKey); ok && !pk.IsSubkey {
|
||||||
|
packets.Unread(p)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
panic("unreachable")
|
||||||
|
}
|
||||||
|
|
||||||
|
// ReadEntity reads an entity (public key, identities, subkeys etc) from the
|
||||||
|
// given Reader.
|
||||||
|
func ReadEntity(packets *packet.Reader) (*Entity, error) {
|
||||||
|
e := new(Entity)
|
||||||
|
e.Identities = make(map[string]*Identity)
|
||||||
|
|
||||||
|
p, err := packets.Next()
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
var ok bool
|
||||||
|
if e.PrimaryKey, ok = p.(*packet.PublicKey); !ok {
|
||||||
|
if e.PrivateKey, ok = p.(*packet.PrivateKey); !ok {
|
||||||
|
packets.Unread(p)
|
||||||
|
return nil, errors.StructuralError("first packet was not a public/private key")
|
||||||
|
} else {
|
||||||
|
e.PrimaryKey = &e.PrivateKey.PublicKey
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if !e.PrimaryKey.PubKeyAlgo.CanSign() {
|
||||||
|
return nil, errors.StructuralError("primary key cannot be used for signatures")
|
||||||
|
}
|
||||||
|
|
||||||
|
var current *Identity
|
||||||
|
var revocations []*packet.Signature
|
||||||
|
|
||||||
|
designatedRevokers := make(map[uint64]bool)
|
||||||
|
EachPacket:
|
||||||
|
for {
|
||||||
|
p, err := packets.Next()
|
||||||
|
if err == io.EOF {
|
||||||
|
break
|
||||||
|
} else if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
switch pkt := p.(type) {
|
||||||
|
case *packet.UserId:
|
||||||
|
|
||||||
|
// Make a new Identity object, that we might wind up throwing away.
|
||||||
|
// We'll only add it if we get a valid self-signature over this
|
||||||
|
// userID.
|
||||||
|
current = new(Identity)
|
||||||
|
current.Name = pkt.Id
|
||||||
|
current.UserId = pkt
|
||||||
|
case *packet.Signature:
|
||||||
|
if pkt.SigType == packet.SigTypeKeyRevocation {
|
||||||
|
// These revocations won't revoke UIDs (see
|
||||||
|
// SigTypeIdentityRevocation). Handle these first,
|
||||||
|
// because key might have revocation coming from
|
||||||
|
// another key (designated revoke).
|
||||||
|
revocations = append(revocations, pkt)
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
// These are signatures by other people on this key. Let's just ignore them
|
||||||
|
// from the beginning, since they shouldn't affect our key decoding one way
|
||||||
|
// or the other.
|
||||||
|
if pkt.IssuerKeyId != nil && *pkt.IssuerKeyId != e.PrimaryKey.KeyId {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
// If this is a signature made by the keyholder, and the signature has stubbed out
|
||||||
|
// critical packets, then *now* we need to bail out.
|
||||||
|
if e := pkt.StubbedOutCriticalError; e != nil {
|
||||||
|
return nil, e
|
||||||
|
}
|
||||||
|
|
||||||
|
// Next handle the case of a self-signature. According to RFC8440,
|
||||||
|
// Section 5.2.3.3, if there are several self-signatures,
|
||||||
|
// we should take the newer one. If they were both created
|
||||||
|
// at the same time, but one of them has keyflags specified and the
|
||||||
|
// other doesn't, keep the one with the keyflags. We have actually
|
||||||
|
// seen this in the wild (see the 'Yield' test in read_test.go).
|
||||||
|
// If there is a tie, and both have the same value for FlagsValid,
|
||||||
|
// then "last writer wins."
|
||||||
|
//
|
||||||
|
// HOWEVER! We have seen yet more keys in the wild (see the 'Spiros'
|
||||||
|
// test in read_test.go), in which the later self-signature is a bunch
|
||||||
|
// of junk, and doesn't even specify key flags. Does it really make
|
||||||
|
// sense to overwrite reasonable key flags with the empty set? I'm not
|
||||||
|
// sure what that would be trying to achieve, and plus GPG seems to be
|
||||||
|
// ok with this situation, and ignores the later (empty) keyflag set.
|
||||||
|
// So further tighten our overwrite rules, and only allow the later
|
||||||
|
// signature to overwrite the earlier signature if so doing won't
|
||||||
|
// trash the key flags.
|
||||||
|
if current != nil &&
|
||||||
|
(current.SelfSignature == nil ||
|
||||||
|
(!pkt.CreationTime.Before(current.SelfSignature.CreationTime) &&
|
||||||
|
(pkt.FlagsValid || !current.SelfSignature.FlagsValid))) &&
|
||||||
|
(pkt.SigType == packet.SigTypePositiveCert || pkt.SigType == packet.SigTypeGenericCert) &&
|
||||||
|
pkt.IssuerKeyId != nil &&
|
||||||
|
*pkt.IssuerKeyId == e.PrimaryKey.KeyId {
|
||||||
|
|
||||||
|
if err = e.PrimaryKey.VerifyUserIdSignature(current.Name, e.PrimaryKey, pkt); err == nil {
|
||||||
|
|
||||||
|
current.SelfSignature = pkt
|
||||||
|
|
||||||
|
// NOTE(maxtaco) 2016.01.11
|
||||||
|
// Only register an identity once we've gotten a valid self-signature.
|
||||||
|
// It's possible therefore for us to throw away `current` in the case
|
||||||
|
// no valid self-signatures were found. That's OK as long as there are
|
||||||
|
// other identies that make sense.
|
||||||
|
//
|
||||||
|
// NOTE! We might later see a revocation for this very same UID, and it
|
||||||
|
// won't be undone. We've preserved this feature from the original
|
||||||
|
// Google OpenPGP we forked from.
|
||||||
|
e.Identities[current.Name] = current
|
||||||
|
} else {
|
||||||
|
// We really should warn that there was a failure here. Not raise an error
|
||||||
|
// since this really shouldn't be a fail-stop error.
|
||||||
|
}
|
||||||
|
} else if current != nil && pkt.SigType == packet.SigTypeIdentityRevocation {
|
||||||
|
if err = e.PrimaryKey.VerifyUserIdSignature(current.Name, e.PrimaryKey, pkt); err == nil {
|
||||||
|
// Note: we are not removing the identity from
|
||||||
|
// e.Identities. Caller can always filter by Revocation
|
||||||
|
// field to ignore revoked identities.
|
||||||
|
current.Revocation = pkt
|
||||||
|
}
|
||||||
|
} else if pkt.SigType == packet.SigTypeDirectSignature {
|
||||||
|
if err = e.PrimaryKey.VerifyRevocationSignature(e.PrimaryKey, pkt); err == nil {
|
||||||
|
if desig := pkt.DesignatedRevoker; desig != nil {
|
||||||
|
// If it's a designated revoker signature, take last 8 octects
|
||||||
|
// of fingerprint as Key ID and save it to designatedRevokers
|
||||||
|
// map. We consult this map later to see if a foreign
|
||||||
|
// revocation should be added to UnverifiedRevocations.
|
||||||
|
keyID := binary.BigEndian.Uint64(desig.Fingerprint[len(desig.Fingerprint)-8:])
|
||||||
|
designatedRevokers[keyID] = true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} else if current == nil {
|
||||||
|
// NOTE(maxtaco)
|
||||||
|
//
|
||||||
|
// See https://github.com/keybase/client/issues/2666
|
||||||
|
//
|
||||||
|
// There might have been a user attribute picture before this signature,
|
||||||
|
// in which case this is still a valid PGP key. In the future we might
|
||||||
|
// not ignore user attributes (like picture). But either way, it doesn't
|
||||||
|
// make sense to bail out here. Keep looking for other valid signatures.
|
||||||
|
//
|
||||||
|
// Used to be:
|
||||||
|
// return nil, errors.StructuralError("signature packet found before user id packet")
|
||||||
|
} else {
|
||||||
|
current.Signatures = append(current.Signatures, pkt)
|
||||||
|
}
|
||||||
|
case *packet.PrivateKey:
|
||||||
|
if pkt.IsSubkey == false {
|
||||||
|
packets.Unread(p)
|
||||||
|
break EachPacket
|
||||||
|
}
|
||||||
|
err = addSubkey(e, packets, &pkt.PublicKey, pkt)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
case *packet.PublicKey:
|
||||||
|
if pkt.IsSubkey == false {
|
||||||
|
packets.Unread(p)
|
||||||
|
break EachPacket
|
||||||
|
}
|
||||||
|
err = addSubkey(e, packets, pkt, nil)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
default:
|
||||||
|
// we ignore unknown packets
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(e.Identities) == 0 {
|
||||||
|
return nil, errors.StructuralError("entity without any identities")
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, revocation := range revocations {
|
||||||
|
if revocation.IssuerKeyId == nil || *revocation.IssuerKeyId == e.PrimaryKey.KeyId {
|
||||||
|
// Key revokes itself, something that we can verify.
|
||||||
|
err = e.PrimaryKey.VerifyRevocationSignature(e.PrimaryKey, revocation)
|
||||||
|
if err == nil {
|
||||||
|
e.Revocations = append(e.Revocations, revocation)
|
||||||
|
} else {
|
||||||
|
return nil, errors.StructuralError("revocation signature signed by alternate key")
|
||||||
|
}
|
||||||
|
} else if revocation.IssuerKeyId != nil {
|
||||||
|
if _, ok := designatedRevokers[*revocation.IssuerKeyId]; ok {
|
||||||
|
// Revocation is done by certified designated revoker,
|
||||||
|
// but we can't verify the revocation.
|
||||||
|
e.UnverifiedRevocations = append(e.UnverifiedRevocations, revocation)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return e, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func addSubkey(e *Entity, packets *packet.Reader, pub *packet.PublicKey, priv *packet.PrivateKey) error {
|
||||||
|
var subKey Subkey
|
||||||
|
subKey.PublicKey = pub
|
||||||
|
subKey.PrivateKey = priv
|
||||||
|
var lastErr error
|
||||||
|
for {
|
||||||
|
p, err := packets.Next()
|
||||||
|
if err == io.EOF {
|
||||||
|
break
|
||||||
|
}
|
||||||
|
if err != nil {
|
||||||
|
return errors.StructuralError("subkey signature invalid: " + err.Error())
|
||||||
|
}
|
||||||
|
sig, ok := p.(*packet.Signature)
|
||||||
|
if !ok {
|
||||||
|
// Hit a non-signature packet, so assume we're up to the next key
|
||||||
|
packets.Unread(p)
|
||||||
|
break
|
||||||
|
}
|
||||||
|
if st := sig.SigType; st != packet.SigTypeSubkeyBinding && st != packet.SigTypeSubkeyRevocation {
|
||||||
|
|
||||||
|
// Note(maxtaco):
|
||||||
|
// We used to error out here, but instead, let's fast-forward past
|
||||||
|
// packets that are in the wrong place (like misplaced 0x13 signatures)
|
||||||
|
// until we get to one that works. For a test case,
|
||||||
|
// see TestWithBadSubkeySignaturePackets.
|
||||||
|
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
err = e.PrimaryKey.VerifyKeySignature(subKey.PublicKey, sig)
|
||||||
|
if err != nil {
|
||||||
|
// Non valid signature, so again, no need to abandon all hope, just continue;
|
||||||
|
// make a note of the error we hit.
|
||||||
|
lastErr = errors.StructuralError("subkey signature invalid: " + err.Error())
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
switch sig.SigType {
|
||||||
|
case packet.SigTypeSubkeyBinding:
|
||||||
|
// Does the "new" sig set expiration to later date than
|
||||||
|
// "previous" sig?
|
||||||
|
if subKey.Sig == nil || subKey.Sig.ExpiresBeforeOther(sig) {
|
||||||
|
subKey.Sig = sig
|
||||||
|
}
|
||||||
|
case packet.SigTypeSubkeyRevocation:
|
||||||
|
// First writer wins
|
||||||
|
if subKey.Revocation == nil {
|
||||||
|
subKey.Revocation = sig
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if subKey.Sig != nil {
|
||||||
|
e.Subkeys = append(e.Subkeys, subKey)
|
||||||
|
} else {
|
||||||
|
if lastErr == nil {
|
||||||
|
lastErr = errors.StructuralError("Subkey wasn't signed; expected a 'binding' signature")
|
||||||
|
}
|
||||||
|
e.BadSubkeys = append(e.BadSubkeys, BadSubkey{Subkey: subKey, Err: lastErr})
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
const defaultRSAKeyBits = 2048
|
||||||
|
|
||||||
|
// NewEntity returns an Entity that contains a fresh RSA/RSA keypair with a
|
||||||
|
// single identity composed of the given full name, comment and email, any of
|
||||||
|
// which may be empty but must not contain any of "()<>\x00".
|
||||||
|
// If config is nil, sensible defaults will be used.
|
||||||
|
func NewEntity(name, comment, email string, config *packet.Config) (*Entity, error) {
|
||||||
|
currentTime := config.Now()
|
||||||
|
|
||||||
|
bits := defaultRSAKeyBits
|
||||||
|
if config != nil && config.RSABits != 0 {
|
||||||
|
bits = config.RSABits
|
||||||
|
}
|
||||||
|
|
||||||
|
uid := packet.NewUserId(name, comment, email)
|
||||||
|
if uid == nil {
|
||||||
|
return nil, errors.InvalidArgumentError("user id field contained invalid characters")
|
||||||
|
}
|
||||||
|
signingPriv, err := rsa.GenerateKey(config.Random(), bits)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
encryptingPriv, err := rsa.GenerateKey(config.Random(), bits)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
e := &Entity{
|
||||||
|
PrimaryKey: packet.NewRSAPublicKey(currentTime, &signingPriv.PublicKey),
|
||||||
|
PrivateKey: packet.NewRSAPrivateKey(currentTime, signingPriv),
|
||||||
|
Identities: make(map[string]*Identity),
|
||||||
|
}
|
||||||
|
isPrimaryId := true
|
||||||
|
e.Identities[uid.Id] = &Identity{
|
||||||
|
Name: uid.Name,
|
||||||
|
UserId: uid,
|
||||||
|
SelfSignature: &packet.Signature{
|
||||||
|
CreationTime: currentTime,
|
||||||
|
SigType: packet.SigTypePositiveCert,
|
||||||
|
PubKeyAlgo: packet.PubKeyAlgoRSA,
|
||||||
|
Hash: config.Hash(),
|
||||||
|
IsPrimaryId: &isPrimaryId,
|
||||||
|
FlagsValid: true,
|
||||||
|
FlagSign: true,
|
||||||
|
FlagCertify: true,
|
||||||
|
IssuerKeyId: &e.PrimaryKey.KeyId,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
e.Subkeys = make([]Subkey, 1)
|
||||||
|
e.Subkeys[0] = Subkey{
|
||||||
|
PublicKey: packet.NewRSAPublicKey(currentTime, &encryptingPriv.PublicKey),
|
||||||
|
PrivateKey: packet.NewRSAPrivateKey(currentTime, encryptingPriv),
|
||||||
|
Sig: &packet.Signature{
|
||||||
|
CreationTime: currentTime,
|
||||||
|
SigType: packet.SigTypeSubkeyBinding,
|
||||||
|
PubKeyAlgo: packet.PubKeyAlgoRSA,
|
||||||
|
Hash: config.Hash(),
|
||||||
|
FlagsValid: true,
|
||||||
|
FlagEncryptStorage: true,
|
||||||
|
FlagEncryptCommunications: true,
|
||||||
|
IssuerKeyId: &e.PrimaryKey.KeyId,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
e.Subkeys[0].PublicKey.IsSubkey = true
|
||||||
|
e.Subkeys[0].PrivateKey.IsSubkey = true
|
||||||
|
|
||||||
|
return e, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// SerializePrivate serializes an Entity, including private key material, to
|
||||||
|
// the given Writer. For now, it must only be used on an Entity returned from
|
||||||
|
// NewEntity.
|
||||||
|
// If config is nil, sensible defaults will be used.
|
||||||
|
func (e *Entity) SerializePrivate(w io.Writer, config *packet.Config) (err error) {
|
||||||
|
err = e.PrivateKey.Serialize(w)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
for _, ident := range e.Identities {
|
||||||
|
err = ident.UserId.Serialize(w)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if e.PrivateKey.PrivateKey != nil {
|
||||||
|
err = ident.SelfSignature.SignUserId(ident.UserId.Id, e.PrimaryKey, e.PrivateKey, config)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
err = ident.SelfSignature.Serialize(w)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
for _, subkey := range e.Subkeys {
|
||||||
|
err = subkey.PrivateKey.Serialize(w)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
// Workaround shortcoming of SignKey(), which doesn't work to reverse-sign
|
||||||
|
// sub-signing keys. So if requested, just reuse the signatures already
|
||||||
|
// available to us (if we read this key from a keyring).
|
||||||
|
if e.PrivateKey.PrivateKey != nil && !config.ReuseSignatures() {
|
||||||
|
err = subkey.Sig.SignKey(subkey.PublicKey, e.PrivateKey, config)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if subkey.Revocation != nil {
|
||||||
|
err = subkey.Revocation.Serialize(w)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
err = subkey.Sig.Serialize(w)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Serialize writes the public part of the given Entity to w. (No private
|
||||||
|
// key material will be output).
|
||||||
|
func (e *Entity) Serialize(w io.Writer) error {
|
||||||
|
err := e.PrimaryKey.Serialize(w)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
for _, ident := range e.Identities {
|
||||||
|
err = ident.UserId.Serialize(w)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
err = ident.SelfSignature.Serialize(w)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
for _, sig := range ident.Signatures {
|
||||||
|
err = sig.Serialize(w)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
for _, subkey := range e.Subkeys {
|
||||||
|
err = subkey.PublicKey.Serialize(w)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
if subkey.Revocation != nil {
|
||||||
|
err = subkey.Revocation.Serialize(w)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
err = subkey.Sig.Serialize(w)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// SignIdentity adds a signature to e, from signer, attesting that identity is
|
||||||
|
// associated with e. The provided identity must already be an element of
|
||||||
|
// e.Identities and the private key of signer must have been decrypted if
|
||||||
|
// necessary.
|
||||||
|
// If config is nil, sensible defaults will be used.
|
||||||
|
func (e *Entity) SignIdentity(identity string, signer *Entity, config *packet.Config) error {
|
||||||
|
if signer.PrivateKey == nil {
|
||||||
|
return errors.InvalidArgumentError("signing Entity must have a private key")
|
||||||
|
}
|
||||||
|
if signer.PrivateKey.Encrypted {
|
||||||
|
return errors.InvalidArgumentError("signing Entity's private key must be decrypted")
|
||||||
|
}
|
||||||
|
ident, ok := e.Identities[identity]
|
||||||
|
if !ok {
|
||||||
|
return errors.InvalidArgumentError("given identity string not found in Entity")
|
||||||
|
}
|
||||||
|
|
||||||
|
sig := &packet.Signature{
|
||||||
|
SigType: packet.SigTypeGenericCert,
|
||||||
|
PubKeyAlgo: signer.PrivateKey.PubKeyAlgo,
|
||||||
|
Hash: config.Hash(),
|
||||||
|
CreationTime: config.Now(),
|
||||||
|
IssuerKeyId: &signer.PrivateKey.KeyId,
|
||||||
|
}
|
||||||
|
if err := sig.SignUserId(identity, e.PrimaryKey, signer.PrivateKey, config); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
ident.Signatures = append(ident.Signatures, sig)
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// CopySubkeyRevocations copies subkey revocations from the src Entity over
|
||||||
|
// to the receiver entity. We need this because `gpg --export-secret-key` does
|
||||||
|
// not appear to output subkey revocations. In this case we need to manually
|
||||||
|
// merge with the output of `gpg --export`.
|
||||||
|
func (e *Entity) CopySubkeyRevocations(src *Entity) {
|
||||||
|
m := make(map[[20]byte]*packet.Signature)
|
||||||
|
for _, subkey := range src.Subkeys {
|
||||||
|
if subkey.Revocation != nil {
|
||||||
|
m[subkey.PublicKey.Fingerprint] = subkey.Revocation
|
||||||
|
}
|
||||||
|
}
|
||||||
|
for i, subkey := range e.Subkeys {
|
||||||
|
if r := m[subkey.PublicKey.Fingerprint]; r != nil {
|
||||||
|
e.Subkeys[i].Revocation = r
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// CheckDesignatedRevokers will try to confirm any of designated
|
||||||
|
// revocation of entity. For this function to work, revocation
|
||||||
|
// issuer's key should be found in keyring. First successfully
|
||||||
|
// verified designated revocation is returned along with the key that
|
||||||
|
// verified it.
|
||||||
|
func FindVerifiedDesignatedRevoke(keyring KeyRing, entity *Entity) (*packet.Signature, *Key) {
|
||||||
|
for _, sig := range entity.UnverifiedRevocations {
|
||||||
|
if sig.IssuerKeyId == nil {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
issuerKeyId := *sig.IssuerKeyId
|
||||||
|
issuerFingerprint := sig.IssuerFingerprint
|
||||||
|
keys := keyring.KeysByIdUsage(issuerKeyId, issuerFingerprint, packet.KeyFlagSign)
|
||||||
|
if len(keys) == 0 {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
for _, key := range keys {
|
||||||
|
err := key.PublicKey.VerifyRevocationSignature(entity.PrimaryKey, sig)
|
||||||
|
if err == nil {
|
||||||
|
return sig, &key
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil, nil
|
||||||
|
}
|
124
vendor/github.com/keybase/go-crypto/openpgp/packet/compressed.go
generated
vendored
Normal file
124
vendor/github.com/keybase/go-crypto/openpgp/packet/compressed.go
generated
vendored
Normal file
@ -0,0 +1,124 @@
|
|||||||
|
// Copyright 2011 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package packet
|
||||||
|
|
||||||
|
import (
|
||||||
|
"compress/bzip2"
|
||||||
|
"compress/flate"
|
||||||
|
"compress/zlib"
|
||||||
|
"io"
|
||||||
|
"strconv"
|
||||||
|
|
||||||
|
"github.com/keybase/go-crypto/openpgp/errors"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Compressed represents a compressed OpenPGP packet. The decompressed contents
|
||||||
|
// will contain more OpenPGP packets. See RFC 4880, section 5.6.
|
||||||
|
type Compressed struct {
|
||||||
|
Body io.Reader
|
||||||
|
}
|
||||||
|
|
||||||
|
const (
|
||||||
|
NoCompression = flate.NoCompression
|
||||||
|
BestSpeed = flate.BestSpeed
|
||||||
|
BestCompression = flate.BestCompression
|
||||||
|
DefaultCompression = flate.DefaultCompression
|
||||||
|
)
|
||||||
|
|
||||||
|
// CompressionConfig contains compressor configuration settings.
|
||||||
|
type CompressionConfig struct {
|
||||||
|
// Level is the compression level to use. It must be set to
|
||||||
|
// between -1 and 9, with -1 causing the compressor to use the
|
||||||
|
// default compression level, 0 causing the compressor to use
|
||||||
|
// no compression and 1 to 9 representing increasing (better,
|
||||||
|
// slower) compression levels. If Level is less than -1 or
|
||||||
|
// more then 9, a non-nil error will be returned during
|
||||||
|
// encryption. See the constants above for convenient common
|
||||||
|
// settings for Level.
|
||||||
|
Level int
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *Compressed) parse(r io.Reader) error {
|
||||||
|
var buf [1]byte
|
||||||
|
_, err := readFull(r, buf[:])
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
switch buf[0] {
|
||||||
|
case 1:
|
||||||
|
c.Body = flate.NewReader(r)
|
||||||
|
case 2:
|
||||||
|
c.Body, err = zlib.NewReader(r)
|
||||||
|
case 3:
|
||||||
|
c.Body = bzip2.NewReader(r)
|
||||||
|
default:
|
||||||
|
err = errors.UnsupportedError("unknown compression algorithm: " + strconv.Itoa(int(buf[0])))
|
||||||
|
}
|
||||||
|
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
// compressedWriterCloser represents the serialized compression stream
|
||||||
|
// header and the compressor. Its Close() method ensures that both the
|
||||||
|
// compressor and serialized stream header are closed. Its Write()
|
||||||
|
// method writes to the compressor.
|
||||||
|
type compressedWriteCloser struct {
|
||||||
|
sh io.Closer // Stream Header
|
||||||
|
c io.WriteCloser // Compressor
|
||||||
|
}
|
||||||
|
|
||||||
|
func (cwc compressedWriteCloser) Write(p []byte) (int, error) {
|
||||||
|
return cwc.c.Write(p)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (cwc compressedWriteCloser) Close() (err error) {
|
||||||
|
err = cwc.c.Close()
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
return cwc.sh.Close()
|
||||||
|
}
|
||||||
|
|
||||||
|
// SerializeCompressed serializes a compressed data packet to w and
|
||||||
|
// returns a WriteCloser to which the literal data packets themselves
|
||||||
|
// can be written and which MUST be closed on completion. If cc is
|
||||||
|
// nil, sensible defaults will be used to configure the compression
|
||||||
|
// algorithm.
|
||||||
|
func SerializeCompressed(w io.WriteCloser, algo CompressionAlgo, cc *CompressionConfig) (literaldata io.WriteCloser, err error) {
|
||||||
|
compressed, err := serializeStreamHeader(w, packetTypeCompressed)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
_, err = compressed.Write([]byte{uint8(algo)})
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
level := DefaultCompression
|
||||||
|
if cc != nil {
|
||||||
|
level = cc.Level
|
||||||
|
}
|
||||||
|
|
||||||
|
var compressor io.WriteCloser
|
||||||
|
switch algo {
|
||||||
|
case CompressionZIP:
|
||||||
|
compressor, err = flate.NewWriter(compressed, level)
|
||||||
|
case CompressionZLIB:
|
||||||
|
compressor, err = zlib.NewWriterLevel(compressed, level)
|
||||||
|
default:
|
||||||
|
s := strconv.Itoa(int(algo))
|
||||||
|
err = errors.UnsupportedError("Unsupported compression algorithm: " + s)
|
||||||
|
}
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
literaldata = compressedWriteCloser{compressed, compressor}
|
||||||
|
|
||||||
|
return
|
||||||
|
}
|
98
vendor/github.com/keybase/go-crypto/openpgp/packet/config.go
generated
vendored
Normal file
98
vendor/github.com/keybase/go-crypto/openpgp/packet/config.go
generated
vendored
Normal file
@ -0,0 +1,98 @@
|
|||||||
|
// Copyright 2012 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package packet
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto"
|
||||||
|
"crypto/rand"
|
||||||
|
"io"
|
||||||
|
"time"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Config collects a number of parameters along with sensible defaults.
|
||||||
|
// A nil *Config is valid and results in all default values.
|
||||||
|
type Config struct {
|
||||||
|
// Rand provides the source of entropy.
|
||||||
|
// If nil, the crypto/rand Reader is used.
|
||||||
|
Rand io.Reader
|
||||||
|
// DefaultHash is the default hash function to be used.
|
||||||
|
// If zero, SHA-256 is used.
|
||||||
|
DefaultHash crypto.Hash
|
||||||
|
// DefaultCipher is the cipher to be used.
|
||||||
|
// If zero, AES-128 is used.
|
||||||
|
DefaultCipher CipherFunction
|
||||||
|
// Time returns the current time as the number of seconds since the
|
||||||
|
// epoch. If Time is nil, time.Now is used.
|
||||||
|
Time func() time.Time
|
||||||
|
// DefaultCompressionAlgo is the compression algorithm to be
|
||||||
|
// applied to the plaintext before encryption. If zero, no
|
||||||
|
// compression is done.
|
||||||
|
DefaultCompressionAlgo CompressionAlgo
|
||||||
|
// CompressionConfig configures the compression settings.
|
||||||
|
CompressionConfig *CompressionConfig
|
||||||
|
// S2KCount is only used for symmetric encryption. It
|
||||||
|
// determines the strength of the passphrase stretching when
|
||||||
|
// the said passphrase is hashed to produce a key. S2KCount
|
||||||
|
// should be between 1024 and 65011712, inclusive. If Config
|
||||||
|
// is nil or S2KCount is 0, the value 65536 used. Not all
|
||||||
|
// values in the above range can be represented. S2KCount will
|
||||||
|
// be rounded up to the next representable value if it cannot
|
||||||
|
// be encoded exactly. When set, it is strongly encrouraged to
|
||||||
|
// use a value that is at least 65536. See RFC 4880 Section
|
||||||
|
// 3.7.1.3.
|
||||||
|
S2KCount int
|
||||||
|
// RSABits is the number of bits in new RSA keys made with NewEntity.
|
||||||
|
// If zero, then 2048 bit keys are created.
|
||||||
|
RSABits int
|
||||||
|
// ReuseSignatures tells us to reuse existing Signatures
|
||||||
|
// on serialized output.
|
||||||
|
ReuseSignaturesOnSerialize bool
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *Config) Random() io.Reader {
|
||||||
|
if c == nil || c.Rand == nil {
|
||||||
|
return rand.Reader
|
||||||
|
}
|
||||||
|
return c.Rand
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *Config) Hash() crypto.Hash {
|
||||||
|
if c == nil || uint(c.DefaultHash) == 0 {
|
||||||
|
return crypto.SHA256
|
||||||
|
}
|
||||||
|
return c.DefaultHash
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *Config) Cipher() CipherFunction {
|
||||||
|
if c == nil || uint8(c.DefaultCipher) == 0 {
|
||||||
|
return CipherAES128
|
||||||
|
}
|
||||||
|
return c.DefaultCipher
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *Config) Now() time.Time {
|
||||||
|
if c == nil || c.Time == nil {
|
||||||
|
return time.Now()
|
||||||
|
}
|
||||||
|
return c.Time()
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *Config) Compression() CompressionAlgo {
|
||||||
|
if c == nil {
|
||||||
|
return CompressionNone
|
||||||
|
}
|
||||||
|
return c.DefaultCompressionAlgo
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *Config) PasswordHashIterations() int {
|
||||||
|
if c == nil || c.S2KCount == 0 {
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
return c.S2KCount
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *Config) ReuseSignatures() bool {
|
||||||
|
return c != nil && c.ReuseSignaturesOnSerialize
|
||||||
|
}
|
104
vendor/github.com/keybase/go-crypto/openpgp/packet/ecdh.go
generated
vendored
Normal file
104
vendor/github.com/keybase/go-crypto/openpgp/packet/ecdh.go
generated
vendored
Normal file
@ -0,0 +1,104 @@
|
|||||||
|
package packet
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"io"
|
||||||
|
"math/big"
|
||||||
|
|
||||||
|
"github.com/keybase/go-crypto/openpgp/ecdh"
|
||||||
|
"github.com/keybase/go-crypto/openpgp/errors"
|
||||||
|
"github.com/keybase/go-crypto/openpgp/s2k"
|
||||||
|
)
|
||||||
|
|
||||||
|
// ECDHKdfParams generates KDF parameters sequence for given
|
||||||
|
// PublicKey. See https://tools.ietf.org/html/rfc6637#section-8
|
||||||
|
func ECDHKdfParams(pub *PublicKey) []byte {
|
||||||
|
buf := new(bytes.Buffer)
|
||||||
|
oid := pub.ec.oid
|
||||||
|
buf.WriteByte(byte(len(oid)))
|
||||||
|
buf.Write(oid)
|
||||||
|
buf.WriteByte(18) // ECDH TYPE
|
||||||
|
pub.ecdh.serialize(buf)
|
||||||
|
buf.WriteString("Anonymous Sender ")
|
||||||
|
buf.Write(pub.Fingerprint[:])
|
||||||
|
return buf.Bytes()
|
||||||
|
}
|
||||||
|
|
||||||
|
func decryptKeyECDH(priv *PrivateKey, X, Y *big.Int, C []byte) (out []byte, err error) {
|
||||||
|
ecdhpriv, ok := priv.PrivateKey.(*ecdh.PrivateKey)
|
||||||
|
if !ok {
|
||||||
|
return nil, errors.InvalidArgumentError("bad internal ECDH key")
|
||||||
|
}
|
||||||
|
|
||||||
|
Sx := ecdhpriv.DecryptShared(X, Y)
|
||||||
|
|
||||||
|
kdfParams := ECDHKdfParams(&priv.PublicKey)
|
||||||
|
hash, ok := s2k.HashIdToHash(byte(priv.ecdh.KdfHash))
|
||||||
|
if !ok {
|
||||||
|
return nil, errors.InvalidArgumentError("invalid hash id in private key")
|
||||||
|
}
|
||||||
|
|
||||||
|
key := ecdhpriv.KDF(Sx, kdfParams, hash)
|
||||||
|
keySize := CipherFunction(priv.ecdh.KdfAlgo).KeySize()
|
||||||
|
|
||||||
|
decrypted, err := ecdh.AESKeyUnwrap(key[:keySize], C)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// We have to "read ahead" to discover real length of the
|
||||||
|
// encryption key and properly unpad buffer.
|
||||||
|
cipherFunc := CipherFunction(decrypted[0])
|
||||||
|
// +3 bytes = 1-byte cipher id and checksum 2-byte checksum.
|
||||||
|
out = ecdh.UnpadBuffer(decrypted, cipherFunc.KeySize()+3)
|
||||||
|
if out == nil {
|
||||||
|
return nil, errors.InvalidArgumentError("invalid padding while ECDH")
|
||||||
|
}
|
||||||
|
return out, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func serializeEncryptedKeyECDH(w io.Writer, rand io.Reader, header [10]byte, pub *PublicKey, keyBlock []byte) error {
|
||||||
|
ecdhpub := pub.PublicKey.(*ecdh.PublicKey)
|
||||||
|
kdfParams := ECDHKdfParams(pub)
|
||||||
|
|
||||||
|
hash, ok := s2k.HashIdToHash(byte(pub.ecdh.KdfHash))
|
||||||
|
if !ok {
|
||||||
|
return errors.InvalidArgumentError("invalid hash id in private key")
|
||||||
|
}
|
||||||
|
|
||||||
|
kdfKeySize := CipherFunction(pub.ecdh.KdfAlgo).KeySize()
|
||||||
|
Vx, Vy, C, err := ecdhpub.Encrypt(rand, kdfParams, keyBlock, hash, kdfKeySize)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
mpis, mpiBitLen := ecdh.Marshal(ecdhpub.Curve, Vx, Vy)
|
||||||
|
|
||||||
|
packetLen := len(header) /* header length in bytes */
|
||||||
|
packetLen += 2 /* mpi length in bits */ + len(mpis)
|
||||||
|
packetLen += 1 /* ciphertext size in bytes */ + len(C)
|
||||||
|
|
||||||
|
err = serializeHeader(w, packetTypeEncryptedKey, packetLen)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
_, err = w.Write(header[:])
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
_, err = w.Write([]byte{byte(mpiBitLen >> 8), byte(mpiBitLen)})
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
_, err = w.Write(mpis[:])
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
w.Write([]byte{byte(len(C))})
|
||||||
|
w.Write(C[:])
|
||||||
|
return nil
|
||||||
|
}
|
226
vendor/github.com/keybase/go-crypto/openpgp/packet/encrypted_key.go
generated
vendored
Normal file
226
vendor/github.com/keybase/go-crypto/openpgp/packet/encrypted_key.go
generated
vendored
Normal file
@ -0,0 +1,226 @@
|
|||||||
|
// Copyright 2011 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package packet
|
||||||
|
|
||||||
|
import (
|
||||||
|
"encoding/binary"
|
||||||
|
"io"
|
||||||
|
"math/big"
|
||||||
|
"strconv"
|
||||||
|
|
||||||
|
"github.com/keybase/go-crypto/openpgp/ecdh"
|
||||||
|
"github.com/keybase/go-crypto/openpgp/elgamal"
|
||||||
|
"github.com/keybase/go-crypto/openpgp/errors"
|
||||||
|
"github.com/keybase/go-crypto/rsa"
|
||||||
|
)
|
||||||
|
|
||||||
|
const encryptedKeyVersion = 3
|
||||||
|
|
||||||
|
// EncryptedKey represents a public-key encrypted session key. See RFC 4880,
|
||||||
|
// section 5.1.
|
||||||
|
type EncryptedKey struct {
|
||||||
|
KeyId uint64
|
||||||
|
Algo PublicKeyAlgorithm
|
||||||
|
CipherFunc CipherFunction // only valid after a successful Decrypt
|
||||||
|
Key []byte // only valid after a successful Decrypt
|
||||||
|
|
||||||
|
encryptedMPI1, encryptedMPI2 parsedMPI
|
||||||
|
ecdh_C []byte
|
||||||
|
}
|
||||||
|
|
||||||
|
func (e *EncryptedKey) parse(r io.Reader) (err error) {
|
||||||
|
var buf [10]byte
|
||||||
|
_, err = readFull(r, buf[:])
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if buf[0] != encryptedKeyVersion {
|
||||||
|
return errors.UnsupportedError("unknown EncryptedKey version " + strconv.Itoa(int(buf[0])))
|
||||||
|
}
|
||||||
|
e.KeyId = binary.BigEndian.Uint64(buf[1:9])
|
||||||
|
e.Algo = PublicKeyAlgorithm(buf[9])
|
||||||
|
switch e.Algo {
|
||||||
|
case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly:
|
||||||
|
e.encryptedMPI1.bytes, e.encryptedMPI1.bitLength, err = readMPI(r)
|
||||||
|
case PubKeyAlgoElGamal:
|
||||||
|
e.encryptedMPI1.bytes, e.encryptedMPI1.bitLength, err = readMPI(r)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
e.encryptedMPI2.bytes, e.encryptedMPI2.bitLength, err = readMPI(r)
|
||||||
|
case PubKeyAlgoECDH:
|
||||||
|
e.encryptedMPI1.bytes, e.encryptedMPI1.bitLength, err = readMPI(r)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
_, err = readFull(r, buf[:1]) // read C len (1 byte)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
e.ecdh_C = make([]byte, int(buf[0]))
|
||||||
|
_, err = readFull(r, e.ecdh_C)
|
||||||
|
}
|
||||||
|
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
_, err = consumeAll(r)
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
func checksumKeyMaterial(key []byte) uint16 {
|
||||||
|
var checksum uint16
|
||||||
|
for _, v := range key {
|
||||||
|
checksum += uint16(v)
|
||||||
|
}
|
||||||
|
return checksum
|
||||||
|
}
|
||||||
|
|
||||||
|
// Decrypt decrypts an encrypted session key with the given private key. The
|
||||||
|
// private key must have been decrypted first.
|
||||||
|
// If config is nil, sensible defaults will be used.
|
||||||
|
func (e *EncryptedKey) Decrypt(priv *PrivateKey, config *Config) error {
|
||||||
|
var err error
|
||||||
|
var b []byte
|
||||||
|
|
||||||
|
// TODO(agl): use session key decryption routines here to avoid
|
||||||
|
// padding oracle attacks.
|
||||||
|
switch priv.PubKeyAlgo {
|
||||||
|
case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly:
|
||||||
|
b, err = rsa.DecryptPKCS1v15(config.Random(), priv.PrivateKey.(*rsa.PrivateKey), e.encryptedMPI1.bytes)
|
||||||
|
case PubKeyAlgoElGamal:
|
||||||
|
c1 := new(big.Int).SetBytes(e.encryptedMPI1.bytes)
|
||||||
|
c2 := new(big.Int).SetBytes(e.encryptedMPI2.bytes)
|
||||||
|
b, err = elgamal.Decrypt(priv.PrivateKey.(*elgamal.PrivateKey), c1, c2)
|
||||||
|
case PubKeyAlgoECDH:
|
||||||
|
// Note: Unmarshal checks if point is on the curve.
|
||||||
|
c1, c2 := ecdh.Unmarshal(priv.PrivateKey.(*ecdh.PrivateKey).Curve, e.encryptedMPI1.bytes)
|
||||||
|
if c1 == nil {
|
||||||
|
return errors.InvalidArgumentError("failed to parse EC point for encryption key")
|
||||||
|
}
|
||||||
|
b, err = decryptKeyECDH(priv, c1, c2, e.ecdh_C)
|
||||||
|
default:
|
||||||
|
err = errors.InvalidArgumentError("cannot decrypted encrypted session key with private key of type " + strconv.Itoa(int(priv.PubKeyAlgo)))
|
||||||
|
}
|
||||||
|
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
e.CipherFunc = CipherFunction(b[0])
|
||||||
|
e.Key = b[1 : len(b)-2]
|
||||||
|
expectedChecksum := uint16(b[len(b)-2])<<8 | uint16(b[len(b)-1])
|
||||||
|
checksum := checksumKeyMaterial(e.Key)
|
||||||
|
if checksum != expectedChecksum {
|
||||||
|
return errors.StructuralError("EncryptedKey checksum incorrect")
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Serialize writes the encrypted key packet, e, to w.
|
||||||
|
func (e *EncryptedKey) Serialize(w io.Writer) error {
|
||||||
|
var mpiLen int
|
||||||
|
switch e.Algo {
|
||||||
|
case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly:
|
||||||
|
mpiLen = 2 + len(e.encryptedMPI1.bytes)
|
||||||
|
case PubKeyAlgoElGamal:
|
||||||
|
mpiLen = 2 + len(e.encryptedMPI1.bytes) + 2 + len(e.encryptedMPI2.bytes)
|
||||||
|
default:
|
||||||
|
return errors.InvalidArgumentError("don't know how to serialize encrypted key type " + strconv.Itoa(int(e.Algo)))
|
||||||
|
}
|
||||||
|
|
||||||
|
serializeHeader(w, packetTypeEncryptedKey, 1 /* version */ +8 /* key id */ +1 /* algo */ +mpiLen)
|
||||||
|
|
||||||
|
w.Write([]byte{encryptedKeyVersion})
|
||||||
|
binary.Write(w, binary.BigEndian, e.KeyId)
|
||||||
|
w.Write([]byte{byte(e.Algo)})
|
||||||
|
|
||||||
|
switch e.Algo {
|
||||||
|
case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly:
|
||||||
|
writeMPIs(w, e.encryptedMPI1)
|
||||||
|
case PubKeyAlgoElGamal:
|
||||||
|
writeMPIs(w, e.encryptedMPI1, e.encryptedMPI2)
|
||||||
|
default:
|
||||||
|
panic("internal error")
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// SerializeEncryptedKey serializes an encrypted key packet to w that contains
|
||||||
|
// key, encrypted to pub.
|
||||||
|
// If config is nil, sensible defaults will be used.
|
||||||
|
func SerializeEncryptedKey(w io.Writer, pub *PublicKey, cipherFunc CipherFunction, key []byte, config *Config) error {
|
||||||
|
var buf [10]byte
|
||||||
|
buf[0] = encryptedKeyVersion
|
||||||
|
binary.BigEndian.PutUint64(buf[1:9], pub.KeyId)
|
||||||
|
buf[9] = byte(pub.PubKeyAlgo)
|
||||||
|
|
||||||
|
keyBlock := make([]byte, 1 /* cipher type */ +len(key)+2 /* checksum */)
|
||||||
|
keyBlock[0] = byte(cipherFunc)
|
||||||
|
copy(keyBlock[1:], key)
|
||||||
|
checksum := checksumKeyMaterial(key)
|
||||||
|
keyBlock[1+len(key)] = byte(checksum >> 8)
|
||||||
|
keyBlock[1+len(key)+1] = byte(checksum)
|
||||||
|
|
||||||
|
switch pub.PubKeyAlgo {
|
||||||
|
case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly:
|
||||||
|
return serializeEncryptedKeyRSA(w, config.Random(), buf, pub.PublicKey.(*rsa.PublicKey), keyBlock)
|
||||||
|
case PubKeyAlgoElGamal:
|
||||||
|
return serializeEncryptedKeyElGamal(w, config.Random(), buf, pub.PublicKey.(*elgamal.PublicKey), keyBlock)
|
||||||
|
case PubKeyAlgoECDH:
|
||||||
|
return serializeEncryptedKeyECDH(w, config.Random(), buf, pub, keyBlock)
|
||||||
|
case PubKeyAlgoDSA, PubKeyAlgoRSASignOnly:
|
||||||
|
return errors.InvalidArgumentError("cannot encrypt to public key of type " + strconv.Itoa(int(pub.PubKeyAlgo)))
|
||||||
|
}
|
||||||
|
|
||||||
|
return errors.UnsupportedError("encrypting a key to public key of type " + strconv.Itoa(int(pub.PubKeyAlgo)))
|
||||||
|
}
|
||||||
|
|
||||||
|
func serializeEncryptedKeyRSA(w io.Writer, rand io.Reader, header [10]byte, pub *rsa.PublicKey, keyBlock []byte) error {
|
||||||
|
cipherText, err := rsa.EncryptPKCS1v15(rand, pub, keyBlock)
|
||||||
|
if err != nil {
|
||||||
|
return errors.InvalidArgumentError("RSA encryption failed: " + err.Error())
|
||||||
|
}
|
||||||
|
|
||||||
|
packetLen := 10 /* header length */ + 2 /* mpi size */ + len(cipherText)
|
||||||
|
|
||||||
|
err = serializeHeader(w, packetTypeEncryptedKey, packetLen)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
_, err = w.Write(header[:])
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
return writeMPI(w, 8*uint16(len(cipherText)), cipherText)
|
||||||
|
}
|
||||||
|
|
||||||
|
func serializeEncryptedKeyElGamal(w io.Writer, rand io.Reader, header [10]byte, pub *elgamal.PublicKey, keyBlock []byte) error {
|
||||||
|
c1, c2, err := elgamal.Encrypt(rand, pub, keyBlock)
|
||||||
|
if err != nil {
|
||||||
|
return errors.InvalidArgumentError("ElGamal encryption failed: " + err.Error())
|
||||||
|
}
|
||||||
|
|
||||||
|
packetLen := 10 /* header length */
|
||||||
|
packetLen += 2 /* mpi size */ + (c1.BitLen()+7)/8
|
||||||
|
packetLen += 2 /* mpi size */ + (c2.BitLen()+7)/8
|
||||||
|
|
||||||
|
err = serializeHeader(w, packetTypeEncryptedKey, packetLen)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
_, err = w.Write(header[:])
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
err = writeBig(w, c1)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
return writeBig(w, c2)
|
||||||
|
}
|
89
vendor/github.com/keybase/go-crypto/openpgp/packet/literal.go
generated
vendored
Normal file
89
vendor/github.com/keybase/go-crypto/openpgp/packet/literal.go
generated
vendored
Normal file
@ -0,0 +1,89 @@
|
|||||||
|
// Copyright 2011 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package packet
|
||||||
|
|
||||||
|
import (
|
||||||
|
"encoding/binary"
|
||||||
|
"io"
|
||||||
|
)
|
||||||
|
|
||||||
|
// LiteralData represents an encrypted file. See RFC 4880, section 5.9.
|
||||||
|
type LiteralData struct {
|
||||||
|
IsBinary bool
|
||||||
|
FileName string
|
||||||
|
Time uint32 // Unix epoch time. Either creation time or modification time. 0 means undefined.
|
||||||
|
Body io.Reader
|
||||||
|
}
|
||||||
|
|
||||||
|
// ForEyesOnly returns whether the contents of the LiteralData have been marked
|
||||||
|
// as especially sensitive.
|
||||||
|
func (l *LiteralData) ForEyesOnly() bool {
|
||||||
|
return l.FileName == "_CONSOLE"
|
||||||
|
}
|
||||||
|
|
||||||
|
func (l *LiteralData) parse(r io.Reader) (err error) {
|
||||||
|
var buf [256]byte
|
||||||
|
|
||||||
|
_, err = readFull(r, buf[:2])
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
l.IsBinary = buf[0] == 'b'
|
||||||
|
fileNameLen := int(buf[1])
|
||||||
|
|
||||||
|
_, err = readFull(r, buf[:fileNameLen])
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
l.FileName = string(buf[:fileNameLen])
|
||||||
|
|
||||||
|
_, err = readFull(r, buf[:4])
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
l.Time = binary.BigEndian.Uint32(buf[:4])
|
||||||
|
l.Body = r
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// SerializeLiteral serializes a literal data packet to w and returns a
|
||||||
|
// WriteCloser to which the data itself can be written and which MUST be closed
|
||||||
|
// on completion. The fileName is truncated to 255 bytes.
|
||||||
|
func SerializeLiteral(w io.WriteCloser, isBinary bool, fileName string, time uint32) (plaintext io.WriteCloser, err error) {
|
||||||
|
var buf [4]byte
|
||||||
|
buf[0] = 't'
|
||||||
|
if isBinary {
|
||||||
|
buf[0] = 'b'
|
||||||
|
}
|
||||||
|
if len(fileName) > 255 {
|
||||||
|
fileName = fileName[:255]
|
||||||
|
}
|
||||||
|
buf[1] = byte(len(fileName))
|
||||||
|
|
||||||
|
inner, err := serializeStreamHeader(w, packetTypeLiteralData)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
_, err = inner.Write(buf[:2])
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
_, err = inner.Write([]byte(fileName))
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
binary.BigEndian.PutUint32(buf[:], time)
|
||||||
|
_, err = inner.Write(buf[:])
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
plaintext = inner
|
||||||
|
return
|
||||||
|
}
|
143
vendor/github.com/keybase/go-crypto/openpgp/packet/ocfb.go
generated
vendored
Normal file
143
vendor/github.com/keybase/go-crypto/openpgp/packet/ocfb.go
generated
vendored
Normal file
@ -0,0 +1,143 @@
|
|||||||
|
// Copyright 2010 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// OpenPGP CFB Mode. http://tools.ietf.org/html/rfc4880#section-13.9
|
||||||
|
|
||||||
|
package packet
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/cipher"
|
||||||
|
)
|
||||||
|
|
||||||
|
type ocfbEncrypter struct {
|
||||||
|
b cipher.Block
|
||||||
|
fre []byte
|
||||||
|
outUsed int
|
||||||
|
}
|
||||||
|
|
||||||
|
// An OCFBResyncOption determines if the "resynchronization step" of OCFB is
|
||||||
|
// performed.
|
||||||
|
type OCFBResyncOption bool
|
||||||
|
|
||||||
|
const (
|
||||||
|
OCFBResync OCFBResyncOption = true
|
||||||
|
OCFBNoResync OCFBResyncOption = false
|
||||||
|
)
|
||||||
|
|
||||||
|
// NewOCFBEncrypter returns a cipher.Stream which encrypts data with OpenPGP's
|
||||||
|
// cipher feedback mode using the given cipher.Block, and an initial amount of
|
||||||
|
// ciphertext. randData must be random bytes and be the same length as the
|
||||||
|
// cipher.Block's block size. Resync determines if the "resynchronization step"
|
||||||
|
// from RFC 4880, 13.9 step 7 is performed. Different parts of OpenPGP vary on
|
||||||
|
// this point.
|
||||||
|
func NewOCFBEncrypter(block cipher.Block, randData []byte, resync OCFBResyncOption) (cipher.Stream, []byte) {
|
||||||
|
blockSize := block.BlockSize()
|
||||||
|
if len(randData) != blockSize {
|
||||||
|
return nil, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
x := &ocfbEncrypter{
|
||||||
|
b: block,
|
||||||
|
fre: make([]byte, blockSize),
|
||||||
|
outUsed: 0,
|
||||||
|
}
|
||||||
|
prefix := make([]byte, blockSize+2)
|
||||||
|
|
||||||
|
block.Encrypt(x.fre, x.fre)
|
||||||
|
for i := 0; i < blockSize; i++ {
|
||||||
|
prefix[i] = randData[i] ^ x.fre[i]
|
||||||
|
}
|
||||||
|
|
||||||
|
block.Encrypt(x.fre, prefix[:blockSize])
|
||||||
|
prefix[blockSize] = x.fre[0] ^ randData[blockSize-2]
|
||||||
|
prefix[blockSize+1] = x.fre[1] ^ randData[blockSize-1]
|
||||||
|
|
||||||
|
if resync {
|
||||||
|
block.Encrypt(x.fre, prefix[2:])
|
||||||
|
} else {
|
||||||
|
x.fre[0] = prefix[blockSize]
|
||||||
|
x.fre[1] = prefix[blockSize+1]
|
||||||
|
x.outUsed = 2
|
||||||
|
}
|
||||||
|
return x, prefix
|
||||||
|
}
|
||||||
|
|
||||||
|
func (x *ocfbEncrypter) XORKeyStream(dst, src []byte) {
|
||||||
|
for i := 0; i < len(src); i++ {
|
||||||
|
if x.outUsed == len(x.fre) {
|
||||||
|
x.b.Encrypt(x.fre, x.fre)
|
||||||
|
x.outUsed = 0
|
||||||
|
}
|
||||||
|
|
||||||
|
x.fre[x.outUsed] ^= src[i]
|
||||||
|
dst[i] = x.fre[x.outUsed]
|
||||||
|
x.outUsed++
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
type ocfbDecrypter struct {
|
||||||
|
b cipher.Block
|
||||||
|
fre []byte
|
||||||
|
outUsed int
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewOCFBDecrypter returns a cipher.Stream which decrypts data with OpenPGP's
|
||||||
|
// cipher feedback mode using the given cipher.Block. Prefix must be the first
|
||||||
|
// blockSize + 2 bytes of the ciphertext, where blockSize is the cipher.Block's
|
||||||
|
// block size. If an incorrect key is detected then nil is returned. On
|
||||||
|
// successful exit, blockSize+2 bytes of decrypted data are written into
|
||||||
|
// prefix. Resync determines if the "resynchronization step" from RFC 4880,
|
||||||
|
// 13.9 step 7 is performed. Different parts of OpenPGP vary on this point.
|
||||||
|
func NewOCFBDecrypter(block cipher.Block, prefix []byte, resync OCFBResyncOption) cipher.Stream {
|
||||||
|
blockSize := block.BlockSize()
|
||||||
|
if len(prefix) != blockSize+2 {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
x := &ocfbDecrypter{
|
||||||
|
b: block,
|
||||||
|
fre: make([]byte, blockSize),
|
||||||
|
outUsed: 0,
|
||||||
|
}
|
||||||
|
prefixCopy := make([]byte, len(prefix))
|
||||||
|
copy(prefixCopy, prefix)
|
||||||
|
|
||||||
|
block.Encrypt(x.fre, x.fre)
|
||||||
|
for i := 0; i < blockSize; i++ {
|
||||||
|
prefixCopy[i] ^= x.fre[i]
|
||||||
|
}
|
||||||
|
|
||||||
|
block.Encrypt(x.fre, prefix[:blockSize])
|
||||||
|
prefixCopy[blockSize] ^= x.fre[0]
|
||||||
|
prefixCopy[blockSize+1] ^= x.fre[1]
|
||||||
|
|
||||||
|
if prefixCopy[blockSize-2] != prefixCopy[blockSize] ||
|
||||||
|
prefixCopy[blockSize-1] != prefixCopy[blockSize+1] {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
if resync {
|
||||||
|
block.Encrypt(x.fre, prefix[2:])
|
||||||
|
} else {
|
||||||
|
x.fre[0] = prefix[blockSize]
|
||||||
|
x.fre[1] = prefix[blockSize+1]
|
||||||
|
x.outUsed = 2
|
||||||
|
}
|
||||||
|
copy(prefix, prefixCopy)
|
||||||
|
return x
|
||||||
|
}
|
||||||
|
|
||||||
|
func (x *ocfbDecrypter) XORKeyStream(dst, src []byte) {
|
||||||
|
for i := 0; i < len(src); i++ {
|
||||||
|
if x.outUsed == len(x.fre) {
|
||||||
|
x.b.Encrypt(x.fre, x.fre)
|
||||||
|
x.outUsed = 0
|
||||||
|
}
|
||||||
|
|
||||||
|
c := src[i]
|
||||||
|
dst[i] = x.fre[x.outUsed] ^ src[i]
|
||||||
|
x.fre[x.outUsed] = c
|
||||||
|
x.outUsed++
|
||||||
|
}
|
||||||
|
}
|
74
vendor/github.com/keybase/go-crypto/openpgp/packet/one_pass_signature.go
generated
vendored
Normal file
74
vendor/github.com/keybase/go-crypto/openpgp/packet/one_pass_signature.go
generated
vendored
Normal file
@ -0,0 +1,74 @@
|
|||||||
|
// Copyright 2011 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package packet
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto"
|
||||||
|
"encoding/binary"
|
||||||
|
"io"
|
||||||
|
"strconv"
|
||||||
|
|
||||||
|
"github.com/keybase/go-crypto/openpgp/errors"
|
||||||
|
"github.com/keybase/go-crypto/openpgp/s2k"
|
||||||
|
)
|
||||||
|
|
||||||
|
// OnePassSignature represents a one-pass signature packet. See RFC 4880,
|
||||||
|
// section 5.4.
|
||||||
|
type OnePassSignature struct {
|
||||||
|
SigType SignatureType
|
||||||
|
Hash crypto.Hash
|
||||||
|
PubKeyAlgo PublicKeyAlgorithm
|
||||||
|
KeyId uint64
|
||||||
|
IsLast bool
|
||||||
|
}
|
||||||
|
|
||||||
|
const onePassSignatureVersion = 3
|
||||||
|
|
||||||
|
func (ops *OnePassSignature) parse(r io.Reader) (err error) {
|
||||||
|
var buf [13]byte
|
||||||
|
|
||||||
|
_, err = readFull(r, buf[:])
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if buf[0] != onePassSignatureVersion {
|
||||||
|
err = errors.UnsupportedError("one-pass-signature packet version " + strconv.Itoa(int(buf[0])))
|
||||||
|
}
|
||||||
|
|
||||||
|
var ok bool
|
||||||
|
ops.Hash, ok = s2k.HashIdToHash(buf[2])
|
||||||
|
if !ok {
|
||||||
|
return errors.UnsupportedError("hash function: " + strconv.Itoa(int(buf[2])))
|
||||||
|
}
|
||||||
|
|
||||||
|
ops.SigType = SignatureType(buf[1])
|
||||||
|
ops.PubKeyAlgo = PublicKeyAlgorithm(buf[3])
|
||||||
|
ops.KeyId = binary.BigEndian.Uint64(buf[4:12])
|
||||||
|
ops.IsLast = buf[12] != 0
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// Serialize marshals the given OnePassSignature to w.
|
||||||
|
func (ops *OnePassSignature) Serialize(w io.Writer) error {
|
||||||
|
var buf [13]byte
|
||||||
|
buf[0] = onePassSignatureVersion
|
||||||
|
buf[1] = uint8(ops.SigType)
|
||||||
|
var ok bool
|
||||||
|
buf[2], ok = s2k.HashToHashId(ops.Hash)
|
||||||
|
if !ok {
|
||||||
|
return errors.UnsupportedError("hash type: " + strconv.Itoa(int(ops.Hash)))
|
||||||
|
}
|
||||||
|
buf[3] = uint8(ops.PubKeyAlgo)
|
||||||
|
binary.BigEndian.PutUint64(buf[4:12], ops.KeyId)
|
||||||
|
if ops.IsLast {
|
||||||
|
buf[12] = 1
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := serializeHeader(w, packetTypeOnePassSignature, len(buf)); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
_, err := w.Write(buf[:])
|
||||||
|
return err
|
||||||
|
}
|
162
vendor/github.com/keybase/go-crypto/openpgp/packet/opaque.go
generated
vendored
Normal file
162
vendor/github.com/keybase/go-crypto/openpgp/packet/opaque.go
generated
vendored
Normal file
@ -0,0 +1,162 @@
|
|||||||
|
// Copyright 2012 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package packet
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"io"
|
||||||
|
"io/ioutil"
|
||||||
|
|
||||||
|
"github.com/keybase/go-crypto/openpgp/errors"
|
||||||
|
)
|
||||||
|
|
||||||
|
// OpaquePacket represents an OpenPGP packet as raw, unparsed data. This is
|
||||||
|
// useful for splitting and storing the original packet contents separately,
|
||||||
|
// handling unsupported packet types or accessing parts of the packet not yet
|
||||||
|
// implemented by this package.
|
||||||
|
type OpaquePacket struct {
|
||||||
|
// Packet type
|
||||||
|
Tag uint8
|
||||||
|
// Reason why the packet was parsed opaquely
|
||||||
|
Reason error
|
||||||
|
// Binary contents of the packet data
|
||||||
|
Contents []byte
|
||||||
|
}
|
||||||
|
|
||||||
|
func (op *OpaquePacket) parse(r io.Reader) (err error) {
|
||||||
|
op.Contents, err = ioutil.ReadAll(r)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// Serialize marshals the packet to a writer in its original form, including
|
||||||
|
// the packet header.
|
||||||
|
func (op *OpaquePacket) Serialize(w io.Writer) (err error) {
|
||||||
|
err = serializeHeader(w, packetType(op.Tag), len(op.Contents))
|
||||||
|
if err == nil {
|
||||||
|
_, err = w.Write(op.Contents)
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// Parse attempts to parse the opaque contents into a structure supported by
|
||||||
|
// this package. If the packet is not known then the result will be another
|
||||||
|
// OpaquePacket.
|
||||||
|
func (op *OpaquePacket) Parse() (p Packet, err error) {
|
||||||
|
hdr := bytes.NewBuffer(nil)
|
||||||
|
err = serializeHeader(hdr, packetType(op.Tag), len(op.Contents))
|
||||||
|
if err != nil {
|
||||||
|
op.Reason = err
|
||||||
|
return op, err
|
||||||
|
}
|
||||||
|
p, err = Read(io.MultiReader(hdr, bytes.NewBuffer(op.Contents)))
|
||||||
|
if err != nil {
|
||||||
|
op.Reason = err
|
||||||
|
p = op
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// OpaqueReader reads OpaquePackets from an io.Reader.
|
||||||
|
type OpaqueReader struct {
|
||||||
|
r io.Reader
|
||||||
|
}
|
||||||
|
|
||||||
|
func NewOpaqueReader(r io.Reader) *OpaqueReader {
|
||||||
|
return &OpaqueReader{r: r}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Read the next OpaquePacket.
|
||||||
|
func (or *OpaqueReader) Next() (op *OpaquePacket, err error) {
|
||||||
|
tag, _, contents, err := readHeader(or.r)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
op = &OpaquePacket{Tag: uint8(tag), Reason: err}
|
||||||
|
err = op.parse(contents)
|
||||||
|
if err != nil {
|
||||||
|
consumeAll(contents)
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// OpaqueSubpacket represents an unparsed OpenPGP subpacket,
|
||||||
|
// as found in signature and user attribute packets.
|
||||||
|
type OpaqueSubpacket struct {
|
||||||
|
SubType uint8
|
||||||
|
Contents []byte
|
||||||
|
}
|
||||||
|
|
||||||
|
// OpaqueSubpackets extracts opaque, unparsed OpenPGP subpackets from
|
||||||
|
// their byte representation.
|
||||||
|
func OpaqueSubpackets(contents []byte) (result []*OpaqueSubpacket, err error) {
|
||||||
|
var (
|
||||||
|
subHeaderLen int
|
||||||
|
subPacket *OpaqueSubpacket
|
||||||
|
)
|
||||||
|
for len(contents) > 0 {
|
||||||
|
subHeaderLen, subPacket, err = nextSubpacket(contents)
|
||||||
|
if err != nil {
|
||||||
|
break
|
||||||
|
}
|
||||||
|
result = append(result, subPacket)
|
||||||
|
contents = contents[subHeaderLen+len(subPacket.Contents):]
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func nextSubpacket(contents []byte) (subHeaderLen int, subPacket *OpaqueSubpacket, err error) {
|
||||||
|
// RFC 4880, section 5.2.3.1
|
||||||
|
var subLen uint32
|
||||||
|
if len(contents) < 1 {
|
||||||
|
goto Truncated
|
||||||
|
}
|
||||||
|
subPacket = &OpaqueSubpacket{}
|
||||||
|
switch {
|
||||||
|
case contents[0] < 192:
|
||||||
|
subHeaderLen = 2 // 1 length byte, 1 subtype byte
|
||||||
|
if len(contents) < subHeaderLen {
|
||||||
|
goto Truncated
|
||||||
|
}
|
||||||
|
subLen = uint32(contents[0])
|
||||||
|
contents = contents[1:]
|
||||||
|
case contents[0] < 255:
|
||||||
|
subHeaderLen = 3 // 2 length bytes, 1 subtype
|
||||||
|
if len(contents) < subHeaderLen {
|
||||||
|
goto Truncated
|
||||||
|
}
|
||||||
|
subLen = uint32(contents[0]-192)<<8 + uint32(contents[1]) + 192
|
||||||
|
contents = contents[2:]
|
||||||
|
default:
|
||||||
|
subHeaderLen = 6 // 5 length bytes, 1 subtype
|
||||||
|
if len(contents) < subHeaderLen {
|
||||||
|
goto Truncated
|
||||||
|
}
|
||||||
|
subLen = uint32(contents[1])<<24 |
|
||||||
|
uint32(contents[2])<<16 |
|
||||||
|
uint32(contents[3])<<8 |
|
||||||
|
uint32(contents[4])
|
||||||
|
contents = contents[5:]
|
||||||
|
}
|
||||||
|
if subLen > uint32(len(contents)) || subLen == 0 {
|
||||||
|
goto Truncated
|
||||||
|
}
|
||||||
|
subPacket.SubType = contents[0]
|
||||||
|
subPacket.Contents = contents[1:subLen]
|
||||||
|
return
|
||||||
|
Truncated:
|
||||||
|
err = errors.StructuralError("subpacket truncated")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func (osp *OpaqueSubpacket) Serialize(w io.Writer) (err error) {
|
||||||
|
buf := make([]byte, 6)
|
||||||
|
n := serializeSubpacketLength(buf, len(osp.Contents)+1)
|
||||||
|
buf[n] = osp.SubType
|
||||||
|
if _, err = w.Write(buf[:n+1]); err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
_, err = w.Write(osp.Contents)
|
||||||
|
return
|
||||||
|
}
|
563
vendor/github.com/keybase/go-crypto/openpgp/packet/packet.go
generated
vendored
Normal file
563
vendor/github.com/keybase/go-crypto/openpgp/packet/packet.go
generated
vendored
Normal file
@ -0,0 +1,563 @@
|
|||||||
|
// Copyright 2011 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// Package packet implements parsing and serialization of OpenPGP packets, as
|
||||||
|
// specified in RFC 4880.
|
||||||
|
package packet // import "github.com/keybase/go-crypto/openpgp/packet"
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bufio"
|
||||||
|
"crypto/aes"
|
||||||
|
"crypto/cipher"
|
||||||
|
"crypto/des"
|
||||||
|
"crypto/elliptic"
|
||||||
|
"io"
|
||||||
|
"math/big"
|
||||||
|
|
||||||
|
"github.com/keybase/go-crypto/cast5"
|
||||||
|
"github.com/keybase/go-crypto/openpgp/errors"
|
||||||
|
)
|
||||||
|
|
||||||
|
// readFull is the same as io.ReadFull except that reading zero bytes returns
|
||||||
|
// ErrUnexpectedEOF rather than EOF.
|
||||||
|
func readFull(r io.Reader, buf []byte) (n int, err error) {
|
||||||
|
n, err = io.ReadFull(r, buf)
|
||||||
|
if err == io.EOF {
|
||||||
|
err = io.ErrUnexpectedEOF
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// readLength reads an OpenPGP length from r. See RFC 4880, section 4.2.2.
|
||||||
|
func readLength(r io.Reader) (length int64, isPartial bool, err error) {
|
||||||
|
var buf [4]byte
|
||||||
|
_, err = readFull(r, buf[:1])
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
switch {
|
||||||
|
case buf[0] < 192:
|
||||||
|
length = int64(buf[0])
|
||||||
|
case buf[0] < 224:
|
||||||
|
length = int64(buf[0]-192) << 8
|
||||||
|
_, err = readFull(r, buf[0:1])
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
length += int64(buf[0]) + 192
|
||||||
|
case buf[0] < 255:
|
||||||
|
length = int64(1) << (buf[0] & 0x1f)
|
||||||
|
isPartial = true
|
||||||
|
default:
|
||||||
|
_, err = readFull(r, buf[0:4])
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
length = int64(buf[0])<<24 |
|
||||||
|
int64(buf[1])<<16 |
|
||||||
|
int64(buf[2])<<8 |
|
||||||
|
int64(buf[3])
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// partialLengthReader wraps an io.Reader and handles OpenPGP partial lengths.
|
||||||
|
// The continuation lengths are parsed and removed from the stream and EOF is
|
||||||
|
// returned at the end of the packet. See RFC 4880, section 4.2.2.4.
|
||||||
|
type partialLengthReader struct {
|
||||||
|
r io.Reader
|
||||||
|
remaining int64
|
||||||
|
isPartial bool
|
||||||
|
}
|
||||||
|
|
||||||
|
func (r *partialLengthReader) Read(p []byte) (n int, err error) {
|
||||||
|
for r.remaining == 0 {
|
||||||
|
if !r.isPartial {
|
||||||
|
return 0, io.EOF
|
||||||
|
}
|
||||||
|
r.remaining, r.isPartial, err = readLength(r.r)
|
||||||
|
if err != nil {
|
||||||
|
return 0, err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
toRead := int64(len(p))
|
||||||
|
if toRead > r.remaining {
|
||||||
|
toRead = r.remaining
|
||||||
|
}
|
||||||
|
|
||||||
|
n, err = r.r.Read(p[:int(toRead)])
|
||||||
|
r.remaining -= int64(n)
|
||||||
|
if n < int(toRead) && err == io.EOF {
|
||||||
|
err = io.ErrUnexpectedEOF
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// partialLengthWriter writes a stream of data using OpenPGP partial lengths.
|
||||||
|
// See RFC 4880, section 4.2.2.4.
|
||||||
|
type partialLengthWriter struct {
|
||||||
|
w io.WriteCloser
|
||||||
|
lengthByte [1]byte
|
||||||
|
}
|
||||||
|
|
||||||
|
func (w *partialLengthWriter) Write(p []byte) (n int, err error) {
|
||||||
|
for len(p) > 0 {
|
||||||
|
for power := uint(14); power < 32; power-- {
|
||||||
|
l := 1 << power
|
||||||
|
if len(p) >= l {
|
||||||
|
w.lengthByte[0] = 224 + uint8(power)
|
||||||
|
_, err = w.w.Write(w.lengthByte[:])
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
var m int
|
||||||
|
m, err = w.w.Write(p[:l])
|
||||||
|
n += m
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
p = p[l:]
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func (w *partialLengthWriter) Close() error {
|
||||||
|
w.lengthByte[0] = 0
|
||||||
|
_, err := w.w.Write(w.lengthByte[:])
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
return w.w.Close()
|
||||||
|
}
|
||||||
|
|
||||||
|
// A spanReader is an io.LimitReader, but it returns ErrUnexpectedEOF if the
|
||||||
|
// underlying Reader returns EOF before the limit has been reached.
|
||||||
|
type spanReader struct {
|
||||||
|
r io.Reader
|
||||||
|
n int64
|
||||||
|
}
|
||||||
|
|
||||||
|
func (l *spanReader) Read(p []byte) (n int, err error) {
|
||||||
|
if l.n <= 0 {
|
||||||
|
return 0, io.EOF
|
||||||
|
}
|
||||||
|
if int64(len(p)) > l.n {
|
||||||
|
p = p[0:l.n]
|
||||||
|
}
|
||||||
|
n, err = l.r.Read(p)
|
||||||
|
l.n -= int64(n)
|
||||||
|
if l.n > 0 && err == io.EOF {
|
||||||
|
err = io.ErrUnexpectedEOF
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// readHeader parses a packet header and returns an io.Reader which will return
|
||||||
|
// the contents of the packet. See RFC 4880, section 4.2.
|
||||||
|
func readHeader(r io.Reader) (tag packetType, length int64, contents io.Reader, err error) {
|
||||||
|
var buf [4]byte
|
||||||
|
_, err = io.ReadFull(r, buf[:1])
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if buf[0]&0x80 == 0 {
|
||||||
|
err = errors.StructuralError("tag byte does not have MSB set")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if buf[0]&0x40 == 0 {
|
||||||
|
// Old format packet
|
||||||
|
tag = packetType((buf[0] & 0x3f) >> 2)
|
||||||
|
lengthType := buf[0] & 3
|
||||||
|
if lengthType == 3 {
|
||||||
|
length = -1
|
||||||
|
contents = r
|
||||||
|
return
|
||||||
|
}
|
||||||
|
lengthBytes := 1 << lengthType
|
||||||
|
_, err = readFull(r, buf[0:lengthBytes])
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
for i := 0; i < lengthBytes; i++ {
|
||||||
|
length <<= 8
|
||||||
|
length |= int64(buf[i])
|
||||||
|
}
|
||||||
|
contents = &spanReader{r, length}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// New format packet
|
||||||
|
tag = packetType(buf[0] & 0x3f)
|
||||||
|
length, isPartial, err := readLength(r)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if isPartial {
|
||||||
|
contents = &partialLengthReader{
|
||||||
|
remaining: length,
|
||||||
|
isPartial: true,
|
||||||
|
r: r,
|
||||||
|
}
|
||||||
|
length = -1
|
||||||
|
} else {
|
||||||
|
contents = &spanReader{r, length}
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// serializeHeader writes an OpenPGP packet header to w. See RFC 4880, section
|
||||||
|
// 4.2.
|
||||||
|
func serializeHeader(w io.Writer, ptype packetType, length int) (err error) {
|
||||||
|
var buf [6]byte
|
||||||
|
var n int
|
||||||
|
|
||||||
|
buf[0] = 0x80 | 0x40 | byte(ptype)
|
||||||
|
if length < 192 {
|
||||||
|
buf[1] = byte(length)
|
||||||
|
n = 2
|
||||||
|
} else if length < 8384 {
|
||||||
|
length -= 192
|
||||||
|
buf[1] = 192 + byte(length>>8)
|
||||||
|
buf[2] = byte(length)
|
||||||
|
n = 3
|
||||||
|
} else {
|
||||||
|
buf[1] = 255
|
||||||
|
buf[2] = byte(length >> 24)
|
||||||
|
buf[3] = byte(length >> 16)
|
||||||
|
buf[4] = byte(length >> 8)
|
||||||
|
buf[5] = byte(length)
|
||||||
|
n = 6
|
||||||
|
}
|
||||||
|
|
||||||
|
_, err = w.Write(buf[:n])
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// serializeStreamHeader writes an OpenPGP packet header to w where the
|
||||||
|
// length of the packet is unknown. It returns a io.WriteCloser which can be
|
||||||
|
// used to write the contents of the packet. See RFC 4880, section 4.2.
|
||||||
|
func serializeStreamHeader(w io.WriteCloser, ptype packetType) (out io.WriteCloser, err error) {
|
||||||
|
var buf [1]byte
|
||||||
|
buf[0] = 0x80 | 0x40 | byte(ptype)
|
||||||
|
_, err = w.Write(buf[:])
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
out = &partialLengthWriter{w: w}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// Packet represents an OpenPGP packet. Users are expected to try casting
|
||||||
|
// instances of this interface to specific packet types.
|
||||||
|
type Packet interface {
|
||||||
|
parse(io.Reader) error
|
||||||
|
}
|
||||||
|
|
||||||
|
// consumeAll reads from the given Reader until error, returning the number of
|
||||||
|
// bytes read.
|
||||||
|
func consumeAll(r io.Reader) (n int64, err error) {
|
||||||
|
var m int
|
||||||
|
var buf [1024]byte
|
||||||
|
|
||||||
|
for {
|
||||||
|
m, err = r.Read(buf[:])
|
||||||
|
n += int64(m)
|
||||||
|
if err == io.EOF {
|
||||||
|
err = nil
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
panic("unreachable")
|
||||||
|
}
|
||||||
|
|
||||||
|
// packetType represents the numeric ids of the different OpenPGP packet types. See
|
||||||
|
// http://www.iana.org/assignments/pgp-parameters/pgp-parameters.xhtml#pgp-parameters-2
|
||||||
|
type packetType uint8
|
||||||
|
|
||||||
|
const (
|
||||||
|
packetTypeEncryptedKey packetType = 1
|
||||||
|
packetTypeSignature packetType = 2
|
||||||
|
packetTypeSymmetricKeyEncrypted packetType = 3
|
||||||
|
packetTypeOnePassSignature packetType = 4
|
||||||
|
packetTypePrivateKey packetType = 5
|
||||||
|
packetTypePublicKey packetType = 6
|
||||||
|
packetTypePrivateSubkey packetType = 7
|
||||||
|
packetTypeCompressed packetType = 8
|
||||||
|
packetTypeSymmetricallyEncrypted packetType = 9
|
||||||
|
packetTypeLiteralData packetType = 11
|
||||||
|
packetTypeUserId packetType = 13
|
||||||
|
packetTypePublicSubkey packetType = 14
|
||||||
|
packetTypeUserAttribute packetType = 17
|
||||||
|
packetTypeSymmetricallyEncryptedMDC packetType = 18
|
||||||
|
)
|
||||||
|
|
||||||
|
// peekVersion detects the version of a public key packet about to
|
||||||
|
// be read. A bufio.Reader at the original position of the io.Reader
|
||||||
|
// is returned.
|
||||||
|
func peekVersion(r io.Reader) (bufr *bufio.Reader, ver byte, err error) {
|
||||||
|
bufr = bufio.NewReader(r)
|
||||||
|
var verBuf []byte
|
||||||
|
if verBuf, err = bufr.Peek(1); err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
ver = verBuf[0]
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// Read reads a single OpenPGP packet from the given io.Reader. If there is an
|
||||||
|
// error parsing a packet, the whole packet is consumed from the input.
|
||||||
|
func Read(r io.Reader) (p Packet, err error) {
|
||||||
|
tag, _, contents, err := readHeader(r)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
switch tag {
|
||||||
|
case packetTypeEncryptedKey:
|
||||||
|
p = new(EncryptedKey)
|
||||||
|
case packetTypeSignature:
|
||||||
|
var version byte
|
||||||
|
// Detect signature version
|
||||||
|
if contents, version, err = peekVersion(contents); err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if version < 4 {
|
||||||
|
p = new(SignatureV3)
|
||||||
|
} else {
|
||||||
|
p = new(Signature)
|
||||||
|
}
|
||||||
|
case packetTypeSymmetricKeyEncrypted:
|
||||||
|
p = new(SymmetricKeyEncrypted)
|
||||||
|
case packetTypeOnePassSignature:
|
||||||
|
p = new(OnePassSignature)
|
||||||
|
case packetTypePrivateKey, packetTypePrivateSubkey:
|
||||||
|
pk := new(PrivateKey)
|
||||||
|
if tag == packetTypePrivateSubkey {
|
||||||
|
pk.IsSubkey = true
|
||||||
|
}
|
||||||
|
p = pk
|
||||||
|
case packetTypePublicKey, packetTypePublicSubkey:
|
||||||
|
var version byte
|
||||||
|
if contents, version, err = peekVersion(contents); err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
isSubkey := tag == packetTypePublicSubkey
|
||||||
|
if version < 4 {
|
||||||
|
p = &PublicKeyV3{IsSubkey: isSubkey}
|
||||||
|
} else {
|
||||||
|
p = &PublicKey{IsSubkey: isSubkey}
|
||||||
|
}
|
||||||
|
case packetTypeCompressed:
|
||||||
|
p = new(Compressed)
|
||||||
|
case packetTypeSymmetricallyEncrypted:
|
||||||
|
p = new(SymmetricallyEncrypted)
|
||||||
|
case packetTypeLiteralData:
|
||||||
|
p = new(LiteralData)
|
||||||
|
case packetTypeUserId:
|
||||||
|
p = new(UserId)
|
||||||
|
case packetTypeUserAttribute:
|
||||||
|
p = new(UserAttribute)
|
||||||
|
case packetTypeSymmetricallyEncryptedMDC:
|
||||||
|
se := new(SymmetricallyEncrypted)
|
||||||
|
se.MDC = true
|
||||||
|
p = se
|
||||||
|
default:
|
||||||
|
err = errors.UnknownPacketTypeError(tag)
|
||||||
|
}
|
||||||
|
if p != nil {
|
||||||
|
err = p.parse(contents)
|
||||||
|
}
|
||||||
|
if err != nil {
|
||||||
|
consumeAll(contents)
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// SignatureType represents the different semantic meanings of an OpenPGP
|
||||||
|
// signature. See RFC 4880, section 5.2.1.
|
||||||
|
type SignatureType uint8
|
||||||
|
|
||||||
|
const (
|
||||||
|
SigTypeBinary SignatureType = 0
|
||||||
|
SigTypeText = 1
|
||||||
|
SigTypeGenericCert = 0x10
|
||||||
|
SigTypePersonaCert = 0x11
|
||||||
|
SigTypeCasualCert = 0x12
|
||||||
|
SigTypePositiveCert = 0x13
|
||||||
|
SigTypeSubkeyBinding = 0x18
|
||||||
|
SigTypePrimaryKeyBinding = 0x19
|
||||||
|
SigTypeDirectSignature = 0x1F
|
||||||
|
SigTypeKeyRevocation = 0x20
|
||||||
|
SigTypeSubkeyRevocation = 0x28
|
||||||
|
SigTypeIdentityRevocation = 0x30
|
||||||
|
)
|
||||||
|
|
||||||
|
// PublicKeyAlgorithm represents the different public key system specified for
|
||||||
|
// OpenPGP. See
|
||||||
|
// http://www.iana.org/assignments/pgp-parameters/pgp-parameters.xhtml#pgp-parameters-12
|
||||||
|
type PublicKeyAlgorithm uint8
|
||||||
|
|
||||||
|
const (
|
||||||
|
PubKeyAlgoRSA PublicKeyAlgorithm = 1
|
||||||
|
PubKeyAlgoRSAEncryptOnly PublicKeyAlgorithm = 2
|
||||||
|
PubKeyAlgoRSASignOnly PublicKeyAlgorithm = 3
|
||||||
|
PubKeyAlgoElGamal PublicKeyAlgorithm = 16
|
||||||
|
PubKeyAlgoDSA PublicKeyAlgorithm = 17
|
||||||
|
// RFC 6637, Section 5.
|
||||||
|
PubKeyAlgoECDH PublicKeyAlgorithm = 18
|
||||||
|
PubKeyAlgoECDSA PublicKeyAlgorithm = 19
|
||||||
|
// RFC -1
|
||||||
|
PubKeyAlgoEdDSA PublicKeyAlgorithm = 22
|
||||||
|
)
|
||||||
|
|
||||||
|
// CanEncrypt returns true if it's possible to encrypt a message to a public
|
||||||
|
// key of the given type.
|
||||||
|
func (pka PublicKeyAlgorithm) CanEncrypt() bool {
|
||||||
|
switch pka {
|
||||||
|
case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoElGamal, PubKeyAlgoECDH:
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
// CanSign returns true if it's possible for a public key of the given type to
|
||||||
|
// sign a message.
|
||||||
|
func (pka PublicKeyAlgorithm) CanSign() bool {
|
||||||
|
switch pka {
|
||||||
|
case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly, PubKeyAlgoDSA, PubKeyAlgoECDSA, PubKeyAlgoEdDSA:
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
// CipherFunction represents the different block ciphers specified for OpenPGP. See
|
||||||
|
// http://www.iana.org/assignments/pgp-parameters/pgp-parameters.xhtml#pgp-parameters-13
|
||||||
|
type CipherFunction uint8
|
||||||
|
|
||||||
|
const (
|
||||||
|
Cipher3DES CipherFunction = 2
|
||||||
|
CipherCAST5 CipherFunction = 3
|
||||||
|
CipherAES128 CipherFunction = 7
|
||||||
|
CipherAES192 CipherFunction = 8
|
||||||
|
CipherAES256 CipherFunction = 9
|
||||||
|
)
|
||||||
|
|
||||||
|
// KeySize returns the key size, in bytes, of cipher.
|
||||||
|
func (cipher CipherFunction) KeySize() int {
|
||||||
|
switch cipher {
|
||||||
|
case Cipher3DES:
|
||||||
|
return 24
|
||||||
|
case CipherCAST5:
|
||||||
|
return cast5.KeySize
|
||||||
|
case CipherAES128:
|
||||||
|
return 16
|
||||||
|
case CipherAES192:
|
||||||
|
return 24
|
||||||
|
case CipherAES256:
|
||||||
|
return 32
|
||||||
|
}
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
// blockSize returns the block size, in bytes, of cipher.
|
||||||
|
func (cipher CipherFunction) blockSize() int {
|
||||||
|
switch cipher {
|
||||||
|
case Cipher3DES:
|
||||||
|
return des.BlockSize
|
||||||
|
case CipherCAST5:
|
||||||
|
return 8
|
||||||
|
case CipherAES128, CipherAES192, CipherAES256:
|
||||||
|
return 16
|
||||||
|
}
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
// new returns a fresh instance of the given cipher.
|
||||||
|
func (cipher CipherFunction) new(key []byte) (block cipher.Block) {
|
||||||
|
switch cipher {
|
||||||
|
case Cipher3DES:
|
||||||
|
block, _ = des.NewTripleDESCipher(key)
|
||||||
|
case CipherCAST5:
|
||||||
|
block, _ = cast5.NewCipher(key)
|
||||||
|
case CipherAES128, CipherAES192, CipherAES256:
|
||||||
|
block, _ = aes.NewCipher(key)
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// readMPI reads a big integer from r. The bit length returned is the bit
|
||||||
|
// length that was specified in r. This is preserved so that the integer can be
|
||||||
|
// reserialized exactly.
|
||||||
|
func readMPI(r io.Reader) (mpi []byte, bitLength uint16, err error) {
|
||||||
|
var buf [2]byte
|
||||||
|
_, err = readFull(r, buf[0:])
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
bitLength = uint16(buf[0])<<8 | uint16(buf[1])
|
||||||
|
numBytes := (int(bitLength) + 7) / 8
|
||||||
|
mpi = make([]byte, numBytes)
|
||||||
|
_, err = readFull(r, mpi)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// mpiLength returns the length of the given *big.Int when serialized as an
|
||||||
|
// MPI.
|
||||||
|
func mpiLength(n *big.Int) (mpiLengthInBytes int) {
|
||||||
|
mpiLengthInBytes = 2 /* MPI length */
|
||||||
|
mpiLengthInBytes += (n.BitLen() + 7) / 8
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// writeMPI serializes a big integer to w.
|
||||||
|
func writeMPI(w io.Writer, bitLength uint16, mpiBytes []byte) (err error) {
|
||||||
|
_, err = w.Write([]byte{byte(bitLength >> 8), byte(bitLength)})
|
||||||
|
if err == nil {
|
||||||
|
_, err = w.Write(mpiBytes)
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func WritePaddedBigInt(w io.Writer, length int, X *big.Int) (n int, err error) {
|
||||||
|
bytes := X.Bytes()
|
||||||
|
n1, err := w.Write(make([]byte, length-len(bytes)))
|
||||||
|
if err != nil {
|
||||||
|
return n1, err
|
||||||
|
}
|
||||||
|
n2, err := w.Write(bytes)
|
||||||
|
if err != nil {
|
||||||
|
return n2, err
|
||||||
|
}
|
||||||
|
return (n1 + n2), err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Minimum number of bytes to fit the curve coordinates. All
|
||||||
|
// coordinates have to be 0-padded to this length.
|
||||||
|
func mpiPointByteLength(curve elliptic.Curve) int {
|
||||||
|
return (curve.Params().P.BitLen() + 7) / 8
|
||||||
|
}
|
||||||
|
|
||||||
|
// writeBig serializes a *big.Int to w.
|
||||||
|
func writeBig(w io.Writer, i *big.Int) error {
|
||||||
|
return writeMPI(w, uint16(i.BitLen()), i.Bytes())
|
||||||
|
}
|
||||||
|
|
||||||
|
// CompressionAlgo Represents the different compression algorithms
|
||||||
|
// supported by OpenPGP (except for BZIP2, which is not currently
|
||||||
|
// supported). See Section 9.3 of RFC 4880.
|
||||||
|
type CompressionAlgo uint8
|
||||||
|
|
||||||
|
const (
|
||||||
|
CompressionNone CompressionAlgo = 0
|
||||||
|
CompressionZIP CompressionAlgo = 1
|
||||||
|
CompressionZLIB CompressionAlgo = 2
|
||||||
|
)
|
550
vendor/github.com/keybase/go-crypto/openpgp/packet/private_key.go
generated
vendored
Normal file
550
vendor/github.com/keybase/go-crypto/openpgp/packet/private_key.go
generated
vendored
Normal file
@ -0,0 +1,550 @@
|
|||||||
|
// Copyright 2011 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package packet
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"crypto/cipher"
|
||||||
|
"crypto/dsa"
|
||||||
|
"crypto/ecdsa"
|
||||||
|
"crypto/sha1"
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
|
"io/ioutil"
|
||||||
|
"math/big"
|
||||||
|
"strconv"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/keybase/go-crypto/ed25519"
|
||||||
|
"github.com/keybase/go-crypto/openpgp/ecdh"
|
||||||
|
"github.com/keybase/go-crypto/openpgp/elgamal"
|
||||||
|
"github.com/keybase/go-crypto/openpgp/errors"
|
||||||
|
"github.com/keybase/go-crypto/openpgp/s2k"
|
||||||
|
"github.com/keybase/go-crypto/rsa"
|
||||||
|
)
|
||||||
|
|
||||||
|
// PrivateKey represents a possibly encrypted private key. See RFC 4880,
|
||||||
|
// section 5.5.3.
|
||||||
|
type PrivateKey struct {
|
||||||
|
PublicKey
|
||||||
|
Encrypted bool // if true then the private key is unavailable until Decrypt has been called.
|
||||||
|
encryptedData []byte
|
||||||
|
cipher CipherFunction
|
||||||
|
s2k func(out, in []byte)
|
||||||
|
PrivateKey interface{} // An *rsa.PrivateKey or *dsa.PrivateKey.
|
||||||
|
sha1Checksum bool
|
||||||
|
iv []byte
|
||||||
|
s2kHeader []byte
|
||||||
|
}
|
||||||
|
|
||||||
|
type EdDSAPrivateKey struct {
|
||||||
|
PrivateKey
|
||||||
|
seed parsedMPI
|
||||||
|
}
|
||||||
|
|
||||||
|
func (e *EdDSAPrivateKey) Sign(digest []byte) (R, S []byte, err error) {
|
||||||
|
r := bytes.NewReader(e.seed.bytes)
|
||||||
|
publicKey, privateKey, err := ed25519.GenerateKey(r)
|
||||||
|
if err != nil {
|
||||||
|
return nil, nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if !bytes.Equal(publicKey, e.PublicKey.edk.p.bytes[1:]) { // [1:] because [0] is 0x40 mpi header
|
||||||
|
return nil, nil, errors.UnsupportedError("EdDSA: Private key does not match public key.")
|
||||||
|
}
|
||||||
|
|
||||||
|
sig := ed25519.Sign(privateKey, digest)
|
||||||
|
|
||||||
|
sigLen := ed25519.SignatureSize / 2
|
||||||
|
return sig[:sigLen], sig[sigLen:], nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func NewRSAPrivateKey(currentTime time.Time, priv *rsa.PrivateKey) *PrivateKey {
|
||||||
|
pk := new(PrivateKey)
|
||||||
|
pk.PublicKey = *NewRSAPublicKey(currentTime, &priv.PublicKey)
|
||||||
|
pk.PrivateKey = priv
|
||||||
|
return pk
|
||||||
|
}
|
||||||
|
|
||||||
|
func NewDSAPrivateKey(currentTime time.Time, priv *dsa.PrivateKey) *PrivateKey {
|
||||||
|
pk := new(PrivateKey)
|
||||||
|
pk.PublicKey = *NewDSAPublicKey(currentTime, &priv.PublicKey)
|
||||||
|
pk.PrivateKey = priv
|
||||||
|
return pk
|
||||||
|
}
|
||||||
|
|
||||||
|
func NewElGamalPrivateKey(currentTime time.Time, priv *elgamal.PrivateKey) *PrivateKey {
|
||||||
|
pk := new(PrivateKey)
|
||||||
|
pk.PublicKey = *NewElGamalPublicKey(currentTime, &priv.PublicKey)
|
||||||
|
pk.PrivateKey = priv
|
||||||
|
return pk
|
||||||
|
}
|
||||||
|
|
||||||
|
func NewECDSAPrivateKey(currentTime time.Time, priv *ecdsa.PrivateKey) *PrivateKey {
|
||||||
|
pk := new(PrivateKey)
|
||||||
|
pk.PublicKey = *NewECDSAPublicKey(currentTime, &priv.PublicKey)
|
||||||
|
pk.PrivateKey = priv
|
||||||
|
return pk
|
||||||
|
}
|
||||||
|
|
||||||
|
func (pk *PrivateKey) parse(r io.Reader) (err error) {
|
||||||
|
err = (&pk.PublicKey).parse(r)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
var buf [1]byte
|
||||||
|
_, err = readFull(r, buf[:])
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
s2kType := buf[0]
|
||||||
|
|
||||||
|
switch s2kType {
|
||||||
|
case 0:
|
||||||
|
pk.s2k = nil
|
||||||
|
pk.Encrypted = false
|
||||||
|
case 254, 255:
|
||||||
|
_, err = readFull(r, buf[:])
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
pk.cipher = CipherFunction(buf[0])
|
||||||
|
pk.Encrypted = true
|
||||||
|
pk.s2k, err = s2k.Parse(r)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if s2kType == 254 {
|
||||||
|
pk.sha1Checksum = true
|
||||||
|
}
|
||||||
|
// S2K == nil implies that we got a "GNU Dummy" S2K. For instance,
|
||||||
|
// because our master secret key is on a USB key in a vault somewhere.
|
||||||
|
// In that case, there is no further data to consume here.
|
||||||
|
if pk.s2k == nil {
|
||||||
|
pk.Encrypted = false
|
||||||
|
return
|
||||||
|
}
|
||||||
|
default:
|
||||||
|
return errors.UnsupportedError("deprecated s2k function in private key")
|
||||||
|
}
|
||||||
|
if pk.Encrypted {
|
||||||
|
blockSize := pk.cipher.blockSize()
|
||||||
|
if blockSize == 0 {
|
||||||
|
return errors.UnsupportedError("unsupported cipher in private key: " + strconv.Itoa(int(pk.cipher)))
|
||||||
|
}
|
||||||
|
pk.iv = make([]byte, blockSize)
|
||||||
|
_, err = readFull(r, pk.iv)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
pk.encryptedData, err = ioutil.ReadAll(r)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
if !pk.Encrypted {
|
||||||
|
return pk.parsePrivateKey(pk.encryptedData)
|
||||||
|
}
|
||||||
|
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func mod64kHash(d []byte) uint16 {
|
||||||
|
var h uint16
|
||||||
|
for _, b := range d {
|
||||||
|
h += uint16(b)
|
||||||
|
}
|
||||||
|
return h
|
||||||
|
}
|
||||||
|
|
||||||
|
// Encrypt is the counterpart to the Decrypt() method below. It encrypts
|
||||||
|
// the private key with the provided passphrase. If config is nil, then
|
||||||
|
// the standard, and sensible, defaults apply.
|
||||||
|
//
|
||||||
|
// A key will be derived from the given passphrase using S2K Specifier
|
||||||
|
// Type 3 (Iterated + Salted, see RFC-4880 Sec. 3.7.1.3). This choice
|
||||||
|
// is hardcoded in s2k.Serialize(). S2KCount is hardcoded to 0, which is
|
||||||
|
// equivalent to 65536. And the hash algorithm for key-derivation can be
|
||||||
|
// set with config. The encrypted PrivateKey, using the algorithm specified
|
||||||
|
// in config (if provided), is written out to the encryptedData member.
|
||||||
|
// When Serialize() is called, this encryptedData member will be
|
||||||
|
// serialized, using S2K Usage value of 254, and thus SHA1 checksum.
|
||||||
|
func (pk *PrivateKey) Encrypt(passphrase []byte, config *Config) (err error) {
|
||||||
|
if pk.PrivateKey == nil {
|
||||||
|
return errors.InvalidArgumentError("there is no private key to encrypt")
|
||||||
|
}
|
||||||
|
|
||||||
|
pk.sha1Checksum = true
|
||||||
|
pk.cipher = config.Cipher()
|
||||||
|
s2kConfig := s2k.Config{
|
||||||
|
Hash: config.Hash(),
|
||||||
|
S2KCount: 0,
|
||||||
|
}
|
||||||
|
s2kBuf := bytes.NewBuffer(nil)
|
||||||
|
derivedKey := make([]byte, pk.cipher.KeySize())
|
||||||
|
err = s2k.Serialize(s2kBuf, derivedKey, config.Random(), passphrase, &s2kConfig)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
pk.s2kHeader = s2kBuf.Bytes()
|
||||||
|
// No good way to set pk.s2k but to call s2k.Parse(),
|
||||||
|
// even though we have all the information here, but
|
||||||
|
// most of the functions needed are private to s2k.
|
||||||
|
pk.s2k, err = s2k.Parse(s2kBuf)
|
||||||
|
pk.iv = make([]byte, pk.cipher.blockSize())
|
||||||
|
if _, err = config.Random().Read(pk.iv); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
privateKeyBuf := bytes.NewBuffer(nil)
|
||||||
|
if err = pk.serializePrivateKey(privateKeyBuf); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
checksum := sha1.Sum(privateKeyBuf.Bytes())
|
||||||
|
if _, err = privateKeyBuf.Write(checksum[:]); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
pkData := privateKeyBuf.Bytes()
|
||||||
|
block := pk.cipher.new(derivedKey)
|
||||||
|
pk.encryptedData = make([]byte, len(pkData))
|
||||||
|
cfb := cipher.NewCFBEncrypter(block, pk.iv)
|
||||||
|
cfb.XORKeyStream(pk.encryptedData, pkData)
|
||||||
|
pk.Encrypted = true
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (pk *PrivateKey) Serialize(w io.Writer) (err error) {
|
||||||
|
buf := bytes.NewBuffer(nil)
|
||||||
|
err = pk.PublicKey.serializeWithoutHeaders(buf)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
privateKeyBuf := bytes.NewBuffer(nil)
|
||||||
|
|
||||||
|
if pk.PrivateKey == nil {
|
||||||
|
_, err = buf.Write([]byte{
|
||||||
|
254, // SHA-1 Convention
|
||||||
|
9, // Encryption scheme (AES256)
|
||||||
|
101, // GNU Extensions
|
||||||
|
2, // Hash value (SHA1)
|
||||||
|
'G', 'N', 'U', // "GNU" as a string
|
||||||
|
1, // Extension type 1001 (minus 1000)
|
||||||
|
})
|
||||||
|
} else if pk.Encrypted {
|
||||||
|
_, err = buf.Write([]byte{
|
||||||
|
254, // SHA-1 Convention
|
||||||
|
byte(pk.cipher), // Encryption scheme
|
||||||
|
})
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if _, err = buf.Write(pk.s2kHeader); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if _, err = buf.Write(pk.iv); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if _, err = privateKeyBuf.Write(pk.encryptedData); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
buf.WriteByte(0 /* no encryption */)
|
||||||
|
if err = pk.serializePrivateKey(privateKeyBuf); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
ptype := packetTypePrivateKey
|
||||||
|
contents := buf.Bytes()
|
||||||
|
privateKeyBytes := privateKeyBuf.Bytes()
|
||||||
|
if pk.IsSubkey {
|
||||||
|
ptype = packetTypePrivateSubkey
|
||||||
|
}
|
||||||
|
totalLen := len(contents) + len(privateKeyBytes)
|
||||||
|
if !pk.Encrypted {
|
||||||
|
totalLen += 2
|
||||||
|
}
|
||||||
|
err = serializeHeader(w, ptype, totalLen)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
_, err = w.Write(contents)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
_, err = w.Write(privateKeyBytes)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(privateKeyBytes) > 0 && !pk.Encrypted {
|
||||||
|
checksum := mod64kHash(privateKeyBytes)
|
||||||
|
var checksumBytes [2]byte
|
||||||
|
checksumBytes[0] = byte(checksum >> 8)
|
||||||
|
checksumBytes[1] = byte(checksum)
|
||||||
|
_, err = w.Write(checksumBytes[:])
|
||||||
|
}
|
||||||
|
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func (pk *PrivateKey) serializePrivateKey(w io.Writer) (err error) {
|
||||||
|
switch priv := pk.PrivateKey.(type) {
|
||||||
|
case *rsa.PrivateKey:
|
||||||
|
err = serializeRSAPrivateKey(w, priv)
|
||||||
|
case *dsa.PrivateKey:
|
||||||
|
err = serializeDSAPrivateKey(w, priv)
|
||||||
|
case *elgamal.PrivateKey:
|
||||||
|
err = serializeElGamalPrivateKey(w, priv)
|
||||||
|
case *ecdsa.PrivateKey:
|
||||||
|
err = serializeECDSAPrivateKey(w, priv)
|
||||||
|
case *ecdh.PrivateKey:
|
||||||
|
err = serializeECDHPrivateKey(w, priv)
|
||||||
|
case *EdDSAPrivateKey:
|
||||||
|
err = serializeEdDSAPrivateKey(w, priv)
|
||||||
|
default:
|
||||||
|
err = errors.InvalidArgumentError("unknown private key type")
|
||||||
|
}
|
||||||
|
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
func serializeRSAPrivateKey(w io.Writer, priv *rsa.PrivateKey) error {
|
||||||
|
err := writeBig(w, priv.D)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
err = writeBig(w, priv.Primes[1])
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
err = writeBig(w, priv.Primes[0])
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
return writeBig(w, priv.Precomputed.Qinv)
|
||||||
|
}
|
||||||
|
|
||||||
|
func serializeDSAPrivateKey(w io.Writer, priv *dsa.PrivateKey) error {
|
||||||
|
return writeBig(w, priv.X)
|
||||||
|
}
|
||||||
|
|
||||||
|
func serializeElGamalPrivateKey(w io.Writer, priv *elgamal.PrivateKey) error {
|
||||||
|
return writeBig(w, priv.X)
|
||||||
|
}
|
||||||
|
|
||||||
|
func serializeECDSAPrivateKey(w io.Writer, priv *ecdsa.PrivateKey) error {
|
||||||
|
return writeBig(w, priv.D)
|
||||||
|
}
|
||||||
|
|
||||||
|
func serializeECDHPrivateKey(w io.Writer, priv *ecdh.PrivateKey) error {
|
||||||
|
return writeBig(w, priv.X)
|
||||||
|
}
|
||||||
|
|
||||||
|
func serializeEdDSAPrivateKey(w io.Writer, priv *EdDSAPrivateKey) error {
|
||||||
|
return writeMPI(w, priv.seed.bitLength, priv.seed.bytes)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Decrypt decrypts an encrypted private key using a passphrase.
|
||||||
|
func (pk *PrivateKey) Decrypt(passphrase []byte) error {
|
||||||
|
if !pk.Encrypted {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
// For GNU Dummy S2K, there's no key here, so don't do anything.
|
||||||
|
if pk.s2k == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
key := make([]byte, pk.cipher.KeySize())
|
||||||
|
pk.s2k(key, passphrase)
|
||||||
|
block := pk.cipher.new(key)
|
||||||
|
cfb := cipher.NewCFBDecrypter(block, pk.iv)
|
||||||
|
|
||||||
|
data := make([]byte, len(pk.encryptedData))
|
||||||
|
cfb.XORKeyStream(data, pk.encryptedData)
|
||||||
|
|
||||||
|
if pk.sha1Checksum {
|
||||||
|
if len(data) < sha1.Size {
|
||||||
|
return errors.StructuralError("truncated private key data")
|
||||||
|
}
|
||||||
|
h := sha1.New()
|
||||||
|
h.Write(data[:len(data)-sha1.Size])
|
||||||
|
sum := h.Sum(nil)
|
||||||
|
if !bytes.Equal(sum, data[len(data)-sha1.Size:]) {
|
||||||
|
return errors.StructuralError("private key checksum failure")
|
||||||
|
}
|
||||||
|
data = data[:len(data)-sha1.Size]
|
||||||
|
} else {
|
||||||
|
if len(data) < 2 {
|
||||||
|
return errors.StructuralError("truncated private key data")
|
||||||
|
}
|
||||||
|
var sum uint16
|
||||||
|
for i := 0; i < len(data)-2; i++ {
|
||||||
|
sum += uint16(data[i])
|
||||||
|
}
|
||||||
|
if data[len(data)-2] != uint8(sum>>8) ||
|
||||||
|
data[len(data)-1] != uint8(sum) {
|
||||||
|
return errors.StructuralError("private key checksum failure")
|
||||||
|
}
|
||||||
|
data = data[:len(data)-2]
|
||||||
|
}
|
||||||
|
|
||||||
|
return pk.parsePrivateKey(data)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (pk *PrivateKey) parsePrivateKey(data []byte) (err error) {
|
||||||
|
switch pk.PublicKey.PubKeyAlgo {
|
||||||
|
case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly, PubKeyAlgoRSAEncryptOnly:
|
||||||
|
return pk.parseRSAPrivateKey(data)
|
||||||
|
case PubKeyAlgoDSA:
|
||||||
|
return pk.parseDSAPrivateKey(data)
|
||||||
|
case PubKeyAlgoElGamal:
|
||||||
|
return pk.parseElGamalPrivateKey(data)
|
||||||
|
case PubKeyAlgoECDSA:
|
||||||
|
return pk.parseECDSAPrivateKey(data)
|
||||||
|
case PubKeyAlgoECDH:
|
||||||
|
return pk.parseECDHPrivateKey(data)
|
||||||
|
case PubKeyAlgoEdDSA:
|
||||||
|
return pk.parseEdDSAPrivateKey(data)
|
||||||
|
}
|
||||||
|
panic("impossible")
|
||||||
|
}
|
||||||
|
|
||||||
|
func (pk *PrivateKey) parseRSAPrivateKey(data []byte) (err error) {
|
||||||
|
rsaPub := pk.PublicKey.PublicKey.(*rsa.PublicKey)
|
||||||
|
rsaPriv := new(rsa.PrivateKey)
|
||||||
|
rsaPriv.PublicKey = *rsaPub
|
||||||
|
|
||||||
|
buf := bytes.NewBuffer(data)
|
||||||
|
d, _, err := readMPI(buf)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
p, _, err := readMPI(buf)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
q, _, err := readMPI(buf)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
rsaPriv.D = new(big.Int).SetBytes(d)
|
||||||
|
rsaPriv.Primes = make([]*big.Int, 2)
|
||||||
|
rsaPriv.Primes[0] = new(big.Int).SetBytes(p)
|
||||||
|
rsaPriv.Primes[1] = new(big.Int).SetBytes(q)
|
||||||
|
if err := rsaPriv.Validate(); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
rsaPriv.Precompute()
|
||||||
|
pk.PrivateKey = rsaPriv
|
||||||
|
pk.Encrypted = false
|
||||||
|
pk.encryptedData = nil
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (pk *PrivateKey) parseDSAPrivateKey(data []byte) (err error) {
|
||||||
|
dsaPub := pk.PublicKey.PublicKey.(*dsa.PublicKey)
|
||||||
|
dsaPriv := new(dsa.PrivateKey)
|
||||||
|
dsaPriv.PublicKey = *dsaPub
|
||||||
|
|
||||||
|
buf := bytes.NewBuffer(data)
|
||||||
|
x, _, err := readMPI(buf)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
dsaPriv.X = new(big.Int).SetBytes(x)
|
||||||
|
pk.PrivateKey = dsaPriv
|
||||||
|
pk.Encrypted = false
|
||||||
|
pk.encryptedData = nil
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (pk *PrivateKey) parseElGamalPrivateKey(data []byte) (err error) {
|
||||||
|
pub := pk.PublicKey.PublicKey.(*elgamal.PublicKey)
|
||||||
|
priv := new(elgamal.PrivateKey)
|
||||||
|
priv.PublicKey = *pub
|
||||||
|
|
||||||
|
buf := bytes.NewBuffer(data)
|
||||||
|
x, _, err := readMPI(buf)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
priv.X = new(big.Int).SetBytes(x)
|
||||||
|
pk.PrivateKey = priv
|
||||||
|
pk.Encrypted = false
|
||||||
|
pk.encryptedData = nil
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (pk *PrivateKey) parseECDHPrivateKey(data []byte) (err error) {
|
||||||
|
pub := pk.PublicKey.PublicKey.(*ecdh.PublicKey)
|
||||||
|
priv := new(ecdh.PrivateKey)
|
||||||
|
priv.PublicKey = *pub
|
||||||
|
|
||||||
|
buf := bytes.NewBuffer(data)
|
||||||
|
d, _, err := readMPI(buf)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
priv.X = new(big.Int).SetBytes(d)
|
||||||
|
pk.PrivateKey = priv
|
||||||
|
pk.Encrypted = false
|
||||||
|
pk.encryptedData = nil
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (pk *PrivateKey) parseECDSAPrivateKey(data []byte) (err error) {
|
||||||
|
ecdsaPub := pk.PublicKey.PublicKey.(*ecdsa.PublicKey)
|
||||||
|
ecdsaPriv := new(ecdsa.PrivateKey)
|
||||||
|
ecdsaPriv.PublicKey = *ecdsaPub
|
||||||
|
|
||||||
|
buf := bytes.NewBuffer(data)
|
||||||
|
d, _, err := readMPI(buf)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
ecdsaPriv.D = new(big.Int).SetBytes(d)
|
||||||
|
pk.PrivateKey = ecdsaPriv
|
||||||
|
pk.Encrypted = false
|
||||||
|
pk.encryptedData = nil
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (pk *PrivateKey) parseEdDSAPrivateKey(data []byte) (err error) {
|
||||||
|
eddsaPriv := new(EdDSAPrivateKey)
|
||||||
|
eddsaPriv.PublicKey = pk.PublicKey
|
||||||
|
|
||||||
|
buf := bytes.NewBuffer(data)
|
||||||
|
eddsaPriv.seed.bytes, eddsaPriv.seed.bitLength, err = readMPI(buf)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
if bLen := len(eddsaPriv.seed.bytes); bLen != 32 { // 32 bytes private part of ed25519 key.
|
||||||
|
return errors.UnsupportedError(fmt.Sprintf("Unexpected EdDSA private key length: %d", bLen))
|
||||||
|
}
|
||||||
|
|
||||||
|
pk.PrivateKey = eddsaPriv
|
||||||
|
pk.Encrypted = false
|
||||||
|
pk.encryptedData = nil
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
930
vendor/github.com/keybase/go-crypto/openpgp/packet/public_key.go
generated
vendored
Normal file
930
vendor/github.com/keybase/go-crypto/openpgp/packet/public_key.go
generated
vendored
Normal file
@ -0,0 +1,930 @@
|
|||||||
|
// Copyright 2011 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package packet
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"crypto"
|
||||||
|
"crypto/dsa"
|
||||||
|
"crypto/ecdsa"
|
||||||
|
"crypto/elliptic"
|
||||||
|
"crypto/sha1"
|
||||||
|
_ "crypto/sha256"
|
||||||
|
_ "crypto/sha512"
|
||||||
|
"encoding/binary"
|
||||||
|
"fmt"
|
||||||
|
"hash"
|
||||||
|
"io"
|
||||||
|
"math/big"
|
||||||
|
"strconv"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/keybase/go-crypto/brainpool"
|
||||||
|
"github.com/keybase/go-crypto/curve25519"
|
||||||
|
"github.com/keybase/go-crypto/ed25519"
|
||||||
|
"github.com/keybase/go-crypto/openpgp/ecdh"
|
||||||
|
"github.com/keybase/go-crypto/openpgp/elgamal"
|
||||||
|
"github.com/keybase/go-crypto/openpgp/errors"
|
||||||
|
"github.com/keybase/go-crypto/rsa"
|
||||||
|
)
|
||||||
|
|
||||||
|
var (
|
||||||
|
// NIST curve P-256
|
||||||
|
oidCurveP256 []byte = []byte{0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07}
|
||||||
|
// NIST curve P-384
|
||||||
|
oidCurveP384 []byte = []byte{0x2B, 0x81, 0x04, 0x00, 0x22}
|
||||||
|
// NIST curve P-521
|
||||||
|
oidCurveP521 []byte = []byte{0x2B, 0x81, 0x04, 0x00, 0x23}
|
||||||
|
// Brainpool curve P-256r1
|
||||||
|
oidCurveP256r1 []byte = []byte{0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x07}
|
||||||
|
// Brainpool curve P-384r1
|
||||||
|
oidCurveP384r1 []byte = []byte{0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x0B}
|
||||||
|
// Brainpool curve P-512r1
|
||||||
|
oidCurveP512r1 []byte = []byte{0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x0D}
|
||||||
|
// EdDSA
|
||||||
|
oidEdDSA []byte = []byte{0x2B, 0x06, 0x01, 0x04, 0x01, 0xDA, 0x47, 0x0F, 0x01}
|
||||||
|
// cv25519
|
||||||
|
oidCurve25519 []byte = []byte{0x2B, 0x06, 0x01, 0x04, 0x01, 0x97, 0x55, 0x01, 0x05, 0x01}
|
||||||
|
)
|
||||||
|
|
||||||
|
const maxOIDLength = 10
|
||||||
|
|
||||||
|
// ecdsaKey stores the algorithm-specific fields for ECDSA keys.
|
||||||
|
// as defined in RFC 6637, Section 9.
|
||||||
|
type ecdsaKey struct {
|
||||||
|
// oid contains the OID byte sequence identifying the elliptic curve used
|
||||||
|
oid []byte
|
||||||
|
// p contains the elliptic curve point that represents the public key
|
||||||
|
p parsedMPI
|
||||||
|
}
|
||||||
|
|
||||||
|
type edDSAkey struct {
|
||||||
|
ecdsaKey
|
||||||
|
}
|
||||||
|
|
||||||
|
func copyFrontFill(dst, src []byte, length int) int {
|
||||||
|
if srcLen := len(src); srcLen < length {
|
||||||
|
return copy(dst[length-srcLen:], src[:])
|
||||||
|
} else {
|
||||||
|
return copy(dst[:], src[:])
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (e *edDSAkey) Verify(payload []byte, r parsedMPI, s parsedMPI) bool {
|
||||||
|
const halfSigSize = ed25519.SignatureSize / 2
|
||||||
|
var sig [ed25519.SignatureSize]byte
|
||||||
|
|
||||||
|
// NOTE: The first byte is 0x40 - MPI header
|
||||||
|
// TODO: Maybe clean the code up and use 0x40 as a header when
|
||||||
|
// reading and keep only actual number in p field. Find out how
|
||||||
|
// other MPIs are stored.
|
||||||
|
key := e.p.bytes[1:]
|
||||||
|
|
||||||
|
// Note: it may happen that R + S do not form 64-byte signature buffer that
|
||||||
|
// ed25519 expects, but because we copy it over to an array of exact size,
|
||||||
|
// we will always pass correctly sized slice to Verify. Slice too short
|
||||||
|
// would make ed25519 panic().
|
||||||
|
copyFrontFill(sig[:halfSigSize], r.bytes, halfSigSize)
|
||||||
|
copyFrontFill(sig[halfSigSize:], s.bytes, halfSigSize)
|
||||||
|
|
||||||
|
return ed25519.Verify(key, payload, sig[:])
|
||||||
|
}
|
||||||
|
|
||||||
|
// parseOID reads the OID for the curve as defined in RFC 6637, Section 9.
|
||||||
|
func parseOID(r io.Reader) (oid []byte, err error) {
|
||||||
|
buf := make([]byte, maxOIDLength)
|
||||||
|
if _, err = readFull(r, buf[:1]); err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
oidLen := buf[0]
|
||||||
|
if int(oidLen) > len(buf) {
|
||||||
|
err = errors.UnsupportedError("invalid oid length: " + strconv.Itoa(int(oidLen)))
|
||||||
|
return
|
||||||
|
}
|
||||||
|
oid = buf[:oidLen]
|
||||||
|
_, err = readFull(r, oid)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *ecdsaKey) parse(r io.Reader) (err error) {
|
||||||
|
if f.oid, err = parseOID(r); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
f.p.bytes, f.p.bitLength, err = readMPI(r)
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *ecdsaKey) serialize(w io.Writer) (err error) {
|
||||||
|
buf := make([]byte, maxOIDLength+1)
|
||||||
|
buf[0] = byte(len(f.oid))
|
||||||
|
copy(buf[1:], f.oid)
|
||||||
|
if _, err = w.Write(buf[:len(f.oid)+1]); err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
return writeMPIs(w, f.p)
|
||||||
|
}
|
||||||
|
|
||||||
|
func getCurveByOid(oid []byte) elliptic.Curve {
|
||||||
|
switch {
|
||||||
|
case bytes.Equal(oid, oidCurveP256):
|
||||||
|
return elliptic.P256()
|
||||||
|
case bytes.Equal(oid, oidCurveP384):
|
||||||
|
return elliptic.P384()
|
||||||
|
case bytes.Equal(oid, oidCurveP521):
|
||||||
|
return elliptic.P521()
|
||||||
|
case bytes.Equal(oid, oidCurveP256r1):
|
||||||
|
return brainpool.P256r1()
|
||||||
|
case bytes.Equal(oid, oidCurveP384r1):
|
||||||
|
return brainpool.P384r1()
|
||||||
|
case bytes.Equal(oid, oidCurveP512r1):
|
||||||
|
return brainpool.P512r1()
|
||||||
|
case bytes.Equal(oid, oidCurve25519):
|
||||||
|
return curve25519.Cv25519()
|
||||||
|
default:
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *ecdsaKey) newECDSA() (*ecdsa.PublicKey, error) {
|
||||||
|
var c = getCurveByOid(f.oid)
|
||||||
|
// Curve25519 should not be used in ECDSA.
|
||||||
|
if c == nil || bytes.Equal(f.oid, oidCurve25519) {
|
||||||
|
return nil, errors.UnsupportedError(fmt.Sprintf("unsupported oid: %x", f.oid))
|
||||||
|
}
|
||||||
|
// Note: Unmarshal already checks if point is on curve.
|
||||||
|
x, y := elliptic.Unmarshal(c, f.p.bytes)
|
||||||
|
if x == nil {
|
||||||
|
return nil, errors.UnsupportedError("failed to parse EC point")
|
||||||
|
}
|
||||||
|
return &ecdsa.PublicKey{Curve: c, X: x, Y: y}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *ecdsaKey) newECDH() (*ecdh.PublicKey, error) {
|
||||||
|
var c = getCurveByOid(f.oid)
|
||||||
|
if c == nil {
|
||||||
|
return nil, errors.UnsupportedError(fmt.Sprintf("unsupported oid: %x", f.oid))
|
||||||
|
}
|
||||||
|
// ecdh.Unmarshal handles unmarshaling for all curve types. It
|
||||||
|
// also checks if point is on curve.
|
||||||
|
x, y := ecdh.Unmarshal(c, f.p.bytes)
|
||||||
|
if x == nil {
|
||||||
|
return nil, errors.UnsupportedError("failed to parse EC point")
|
||||||
|
}
|
||||||
|
return &ecdh.PublicKey{Curve: c, X: x, Y: y}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *ecdsaKey) byteLen() int {
|
||||||
|
return 1 + len(f.oid) + 2 + len(f.p.bytes)
|
||||||
|
}
|
||||||
|
|
||||||
|
type kdfHashFunction byte
|
||||||
|
type kdfAlgorithm byte
|
||||||
|
|
||||||
|
// ecdhKdf stores key derivation function parameters
|
||||||
|
// used for ECDH encryption. See RFC 6637, Section 9.
|
||||||
|
type ecdhKdf struct {
|
||||||
|
KdfHash kdfHashFunction
|
||||||
|
KdfAlgo kdfAlgorithm
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *ecdhKdf) parse(r io.Reader) (err error) {
|
||||||
|
buf := make([]byte, 1)
|
||||||
|
if _, err = readFull(r, buf); err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
kdfLen := int(buf[0])
|
||||||
|
if kdfLen < 3 {
|
||||||
|
return errors.UnsupportedError("Unsupported ECDH KDF length: " + strconv.Itoa(kdfLen))
|
||||||
|
}
|
||||||
|
buf = make([]byte, kdfLen)
|
||||||
|
if _, err = readFull(r, buf); err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
reserved := int(buf[0])
|
||||||
|
f.KdfHash = kdfHashFunction(buf[1])
|
||||||
|
f.KdfAlgo = kdfAlgorithm(buf[2])
|
||||||
|
if reserved != 0x01 {
|
||||||
|
return errors.UnsupportedError("Unsupported KDF reserved field: " + strconv.Itoa(reserved))
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *ecdhKdf) serialize(w io.Writer) (err error) {
|
||||||
|
buf := make([]byte, 4)
|
||||||
|
// See RFC 6637, Section 9, Algorithm-Specific Fields for ECDH keys.
|
||||||
|
buf[0] = byte(0x03) // Length of the following fields
|
||||||
|
buf[1] = byte(0x01) // Reserved for future extensions, must be 1 for now
|
||||||
|
buf[2] = byte(f.KdfHash)
|
||||||
|
buf[3] = byte(f.KdfAlgo)
|
||||||
|
_, err = w.Write(buf[:])
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *ecdhKdf) byteLen() int {
|
||||||
|
return 4
|
||||||
|
}
|
||||||
|
|
||||||
|
// PublicKey represents an OpenPGP public key. See RFC 4880, section 5.5.2.
|
||||||
|
type PublicKey struct {
|
||||||
|
CreationTime time.Time
|
||||||
|
PubKeyAlgo PublicKeyAlgorithm
|
||||||
|
PublicKey interface{} // *rsa.PublicKey, *dsa.PublicKey or *ecdsa.PublicKey
|
||||||
|
Fingerprint [20]byte
|
||||||
|
KeyId uint64
|
||||||
|
IsSubkey bool
|
||||||
|
|
||||||
|
n, e, p, q, g, y parsedMPI
|
||||||
|
|
||||||
|
// RFC 6637 fields
|
||||||
|
ec *ecdsaKey
|
||||||
|
ecdh *ecdhKdf
|
||||||
|
|
||||||
|
// EdDSA fields (no RFC available), uses ecdsa scaffolding
|
||||||
|
edk *edDSAkey
|
||||||
|
}
|
||||||
|
|
||||||
|
// signingKey provides a convenient abstraction over signature verification
|
||||||
|
// for v3 and v4 public keys.
|
||||||
|
type signingKey interface {
|
||||||
|
SerializeSignaturePrefix(io.Writer)
|
||||||
|
serializeWithoutHeaders(io.Writer) error
|
||||||
|
}
|
||||||
|
|
||||||
|
func FromBig(n *big.Int) parsedMPI {
|
||||||
|
return parsedMPI{
|
||||||
|
bytes: n.Bytes(),
|
||||||
|
bitLength: uint16(n.BitLen()),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func FromBytes(bytes []byte) parsedMPI {
|
||||||
|
return parsedMPI{
|
||||||
|
bytes: bytes,
|
||||||
|
bitLength: uint16(8 * len(bytes)),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewRSAPublicKey returns a PublicKey that wraps the given rsa.PublicKey.
|
||||||
|
func NewRSAPublicKey(creationTime time.Time, pub *rsa.PublicKey) *PublicKey {
|
||||||
|
pk := &PublicKey{
|
||||||
|
CreationTime: creationTime,
|
||||||
|
PubKeyAlgo: PubKeyAlgoRSA,
|
||||||
|
PublicKey: pub,
|
||||||
|
n: FromBig(pub.N),
|
||||||
|
e: FromBig(big.NewInt(int64(pub.E))),
|
||||||
|
}
|
||||||
|
|
||||||
|
pk.setFingerPrintAndKeyId()
|
||||||
|
return pk
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewDSAPublicKey returns a PublicKey that wraps the given dsa.PublicKey.
|
||||||
|
func NewDSAPublicKey(creationTime time.Time, pub *dsa.PublicKey) *PublicKey {
|
||||||
|
pk := &PublicKey{
|
||||||
|
CreationTime: creationTime,
|
||||||
|
PubKeyAlgo: PubKeyAlgoDSA,
|
||||||
|
PublicKey: pub,
|
||||||
|
p: FromBig(pub.P),
|
||||||
|
q: FromBig(pub.Q),
|
||||||
|
g: FromBig(pub.G),
|
||||||
|
y: FromBig(pub.Y),
|
||||||
|
}
|
||||||
|
|
||||||
|
pk.setFingerPrintAndKeyId()
|
||||||
|
return pk
|
||||||
|
}
|
||||||
|
|
||||||
|
// check EdDSA public key material.
|
||||||
|
// There is currently no RFC for it, but it doesn't mean it's not
|
||||||
|
// implemented or in use.
|
||||||
|
func (e *edDSAkey) check() error {
|
||||||
|
if !bytes.Equal(e.oid, oidEdDSA) {
|
||||||
|
return errors.UnsupportedError(fmt.Sprintf("Bad OID for EdDSA key: %v", e.oid))
|
||||||
|
}
|
||||||
|
if bLen := len(e.p.bytes); bLen != 33 { // 32 bytes for ed25519 key and 1 byte for 0x40 header
|
||||||
|
return errors.UnsupportedError(fmt.Sprintf("Unexpected EdDSA public key length: %d", bLen))
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewElGamalPublicKey returns a PublicKey that wraps the given elgamal.PublicKey.
|
||||||
|
func NewElGamalPublicKey(creationTime time.Time, pub *elgamal.PublicKey) *PublicKey {
|
||||||
|
pk := &PublicKey{
|
||||||
|
CreationTime: creationTime,
|
||||||
|
PubKeyAlgo: PubKeyAlgoElGamal,
|
||||||
|
PublicKey: pub,
|
||||||
|
p: FromBig(pub.P),
|
||||||
|
g: FromBig(pub.G),
|
||||||
|
y: FromBig(pub.Y),
|
||||||
|
}
|
||||||
|
|
||||||
|
pk.setFingerPrintAndKeyId()
|
||||||
|
return pk
|
||||||
|
}
|
||||||
|
|
||||||
|
func NewECDSAPublicKey(creationTime time.Time, pub *ecdsa.PublicKey) *PublicKey {
|
||||||
|
pk := &PublicKey{
|
||||||
|
CreationTime: creationTime,
|
||||||
|
PubKeyAlgo: PubKeyAlgoECDSA,
|
||||||
|
PublicKey: pub,
|
||||||
|
ec: new(ecdsaKey),
|
||||||
|
}
|
||||||
|
switch pub.Curve {
|
||||||
|
case elliptic.P256():
|
||||||
|
pk.ec.oid = oidCurveP256
|
||||||
|
case elliptic.P384():
|
||||||
|
pk.ec.oid = oidCurveP384
|
||||||
|
case elliptic.P521():
|
||||||
|
pk.ec.oid = oidCurveP521
|
||||||
|
case brainpool.P256r1():
|
||||||
|
pk.ec.oid = oidCurveP256r1
|
||||||
|
case brainpool.P384r1():
|
||||||
|
pk.ec.oid = oidCurveP384r1
|
||||||
|
case brainpool.P512r1():
|
||||||
|
pk.ec.oid = oidCurveP512r1
|
||||||
|
}
|
||||||
|
pk.ec.p.bytes = elliptic.Marshal(pub.Curve, pub.X, pub.Y)
|
||||||
|
pk.ec.p.bitLength = uint16(8 * len(pk.ec.p.bytes))
|
||||||
|
|
||||||
|
pk.setFingerPrintAndKeyId()
|
||||||
|
return pk
|
||||||
|
}
|
||||||
|
|
||||||
|
func (pk *PublicKey) parse(r io.Reader) (err error) {
|
||||||
|
// RFC 4880, section 5.5.2
|
||||||
|
var buf [6]byte
|
||||||
|
_, err = readFull(r, buf[:])
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if buf[0] != 4 {
|
||||||
|
return errors.UnsupportedError("public key version")
|
||||||
|
}
|
||||||
|
pk.CreationTime = time.Unix(int64(uint32(buf[1])<<24|uint32(buf[2])<<16|uint32(buf[3])<<8|uint32(buf[4])), 0)
|
||||||
|
pk.PubKeyAlgo = PublicKeyAlgorithm(buf[5])
|
||||||
|
switch pk.PubKeyAlgo {
|
||||||
|
case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly:
|
||||||
|
err = pk.parseRSA(r)
|
||||||
|
case PubKeyAlgoDSA:
|
||||||
|
err = pk.parseDSA(r)
|
||||||
|
case PubKeyAlgoElGamal:
|
||||||
|
err = pk.parseElGamal(r)
|
||||||
|
case PubKeyAlgoEdDSA:
|
||||||
|
pk.edk = new(edDSAkey)
|
||||||
|
if err = pk.edk.parse(r); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
err = pk.edk.check()
|
||||||
|
case PubKeyAlgoECDSA:
|
||||||
|
pk.ec = new(ecdsaKey)
|
||||||
|
if err = pk.ec.parse(r); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
pk.PublicKey, err = pk.ec.newECDSA()
|
||||||
|
case PubKeyAlgoECDH:
|
||||||
|
pk.ec = new(ecdsaKey)
|
||||||
|
if err = pk.ec.parse(r); err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
pk.ecdh = new(ecdhKdf)
|
||||||
|
if err = pk.ecdh.parse(r); err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
pk.PublicKey, err = pk.ec.newECDH()
|
||||||
|
default:
|
||||||
|
err = errors.UnsupportedError("public key type: " + strconv.Itoa(int(pk.PubKeyAlgo)))
|
||||||
|
}
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
pk.setFingerPrintAndKeyId()
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func (pk *PublicKey) setFingerPrintAndKeyId() {
|
||||||
|
// RFC 4880, section 12.2
|
||||||
|
fingerPrint := sha1.New()
|
||||||
|
pk.SerializeSignaturePrefix(fingerPrint)
|
||||||
|
pk.serializeWithoutHeaders(fingerPrint)
|
||||||
|
copy(pk.Fingerprint[:], fingerPrint.Sum(nil))
|
||||||
|
pk.KeyId = binary.BigEndian.Uint64(pk.Fingerprint[12:20])
|
||||||
|
}
|
||||||
|
|
||||||
|
// parseRSA parses RSA public key material from the given Reader. See RFC 4880,
|
||||||
|
// section 5.5.2.
|
||||||
|
func (pk *PublicKey) parseRSA(r io.Reader) (err error) {
|
||||||
|
pk.n.bytes, pk.n.bitLength, err = readMPI(r)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
pk.e.bytes, pk.e.bitLength, err = readMPI(r)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(pk.e.bytes) > 7 {
|
||||||
|
err = errors.UnsupportedError("large public exponent")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
rsa := &rsa.PublicKey{
|
||||||
|
N: new(big.Int).SetBytes(pk.n.bytes),
|
||||||
|
E: 0,
|
||||||
|
}
|
||||||
|
for i := 0; i < len(pk.e.bytes); i++ {
|
||||||
|
rsa.E <<= 8
|
||||||
|
rsa.E |= int64(pk.e.bytes[i])
|
||||||
|
}
|
||||||
|
pk.PublicKey = rsa
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// parseDSA parses DSA public key material from the given Reader. See RFC 4880,
|
||||||
|
// section 5.5.2.
|
||||||
|
func (pk *PublicKey) parseDSA(r io.Reader) (err error) {
|
||||||
|
pk.p.bytes, pk.p.bitLength, err = readMPI(r)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
pk.q.bytes, pk.q.bitLength, err = readMPI(r)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
pk.g.bytes, pk.g.bitLength, err = readMPI(r)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
pk.y.bytes, pk.y.bitLength, err = readMPI(r)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
dsa := new(dsa.PublicKey)
|
||||||
|
dsa.P = new(big.Int).SetBytes(pk.p.bytes)
|
||||||
|
dsa.Q = new(big.Int).SetBytes(pk.q.bytes)
|
||||||
|
dsa.G = new(big.Int).SetBytes(pk.g.bytes)
|
||||||
|
dsa.Y = new(big.Int).SetBytes(pk.y.bytes)
|
||||||
|
pk.PublicKey = dsa
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// parseElGamal parses ElGamal public key material from the given Reader. See
|
||||||
|
// RFC 4880, section 5.5.2.
|
||||||
|
func (pk *PublicKey) parseElGamal(r io.Reader) (err error) {
|
||||||
|
pk.p.bytes, pk.p.bitLength, err = readMPI(r)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
pk.g.bytes, pk.g.bitLength, err = readMPI(r)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
pk.y.bytes, pk.y.bitLength, err = readMPI(r)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
elgamal := new(elgamal.PublicKey)
|
||||||
|
elgamal.P = new(big.Int).SetBytes(pk.p.bytes)
|
||||||
|
elgamal.G = new(big.Int).SetBytes(pk.g.bytes)
|
||||||
|
elgamal.Y = new(big.Int).SetBytes(pk.y.bytes)
|
||||||
|
pk.PublicKey = elgamal
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// SerializeSignaturePrefix writes the prefix for this public key to the given Writer.
|
||||||
|
// The prefix is used when calculating a signature over this public key. See
|
||||||
|
// RFC 4880, section 5.2.4.
|
||||||
|
func (pk *PublicKey) SerializeSignaturePrefix(h io.Writer) {
|
||||||
|
var pLength uint16
|
||||||
|
switch pk.PubKeyAlgo {
|
||||||
|
case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly:
|
||||||
|
pLength += 2 + uint16(len(pk.n.bytes))
|
||||||
|
pLength += 2 + uint16(len(pk.e.bytes))
|
||||||
|
case PubKeyAlgoDSA:
|
||||||
|
pLength += 2 + uint16(len(pk.p.bytes))
|
||||||
|
pLength += 2 + uint16(len(pk.q.bytes))
|
||||||
|
pLength += 2 + uint16(len(pk.g.bytes))
|
||||||
|
pLength += 2 + uint16(len(pk.y.bytes))
|
||||||
|
case PubKeyAlgoElGamal:
|
||||||
|
pLength += 2 + uint16(len(pk.p.bytes))
|
||||||
|
pLength += 2 + uint16(len(pk.g.bytes))
|
||||||
|
pLength += 2 + uint16(len(pk.y.bytes))
|
||||||
|
case PubKeyAlgoECDSA:
|
||||||
|
pLength += uint16(pk.ec.byteLen())
|
||||||
|
case PubKeyAlgoECDH:
|
||||||
|
pLength += uint16(pk.ec.byteLen())
|
||||||
|
pLength += uint16(pk.ecdh.byteLen())
|
||||||
|
case PubKeyAlgoEdDSA:
|
||||||
|
pLength += uint16(pk.edk.byteLen())
|
||||||
|
default:
|
||||||
|
panic("unknown public key algorithm")
|
||||||
|
}
|
||||||
|
pLength += 6
|
||||||
|
h.Write([]byte{0x99, byte(pLength >> 8), byte(pLength)})
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func (pk *PublicKey) Serialize(w io.Writer) (err error) {
|
||||||
|
length := 6 // 6 byte header
|
||||||
|
|
||||||
|
switch pk.PubKeyAlgo {
|
||||||
|
case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly:
|
||||||
|
length += 2 + len(pk.n.bytes)
|
||||||
|
length += 2 + len(pk.e.bytes)
|
||||||
|
case PubKeyAlgoDSA:
|
||||||
|
length += 2 + len(pk.p.bytes)
|
||||||
|
length += 2 + len(pk.q.bytes)
|
||||||
|
length += 2 + len(pk.g.bytes)
|
||||||
|
length += 2 + len(pk.y.bytes)
|
||||||
|
case PubKeyAlgoElGamal:
|
||||||
|
length += 2 + len(pk.p.bytes)
|
||||||
|
length += 2 + len(pk.g.bytes)
|
||||||
|
length += 2 + len(pk.y.bytes)
|
||||||
|
case PubKeyAlgoECDSA:
|
||||||
|
length += pk.ec.byteLen()
|
||||||
|
case PubKeyAlgoECDH:
|
||||||
|
length += pk.ec.byteLen()
|
||||||
|
length += pk.ecdh.byteLen()
|
||||||
|
case PubKeyAlgoEdDSA:
|
||||||
|
length += pk.edk.byteLen()
|
||||||
|
default:
|
||||||
|
panic("unknown public key algorithm")
|
||||||
|
}
|
||||||
|
|
||||||
|
packetType := packetTypePublicKey
|
||||||
|
if pk.IsSubkey {
|
||||||
|
packetType = packetTypePublicSubkey
|
||||||
|
}
|
||||||
|
err = serializeHeader(w, packetType, length)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
return pk.serializeWithoutHeaders(w)
|
||||||
|
}
|
||||||
|
|
||||||
|
// serializeWithoutHeaders marshals the PublicKey to w in the form of an
|
||||||
|
// OpenPGP public key packet, not including the packet header.
|
||||||
|
func (pk *PublicKey) serializeWithoutHeaders(w io.Writer) (err error) {
|
||||||
|
var buf [6]byte
|
||||||
|
buf[0] = 4
|
||||||
|
t := uint32(pk.CreationTime.Unix())
|
||||||
|
buf[1] = byte(t >> 24)
|
||||||
|
buf[2] = byte(t >> 16)
|
||||||
|
buf[3] = byte(t >> 8)
|
||||||
|
buf[4] = byte(t)
|
||||||
|
buf[5] = byte(pk.PubKeyAlgo)
|
||||||
|
|
||||||
|
_, err = w.Write(buf[:])
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
switch pk.PubKeyAlgo {
|
||||||
|
case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly:
|
||||||
|
return writeMPIs(w, pk.n, pk.e)
|
||||||
|
case PubKeyAlgoDSA:
|
||||||
|
return writeMPIs(w, pk.p, pk.q, pk.g, pk.y)
|
||||||
|
case PubKeyAlgoElGamal:
|
||||||
|
return writeMPIs(w, pk.p, pk.g, pk.y)
|
||||||
|
case PubKeyAlgoECDSA:
|
||||||
|
return pk.ec.serialize(w)
|
||||||
|
case PubKeyAlgoEdDSA:
|
||||||
|
return pk.edk.serialize(w)
|
||||||
|
case PubKeyAlgoECDH:
|
||||||
|
if err = pk.ec.serialize(w); err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
return pk.ecdh.serialize(w)
|
||||||
|
}
|
||||||
|
return errors.InvalidArgumentError("bad public-key algorithm")
|
||||||
|
}
|
||||||
|
|
||||||
|
// CanSign returns true iff this public key can generate signatures
|
||||||
|
func (pk *PublicKey) CanSign() bool {
|
||||||
|
return pk.PubKeyAlgo != PubKeyAlgoRSAEncryptOnly && pk.PubKeyAlgo != PubKeyAlgoElGamal
|
||||||
|
}
|
||||||
|
|
||||||
|
// VerifySignature returns nil iff sig is a valid signature, made by this
|
||||||
|
// public key, of the data hashed into signed. signed is mutated by this call.
|
||||||
|
func (pk *PublicKey) VerifySignature(signed hash.Hash, sig *Signature) (err error) {
|
||||||
|
if !pk.CanSign() {
|
||||||
|
return errors.InvalidArgumentError("public key cannot generate signatures")
|
||||||
|
}
|
||||||
|
|
||||||
|
signed.Write(sig.HashSuffix)
|
||||||
|
hashBytes := signed.Sum(nil)
|
||||||
|
|
||||||
|
// NOTE(maxtaco) 2016-08-22
|
||||||
|
//
|
||||||
|
// We used to do this:
|
||||||
|
//
|
||||||
|
// if hashBytes[0] != sig.HashTag[0] || hashBytes[1] != sig.HashTag[1] {
|
||||||
|
// return errors.SignatureError("hash tag doesn't match")
|
||||||
|
// }
|
||||||
|
//
|
||||||
|
// But don't do anything in this case. Some GPGs generate bad
|
||||||
|
// 2-byte hash prefixes, but GPG also doesn't seem to care on
|
||||||
|
// import. See BrentMaxwell's key. I think it's safe to disable
|
||||||
|
// this check!
|
||||||
|
|
||||||
|
if pk.PubKeyAlgo != sig.PubKeyAlgo {
|
||||||
|
return errors.InvalidArgumentError("public key and signature use different algorithms")
|
||||||
|
}
|
||||||
|
|
||||||
|
switch pk.PubKeyAlgo {
|
||||||
|
case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly:
|
||||||
|
rsaPublicKey, _ := pk.PublicKey.(*rsa.PublicKey)
|
||||||
|
err = rsa.VerifyPKCS1v15(rsaPublicKey, sig.Hash, hashBytes, sig.RSASignature.bytes)
|
||||||
|
if err != nil {
|
||||||
|
return errors.SignatureError("RSA verification failure")
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
case PubKeyAlgoDSA:
|
||||||
|
dsaPublicKey, _ := pk.PublicKey.(*dsa.PublicKey)
|
||||||
|
// Need to truncate hashBytes to match FIPS 186-3 section 4.6.
|
||||||
|
subgroupSize := (dsaPublicKey.Q.BitLen() + 7) / 8
|
||||||
|
if len(hashBytes) > subgroupSize {
|
||||||
|
hashBytes = hashBytes[:subgroupSize]
|
||||||
|
}
|
||||||
|
if !dsa.Verify(dsaPublicKey, hashBytes, new(big.Int).SetBytes(sig.DSASigR.bytes), new(big.Int).SetBytes(sig.DSASigS.bytes)) {
|
||||||
|
return errors.SignatureError("DSA verification failure")
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
case PubKeyAlgoECDSA:
|
||||||
|
ecdsaPublicKey := pk.PublicKey.(*ecdsa.PublicKey)
|
||||||
|
if !ecdsa.Verify(ecdsaPublicKey, hashBytes, new(big.Int).SetBytes(sig.ECDSASigR.bytes), new(big.Int).SetBytes(sig.ECDSASigS.bytes)) {
|
||||||
|
return errors.SignatureError("ECDSA verification failure")
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
case PubKeyAlgoEdDSA:
|
||||||
|
if !pk.edk.Verify(hashBytes, sig.EdDSASigR, sig.EdDSASigS) {
|
||||||
|
return errors.SignatureError("EdDSA verification failure")
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
default:
|
||||||
|
return errors.SignatureError("Unsupported public key algorithm used in signature")
|
||||||
|
}
|
||||||
|
panic("unreachable")
|
||||||
|
}
|
||||||
|
|
||||||
|
// VerifySignatureV3 returns nil iff sig is a valid signature, made by this
|
||||||
|
// public key, of the data hashed into signed. signed is mutated by this call.
|
||||||
|
func (pk *PublicKey) VerifySignatureV3(signed hash.Hash, sig *SignatureV3) (err error) {
|
||||||
|
if !pk.CanSign() {
|
||||||
|
return errors.InvalidArgumentError("public key cannot generate signatures")
|
||||||
|
}
|
||||||
|
|
||||||
|
suffix := make([]byte, 5)
|
||||||
|
suffix[0] = byte(sig.SigType)
|
||||||
|
binary.BigEndian.PutUint32(suffix[1:], uint32(sig.CreationTime.Unix()))
|
||||||
|
signed.Write(suffix)
|
||||||
|
hashBytes := signed.Sum(nil)
|
||||||
|
|
||||||
|
if hashBytes[0] != sig.HashTag[0] || hashBytes[1] != sig.HashTag[1] {
|
||||||
|
return errors.SignatureError("hash tag doesn't match")
|
||||||
|
}
|
||||||
|
|
||||||
|
if pk.PubKeyAlgo != sig.PubKeyAlgo {
|
||||||
|
return errors.InvalidArgumentError("public key and signature use different algorithms")
|
||||||
|
}
|
||||||
|
|
||||||
|
switch pk.PubKeyAlgo {
|
||||||
|
case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly:
|
||||||
|
rsaPublicKey := pk.PublicKey.(*rsa.PublicKey)
|
||||||
|
if err = rsa.VerifyPKCS1v15(rsaPublicKey, sig.Hash, hashBytes, sig.RSASignature.bytes); err != nil {
|
||||||
|
return errors.SignatureError("RSA verification failure")
|
||||||
|
}
|
||||||
|
return
|
||||||
|
case PubKeyAlgoDSA:
|
||||||
|
dsaPublicKey := pk.PublicKey.(*dsa.PublicKey)
|
||||||
|
// Need to truncate hashBytes to match FIPS 186-3 section 4.6.
|
||||||
|
subgroupSize := (dsaPublicKey.Q.BitLen() + 7) / 8
|
||||||
|
if len(hashBytes) > subgroupSize {
|
||||||
|
hashBytes = hashBytes[:subgroupSize]
|
||||||
|
}
|
||||||
|
if !dsa.Verify(dsaPublicKey, hashBytes, new(big.Int).SetBytes(sig.DSASigR.bytes), new(big.Int).SetBytes(sig.DSASigS.bytes)) {
|
||||||
|
return errors.SignatureError("DSA verification failure")
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
default:
|
||||||
|
panic("shouldn't happen")
|
||||||
|
}
|
||||||
|
panic("unreachable")
|
||||||
|
}
|
||||||
|
|
||||||
|
// keySignatureHash returns a Hash of the message that needs to be signed for
|
||||||
|
// pk to assert a subkey relationship to signed.
|
||||||
|
func keySignatureHash(pk, signed signingKey, hashFunc crypto.Hash) (h hash.Hash, err error) {
|
||||||
|
if !hashFunc.Available() {
|
||||||
|
return nil, errors.UnsupportedError("hash function")
|
||||||
|
}
|
||||||
|
h = hashFunc.New()
|
||||||
|
|
||||||
|
updateKeySignatureHash(pk, signed, h)
|
||||||
|
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// updateKeySignatureHash does the actual hash updates for keySignatureHash.
|
||||||
|
func updateKeySignatureHash(pk, signed signingKey, h hash.Hash) {
|
||||||
|
// RFC 4880, section 5.2.4
|
||||||
|
pk.SerializeSignaturePrefix(h)
|
||||||
|
pk.serializeWithoutHeaders(h)
|
||||||
|
signed.SerializeSignaturePrefix(h)
|
||||||
|
signed.serializeWithoutHeaders(h)
|
||||||
|
}
|
||||||
|
|
||||||
|
// VerifyKeySignature returns nil iff sig is a valid signature, made by this
|
||||||
|
// public key, of signed.
|
||||||
|
func (pk *PublicKey) VerifyKeySignature(signed *PublicKey, sig *Signature) error {
|
||||||
|
h, err := keySignatureHash(pk, signed, sig.Hash)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if err = pk.VerifySignature(h, sig); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
if sig.FlagSign {
|
||||||
|
|
||||||
|
// BUG(maxtaco)
|
||||||
|
//
|
||||||
|
// We should check for more than FlagsSign here, because if
|
||||||
|
// you read keys.go, we can sometimes use signing subkeys even if they're
|
||||||
|
// not explicitly flagged as such. However, so doing fails lots of currently
|
||||||
|
// working tests, so I'm not going to do much here.
|
||||||
|
//
|
||||||
|
// In other words, we should have this disjunction in the condition above:
|
||||||
|
//
|
||||||
|
// || (!sig.FlagsValid && pk.PubKeyAlgo.CanSign()) {
|
||||||
|
//
|
||||||
|
|
||||||
|
// Signing subkeys must be cross-signed. See
|
||||||
|
// https://www.gnupg.org/faq/subkey-cross-certify.html.
|
||||||
|
if sig.EmbeddedSignature == nil {
|
||||||
|
return errors.StructuralError("signing subkey is missing cross-signature")
|
||||||
|
}
|
||||||
|
// Verify the cross-signature. This is calculated over the same
|
||||||
|
// data as the main signature, so we cannot just recursively
|
||||||
|
// call signed.VerifyKeySignature(...)
|
||||||
|
if h, err = keySignatureHash(pk, signed, sig.EmbeddedSignature.Hash); err != nil {
|
||||||
|
return errors.StructuralError("error while hashing for cross-signature: " + err.Error())
|
||||||
|
}
|
||||||
|
if err := signed.VerifySignature(h, sig.EmbeddedSignature); err != nil {
|
||||||
|
return errors.StructuralError("error while verifying cross-signature: " + err.Error())
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func keyRevocationHash(pk signingKey, hashFunc crypto.Hash) (h hash.Hash, err error) {
|
||||||
|
if !hashFunc.Available() {
|
||||||
|
return nil, errors.UnsupportedError("hash function")
|
||||||
|
}
|
||||||
|
h = hashFunc.New()
|
||||||
|
|
||||||
|
// RFC 4880, section 5.2.4
|
||||||
|
pk.SerializeSignaturePrefix(h)
|
||||||
|
pk.serializeWithoutHeaders(h)
|
||||||
|
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// VerifyRevocationSignature returns nil iff sig is a valid signature, made by this
|
||||||
|
// public key.
|
||||||
|
func (pk *PublicKey) VerifyRevocationSignature(revokedKey *PublicKey, sig *Signature) (err error) {
|
||||||
|
h, err := keyRevocationHash(revokedKey, sig.Hash)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
return pk.VerifySignature(h, sig)
|
||||||
|
}
|
||||||
|
|
||||||
|
type teeHash struct {
|
||||||
|
h hash.Hash
|
||||||
|
}
|
||||||
|
|
||||||
|
func (t teeHash) Write(b []byte) (n int, err error) {
|
||||||
|
fmt.Printf("hash -> %s %+v\n", string(b), b)
|
||||||
|
return t.h.Write(b)
|
||||||
|
}
|
||||||
|
func (t teeHash) Sum(b []byte) []byte { return t.h.Sum(b) }
|
||||||
|
func (t teeHash) Reset() { t.h.Reset() }
|
||||||
|
func (t teeHash) Size() int { return t.h.Size() }
|
||||||
|
func (t teeHash) BlockSize() int { return t.h.BlockSize() }
|
||||||
|
|
||||||
|
// userIdSignatureHash returns a Hash of the message that needs to be signed
|
||||||
|
// to assert that pk is a valid key for id.
|
||||||
|
func userIdSignatureHash(id string, pk *PublicKey, hashFunc crypto.Hash) (h hash.Hash, err error) {
|
||||||
|
if !hashFunc.Available() {
|
||||||
|
return nil, errors.UnsupportedError("hash function")
|
||||||
|
}
|
||||||
|
h = hashFunc.New()
|
||||||
|
|
||||||
|
updateUserIdSignatureHash(id, pk, h)
|
||||||
|
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// updateUserIdSignatureHash does the actual hash updates for
|
||||||
|
// userIdSignatureHash.
|
||||||
|
func updateUserIdSignatureHash(id string, pk *PublicKey, h hash.Hash) {
|
||||||
|
// RFC 4880, section 5.2.4
|
||||||
|
pk.SerializeSignaturePrefix(h)
|
||||||
|
pk.serializeWithoutHeaders(h)
|
||||||
|
|
||||||
|
var buf [5]byte
|
||||||
|
buf[0] = 0xb4
|
||||||
|
buf[1] = byte(len(id) >> 24)
|
||||||
|
buf[2] = byte(len(id) >> 16)
|
||||||
|
buf[3] = byte(len(id) >> 8)
|
||||||
|
buf[4] = byte(len(id))
|
||||||
|
h.Write(buf[:])
|
||||||
|
h.Write([]byte(id))
|
||||||
|
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// VerifyUserIdSignature returns nil iff sig is a valid signature, made by this
|
||||||
|
// public key, that id is the identity of pub.
|
||||||
|
func (pk *PublicKey) VerifyUserIdSignature(id string, pub *PublicKey, sig *Signature) (err error) {
|
||||||
|
h, err := userIdSignatureHash(id, pub, sig.Hash)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
return pk.VerifySignature(h, sig)
|
||||||
|
}
|
||||||
|
|
||||||
|
// VerifyUserIdSignatureV3 returns nil iff sig is a valid signature, made by this
|
||||||
|
// public key, that id is the identity of pub.
|
||||||
|
func (pk *PublicKey) VerifyUserIdSignatureV3(id string, pub *PublicKey, sig *SignatureV3) (err error) {
|
||||||
|
h, err := userIdSignatureV3Hash(id, pub, sig.Hash)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
return pk.VerifySignatureV3(h, sig)
|
||||||
|
}
|
||||||
|
|
||||||
|
// KeyIdString returns the public key's fingerprint in capital hex
|
||||||
|
// (e.g. "6C7EE1B8621CC013").
|
||||||
|
func (pk *PublicKey) KeyIdString() string {
|
||||||
|
return fmt.Sprintf("%X", pk.Fingerprint[12:20])
|
||||||
|
}
|
||||||
|
|
||||||
|
// KeyIdShortString returns the short form of public key's fingerprint
|
||||||
|
// in capital hex, as shown by gpg --list-keys (e.g. "621CC013").
|
||||||
|
func (pk *PublicKey) KeyIdShortString() string {
|
||||||
|
return fmt.Sprintf("%X", pk.Fingerprint[16:20])
|
||||||
|
}
|
||||||
|
|
||||||
|
// A parsedMPI is used to store the contents of a big integer, along with the
|
||||||
|
// bit length that was specified in the original input. This allows the MPI to
|
||||||
|
// be reserialized exactly.
|
||||||
|
type parsedMPI struct {
|
||||||
|
bytes []byte
|
||||||
|
bitLength uint16
|
||||||
|
}
|
||||||
|
|
||||||
|
// writeMPIs is a utility function for serializing several big integers to the
|
||||||
|
// given Writer.
|
||||||
|
func writeMPIs(w io.Writer, mpis ...parsedMPI) (err error) {
|
||||||
|
for _, mpi := range mpis {
|
||||||
|
err = writeMPI(w, mpi.bitLength, mpi.bytes)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// BitLength returns the bit length for the given public key. Used for
|
||||||
|
// displaying key information, actual buffers and BigInts inside may
|
||||||
|
// have non-matching different size if the key is invalid.
|
||||||
|
func (pk *PublicKey) BitLength() (bitLength uint16, err error) {
|
||||||
|
switch pk.PubKeyAlgo {
|
||||||
|
case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly:
|
||||||
|
bitLength = pk.n.bitLength
|
||||||
|
case PubKeyAlgoDSA:
|
||||||
|
bitLength = pk.p.bitLength
|
||||||
|
case PubKeyAlgoElGamal:
|
||||||
|
bitLength = pk.p.bitLength
|
||||||
|
case PubKeyAlgoECDH:
|
||||||
|
ecdhPublicKey := pk.PublicKey.(*ecdh.PublicKey)
|
||||||
|
bitLength = uint16(ecdhPublicKey.Curve.Params().BitSize)
|
||||||
|
case PubKeyAlgoECDSA:
|
||||||
|
ecdsaPublicKey := pk.PublicKey.(*ecdsa.PublicKey)
|
||||||
|
bitLength = uint16(ecdsaPublicKey.Curve.Params().BitSize)
|
||||||
|
case PubKeyAlgoEdDSA:
|
||||||
|
// EdDSA only support ed25519 curves right now, just return
|
||||||
|
// the length. Also, we don't have any PublicKey.Curve object
|
||||||
|
// to look the size up from.
|
||||||
|
bitLength = 256
|
||||||
|
default:
|
||||||
|
err = errors.InvalidArgumentError("bad public-key algorithm")
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
280
vendor/github.com/keybase/go-crypto/openpgp/packet/public_key_v3.go
generated
vendored
Normal file
280
vendor/github.com/keybase/go-crypto/openpgp/packet/public_key_v3.go
generated
vendored
Normal file
@ -0,0 +1,280 @@
|
|||||||
|
// Copyright 2013 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package packet
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto"
|
||||||
|
"crypto/md5"
|
||||||
|
"encoding/binary"
|
||||||
|
"fmt"
|
||||||
|
"hash"
|
||||||
|
"io"
|
||||||
|
"math/big"
|
||||||
|
"strconv"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/keybase/go-crypto/openpgp/errors"
|
||||||
|
"github.com/keybase/go-crypto/rsa"
|
||||||
|
)
|
||||||
|
|
||||||
|
// PublicKeyV3 represents older, version 3 public keys. These keys are less secure and
|
||||||
|
// should not be used for signing or encrypting. They are supported here only for
|
||||||
|
// parsing version 3 key material and validating signatures.
|
||||||
|
// See RFC 4880, section 5.5.2.
|
||||||
|
type PublicKeyV3 struct {
|
||||||
|
CreationTime time.Time
|
||||||
|
DaysToExpire uint16
|
||||||
|
PubKeyAlgo PublicKeyAlgorithm
|
||||||
|
PublicKey *rsa.PublicKey
|
||||||
|
Fingerprint [16]byte
|
||||||
|
KeyId uint64
|
||||||
|
IsSubkey bool
|
||||||
|
|
||||||
|
n, e parsedMPI
|
||||||
|
}
|
||||||
|
|
||||||
|
// newRSAPublicKeyV3 returns a PublicKey that wraps the given rsa.PublicKey.
|
||||||
|
// Included here for testing purposes only. RFC 4880, section 5.5.2:
|
||||||
|
// "an implementation MUST NOT generate a V3 key, but MAY accept it."
|
||||||
|
func newRSAPublicKeyV3(creationTime time.Time, pub *rsa.PublicKey) *PublicKeyV3 {
|
||||||
|
pk := &PublicKeyV3{
|
||||||
|
CreationTime: creationTime,
|
||||||
|
PublicKey: pub,
|
||||||
|
n: FromBig(pub.N),
|
||||||
|
e: FromBig(big.NewInt(int64(pub.E))),
|
||||||
|
}
|
||||||
|
|
||||||
|
pk.setFingerPrintAndKeyId()
|
||||||
|
return pk
|
||||||
|
}
|
||||||
|
|
||||||
|
func (pk *PublicKeyV3) parse(r io.Reader) (err error) {
|
||||||
|
// RFC 4880, section 5.5.2
|
||||||
|
var buf [8]byte
|
||||||
|
if _, err = readFull(r, buf[:]); err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if buf[0] < 2 || buf[0] > 3 {
|
||||||
|
return errors.UnsupportedError("public key version")
|
||||||
|
}
|
||||||
|
pk.CreationTime = time.Unix(int64(uint32(buf[1])<<24|uint32(buf[2])<<16|uint32(buf[3])<<8|uint32(buf[4])), 0)
|
||||||
|
pk.DaysToExpire = binary.BigEndian.Uint16(buf[5:7])
|
||||||
|
pk.PubKeyAlgo = PublicKeyAlgorithm(buf[7])
|
||||||
|
switch pk.PubKeyAlgo {
|
||||||
|
case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly:
|
||||||
|
err = pk.parseRSA(r)
|
||||||
|
default:
|
||||||
|
err = errors.UnsupportedError("public key type: " + strconv.Itoa(int(pk.PubKeyAlgo)))
|
||||||
|
}
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
pk.setFingerPrintAndKeyId()
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func (pk *PublicKeyV3) setFingerPrintAndKeyId() {
|
||||||
|
// RFC 4880, section 12.2
|
||||||
|
fingerPrint := md5.New()
|
||||||
|
fingerPrint.Write(pk.n.bytes)
|
||||||
|
fingerPrint.Write(pk.e.bytes)
|
||||||
|
fingerPrint.Sum(pk.Fingerprint[:0])
|
||||||
|
pk.KeyId = binary.BigEndian.Uint64(pk.n.bytes[len(pk.n.bytes)-8:])
|
||||||
|
}
|
||||||
|
|
||||||
|
// parseRSA parses RSA public key material from the given Reader. See RFC 4880,
|
||||||
|
// section 5.5.2.
|
||||||
|
func (pk *PublicKeyV3) parseRSA(r io.Reader) (err error) {
|
||||||
|
if pk.n.bytes, pk.n.bitLength, err = readMPI(r); err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if pk.e.bytes, pk.e.bitLength, err = readMPI(r); err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// RFC 4880 Section 12.2 requires the low 8 bytes of the
|
||||||
|
// modulus to form the key id.
|
||||||
|
if len(pk.n.bytes) < 8 {
|
||||||
|
return errors.StructuralError("v3 public key modulus is too short")
|
||||||
|
}
|
||||||
|
if len(pk.e.bytes) > 7 {
|
||||||
|
err = errors.UnsupportedError("large public exponent")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
rsa := &rsa.PublicKey{N: new(big.Int).SetBytes(pk.n.bytes)}
|
||||||
|
for i := 0; i < len(pk.e.bytes); i++ {
|
||||||
|
rsa.E <<= 8
|
||||||
|
rsa.E |= int64(pk.e.bytes[i])
|
||||||
|
}
|
||||||
|
pk.PublicKey = rsa
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// SerializeSignaturePrefix writes the prefix for this public key to the given Writer.
|
||||||
|
// The prefix is used when calculating a signature over this public key. See
|
||||||
|
// RFC 4880, section 5.2.4.
|
||||||
|
func (pk *PublicKeyV3) SerializeSignaturePrefix(w io.Writer) {
|
||||||
|
var pLength uint16
|
||||||
|
switch pk.PubKeyAlgo {
|
||||||
|
case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly:
|
||||||
|
pLength += 2 + uint16(len(pk.n.bytes))
|
||||||
|
pLength += 2 + uint16(len(pk.e.bytes))
|
||||||
|
default:
|
||||||
|
panic("unknown public key algorithm")
|
||||||
|
}
|
||||||
|
pLength += 6
|
||||||
|
w.Write([]byte{0x99, byte(pLength >> 8), byte(pLength)})
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func (pk *PublicKeyV3) Serialize(w io.Writer) (err error) {
|
||||||
|
length := 8 // 8 byte header
|
||||||
|
|
||||||
|
switch pk.PubKeyAlgo {
|
||||||
|
case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly:
|
||||||
|
length += 2 + len(pk.n.bytes)
|
||||||
|
length += 2 + len(pk.e.bytes)
|
||||||
|
default:
|
||||||
|
panic("unknown public key algorithm")
|
||||||
|
}
|
||||||
|
|
||||||
|
packetType := packetTypePublicKey
|
||||||
|
if pk.IsSubkey {
|
||||||
|
packetType = packetTypePublicSubkey
|
||||||
|
}
|
||||||
|
if err = serializeHeader(w, packetType, length); err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
return pk.serializeWithoutHeaders(w)
|
||||||
|
}
|
||||||
|
|
||||||
|
// serializeWithoutHeaders marshals the PublicKey to w in the form of an
|
||||||
|
// OpenPGP public key packet, not including the packet header.
|
||||||
|
func (pk *PublicKeyV3) serializeWithoutHeaders(w io.Writer) (err error) {
|
||||||
|
var buf [8]byte
|
||||||
|
// Version 3
|
||||||
|
buf[0] = 3
|
||||||
|
// Creation time
|
||||||
|
t := uint32(pk.CreationTime.Unix())
|
||||||
|
buf[1] = byte(t >> 24)
|
||||||
|
buf[2] = byte(t >> 16)
|
||||||
|
buf[3] = byte(t >> 8)
|
||||||
|
buf[4] = byte(t)
|
||||||
|
// Days to expire
|
||||||
|
buf[5] = byte(pk.DaysToExpire >> 8)
|
||||||
|
buf[6] = byte(pk.DaysToExpire)
|
||||||
|
// Public key algorithm
|
||||||
|
buf[7] = byte(pk.PubKeyAlgo)
|
||||||
|
|
||||||
|
if _, err = w.Write(buf[:]); err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
switch pk.PubKeyAlgo {
|
||||||
|
case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly:
|
||||||
|
return writeMPIs(w, pk.n, pk.e)
|
||||||
|
}
|
||||||
|
return errors.InvalidArgumentError("bad public-key algorithm")
|
||||||
|
}
|
||||||
|
|
||||||
|
// CanSign returns true iff this public key can generate signatures
|
||||||
|
func (pk *PublicKeyV3) CanSign() bool {
|
||||||
|
return pk.PubKeyAlgo != PubKeyAlgoRSAEncryptOnly
|
||||||
|
}
|
||||||
|
|
||||||
|
// VerifySignatureV3 returns nil iff sig is a valid signature, made by this
|
||||||
|
// public key, of the data hashed into signed. signed is mutated by this call.
|
||||||
|
func (pk *PublicKeyV3) VerifySignatureV3(signed hash.Hash, sig *SignatureV3) (err error) {
|
||||||
|
if !pk.CanSign() {
|
||||||
|
return errors.InvalidArgumentError("public key cannot generate signatures")
|
||||||
|
}
|
||||||
|
|
||||||
|
suffix := make([]byte, 5)
|
||||||
|
suffix[0] = byte(sig.SigType)
|
||||||
|
binary.BigEndian.PutUint32(suffix[1:], uint32(sig.CreationTime.Unix()))
|
||||||
|
signed.Write(suffix)
|
||||||
|
hashBytes := signed.Sum(nil)
|
||||||
|
|
||||||
|
if hashBytes[0] != sig.HashTag[0] || hashBytes[1] != sig.HashTag[1] {
|
||||||
|
return errors.SignatureError("hash tag doesn't match")
|
||||||
|
}
|
||||||
|
|
||||||
|
if pk.PubKeyAlgo != sig.PubKeyAlgo {
|
||||||
|
return errors.InvalidArgumentError("public key and signature use different algorithms")
|
||||||
|
}
|
||||||
|
|
||||||
|
switch pk.PubKeyAlgo {
|
||||||
|
case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly:
|
||||||
|
if err = rsa.VerifyPKCS1v15(pk.PublicKey, sig.Hash, hashBytes, sig.RSASignature.bytes); err != nil {
|
||||||
|
return errors.SignatureError("RSA verification failure")
|
||||||
|
}
|
||||||
|
return
|
||||||
|
default:
|
||||||
|
// V3 public keys only support RSA.
|
||||||
|
panic("shouldn't happen")
|
||||||
|
}
|
||||||
|
panic("unreachable")
|
||||||
|
}
|
||||||
|
|
||||||
|
// VerifyUserIdSignatureV3 returns nil iff sig is a valid signature, made by this
|
||||||
|
// public key, that id is the identity of pub.
|
||||||
|
func (pk *PublicKeyV3) VerifyUserIdSignatureV3(id string, pub *PublicKeyV3, sig *SignatureV3) (err error) {
|
||||||
|
h, err := userIdSignatureV3Hash(id, pk, sig.Hash)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
return pk.VerifySignatureV3(h, sig)
|
||||||
|
}
|
||||||
|
|
||||||
|
// VerifyKeySignatureV3 returns nil iff sig is a valid signature, made by this
|
||||||
|
// public key, of signed.
|
||||||
|
func (pk *PublicKeyV3) VerifyKeySignatureV3(signed *PublicKeyV3, sig *SignatureV3) (err error) {
|
||||||
|
h, err := keySignatureHash(pk, signed, sig.Hash)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
return pk.VerifySignatureV3(h, sig)
|
||||||
|
}
|
||||||
|
|
||||||
|
// userIdSignatureV3Hash returns a Hash of the message that needs to be signed
|
||||||
|
// to assert that pk is a valid key for id.
|
||||||
|
func userIdSignatureV3Hash(id string, pk signingKey, hfn crypto.Hash) (h hash.Hash, err error) {
|
||||||
|
if !hfn.Available() {
|
||||||
|
return nil, errors.UnsupportedError("hash function")
|
||||||
|
}
|
||||||
|
h = hfn.New()
|
||||||
|
|
||||||
|
// RFC 4880, section 5.2.4
|
||||||
|
pk.SerializeSignaturePrefix(h)
|
||||||
|
pk.serializeWithoutHeaders(h)
|
||||||
|
|
||||||
|
h.Write([]byte(id))
|
||||||
|
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// KeyIdString returns the public key's fingerprint in capital hex
|
||||||
|
// (e.g. "6C7EE1B8621CC013").
|
||||||
|
func (pk *PublicKeyV3) KeyIdString() string {
|
||||||
|
return fmt.Sprintf("%X", pk.KeyId)
|
||||||
|
}
|
||||||
|
|
||||||
|
// KeyIdShortString returns the short form of public key's fingerprint
|
||||||
|
// in capital hex, as shown by gpg --list-keys (e.g. "621CC013").
|
||||||
|
func (pk *PublicKeyV3) KeyIdShortString() string {
|
||||||
|
return fmt.Sprintf("%X", pk.KeyId&0xFFFFFFFF)
|
||||||
|
}
|
||||||
|
|
||||||
|
// BitLength returns the bit length for the given public key.
|
||||||
|
func (pk *PublicKeyV3) BitLength() (bitLength uint16, err error) {
|
||||||
|
switch pk.PubKeyAlgo {
|
||||||
|
case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly:
|
||||||
|
bitLength = pk.n.bitLength
|
||||||
|
default:
|
||||||
|
err = errors.InvalidArgumentError("bad public-key algorithm")
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
76
vendor/github.com/keybase/go-crypto/openpgp/packet/reader.go
generated
vendored
Normal file
76
vendor/github.com/keybase/go-crypto/openpgp/packet/reader.go
generated
vendored
Normal file
@ -0,0 +1,76 @@
|
|||||||
|
// Copyright 2011 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package packet
|
||||||
|
|
||||||
|
import (
|
||||||
|
"io"
|
||||||
|
|
||||||
|
"github.com/keybase/go-crypto/openpgp/errors"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Reader reads packets from an io.Reader and allows packets to be 'unread' so
|
||||||
|
// that they result from the next call to Next.
|
||||||
|
type Reader struct {
|
||||||
|
q []Packet
|
||||||
|
readers []io.Reader
|
||||||
|
}
|
||||||
|
|
||||||
|
// New io.Readers are pushed when a compressed or encrypted packet is processed
|
||||||
|
// and recursively treated as a new source of packets. However, a carefully
|
||||||
|
// crafted packet can trigger an infinite recursive sequence of packets. See
|
||||||
|
// http://mumble.net/~campbell/misc/pgp-quine
|
||||||
|
// https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4402
|
||||||
|
// This constant limits the number of recursive packets that may be pushed.
|
||||||
|
const maxReaders = 32
|
||||||
|
|
||||||
|
// Next returns the most recently unread Packet, or reads another packet from
|
||||||
|
// the top-most io.Reader. Unknown packet types are skipped.
|
||||||
|
func (r *Reader) Next() (p Packet, err error) {
|
||||||
|
if len(r.q) > 0 {
|
||||||
|
p = r.q[len(r.q)-1]
|
||||||
|
r.q = r.q[:len(r.q)-1]
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
for len(r.readers) > 0 {
|
||||||
|
p, err = Read(r.readers[len(r.readers)-1])
|
||||||
|
if err == nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if err == io.EOF {
|
||||||
|
r.readers = r.readers[:len(r.readers)-1]
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
if _, ok := err.(errors.UnknownPacketTypeError); !ok {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return nil, io.EOF
|
||||||
|
}
|
||||||
|
|
||||||
|
// Push causes the Reader to start reading from a new io.Reader. When an EOF
|
||||||
|
// error is seen from the new io.Reader, it is popped and the Reader continues
|
||||||
|
// to read from the next most recent io.Reader. Push returns a StructuralError
|
||||||
|
// if pushing the reader would exceed the maximum recursion level, otherwise it
|
||||||
|
// returns nil.
|
||||||
|
func (r *Reader) Push(reader io.Reader) (err error) {
|
||||||
|
if len(r.readers) >= maxReaders {
|
||||||
|
return errors.StructuralError("too many layers of packets")
|
||||||
|
}
|
||||||
|
r.readers = append(r.readers, reader)
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Unread causes the given Packet to be returned from the next call to Next.
|
||||||
|
func (r *Reader) Unread(p Packet) {
|
||||||
|
r.q = append(r.q, p)
|
||||||
|
}
|
||||||
|
|
||||||
|
func NewReader(r io.Reader) *Reader {
|
||||||
|
return &Reader{
|
||||||
|
q: nil,
|
||||||
|
readers: []io.Reader{r},
|
||||||
|
}
|
||||||
|
}
|
882
vendor/github.com/keybase/go-crypto/openpgp/packet/signature.go
generated
vendored
Normal file
882
vendor/github.com/keybase/go-crypto/openpgp/packet/signature.go
generated
vendored
Normal file
@ -0,0 +1,882 @@
|
|||||||
|
// Copyright 2011 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package packet
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"crypto"
|
||||||
|
"crypto/dsa"
|
||||||
|
"crypto/ecdsa"
|
||||||
|
"encoding/binary"
|
||||||
|
"hash"
|
||||||
|
"io"
|
||||||
|
"strconv"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/keybase/go-crypto/openpgp/errors"
|
||||||
|
"github.com/keybase/go-crypto/openpgp/s2k"
|
||||||
|
"github.com/keybase/go-crypto/rsa"
|
||||||
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
// See RFC 4880, section 5.2.3.21 for details.
|
||||||
|
KeyFlagCertify = 1 << iota
|
||||||
|
KeyFlagSign
|
||||||
|
KeyFlagEncryptCommunications
|
||||||
|
KeyFlagEncryptStorage
|
||||||
|
)
|
||||||
|
|
||||||
|
// Signer can be implemented by application code to do actual signing.
|
||||||
|
type Signer interface {
|
||||||
|
hash.Hash
|
||||||
|
Sign(sig *Signature) error
|
||||||
|
KeyId() uint64
|
||||||
|
PublicKeyAlgo() PublicKeyAlgorithm
|
||||||
|
}
|
||||||
|
|
||||||
|
// RevocationKey represents designated revoker packet. See RFC 4880
|
||||||
|
// section 5.2.3.15 for details.
|
||||||
|
type RevocationKey struct {
|
||||||
|
Class byte
|
||||||
|
PublicKeyAlgo PublicKeyAlgorithm
|
||||||
|
Fingerprint []byte
|
||||||
|
}
|
||||||
|
|
||||||
|
// KeyFlagBits holds boolean whether any usage flags were provided in
|
||||||
|
// the signature and BitField with KeyFlag* flags.
|
||||||
|
type KeyFlagBits struct {
|
||||||
|
Valid bool
|
||||||
|
BitField byte
|
||||||
|
}
|
||||||
|
|
||||||
|
// Signature represents a signature. See RFC 4880, section 5.2.
|
||||||
|
type Signature struct {
|
||||||
|
SigType SignatureType
|
||||||
|
PubKeyAlgo PublicKeyAlgorithm
|
||||||
|
Hash crypto.Hash
|
||||||
|
|
||||||
|
// HashSuffix is extra data that is hashed in after the signed data.
|
||||||
|
HashSuffix []byte
|
||||||
|
// HashTag contains the first two bytes of the hash for fast rejection
|
||||||
|
// of bad signed data.
|
||||||
|
HashTag [2]byte
|
||||||
|
CreationTime time.Time
|
||||||
|
|
||||||
|
RSASignature parsedMPI
|
||||||
|
DSASigR, DSASigS parsedMPI
|
||||||
|
ECDSASigR, ECDSASigS parsedMPI
|
||||||
|
EdDSASigR, EdDSASigS parsedMPI
|
||||||
|
|
||||||
|
// rawSubpackets contains the unparsed subpackets, in order.
|
||||||
|
rawSubpackets []outputSubpacket
|
||||||
|
|
||||||
|
// The following are optional so are nil when not included in the
|
||||||
|
// signature.
|
||||||
|
|
||||||
|
SigLifetimeSecs, KeyLifetimeSecs *uint32
|
||||||
|
PreferredSymmetric, PreferredHash, PreferredCompression []uint8
|
||||||
|
PreferredKeyServer string
|
||||||
|
IssuerKeyId *uint64
|
||||||
|
IsPrimaryId *bool
|
||||||
|
IssuerFingerprint []byte
|
||||||
|
|
||||||
|
// FlagsValid is set if any flags were given. See RFC 4880, section
|
||||||
|
// 5.2.3.21 for details.
|
||||||
|
FlagsValid bool
|
||||||
|
FlagCertify, FlagSign, FlagEncryptCommunications, FlagEncryptStorage bool
|
||||||
|
|
||||||
|
// RevocationReason is set if this signature has been revoked.
|
||||||
|
// See RFC 4880, section 5.2.3.23 for details.
|
||||||
|
RevocationReason *uint8
|
||||||
|
RevocationReasonText string
|
||||||
|
|
||||||
|
// PolicyURI is optional. See RFC 4880, Section 5.2.3.20 for details
|
||||||
|
PolicyURI string
|
||||||
|
|
||||||
|
// Regex is a regex that can match a PGP UID. See RFC 4880, 5.2.3.14 for details
|
||||||
|
Regex string
|
||||||
|
|
||||||
|
// MDC is set if this signature has a feature packet that indicates
|
||||||
|
// support for MDC subpackets.
|
||||||
|
MDC bool
|
||||||
|
|
||||||
|
// EmbeddedSignature, if non-nil, is a signature of the parent key, by
|
||||||
|
// this key. This prevents an attacker from claiming another's signing
|
||||||
|
// subkey as their own.
|
||||||
|
EmbeddedSignature *Signature
|
||||||
|
|
||||||
|
// StubbedOutCriticalError is not fail-stop, since it shouldn't break key parsing
|
||||||
|
// when appearing in WoT-style cross signatures. But it should prevent a signature
|
||||||
|
// from being applied to a primary or subkey.
|
||||||
|
StubbedOutCriticalError error
|
||||||
|
|
||||||
|
// DesignaterRevoker will be present if this signature certifies a
|
||||||
|
// designated revoking key id (3rd party key that can sign
|
||||||
|
// revocation for this key).
|
||||||
|
DesignatedRevoker *RevocationKey
|
||||||
|
|
||||||
|
outSubpackets []outputSubpacket
|
||||||
|
}
|
||||||
|
|
||||||
|
func (sig *Signature) parse(r io.Reader) (err error) {
|
||||||
|
// RFC 4880, section 5.2.3
|
||||||
|
var buf [5]byte
|
||||||
|
_, err = readFull(r, buf[:1])
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if buf[0] != 4 {
|
||||||
|
err = errors.UnsupportedError("signature packet version " + strconv.Itoa(int(buf[0])))
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
_, err = readFull(r, buf[:5])
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
sig.SigType = SignatureType(buf[0])
|
||||||
|
sig.PubKeyAlgo = PublicKeyAlgorithm(buf[1])
|
||||||
|
switch sig.PubKeyAlgo {
|
||||||
|
case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly, PubKeyAlgoDSA, PubKeyAlgoECDSA, PubKeyAlgoEdDSA:
|
||||||
|
default:
|
||||||
|
err = errors.UnsupportedError("public key algorithm " + strconv.Itoa(int(sig.PubKeyAlgo)))
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
var ok bool
|
||||||
|
sig.Hash, ok = s2k.HashIdToHash(buf[2])
|
||||||
|
if !ok {
|
||||||
|
return errors.UnsupportedError("hash function " + strconv.Itoa(int(buf[2])))
|
||||||
|
}
|
||||||
|
|
||||||
|
hashedSubpacketsLength := int(buf[3])<<8 | int(buf[4])
|
||||||
|
l := 6 + hashedSubpacketsLength
|
||||||
|
sig.HashSuffix = make([]byte, l+6)
|
||||||
|
sig.HashSuffix[0] = 4
|
||||||
|
copy(sig.HashSuffix[1:], buf[:5])
|
||||||
|
hashedSubpackets := sig.HashSuffix[6:l]
|
||||||
|
_, err = readFull(r, hashedSubpackets)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
// See RFC 4880, section 5.2.4
|
||||||
|
trailer := sig.HashSuffix[l:]
|
||||||
|
trailer[0] = 4
|
||||||
|
trailer[1] = 0xff
|
||||||
|
trailer[2] = uint8(l >> 24)
|
||||||
|
trailer[3] = uint8(l >> 16)
|
||||||
|
trailer[4] = uint8(l >> 8)
|
||||||
|
trailer[5] = uint8(l)
|
||||||
|
|
||||||
|
err = parseSignatureSubpackets(sig, hashedSubpackets, true)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
_, err = readFull(r, buf[:2])
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
unhashedSubpacketsLength := int(buf[0])<<8 | int(buf[1])
|
||||||
|
unhashedSubpackets := make([]byte, unhashedSubpacketsLength)
|
||||||
|
_, err = readFull(r, unhashedSubpackets)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
err = parseSignatureSubpackets(sig, unhashedSubpackets, false)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
_, err = readFull(r, sig.HashTag[:2])
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
switch sig.PubKeyAlgo {
|
||||||
|
case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly:
|
||||||
|
sig.RSASignature.bytes, sig.RSASignature.bitLength, err = readMPI(r)
|
||||||
|
case PubKeyAlgoDSA:
|
||||||
|
sig.DSASigR.bytes, sig.DSASigR.bitLength, err = readMPI(r)
|
||||||
|
if err == nil {
|
||||||
|
sig.DSASigS.bytes, sig.DSASigS.bitLength, err = readMPI(r)
|
||||||
|
}
|
||||||
|
case PubKeyAlgoEdDSA:
|
||||||
|
sig.EdDSASigR.bytes, sig.EdDSASigR.bitLength, err = readMPI(r)
|
||||||
|
if err == nil {
|
||||||
|
sig.EdDSASigS.bytes, sig.EdDSASigS.bitLength, err = readMPI(r)
|
||||||
|
}
|
||||||
|
case PubKeyAlgoECDSA:
|
||||||
|
sig.ECDSASigR.bytes, sig.ECDSASigR.bitLength, err = readMPI(r)
|
||||||
|
if err == nil {
|
||||||
|
sig.ECDSASigS.bytes, sig.ECDSASigS.bitLength, err = readMPI(r)
|
||||||
|
}
|
||||||
|
default:
|
||||||
|
panic("unreachable")
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// parseSignatureSubpackets parses subpackets of the main signature packet. See
|
||||||
|
// RFC 4880, section 5.2.3.1.
|
||||||
|
func parseSignatureSubpackets(sig *Signature, subpackets []byte, isHashed bool) (err error) {
|
||||||
|
for len(subpackets) > 0 {
|
||||||
|
subpackets, err = parseSignatureSubpacket(sig, subpackets, isHashed)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if sig.CreationTime.IsZero() {
|
||||||
|
err = errors.StructuralError("no creation time in signature")
|
||||||
|
}
|
||||||
|
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
type signatureSubpacketType uint8
|
||||||
|
|
||||||
|
const (
|
||||||
|
creationTimeSubpacket signatureSubpacketType = 2
|
||||||
|
signatureExpirationSubpacket signatureSubpacketType = 3
|
||||||
|
regularExpressionSubpacket signatureSubpacketType = 6
|
||||||
|
keyExpirationSubpacket signatureSubpacketType = 9
|
||||||
|
prefSymmetricAlgosSubpacket signatureSubpacketType = 11
|
||||||
|
revocationKey signatureSubpacketType = 12
|
||||||
|
issuerSubpacket signatureSubpacketType = 16
|
||||||
|
prefHashAlgosSubpacket signatureSubpacketType = 21
|
||||||
|
prefCompressionSubpacket signatureSubpacketType = 22
|
||||||
|
prefKeyServerSubpacket signatureSubpacketType = 24
|
||||||
|
primaryUserIdSubpacket signatureSubpacketType = 25
|
||||||
|
policyURISubpacket signatureSubpacketType = 26
|
||||||
|
keyFlagsSubpacket signatureSubpacketType = 27
|
||||||
|
reasonForRevocationSubpacket signatureSubpacketType = 29
|
||||||
|
featuresSubpacket signatureSubpacketType = 30
|
||||||
|
embeddedSignatureSubpacket signatureSubpacketType = 32
|
||||||
|
issuerFingerprint signatureSubpacketType = 33
|
||||||
|
)
|
||||||
|
|
||||||
|
// parseSignatureSubpacket parses a single subpacket. len(subpacket) is >= 1.
|
||||||
|
func parseSignatureSubpacket(sig *Signature, subpacket []byte, isHashed bool) (rest []byte, err error) {
|
||||||
|
// RFC 4880, section 5.2.3.1
|
||||||
|
var (
|
||||||
|
length uint32
|
||||||
|
packetType signatureSubpacketType
|
||||||
|
isCritical bool
|
||||||
|
)
|
||||||
|
switch {
|
||||||
|
case subpacket[0] < 192:
|
||||||
|
length = uint32(subpacket[0])
|
||||||
|
subpacket = subpacket[1:]
|
||||||
|
case subpacket[0] < 255:
|
||||||
|
if len(subpacket) < 2 {
|
||||||
|
goto Truncated
|
||||||
|
}
|
||||||
|
length = uint32(subpacket[0]-192)<<8 + uint32(subpacket[1]) + 192
|
||||||
|
subpacket = subpacket[2:]
|
||||||
|
default:
|
||||||
|
if len(subpacket) < 5 {
|
||||||
|
goto Truncated
|
||||||
|
}
|
||||||
|
length = uint32(subpacket[1])<<24 |
|
||||||
|
uint32(subpacket[2])<<16 |
|
||||||
|
uint32(subpacket[3])<<8 |
|
||||||
|
uint32(subpacket[4])
|
||||||
|
subpacket = subpacket[5:]
|
||||||
|
}
|
||||||
|
if length > uint32(len(subpacket)) {
|
||||||
|
goto Truncated
|
||||||
|
}
|
||||||
|
rest = subpacket[length:]
|
||||||
|
subpacket = subpacket[:length]
|
||||||
|
if len(subpacket) == 0 {
|
||||||
|
err = errors.StructuralError("zero length signature subpacket")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
packetType = signatureSubpacketType(subpacket[0] & 0x7f)
|
||||||
|
isCritical = subpacket[0]&0x80 == 0x80
|
||||||
|
subpacket = subpacket[1:]
|
||||||
|
sig.rawSubpackets = append(sig.rawSubpackets, outputSubpacket{isHashed, packetType, isCritical, subpacket})
|
||||||
|
switch packetType {
|
||||||
|
case creationTimeSubpacket:
|
||||||
|
if !isHashed {
|
||||||
|
err = errors.StructuralError("signature creation time in non-hashed area")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if len(subpacket) != 4 {
|
||||||
|
err = errors.StructuralError("signature creation time not four bytes")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
t := binary.BigEndian.Uint32(subpacket)
|
||||||
|
sig.CreationTime = time.Unix(int64(t), 0)
|
||||||
|
case signatureExpirationSubpacket:
|
||||||
|
// Signature expiration time, section 5.2.3.10
|
||||||
|
if !isHashed {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if len(subpacket) != 4 {
|
||||||
|
err = errors.StructuralError("expiration subpacket with bad length")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
sig.SigLifetimeSecs = new(uint32)
|
||||||
|
*sig.SigLifetimeSecs = binary.BigEndian.Uint32(subpacket)
|
||||||
|
case keyExpirationSubpacket:
|
||||||
|
// Key expiration time, section 5.2.3.6
|
||||||
|
if !isHashed {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if len(subpacket) != 4 {
|
||||||
|
err = errors.StructuralError("key expiration subpacket with bad length")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
sig.KeyLifetimeSecs = new(uint32)
|
||||||
|
*sig.KeyLifetimeSecs = binary.BigEndian.Uint32(subpacket)
|
||||||
|
case prefSymmetricAlgosSubpacket:
|
||||||
|
// Preferred symmetric algorithms, section 5.2.3.7
|
||||||
|
if !isHashed {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
sig.PreferredSymmetric = make([]byte, len(subpacket))
|
||||||
|
copy(sig.PreferredSymmetric, subpacket)
|
||||||
|
case issuerSubpacket:
|
||||||
|
// Issuer, section 5.2.3.5
|
||||||
|
if len(subpacket) != 8 {
|
||||||
|
err = errors.StructuralError("issuer subpacket with bad length")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
sig.IssuerKeyId = new(uint64)
|
||||||
|
*sig.IssuerKeyId = binary.BigEndian.Uint64(subpacket)
|
||||||
|
case prefHashAlgosSubpacket:
|
||||||
|
// Preferred hash algorithms, section 5.2.3.8
|
||||||
|
if !isHashed {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
sig.PreferredHash = make([]byte, len(subpacket))
|
||||||
|
copy(sig.PreferredHash, subpacket)
|
||||||
|
case prefCompressionSubpacket:
|
||||||
|
// Preferred compression algorithms, section 5.2.3.9
|
||||||
|
if !isHashed {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
sig.PreferredCompression = make([]byte, len(subpacket))
|
||||||
|
copy(sig.PreferredCompression, subpacket)
|
||||||
|
case primaryUserIdSubpacket:
|
||||||
|
// Primary User ID, section 5.2.3.19
|
||||||
|
if !isHashed {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if len(subpacket) != 1 {
|
||||||
|
err = errors.StructuralError("primary user id subpacket with bad length")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
sig.IsPrimaryId = new(bool)
|
||||||
|
if subpacket[0] > 0 {
|
||||||
|
*sig.IsPrimaryId = true
|
||||||
|
}
|
||||||
|
case keyFlagsSubpacket:
|
||||||
|
// Key flags, section 5.2.3.21
|
||||||
|
if !isHashed {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if len(subpacket) == 0 {
|
||||||
|
err = errors.StructuralError("empty key flags subpacket")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if subpacket[0] != 0 {
|
||||||
|
sig.FlagsValid = true
|
||||||
|
if subpacket[0]&KeyFlagCertify != 0 {
|
||||||
|
sig.FlagCertify = true
|
||||||
|
}
|
||||||
|
if subpacket[0]&KeyFlagSign != 0 {
|
||||||
|
sig.FlagSign = true
|
||||||
|
}
|
||||||
|
if subpacket[0]&KeyFlagEncryptCommunications != 0 {
|
||||||
|
sig.FlagEncryptCommunications = true
|
||||||
|
}
|
||||||
|
if subpacket[0]&KeyFlagEncryptStorage != 0 {
|
||||||
|
sig.FlagEncryptStorage = true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
case reasonForRevocationSubpacket:
|
||||||
|
// Reason For Revocation, section 5.2.3.23
|
||||||
|
if !isHashed {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if len(subpacket) == 0 {
|
||||||
|
err = errors.StructuralError("empty revocation reason subpacket")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
sig.RevocationReason = new(uint8)
|
||||||
|
*sig.RevocationReason = subpacket[0]
|
||||||
|
sig.RevocationReasonText = string(subpacket[1:])
|
||||||
|
case featuresSubpacket:
|
||||||
|
// Features subpacket, section 5.2.3.24 specifies a very general
|
||||||
|
// mechanism for OpenPGP implementations to signal support for new
|
||||||
|
// features. In practice, the subpacket is used exclusively to
|
||||||
|
// indicate support for MDC-protected encryption.
|
||||||
|
sig.MDC = len(subpacket) >= 1 && subpacket[0]&1 == 1
|
||||||
|
case embeddedSignatureSubpacket:
|
||||||
|
// Only usage is in signatures that cross-certify
|
||||||
|
// signing subkeys. section 5.2.3.26 describes the
|
||||||
|
// format, with its usage described in section 11.1
|
||||||
|
if sig.EmbeddedSignature != nil {
|
||||||
|
err = errors.StructuralError("Cannot have multiple embedded signatures")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
sig.EmbeddedSignature = new(Signature)
|
||||||
|
// Embedded signatures are required to be v4 signatures see
|
||||||
|
// section 12.1. However, we only parse v4 signatures in this
|
||||||
|
// file anyway.
|
||||||
|
if err := sig.EmbeddedSignature.parse(bytes.NewBuffer(subpacket)); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
if sigType := sig.EmbeddedSignature.SigType; sigType != SigTypePrimaryKeyBinding {
|
||||||
|
return nil, errors.StructuralError("cross-signature has unexpected type " + strconv.Itoa(int(sigType)))
|
||||||
|
}
|
||||||
|
case policyURISubpacket:
|
||||||
|
// See RFC 4880, Section 5.2.3.20
|
||||||
|
sig.PolicyURI = string(subpacket[:])
|
||||||
|
case regularExpressionSubpacket:
|
||||||
|
sig.Regex = string(subpacket[:])
|
||||||
|
if isCritical {
|
||||||
|
sig.StubbedOutCriticalError = errors.UnsupportedError("regex support is stubbed out")
|
||||||
|
}
|
||||||
|
case prefKeyServerSubpacket:
|
||||||
|
sig.PreferredKeyServer = string(subpacket[:])
|
||||||
|
case issuerFingerprint:
|
||||||
|
// The first byte is how many bytes the fingerprint is, but we'll just
|
||||||
|
// read until the end of the subpacket, so we'll ignore it.
|
||||||
|
sig.IssuerFingerprint = append([]byte{}, subpacket[1:]...)
|
||||||
|
case revocationKey:
|
||||||
|
// Authorizes the specified key to issue revocation signatures
|
||||||
|
// for a key.
|
||||||
|
|
||||||
|
// TODO: Class octet must have bit 0x80 set. If the bit 0x40
|
||||||
|
// is set, then this means that the revocation information is
|
||||||
|
// sensitive.
|
||||||
|
sig.DesignatedRevoker = &RevocationKey{
|
||||||
|
Class: subpacket[0],
|
||||||
|
PublicKeyAlgo: PublicKeyAlgorithm(subpacket[1]),
|
||||||
|
Fingerprint: append([]byte{}, subpacket[2:]...),
|
||||||
|
}
|
||||||
|
default:
|
||||||
|
if isCritical {
|
||||||
|
err = errors.UnsupportedError("unknown critical signature subpacket type " + strconv.Itoa(int(packetType)))
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return
|
||||||
|
|
||||||
|
Truncated:
|
||||||
|
err = errors.StructuralError("signature subpacket truncated")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// subpacketLengthLength returns the length, in bytes, of an encoded length value.
|
||||||
|
func subpacketLengthLength(length int) int {
|
||||||
|
if length < 192 {
|
||||||
|
return 1
|
||||||
|
}
|
||||||
|
if length < 16320 {
|
||||||
|
return 2
|
||||||
|
}
|
||||||
|
return 5
|
||||||
|
}
|
||||||
|
|
||||||
|
// serializeSubpacketLength marshals the given length into to.
|
||||||
|
func serializeSubpacketLength(to []byte, length int) int {
|
||||||
|
// RFC 4880, Section 4.2.2.
|
||||||
|
if length < 192 {
|
||||||
|
to[0] = byte(length)
|
||||||
|
return 1
|
||||||
|
}
|
||||||
|
if length < 16320 {
|
||||||
|
length -= 192
|
||||||
|
to[0] = byte((length >> 8) + 192)
|
||||||
|
to[1] = byte(length)
|
||||||
|
return 2
|
||||||
|
}
|
||||||
|
to[0] = 255
|
||||||
|
to[1] = byte(length >> 24)
|
||||||
|
to[2] = byte(length >> 16)
|
||||||
|
to[3] = byte(length >> 8)
|
||||||
|
to[4] = byte(length)
|
||||||
|
return 5
|
||||||
|
}
|
||||||
|
|
||||||
|
// subpacketsLength returns the serialized length, in bytes, of the given
|
||||||
|
// subpackets.
|
||||||
|
func subpacketsLength(subpackets []outputSubpacket, hashed bool) (length int) {
|
||||||
|
for _, subpacket := range subpackets {
|
||||||
|
if subpacket.hashed == hashed {
|
||||||
|
length += subpacketLengthLength(len(subpacket.contents) + 1)
|
||||||
|
length += 1 // type byte
|
||||||
|
length += len(subpacket.contents)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// serializeSubpackets marshals the given subpackets into to.
|
||||||
|
func serializeSubpackets(to []byte, subpackets []outputSubpacket, hashed bool) {
|
||||||
|
for _, subpacket := range subpackets {
|
||||||
|
if subpacket.hashed == hashed {
|
||||||
|
n := serializeSubpacketLength(to, len(subpacket.contents)+1)
|
||||||
|
to[n] = byte(subpacket.subpacketType)
|
||||||
|
to = to[1+n:]
|
||||||
|
n = copy(to, subpacket.contents)
|
||||||
|
to = to[n:]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// KeyExpired returns whether sig is a self-signature of a key that has
|
||||||
|
// expired.
|
||||||
|
func (sig *Signature) KeyExpired(currentTime time.Time) bool {
|
||||||
|
if sig.KeyLifetimeSecs == nil {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
expiry := sig.CreationTime.Add(time.Duration(*sig.KeyLifetimeSecs) * time.Second)
|
||||||
|
return currentTime.After(expiry)
|
||||||
|
}
|
||||||
|
|
||||||
|
// ExpiresBeforeOther checks if other signature has expiration at
|
||||||
|
// later date than sig.
|
||||||
|
func (sig *Signature) ExpiresBeforeOther(other *Signature) bool {
|
||||||
|
if sig.KeyLifetimeSecs == nil {
|
||||||
|
// This sig never expires, or has infinitely long expiration
|
||||||
|
// time.
|
||||||
|
return false
|
||||||
|
} else if other.KeyLifetimeSecs == nil {
|
||||||
|
// This sig expires at some non-infinite point, but the other
|
||||||
|
// sig never expires.
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
|
||||||
|
getExpiryDate := func(s *Signature) time.Time {
|
||||||
|
return s.CreationTime.Add(time.Duration(*s.KeyLifetimeSecs) * time.Second)
|
||||||
|
}
|
||||||
|
|
||||||
|
return getExpiryDate(other).After(getExpiryDate(sig))
|
||||||
|
}
|
||||||
|
|
||||||
|
// buildHashSuffix constructs the HashSuffix member of sig in preparation for signing.
|
||||||
|
func (sig *Signature) buildHashSuffix() (err error) {
|
||||||
|
hashedSubpacketsLen := subpacketsLength(sig.outSubpackets, true)
|
||||||
|
|
||||||
|
var ok bool
|
||||||
|
l := 6 + hashedSubpacketsLen
|
||||||
|
sig.HashSuffix = make([]byte, l+6)
|
||||||
|
sig.HashSuffix[0] = 4
|
||||||
|
sig.HashSuffix[1] = uint8(sig.SigType)
|
||||||
|
sig.HashSuffix[2] = uint8(sig.PubKeyAlgo)
|
||||||
|
sig.HashSuffix[3], ok = s2k.HashToHashId(sig.Hash)
|
||||||
|
if !ok {
|
||||||
|
sig.HashSuffix = nil
|
||||||
|
return errors.InvalidArgumentError("hash cannot be represented in OpenPGP: " + strconv.Itoa(int(sig.Hash)))
|
||||||
|
}
|
||||||
|
sig.HashSuffix[4] = byte(hashedSubpacketsLen >> 8)
|
||||||
|
sig.HashSuffix[5] = byte(hashedSubpacketsLen)
|
||||||
|
serializeSubpackets(sig.HashSuffix[6:l], sig.outSubpackets, true)
|
||||||
|
trailer := sig.HashSuffix[l:]
|
||||||
|
trailer[0] = 4
|
||||||
|
trailer[1] = 0xff
|
||||||
|
trailer[2] = byte(l >> 24)
|
||||||
|
trailer[3] = byte(l >> 16)
|
||||||
|
trailer[4] = byte(l >> 8)
|
||||||
|
trailer[5] = byte(l)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func (sig *Signature) signPrepareHash(h hash.Hash) (digest []byte, err error) {
|
||||||
|
err = sig.buildHashSuffix()
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
h.Write(sig.HashSuffix)
|
||||||
|
digest = h.Sum(nil)
|
||||||
|
copy(sig.HashTag[:], digest)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// Sign signs a message with a private key. The hash, h, must contain
|
||||||
|
// the hash of the message to be signed and will be mutated by this function.
|
||||||
|
// On success, the signature is stored in sig. Call Serialize to write it out.
|
||||||
|
// If config is nil, sensible defaults will be used.
|
||||||
|
func (sig *Signature) Sign(h hash.Hash, priv *PrivateKey, config *Config) (err error) {
|
||||||
|
signer, hashIsSigner := h.(Signer)
|
||||||
|
|
||||||
|
if !hashIsSigner && (priv == nil || priv.PrivateKey == nil) {
|
||||||
|
err = errors.InvalidArgumentError("attempting to sign with nil PrivateKey")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
sig.outSubpackets = sig.buildSubpackets()
|
||||||
|
digest, err := sig.signPrepareHash(h)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
if hashIsSigner {
|
||||||
|
err = signer.Sign(sig)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
switch priv.PubKeyAlgo {
|
||||||
|
case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly:
|
||||||
|
sig.RSASignature.bytes, err = rsa.SignPKCS1v15(config.Random(), priv.PrivateKey.(*rsa.PrivateKey), sig.Hash, digest)
|
||||||
|
sig.RSASignature.bitLength = uint16(8 * len(sig.RSASignature.bytes))
|
||||||
|
case PubKeyAlgoDSA:
|
||||||
|
dsaPriv := priv.PrivateKey.(*dsa.PrivateKey)
|
||||||
|
|
||||||
|
// Need to truncate hashBytes to match FIPS 186-3 section 4.6.
|
||||||
|
subgroupSize := (dsaPriv.Q.BitLen() + 7) / 8
|
||||||
|
if len(digest) > subgroupSize {
|
||||||
|
digest = digest[:subgroupSize]
|
||||||
|
}
|
||||||
|
r, s, err := dsa.Sign(config.Random(), dsaPriv, digest)
|
||||||
|
if err == nil {
|
||||||
|
sig.DSASigR.bytes = r.Bytes()
|
||||||
|
sig.DSASigR.bitLength = uint16(8 * len(sig.DSASigR.bytes))
|
||||||
|
sig.DSASigS.bytes = s.Bytes()
|
||||||
|
sig.DSASigS.bitLength = uint16(8 * len(sig.DSASigS.bytes))
|
||||||
|
}
|
||||||
|
case PubKeyAlgoECDSA:
|
||||||
|
r, s, err := ecdsa.Sign(config.Random(), priv.PrivateKey.(*ecdsa.PrivateKey), digest)
|
||||||
|
if err == nil {
|
||||||
|
sig.ECDSASigR = FromBig(r)
|
||||||
|
sig.ECDSASigS = FromBig(s)
|
||||||
|
}
|
||||||
|
case PubKeyAlgoEdDSA:
|
||||||
|
r, s, err := priv.PrivateKey.(*EdDSAPrivateKey).Sign(digest)
|
||||||
|
if err == nil {
|
||||||
|
sig.EdDSASigR = FromBytes(r)
|
||||||
|
sig.EdDSASigS = FromBytes(s)
|
||||||
|
}
|
||||||
|
default:
|
||||||
|
err = errors.UnsupportedError("public key algorithm: " + strconv.Itoa(int(sig.PubKeyAlgo)))
|
||||||
|
}
|
||||||
|
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// SignUserId computes a signature from priv, asserting that pub is a valid
|
||||||
|
// key for the identity id. On success, the signature is stored in sig. Call
|
||||||
|
// Serialize to write it out.
|
||||||
|
// If config is nil, sensible defaults will be used.
|
||||||
|
func (sig *Signature) SignUserId(id string, pub *PublicKey, priv *PrivateKey, config *Config) error {
|
||||||
|
h, err := userIdSignatureHash(id, pub, sig.Hash)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
return sig.Sign(h, priv, config)
|
||||||
|
}
|
||||||
|
|
||||||
|
// SignUserIdWithSigner computes a signature from priv, asserting that pub is a
|
||||||
|
// valid key for the identity id. On success, the signature is stored in sig.
|
||||||
|
// Call Serialize to write it out.
|
||||||
|
// If config is nil, sensible defaults will be used.
|
||||||
|
func (sig *Signature) SignUserIdWithSigner(id string, pub *PublicKey, s Signer, config *Config) error {
|
||||||
|
updateUserIdSignatureHash(id, pub, s)
|
||||||
|
|
||||||
|
return sig.Sign(s, nil, config)
|
||||||
|
}
|
||||||
|
|
||||||
|
// SignKey computes a signature from priv, asserting that pub is a subkey. On
|
||||||
|
// success, the signature is stored in sig. Call Serialize to write it out.
|
||||||
|
// If config is nil, sensible defaults will be used.
|
||||||
|
func (sig *Signature) SignKey(pub *PublicKey, priv *PrivateKey, config *Config) error {
|
||||||
|
h, err := keySignatureHash(&priv.PublicKey, pub, sig.Hash)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
return sig.Sign(h, priv, config)
|
||||||
|
}
|
||||||
|
|
||||||
|
// SignKeyWithSigner computes a signature using s, asserting that
|
||||||
|
// signeePubKey is a subkey. On success, the signature is stored in sig. Call
|
||||||
|
// Serialize to write it out. If config is nil, sensible defaults will be used.
|
||||||
|
func (sig *Signature) SignKeyWithSigner(signeePubKey *PublicKey, signerPubKey *PublicKey, s Signer, config *Config) error {
|
||||||
|
updateKeySignatureHash(signerPubKey, signeePubKey, s)
|
||||||
|
|
||||||
|
return sig.Sign(s, nil, config)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Serialize marshals sig to w. Sign, SignUserId or SignKey must have been
|
||||||
|
// called first.
|
||||||
|
func (sig *Signature) Serialize(w io.Writer) (err error) {
|
||||||
|
if len(sig.outSubpackets) == 0 {
|
||||||
|
sig.outSubpackets = sig.rawSubpackets
|
||||||
|
}
|
||||||
|
if sig.RSASignature.bytes == nil &&
|
||||||
|
sig.DSASigR.bytes == nil &&
|
||||||
|
sig.ECDSASigR.bytes == nil &&
|
||||||
|
sig.EdDSASigR.bytes == nil {
|
||||||
|
return errors.InvalidArgumentError("Signature: need to call Sign, SignUserId or SignKey before Serialize")
|
||||||
|
}
|
||||||
|
|
||||||
|
sigLength := 0
|
||||||
|
switch sig.PubKeyAlgo {
|
||||||
|
case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly:
|
||||||
|
sigLength = 2 + len(sig.RSASignature.bytes)
|
||||||
|
case PubKeyAlgoDSA:
|
||||||
|
sigLength = 2 + len(sig.DSASigR.bytes)
|
||||||
|
sigLength += 2 + len(sig.DSASigS.bytes)
|
||||||
|
case PubKeyAlgoEdDSA:
|
||||||
|
sigLength = 2 + len(sig.EdDSASigR.bytes)
|
||||||
|
sigLength += 2 + len(sig.EdDSASigS.bytes)
|
||||||
|
case PubKeyAlgoECDSA:
|
||||||
|
sigLength = 2 + len(sig.ECDSASigR.bytes)
|
||||||
|
sigLength += 2 + len(sig.ECDSASigS.bytes)
|
||||||
|
default:
|
||||||
|
panic("impossible")
|
||||||
|
}
|
||||||
|
|
||||||
|
unhashedSubpacketsLen := subpacketsLength(sig.outSubpackets, false)
|
||||||
|
length := len(sig.HashSuffix) - 6 /* trailer not included */ +
|
||||||
|
2 /* length of unhashed subpackets */ + unhashedSubpacketsLen +
|
||||||
|
2 /* hash tag */ + sigLength
|
||||||
|
err = serializeHeader(w, packetTypeSignature, length)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
_, err = w.Write(sig.HashSuffix[:len(sig.HashSuffix)-6])
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
unhashedSubpackets := make([]byte, 2+unhashedSubpacketsLen)
|
||||||
|
unhashedSubpackets[0] = byte(unhashedSubpacketsLen >> 8)
|
||||||
|
unhashedSubpackets[1] = byte(unhashedSubpacketsLen)
|
||||||
|
serializeSubpackets(unhashedSubpackets[2:], sig.outSubpackets, false)
|
||||||
|
|
||||||
|
_, err = w.Write(unhashedSubpackets)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
_, err = w.Write(sig.HashTag[:])
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
switch sig.PubKeyAlgo {
|
||||||
|
case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly:
|
||||||
|
err = writeMPIs(w, sig.RSASignature)
|
||||||
|
case PubKeyAlgoDSA:
|
||||||
|
err = writeMPIs(w, sig.DSASigR, sig.DSASigS)
|
||||||
|
case PubKeyAlgoEdDSA:
|
||||||
|
err = writeMPIs(w, sig.EdDSASigR, sig.EdDSASigS)
|
||||||
|
case PubKeyAlgoECDSA:
|
||||||
|
err = writeMPIs(w, sig.ECDSASigR, sig.ECDSASigS)
|
||||||
|
default:
|
||||||
|
panic("impossible")
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// outputSubpacket represents a subpacket to be marshaled.
|
||||||
|
type outputSubpacket struct {
|
||||||
|
hashed bool // true if this subpacket is in the hashed area.
|
||||||
|
subpacketType signatureSubpacketType
|
||||||
|
isCritical bool
|
||||||
|
contents []byte
|
||||||
|
}
|
||||||
|
|
||||||
|
func (sig *Signature) buildSubpackets() (subpackets []outputSubpacket) {
|
||||||
|
creationTime := make([]byte, 4)
|
||||||
|
binary.BigEndian.PutUint32(creationTime, uint32(sig.CreationTime.Unix()))
|
||||||
|
subpackets = append(subpackets, outputSubpacket{true, creationTimeSubpacket, false, creationTime})
|
||||||
|
|
||||||
|
if sig.IssuerKeyId != nil {
|
||||||
|
keyId := make([]byte, 8)
|
||||||
|
binary.BigEndian.PutUint64(keyId, *sig.IssuerKeyId)
|
||||||
|
subpackets = append(subpackets, outputSubpacket{true, issuerSubpacket, false, keyId})
|
||||||
|
}
|
||||||
|
|
||||||
|
if sig.SigLifetimeSecs != nil && *sig.SigLifetimeSecs != 0 {
|
||||||
|
sigLifetime := make([]byte, 4)
|
||||||
|
binary.BigEndian.PutUint32(sigLifetime, *sig.SigLifetimeSecs)
|
||||||
|
subpackets = append(subpackets, outputSubpacket{true, signatureExpirationSubpacket, true, sigLifetime})
|
||||||
|
}
|
||||||
|
|
||||||
|
// Key flags may only appear in self-signatures or certification signatures.
|
||||||
|
|
||||||
|
if sig.FlagsValid {
|
||||||
|
subpackets = append(subpackets, outputSubpacket{true, keyFlagsSubpacket, false, []byte{sig.GetKeyFlags().BitField}})
|
||||||
|
}
|
||||||
|
|
||||||
|
// The following subpackets may only appear in self-signatures
|
||||||
|
|
||||||
|
if sig.KeyLifetimeSecs != nil && *sig.KeyLifetimeSecs != 0 {
|
||||||
|
keyLifetime := make([]byte, 4)
|
||||||
|
binary.BigEndian.PutUint32(keyLifetime, *sig.KeyLifetimeSecs)
|
||||||
|
subpackets = append(subpackets, outputSubpacket{true, keyExpirationSubpacket, true, keyLifetime})
|
||||||
|
}
|
||||||
|
|
||||||
|
if sig.IsPrimaryId != nil && *sig.IsPrimaryId {
|
||||||
|
subpackets = append(subpackets, outputSubpacket{true, primaryUserIdSubpacket, false, []byte{1}})
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(sig.PreferredSymmetric) > 0 {
|
||||||
|
subpackets = append(subpackets, outputSubpacket{true, prefSymmetricAlgosSubpacket, false, sig.PreferredSymmetric})
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(sig.PreferredHash) > 0 {
|
||||||
|
subpackets = append(subpackets, outputSubpacket{true, prefHashAlgosSubpacket, false, sig.PreferredHash})
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(sig.PreferredCompression) > 0 {
|
||||||
|
subpackets = append(subpackets, outputSubpacket{true, prefCompressionSubpacket, false, sig.PreferredCompression})
|
||||||
|
}
|
||||||
|
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func (sig *Signature) GetKeyFlags() (ret KeyFlagBits) {
|
||||||
|
if !sig.FlagsValid {
|
||||||
|
return ret
|
||||||
|
}
|
||||||
|
|
||||||
|
ret.Valid = true
|
||||||
|
if sig.FlagCertify {
|
||||||
|
ret.BitField |= KeyFlagCertify
|
||||||
|
}
|
||||||
|
if sig.FlagSign {
|
||||||
|
ret.BitField |= KeyFlagSign
|
||||||
|
}
|
||||||
|
if sig.FlagEncryptCommunications {
|
||||||
|
ret.BitField |= KeyFlagEncryptCommunications
|
||||||
|
}
|
||||||
|
if sig.FlagEncryptStorage {
|
||||||
|
ret.BitField |= KeyFlagEncryptStorage
|
||||||
|
}
|
||||||
|
return ret
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *KeyFlagBits) HasFlagCertify() bool {
|
||||||
|
return f.BitField&KeyFlagCertify != 0
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *KeyFlagBits) HasFlagSign() bool {
|
||||||
|
return f.BitField&KeyFlagSign != 0
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *KeyFlagBits) HasFlagEncryptCommunications() bool {
|
||||||
|
return f.BitField&KeyFlagEncryptCommunications != 0
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *KeyFlagBits) HasFlagEncryptStorage() bool {
|
||||||
|
return f.BitField&KeyFlagEncryptStorage != 0
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *KeyFlagBits) Merge(other KeyFlagBits) {
|
||||||
|
if other.Valid {
|
||||||
|
f.Valid = true
|
||||||
|
f.BitField |= other.BitField
|
||||||
|
}
|
||||||
|
}
|
146
vendor/github.com/keybase/go-crypto/openpgp/packet/signature_v3.go
generated
vendored
Normal file
146
vendor/github.com/keybase/go-crypto/openpgp/packet/signature_v3.go
generated
vendored
Normal file
@ -0,0 +1,146 @@
|
|||||||
|
// Copyright 2013 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package packet
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto"
|
||||||
|
"encoding/binary"
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
|
"strconv"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/keybase/go-crypto/openpgp/errors"
|
||||||
|
"github.com/keybase/go-crypto/openpgp/s2k"
|
||||||
|
)
|
||||||
|
|
||||||
|
// SignatureV3 represents older version 3 signatures. These signatures are less secure
|
||||||
|
// than version 4 and should not be used to create new signatures. They are included
|
||||||
|
// here for backwards compatibility to read and validate with older key material.
|
||||||
|
// See RFC 4880, section 5.2.2.
|
||||||
|
type SignatureV3 struct {
|
||||||
|
SigType SignatureType
|
||||||
|
CreationTime time.Time
|
||||||
|
IssuerKeyId uint64
|
||||||
|
PubKeyAlgo PublicKeyAlgorithm
|
||||||
|
Hash crypto.Hash
|
||||||
|
HashTag [2]byte
|
||||||
|
|
||||||
|
RSASignature parsedMPI
|
||||||
|
DSASigR, DSASigS parsedMPI
|
||||||
|
}
|
||||||
|
|
||||||
|
func (sig *SignatureV3) parse(r io.Reader) (err error) {
|
||||||
|
// RFC 4880, section 5.2.2
|
||||||
|
var buf [8]byte
|
||||||
|
if _, err = readFull(r, buf[:1]); err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if buf[0] < 2 || buf[0] > 3 {
|
||||||
|
err = errors.UnsupportedError("signature packet version " + strconv.Itoa(int(buf[0])))
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if _, err = readFull(r, buf[:1]); err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if buf[0] != 5 {
|
||||||
|
err = errors.UnsupportedError(
|
||||||
|
"invalid hashed material length " + strconv.Itoa(int(buf[0])))
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// Read hashed material: signature type + creation time
|
||||||
|
if _, err = readFull(r, buf[:5]); err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
sig.SigType = SignatureType(buf[0])
|
||||||
|
t := binary.BigEndian.Uint32(buf[1:5])
|
||||||
|
sig.CreationTime = time.Unix(int64(t), 0)
|
||||||
|
|
||||||
|
// Eight-octet Key ID of signer.
|
||||||
|
if _, err = readFull(r, buf[:8]); err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
sig.IssuerKeyId = binary.BigEndian.Uint64(buf[:])
|
||||||
|
|
||||||
|
// Public-key and hash algorithm
|
||||||
|
if _, err = readFull(r, buf[:2]); err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
sig.PubKeyAlgo = PublicKeyAlgorithm(buf[0])
|
||||||
|
switch sig.PubKeyAlgo {
|
||||||
|
case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly, PubKeyAlgoDSA:
|
||||||
|
default:
|
||||||
|
err = errors.UnsupportedError("public key algorithm " + strconv.Itoa(int(sig.PubKeyAlgo)))
|
||||||
|
return
|
||||||
|
}
|
||||||
|
var ok bool
|
||||||
|
if sig.Hash, ok = s2k.HashIdToHash(buf[1]); !ok {
|
||||||
|
return errors.UnsupportedError("hash function " + strconv.Itoa(int(buf[2])))
|
||||||
|
}
|
||||||
|
|
||||||
|
// Two-octet field holding left 16 bits of signed hash value.
|
||||||
|
if _, err = readFull(r, sig.HashTag[:2]); err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
switch sig.PubKeyAlgo {
|
||||||
|
case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly:
|
||||||
|
sig.RSASignature.bytes, sig.RSASignature.bitLength, err = readMPI(r)
|
||||||
|
case PubKeyAlgoDSA:
|
||||||
|
if sig.DSASigR.bytes, sig.DSASigR.bitLength, err = readMPI(r); err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
sig.DSASigS.bytes, sig.DSASigS.bitLength, err = readMPI(r)
|
||||||
|
default:
|
||||||
|
panic("unreachable")
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// Serialize marshals sig to w. Sign, SignUserId or SignKey must have been
|
||||||
|
// called first.
|
||||||
|
func (sig *SignatureV3) Serialize(w io.Writer) (err error) {
|
||||||
|
buf := make([]byte, 8)
|
||||||
|
|
||||||
|
// Write the sig type and creation time
|
||||||
|
buf[0] = byte(sig.SigType)
|
||||||
|
binary.BigEndian.PutUint32(buf[1:5], uint32(sig.CreationTime.Unix()))
|
||||||
|
if _, err = w.Write(buf[:5]); err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// Write the issuer long key ID
|
||||||
|
binary.BigEndian.PutUint64(buf[:8], sig.IssuerKeyId)
|
||||||
|
if _, err = w.Write(buf[:8]); err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// Write public key algorithm, hash ID, and hash value
|
||||||
|
buf[0] = byte(sig.PubKeyAlgo)
|
||||||
|
hashId, ok := s2k.HashToHashId(sig.Hash)
|
||||||
|
if !ok {
|
||||||
|
return errors.UnsupportedError(fmt.Sprintf("hash function %v", sig.Hash))
|
||||||
|
}
|
||||||
|
buf[1] = hashId
|
||||||
|
copy(buf[2:4], sig.HashTag[:])
|
||||||
|
if _, err = w.Write(buf[:4]); err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
if sig.RSASignature.bytes == nil && sig.DSASigR.bytes == nil {
|
||||||
|
return errors.InvalidArgumentError("Signature: need to call Sign, SignUserId or SignKey before Serialize")
|
||||||
|
}
|
||||||
|
|
||||||
|
switch sig.PubKeyAlgo {
|
||||||
|
case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly:
|
||||||
|
err = writeMPIs(w, sig.RSASignature)
|
||||||
|
case PubKeyAlgoDSA:
|
||||||
|
err = writeMPIs(w, sig.DSASigR, sig.DSASigS)
|
||||||
|
default:
|
||||||
|
panic("impossible")
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
158
vendor/github.com/keybase/go-crypto/openpgp/packet/symmetric_key_encrypted.go
generated
vendored
Normal file
158
vendor/github.com/keybase/go-crypto/openpgp/packet/symmetric_key_encrypted.go
generated
vendored
Normal file
@ -0,0 +1,158 @@
|
|||||||
|
// Copyright 2011 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package packet
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"crypto/cipher"
|
||||||
|
"io"
|
||||||
|
"strconv"
|
||||||
|
|
||||||
|
"github.com/keybase/go-crypto/openpgp/errors"
|
||||||
|
"github.com/keybase/go-crypto/openpgp/s2k"
|
||||||
|
)
|
||||||
|
|
||||||
|
// This is the largest session key that we'll support. Since no 512-bit cipher
|
||||||
|
// has even been seriously used, this is comfortably large.
|
||||||
|
const maxSessionKeySizeInBytes = 64
|
||||||
|
|
||||||
|
// SymmetricKeyEncrypted represents a passphrase protected session key. See RFC
|
||||||
|
// 4880, section 5.3.
|
||||||
|
type SymmetricKeyEncrypted struct {
|
||||||
|
CipherFunc CipherFunction
|
||||||
|
s2k func(out, in []byte)
|
||||||
|
encryptedKey []byte
|
||||||
|
}
|
||||||
|
|
||||||
|
const symmetricKeyEncryptedVersion = 4
|
||||||
|
|
||||||
|
func (ske *SymmetricKeyEncrypted) parse(r io.Reader) error {
|
||||||
|
// RFC 4880, section 5.3.
|
||||||
|
var buf [2]byte
|
||||||
|
if _, err := readFull(r, buf[:]); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if buf[0] != symmetricKeyEncryptedVersion {
|
||||||
|
return errors.UnsupportedError("SymmetricKeyEncrypted version")
|
||||||
|
}
|
||||||
|
ske.CipherFunc = CipherFunction(buf[1])
|
||||||
|
|
||||||
|
if ske.CipherFunc.KeySize() == 0 {
|
||||||
|
return errors.UnsupportedError("unknown cipher: " + strconv.Itoa(int(buf[1])))
|
||||||
|
}
|
||||||
|
|
||||||
|
var err error
|
||||||
|
ske.s2k, err = s2k.Parse(r)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if ske.s2k == nil {
|
||||||
|
return errors.UnsupportedError("can't use dummy S2K for symmetric key encryption")
|
||||||
|
}
|
||||||
|
|
||||||
|
encryptedKey := make([]byte, maxSessionKeySizeInBytes)
|
||||||
|
// The session key may follow. We just have to try and read to find
|
||||||
|
// out. If it exists then we limit it to maxSessionKeySizeInBytes.
|
||||||
|
n, err := readFull(r, encryptedKey)
|
||||||
|
if err != nil && err != io.ErrUnexpectedEOF {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
if n != 0 {
|
||||||
|
if n == maxSessionKeySizeInBytes {
|
||||||
|
return errors.UnsupportedError("oversized encrypted session key")
|
||||||
|
}
|
||||||
|
ske.encryptedKey = encryptedKey[:n]
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Decrypt attempts to decrypt an encrypted session key and returns the key and
|
||||||
|
// the cipher to use when decrypting a subsequent Symmetrically Encrypted Data
|
||||||
|
// packet.
|
||||||
|
func (ske *SymmetricKeyEncrypted) Decrypt(passphrase []byte) ([]byte, CipherFunction, error) {
|
||||||
|
key := make([]byte, ske.CipherFunc.KeySize())
|
||||||
|
ske.s2k(key, passphrase)
|
||||||
|
|
||||||
|
if len(ske.encryptedKey) == 0 {
|
||||||
|
return key, ske.CipherFunc, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// the IV is all zeros
|
||||||
|
iv := make([]byte, ske.CipherFunc.blockSize())
|
||||||
|
c := cipher.NewCFBDecrypter(ske.CipherFunc.new(key), iv)
|
||||||
|
plaintextKey := make([]byte, len(ske.encryptedKey))
|
||||||
|
c.XORKeyStream(plaintextKey, ske.encryptedKey)
|
||||||
|
cipherFunc := CipherFunction(plaintextKey[0])
|
||||||
|
if cipherFunc.blockSize() == 0 {
|
||||||
|
return nil, ske.CipherFunc, errors.UnsupportedError("unknown cipher: " + strconv.Itoa(int(cipherFunc)))
|
||||||
|
}
|
||||||
|
plaintextKey = plaintextKey[1:]
|
||||||
|
if l := len(plaintextKey); l == 0 || l%cipherFunc.blockSize() != 0 {
|
||||||
|
return nil, cipherFunc, errors.StructuralError("length of decrypted key not a multiple of block size")
|
||||||
|
}
|
||||||
|
|
||||||
|
return plaintextKey, cipherFunc, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// SerializeSymmetricKeyEncrypted serializes a symmetric key packet to w. The
|
||||||
|
// packet contains a random session key, encrypted by a key derived from the
|
||||||
|
// given passphrase. The session key is returned and must be passed to
|
||||||
|
// SerializeSymmetricallyEncrypted.
|
||||||
|
// If config is nil, sensible defaults will be used.
|
||||||
|
func SerializeSymmetricKeyEncrypted(w io.Writer, passphrase []byte, config *Config) (key []byte, err error) {
|
||||||
|
cipherFunc := config.Cipher()
|
||||||
|
keySize := cipherFunc.KeySize()
|
||||||
|
if keySize == 0 {
|
||||||
|
return nil, errors.UnsupportedError("unknown cipher: " + strconv.Itoa(int(cipherFunc)))
|
||||||
|
}
|
||||||
|
|
||||||
|
s2kBuf := new(bytes.Buffer)
|
||||||
|
keyEncryptingKey := make([]byte, keySize)
|
||||||
|
// s2k.Serialize salts and stretches the passphrase, and writes the
|
||||||
|
// resulting key to keyEncryptingKey and the s2k descriptor to s2kBuf.
|
||||||
|
err = s2k.Serialize(s2kBuf, keyEncryptingKey, config.Random(), passphrase, &s2k.Config{Hash: config.Hash(), S2KCount: config.PasswordHashIterations()})
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
s2kBytes := s2kBuf.Bytes()
|
||||||
|
|
||||||
|
packetLength := 2 /* header */ + len(s2kBytes) + 1 /* cipher type */ + keySize
|
||||||
|
err = serializeHeader(w, packetTypeSymmetricKeyEncrypted, packetLength)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
var buf [2]byte
|
||||||
|
buf[0] = symmetricKeyEncryptedVersion
|
||||||
|
buf[1] = byte(cipherFunc)
|
||||||
|
_, err = w.Write(buf[:])
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
_, err = w.Write(s2kBytes)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
sessionKey := make([]byte, keySize)
|
||||||
|
_, err = io.ReadFull(config.Random(), sessionKey)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
iv := make([]byte, cipherFunc.blockSize())
|
||||||
|
c := cipher.NewCFBEncrypter(cipherFunc.new(keyEncryptingKey), iv)
|
||||||
|
encryptedCipherAndKey := make([]byte, keySize+1)
|
||||||
|
c.XORKeyStream(encryptedCipherAndKey, buf[1:])
|
||||||
|
c.XORKeyStream(encryptedCipherAndKey[1:], sessionKey)
|
||||||
|
_, err = w.Write(encryptedCipherAndKey)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
key = sessionKey
|
||||||
|
return
|
||||||
|
}
|
291
vendor/github.com/keybase/go-crypto/openpgp/packet/symmetrically_encrypted.go
generated
vendored
Normal file
291
vendor/github.com/keybase/go-crypto/openpgp/packet/symmetrically_encrypted.go
generated
vendored
Normal file
@ -0,0 +1,291 @@
|
|||||||
|
// Copyright 2011 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package packet
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/cipher"
|
||||||
|
"crypto/sha1"
|
||||||
|
"crypto/subtle"
|
||||||
|
"hash"
|
||||||
|
"io"
|
||||||
|
"strconv"
|
||||||
|
|
||||||
|
"github.com/keybase/go-crypto/openpgp/errors"
|
||||||
|
)
|
||||||
|
|
||||||
|
// SymmetricallyEncrypted represents a symmetrically encrypted byte string. The
|
||||||
|
// encrypted contents will consist of more OpenPGP packets. See RFC 4880,
|
||||||
|
// sections 5.7 and 5.13.
|
||||||
|
type SymmetricallyEncrypted struct {
|
||||||
|
MDC bool // true iff this is a type 18 packet and thus has an embedded MAC.
|
||||||
|
contents io.Reader
|
||||||
|
prefix []byte
|
||||||
|
}
|
||||||
|
|
||||||
|
const symmetricallyEncryptedVersion = 1
|
||||||
|
|
||||||
|
func (se *SymmetricallyEncrypted) parse(r io.Reader) error {
|
||||||
|
if se.MDC {
|
||||||
|
// See RFC 4880, section 5.13.
|
||||||
|
var buf [1]byte
|
||||||
|
_, err := readFull(r, buf[:])
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if buf[0] != symmetricallyEncryptedVersion {
|
||||||
|
return errors.UnsupportedError("unknown SymmetricallyEncrypted version")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
se.contents = r
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Decrypt returns a ReadCloser, from which the decrypted contents of the
|
||||||
|
// packet can be read. An incorrect key can, with high probability, be detected
|
||||||
|
// immediately and this will result in a KeyIncorrect error being returned.
|
||||||
|
func (se *SymmetricallyEncrypted) Decrypt(c CipherFunction, key []byte) (io.ReadCloser, error) {
|
||||||
|
keySize := c.KeySize()
|
||||||
|
if keySize == 0 {
|
||||||
|
return nil, errors.UnsupportedError("unknown cipher: " + strconv.Itoa(int(c)))
|
||||||
|
}
|
||||||
|
if len(key) != keySize {
|
||||||
|
return nil, errors.InvalidArgumentError("SymmetricallyEncrypted: incorrect key length")
|
||||||
|
}
|
||||||
|
|
||||||
|
if se.prefix == nil {
|
||||||
|
se.prefix = make([]byte, c.blockSize()+2)
|
||||||
|
_, err := readFull(se.contents, se.prefix)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
} else if len(se.prefix) != c.blockSize()+2 {
|
||||||
|
return nil, errors.InvalidArgumentError("can't try ciphers with different block lengths")
|
||||||
|
}
|
||||||
|
|
||||||
|
ocfbResync := OCFBResync
|
||||||
|
if se.MDC {
|
||||||
|
// MDC packets use a different form of OCFB mode.
|
||||||
|
ocfbResync = OCFBNoResync
|
||||||
|
}
|
||||||
|
|
||||||
|
s := NewOCFBDecrypter(c.new(key), se.prefix, ocfbResync)
|
||||||
|
if s == nil {
|
||||||
|
return nil, errors.ErrKeyIncorrect
|
||||||
|
}
|
||||||
|
|
||||||
|
plaintext := cipher.StreamReader{S: s, R: se.contents}
|
||||||
|
|
||||||
|
if se.MDC {
|
||||||
|
// MDC packets have an embedded hash that we need to check.
|
||||||
|
h := sha1.New()
|
||||||
|
h.Write(se.prefix)
|
||||||
|
return &seMDCReader{in: plaintext, h: h}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Otherwise, we just need to wrap plaintext so that it's a valid ReadCloser.
|
||||||
|
return seReader{plaintext}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// seReader wraps an io.Reader with a no-op Close method.
|
||||||
|
type seReader struct {
|
||||||
|
in io.Reader
|
||||||
|
}
|
||||||
|
|
||||||
|
func (ser seReader) Read(buf []byte) (int, error) {
|
||||||
|
return ser.in.Read(buf)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (ser seReader) Close() error {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
const mdcTrailerSize = 1 /* tag byte */ + 1 /* length byte */ + sha1.Size
|
||||||
|
|
||||||
|
// An seMDCReader wraps an io.Reader, maintains a running hash and keeps hold
|
||||||
|
// of the most recent 22 bytes (mdcTrailerSize). Upon EOF, those bytes form an
|
||||||
|
// MDC packet containing a hash of the previous contents which is checked
|
||||||
|
// against the running hash. See RFC 4880, section 5.13.
|
||||||
|
type seMDCReader struct {
|
||||||
|
in io.Reader
|
||||||
|
h hash.Hash
|
||||||
|
trailer [mdcTrailerSize]byte
|
||||||
|
scratch [mdcTrailerSize]byte
|
||||||
|
trailerUsed int
|
||||||
|
error bool
|
||||||
|
eof bool
|
||||||
|
}
|
||||||
|
|
||||||
|
func (ser *seMDCReader) Read(buf []byte) (n int, err error) {
|
||||||
|
if ser.error {
|
||||||
|
err = io.ErrUnexpectedEOF
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if ser.eof {
|
||||||
|
err = io.EOF
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// If we haven't yet filled the trailer buffer then we must do that
|
||||||
|
// first.
|
||||||
|
for ser.trailerUsed < mdcTrailerSize {
|
||||||
|
n, err = ser.in.Read(ser.trailer[ser.trailerUsed:])
|
||||||
|
ser.trailerUsed += n
|
||||||
|
if err == io.EOF {
|
||||||
|
if ser.trailerUsed != mdcTrailerSize {
|
||||||
|
n = 0
|
||||||
|
err = io.ErrUnexpectedEOF
|
||||||
|
ser.error = true
|
||||||
|
return
|
||||||
|
}
|
||||||
|
ser.eof = true
|
||||||
|
n = 0
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
if err != nil {
|
||||||
|
n = 0
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// If it's a short read then we read into a temporary buffer and shift
|
||||||
|
// the data into the caller's buffer.
|
||||||
|
if len(buf) <= mdcTrailerSize {
|
||||||
|
n, err = readFull(ser.in, ser.scratch[:len(buf)])
|
||||||
|
copy(buf, ser.trailer[:n])
|
||||||
|
ser.h.Write(buf[:n])
|
||||||
|
copy(ser.trailer[:], ser.trailer[n:])
|
||||||
|
copy(ser.trailer[mdcTrailerSize-n:], ser.scratch[:])
|
||||||
|
if n < len(buf) {
|
||||||
|
ser.eof = true
|
||||||
|
err = io.EOF
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
n, err = ser.in.Read(buf[mdcTrailerSize:])
|
||||||
|
copy(buf, ser.trailer[:])
|
||||||
|
ser.h.Write(buf[:n])
|
||||||
|
copy(ser.trailer[:], buf[n:])
|
||||||
|
|
||||||
|
if err == io.EOF {
|
||||||
|
ser.eof = true
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// This is a new-format packet tag byte for a type 19 (MDC) packet.
|
||||||
|
const mdcPacketTagByte = byte(0x80) | 0x40 | 19
|
||||||
|
|
||||||
|
func (ser *seMDCReader) Close() error {
|
||||||
|
if ser.error {
|
||||||
|
return errors.SignatureError("error during reading")
|
||||||
|
}
|
||||||
|
|
||||||
|
for !ser.eof {
|
||||||
|
// We haven't seen EOF so we need to read to the end
|
||||||
|
var buf [1024]byte
|
||||||
|
_, err := ser.Read(buf[:])
|
||||||
|
if err == io.EOF {
|
||||||
|
break
|
||||||
|
}
|
||||||
|
if err != nil {
|
||||||
|
return errors.SignatureError("error during reading")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if ser.trailer[0] != mdcPacketTagByte || ser.trailer[1] != sha1.Size {
|
||||||
|
return errors.SignatureError("MDC packet not found")
|
||||||
|
}
|
||||||
|
ser.h.Write(ser.trailer[:2])
|
||||||
|
|
||||||
|
final := ser.h.Sum(nil)
|
||||||
|
if subtle.ConstantTimeCompare(final, ser.trailer[2:]) != 1 {
|
||||||
|
return errors.SignatureError("hash mismatch")
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// An seMDCWriter writes through to an io.WriteCloser while maintains a running
|
||||||
|
// hash of the data written. On close, it emits an MDC packet containing the
|
||||||
|
// running hash.
|
||||||
|
type seMDCWriter struct {
|
||||||
|
w io.WriteCloser
|
||||||
|
h hash.Hash
|
||||||
|
}
|
||||||
|
|
||||||
|
func (w *seMDCWriter) Write(buf []byte) (n int, err error) {
|
||||||
|
w.h.Write(buf)
|
||||||
|
return w.w.Write(buf)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (w *seMDCWriter) Close() (err error) {
|
||||||
|
var buf [mdcTrailerSize]byte
|
||||||
|
|
||||||
|
buf[0] = mdcPacketTagByte
|
||||||
|
buf[1] = sha1.Size
|
||||||
|
w.h.Write(buf[:2])
|
||||||
|
digest := w.h.Sum(nil)
|
||||||
|
copy(buf[2:], digest)
|
||||||
|
|
||||||
|
_, err = w.w.Write(buf[:])
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
return w.w.Close()
|
||||||
|
}
|
||||||
|
|
||||||
|
// noOpCloser is like an ioutil.NopCloser, but for an io.Writer.
|
||||||
|
type noOpCloser struct {
|
||||||
|
w io.Writer
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c noOpCloser) Write(data []byte) (n int, err error) {
|
||||||
|
return c.w.Write(data)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c noOpCloser) Close() error {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// SerializeSymmetricallyEncrypted serializes a symmetrically encrypted packet
|
||||||
|
// to w and returns a WriteCloser to which the to-be-encrypted packets can be
|
||||||
|
// written.
|
||||||
|
// If config is nil, sensible defaults will be used.
|
||||||
|
func SerializeSymmetricallyEncrypted(w io.Writer, c CipherFunction, key []byte, config *Config) (contents io.WriteCloser, err error) {
|
||||||
|
if c.KeySize() != len(key) {
|
||||||
|
return nil, errors.InvalidArgumentError("SymmetricallyEncrypted.Serialize: bad key length")
|
||||||
|
}
|
||||||
|
writeCloser := noOpCloser{w}
|
||||||
|
ciphertext, err := serializeStreamHeader(writeCloser, packetTypeSymmetricallyEncryptedMDC)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
_, err = ciphertext.Write([]byte{symmetricallyEncryptedVersion})
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
block := c.new(key)
|
||||||
|
blockSize := block.BlockSize()
|
||||||
|
iv := make([]byte, blockSize)
|
||||||
|
_, err = config.Random().Read(iv)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
s, prefix := NewOCFBEncrypter(block, iv, OCFBNoResync)
|
||||||
|
_, err = ciphertext.Write(prefix)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
plaintext := cipher.StreamWriter{S: s, W: ciphertext}
|
||||||
|
|
||||||
|
h := sha1.New()
|
||||||
|
h.Write(iv)
|
||||||
|
h.Write(iv[blockSize-2:])
|
||||||
|
contents = &seMDCWriter{w: plaintext, h: h}
|
||||||
|
return
|
||||||
|
}
|
91
vendor/github.com/keybase/go-crypto/openpgp/packet/userattribute.go
generated
vendored
Normal file
91
vendor/github.com/keybase/go-crypto/openpgp/packet/userattribute.go
generated
vendored
Normal file
@ -0,0 +1,91 @@
|
|||||||
|
// Copyright 2013 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package packet
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"image"
|
||||||
|
"image/jpeg"
|
||||||
|
"io"
|
||||||
|
"io/ioutil"
|
||||||
|
)
|
||||||
|
|
||||||
|
const UserAttrImageSubpacket = 1
|
||||||
|
|
||||||
|
// UserAttribute is capable of storing other types of data about a user
|
||||||
|
// beyond name, email and a text comment. In practice, user attributes are typically used
|
||||||
|
// to store a signed thumbnail photo JPEG image of the user.
|
||||||
|
// See RFC 4880, section 5.12.
|
||||||
|
type UserAttribute struct {
|
||||||
|
Contents []*OpaqueSubpacket
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewUserAttributePhoto creates a user attribute packet
|
||||||
|
// containing the given images.
|
||||||
|
func NewUserAttributePhoto(photos ...image.Image) (uat *UserAttribute, err error) {
|
||||||
|
uat = new(UserAttribute)
|
||||||
|
for _, photo := range photos {
|
||||||
|
var buf bytes.Buffer
|
||||||
|
// RFC 4880, Section 5.12.1.
|
||||||
|
data := []byte{
|
||||||
|
0x10, 0x00, // Little-endian image header length (16 bytes)
|
||||||
|
0x01, // Image header version 1
|
||||||
|
0x01, // JPEG
|
||||||
|
0, 0, 0, 0, // 12 reserved octets, must be all zero.
|
||||||
|
0, 0, 0, 0,
|
||||||
|
0, 0, 0, 0}
|
||||||
|
if _, err = buf.Write(data); err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if err = jpeg.Encode(&buf, photo, nil); err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
uat.Contents = append(uat.Contents, &OpaqueSubpacket{
|
||||||
|
SubType: UserAttrImageSubpacket,
|
||||||
|
Contents: buf.Bytes()})
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewUserAttribute creates a new user attribute packet containing the given subpackets.
|
||||||
|
func NewUserAttribute(contents ...*OpaqueSubpacket) *UserAttribute {
|
||||||
|
return &UserAttribute{Contents: contents}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (uat *UserAttribute) parse(r io.Reader) (err error) {
|
||||||
|
// RFC 4880, section 5.13
|
||||||
|
b, err := ioutil.ReadAll(r)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
uat.Contents, err = OpaqueSubpackets(b)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// Serialize marshals the user attribute to w in the form of an OpenPGP packet, including
|
||||||
|
// header.
|
||||||
|
func (uat *UserAttribute) Serialize(w io.Writer) (err error) {
|
||||||
|
var buf bytes.Buffer
|
||||||
|
for _, sp := range uat.Contents {
|
||||||
|
sp.Serialize(&buf)
|
||||||
|
}
|
||||||
|
if err = serializeHeader(w, packetTypeUserAttribute, buf.Len()); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
_, err = w.Write(buf.Bytes())
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// ImageData returns zero or more byte slices, each containing
|
||||||
|
// JPEG File Interchange Format (JFIF), for each photo in the
|
||||||
|
// the user attribute packet.
|
||||||
|
func (uat *UserAttribute) ImageData() (imageData [][]byte) {
|
||||||
|
for _, sp := range uat.Contents {
|
||||||
|
if sp.SubType == UserAttrImageSubpacket && len(sp.Contents) > 16 {
|
||||||
|
imageData = append(imageData, sp.Contents[16:])
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
160
vendor/github.com/keybase/go-crypto/openpgp/packet/userid.go
generated
vendored
Normal file
160
vendor/github.com/keybase/go-crypto/openpgp/packet/userid.go
generated
vendored
Normal file
@ -0,0 +1,160 @@
|
|||||||
|
// Copyright 2011 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package packet
|
||||||
|
|
||||||
|
import (
|
||||||
|
"io"
|
||||||
|
"io/ioutil"
|
||||||
|
"strings"
|
||||||
|
)
|
||||||
|
|
||||||
|
// UserId contains text that is intended to represent the name and email
|
||||||
|
// address of the key holder. See RFC 4880, section 5.11. By convention, this
|
||||||
|
// takes the form "Full Name (Comment) <email@example.com>"
|
||||||
|
type UserId struct {
|
||||||
|
Id string // By convention, this takes the form "Full Name (Comment) <email@example.com>" which is split out in the fields below.
|
||||||
|
|
||||||
|
Name, Comment, Email string
|
||||||
|
}
|
||||||
|
|
||||||
|
func hasInvalidCharacters(s string) bool {
|
||||||
|
for _, c := range s {
|
||||||
|
switch c {
|
||||||
|
case '(', ')', '<', '>', 0:
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewUserId returns a UserId or nil if any of the arguments contain invalid
|
||||||
|
// characters. The invalid characters are '\x00', '(', ')', '<' and '>'
|
||||||
|
func NewUserId(name, comment, email string) *UserId {
|
||||||
|
// RFC 4880 doesn't deal with the structure of userid strings; the
|
||||||
|
// name, comment and email form is just a convention. However, there's
|
||||||
|
// no convention about escaping the metacharacters and GPG just refuses
|
||||||
|
// to create user ids where, say, the name contains a '('. We mirror
|
||||||
|
// this behaviour.
|
||||||
|
|
||||||
|
if hasInvalidCharacters(name) || hasInvalidCharacters(comment) || hasInvalidCharacters(email) {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
uid := new(UserId)
|
||||||
|
uid.Name, uid.Comment, uid.Email = name, comment, email
|
||||||
|
uid.Id = name
|
||||||
|
if len(comment) > 0 {
|
||||||
|
if len(uid.Id) > 0 {
|
||||||
|
uid.Id += " "
|
||||||
|
}
|
||||||
|
uid.Id += "("
|
||||||
|
uid.Id += comment
|
||||||
|
uid.Id += ")"
|
||||||
|
}
|
||||||
|
if len(email) > 0 {
|
||||||
|
if len(uid.Id) > 0 {
|
||||||
|
uid.Id += " "
|
||||||
|
}
|
||||||
|
uid.Id += "<"
|
||||||
|
uid.Id += email
|
||||||
|
uid.Id += ">"
|
||||||
|
}
|
||||||
|
return uid
|
||||||
|
}
|
||||||
|
|
||||||
|
func (uid *UserId) parse(r io.Reader) (err error) {
|
||||||
|
// RFC 4880, section 5.11
|
||||||
|
b, err := ioutil.ReadAll(r)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
uid.Id = string(b)
|
||||||
|
uid.Name, uid.Comment, uid.Email = parseUserId(uid.Id)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// Serialize marshals uid to w in the form of an OpenPGP packet, including
|
||||||
|
// header.
|
||||||
|
func (uid *UserId) Serialize(w io.Writer) error {
|
||||||
|
err := serializeHeader(w, packetTypeUserId, len(uid.Id))
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
_, err = w.Write([]byte(uid.Id))
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
// parseUserId extracts the name, comment and email from a user id string that
|
||||||
|
// is formatted as "Full Name (Comment) <email@example.com>".
|
||||||
|
func parseUserId(id string) (name, comment, email string) {
|
||||||
|
var n, c, e struct {
|
||||||
|
start, end int
|
||||||
|
}
|
||||||
|
var state int
|
||||||
|
|
||||||
|
for offset, rune := range id {
|
||||||
|
switch state {
|
||||||
|
case 0:
|
||||||
|
// Entering name
|
||||||
|
n.start = offset
|
||||||
|
state = 1
|
||||||
|
fallthrough
|
||||||
|
case 1:
|
||||||
|
// In name
|
||||||
|
if rune == '(' {
|
||||||
|
state = 2
|
||||||
|
n.end = offset
|
||||||
|
} else if rune == '<' {
|
||||||
|
state = 5
|
||||||
|
n.end = offset
|
||||||
|
}
|
||||||
|
case 2:
|
||||||
|
// Entering comment
|
||||||
|
c.start = offset
|
||||||
|
state = 3
|
||||||
|
fallthrough
|
||||||
|
case 3:
|
||||||
|
// In comment
|
||||||
|
if rune == ')' {
|
||||||
|
state = 4
|
||||||
|
c.end = offset
|
||||||
|
}
|
||||||
|
case 4:
|
||||||
|
// Between comment and email
|
||||||
|
if rune == '<' {
|
||||||
|
state = 5
|
||||||
|
}
|
||||||
|
case 5:
|
||||||
|
// Entering email
|
||||||
|
e.start = offset
|
||||||
|
state = 6
|
||||||
|
fallthrough
|
||||||
|
case 6:
|
||||||
|
// In email
|
||||||
|
if rune == '>' {
|
||||||
|
state = 7
|
||||||
|
e.end = offset
|
||||||
|
}
|
||||||
|
default:
|
||||||
|
// After email
|
||||||
|
}
|
||||||
|
}
|
||||||
|
switch state {
|
||||||
|
case 1:
|
||||||
|
// ended in the name
|
||||||
|
n.end = len(id)
|
||||||
|
case 3:
|
||||||
|
// ended in comment
|
||||||
|
c.end = len(id)
|
||||||
|
case 6:
|
||||||
|
// ended in email
|
||||||
|
e.end = len(id)
|
||||||
|
}
|
||||||
|
|
||||||
|
name = strings.TrimSpace(id[n.start:n.end])
|
||||||
|
comment = strings.TrimSpace(id[c.start:c.end])
|
||||||
|
email = strings.TrimSpace(id[e.start:e.end])
|
||||||
|
return
|
||||||
|
}
|
7
vendor/github.com/keybase/go-crypto/openpgp/patch.sh
generated
vendored
Normal file
7
vendor/github.com/keybase/go-crypto/openpgp/patch.sh
generated
vendored
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
patch < sig-v3.patch
|
||||||
|
patch < s2k-gnu-dummy.patch
|
||||||
|
find . -type f -name '*.go' -exec sed -i'' -e 's/golang.org\/x\/crypto\/openpgp/github.com\/keybase\/go-crypto\/openpgp/' {} \;
|
||||||
|
find . -type f -name '*.go-e' -exec rm {} \;
|
||||||
|
go test ./...
|
463
vendor/github.com/keybase/go-crypto/openpgp/read.go
generated
vendored
Normal file
463
vendor/github.com/keybase/go-crypto/openpgp/read.go
generated
vendored
Normal file
@ -0,0 +1,463 @@
|
|||||||
|
// Copyright 2011 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// Package openpgp implements high level operations on OpenPGP messages.
|
||||||
|
package openpgp // import "github.com/keybase/go-crypto/openpgp"
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto"
|
||||||
|
"crypto/hmac"
|
||||||
|
_ "crypto/sha256"
|
||||||
|
"hash"
|
||||||
|
"io"
|
||||||
|
"strconv"
|
||||||
|
|
||||||
|
"github.com/keybase/go-crypto/openpgp/armor"
|
||||||
|
"github.com/keybase/go-crypto/openpgp/errors"
|
||||||
|
"github.com/keybase/go-crypto/openpgp/packet"
|
||||||
|
)
|
||||||
|
|
||||||
|
// SignatureType is the armor type for a PGP signature.
|
||||||
|
var SignatureType = "PGP SIGNATURE"
|
||||||
|
|
||||||
|
// readArmored reads an armored block with the given type.
|
||||||
|
func readArmored(r io.Reader, expectedType string) (body io.Reader, err error) {
|
||||||
|
block, err := armor.Decode(r)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
if block.Type != expectedType {
|
||||||
|
return nil, errors.InvalidArgumentError("expected '" + expectedType + "', got: " + block.Type)
|
||||||
|
}
|
||||||
|
|
||||||
|
return block.Body, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// MessageDetails contains the result of parsing an OpenPGP encrypted and/or
|
||||||
|
// signed message.
|
||||||
|
type MessageDetails struct {
|
||||||
|
IsEncrypted bool // true if the message was encrypted.
|
||||||
|
EncryptedToKeyIds []uint64 // the list of recipient key ids.
|
||||||
|
IsSymmetricallyEncrypted bool // true if a passphrase could have decrypted the message.
|
||||||
|
DecryptedWith Key // the private key used to decrypt the message, if any.
|
||||||
|
IsSigned bool // true if the message is signed.
|
||||||
|
SignedByKeyId uint64 // the key id of the signer, if any.
|
||||||
|
SignedBy *Key // the key of the signer, if available.
|
||||||
|
LiteralData *packet.LiteralData // the metadata of the contents
|
||||||
|
UnverifiedBody io.Reader // the contents of the message.
|
||||||
|
|
||||||
|
// If IsSigned is true and SignedBy is non-zero then the signature will
|
||||||
|
// be verified as UnverifiedBody is read. The signature cannot be
|
||||||
|
// checked until the whole of UnverifiedBody is read so UnverifiedBody
|
||||||
|
// must be consumed until EOF before the data can trusted. Even if a
|
||||||
|
// message isn't signed (or the signer is unknown) the data may contain
|
||||||
|
// an authentication code that is only checked once UnverifiedBody has
|
||||||
|
// been consumed. Once EOF has been seen, the following fields are
|
||||||
|
// valid. (An authentication code failure is reported as a
|
||||||
|
// SignatureError error when reading from UnverifiedBody.)
|
||||||
|
SignatureError error // nil if the signature is good.
|
||||||
|
Signature *packet.Signature // the signature packet itself, if v4 (default)
|
||||||
|
SignatureV3 *packet.SignatureV3 // the signature packet if it is a v2 or v3 signature
|
||||||
|
|
||||||
|
decrypted io.ReadCloser
|
||||||
|
}
|
||||||
|
|
||||||
|
// A PromptFunction is used as a callback by functions that may need to decrypt
|
||||||
|
// a private key, or prompt for a passphrase. It is called with a list of
|
||||||
|
// acceptable, encrypted private keys and a boolean that indicates whether a
|
||||||
|
// passphrase is usable. It should either decrypt a private key or return a
|
||||||
|
// passphrase to try. If the decrypted private key or given passphrase isn't
|
||||||
|
// correct, the function will be called again, forever. Any error returned will
|
||||||
|
// be passed up.
|
||||||
|
type PromptFunction func(keys []Key, symmetric bool) ([]byte, error)
|
||||||
|
|
||||||
|
// A keyEnvelopePair is used to store a private key with the envelope that
|
||||||
|
// contains a symmetric key, encrypted with that key.
|
||||||
|
type keyEnvelopePair struct {
|
||||||
|
key Key
|
||||||
|
encryptedKey *packet.EncryptedKey
|
||||||
|
}
|
||||||
|
|
||||||
|
// ReadMessage parses an OpenPGP message that may be signed and/or encrypted.
|
||||||
|
// The given KeyRing should contain both public keys (for signature
|
||||||
|
// verification) and, possibly encrypted, private keys for decrypting.
|
||||||
|
// If config is nil, sensible defaults will be used.
|
||||||
|
func ReadMessage(r io.Reader, keyring KeyRing, prompt PromptFunction, config *packet.Config) (md *MessageDetails, err error) {
|
||||||
|
var p packet.Packet
|
||||||
|
|
||||||
|
var symKeys []*packet.SymmetricKeyEncrypted
|
||||||
|
var pubKeys []keyEnvelopePair
|
||||||
|
var se *packet.SymmetricallyEncrypted
|
||||||
|
|
||||||
|
packets := packet.NewReader(r)
|
||||||
|
md = new(MessageDetails)
|
||||||
|
md.IsEncrypted = true
|
||||||
|
|
||||||
|
// The message, if encrypted, starts with a number of packets
|
||||||
|
// containing an encrypted decryption key. The decryption key is either
|
||||||
|
// encrypted to a public key, or with a passphrase. This loop
|
||||||
|
// collects these packets.
|
||||||
|
ParsePackets:
|
||||||
|
for {
|
||||||
|
p, err = packets.Next()
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
switch p := p.(type) {
|
||||||
|
case *packet.SymmetricKeyEncrypted:
|
||||||
|
// This packet contains the decryption key encrypted with a passphrase.
|
||||||
|
md.IsSymmetricallyEncrypted = true
|
||||||
|
symKeys = append(symKeys, p)
|
||||||
|
case *packet.EncryptedKey:
|
||||||
|
// This packet contains the decryption key encrypted to a public key.
|
||||||
|
md.EncryptedToKeyIds = append(md.EncryptedToKeyIds, p.KeyId)
|
||||||
|
switch p.Algo {
|
||||||
|
case packet.PubKeyAlgoRSA, packet.PubKeyAlgoRSAEncryptOnly, packet.PubKeyAlgoElGamal, packet.PubKeyAlgoECDH:
|
||||||
|
break
|
||||||
|
default:
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
var keys []Key
|
||||||
|
if p.KeyId == 0 {
|
||||||
|
keys = keyring.DecryptionKeys()
|
||||||
|
} else {
|
||||||
|
keys = keyring.KeysById(p.KeyId, nil)
|
||||||
|
}
|
||||||
|
for _, k := range keys {
|
||||||
|
pubKeys = append(pubKeys, keyEnvelopePair{k, p})
|
||||||
|
}
|
||||||
|
case *packet.SymmetricallyEncrypted:
|
||||||
|
se = p
|
||||||
|
break ParsePackets
|
||||||
|
case *packet.Compressed, *packet.LiteralData, *packet.OnePassSignature:
|
||||||
|
// This message isn't encrypted.
|
||||||
|
if len(symKeys) != 0 || len(pubKeys) != 0 {
|
||||||
|
return nil, errors.StructuralError("key material not followed by encrypted message")
|
||||||
|
}
|
||||||
|
packets.Unread(p)
|
||||||
|
return readSignedMessage(packets, nil, keyring)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
var candidates []Key
|
||||||
|
var decrypted io.ReadCloser
|
||||||
|
|
||||||
|
// Now that we have the list of encrypted keys we need to decrypt at
|
||||||
|
// least one of them or, if we cannot, we need to call the prompt
|
||||||
|
// function so that it can decrypt a key or give us a passphrase.
|
||||||
|
FindKey:
|
||||||
|
for {
|
||||||
|
// See if any of the keys already have a private key available
|
||||||
|
candidates = candidates[:0]
|
||||||
|
candidateFingerprints := make(map[string]bool)
|
||||||
|
|
||||||
|
for _, pk := range pubKeys {
|
||||||
|
if pk.key.PrivateKey == nil {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
if !pk.key.PrivateKey.Encrypted {
|
||||||
|
if len(pk.encryptedKey.Key) == 0 {
|
||||||
|
pk.encryptedKey.Decrypt(pk.key.PrivateKey, config)
|
||||||
|
}
|
||||||
|
if len(pk.encryptedKey.Key) == 0 {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
decrypted, err = se.Decrypt(pk.encryptedKey.CipherFunc, pk.encryptedKey.Key)
|
||||||
|
if err != nil && err != errors.ErrKeyIncorrect {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
if decrypted != nil {
|
||||||
|
md.DecryptedWith = pk.key
|
||||||
|
break FindKey
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
fpr := string(pk.key.PublicKey.Fingerprint[:])
|
||||||
|
if v := candidateFingerprints[fpr]; v {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
candidates = append(candidates, pk.key)
|
||||||
|
candidateFingerprints[fpr] = true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(candidates) == 0 && len(symKeys) == 0 {
|
||||||
|
return nil, errors.ErrKeyIncorrect
|
||||||
|
}
|
||||||
|
|
||||||
|
if prompt == nil {
|
||||||
|
return nil, errors.ErrKeyIncorrect
|
||||||
|
}
|
||||||
|
|
||||||
|
passphrase, err := prompt(candidates, len(symKeys) != 0)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Try the symmetric passphrase first
|
||||||
|
if len(symKeys) != 0 && passphrase != nil {
|
||||||
|
for _, s := range symKeys {
|
||||||
|
key, cipherFunc, err := s.Decrypt(passphrase)
|
||||||
|
if err == nil {
|
||||||
|
decrypted, err = se.Decrypt(cipherFunc, key)
|
||||||
|
if err != nil && err != errors.ErrKeyIncorrect {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
if decrypted != nil {
|
||||||
|
break FindKey
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
md.decrypted = decrypted
|
||||||
|
if err := packets.Push(decrypted); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return readSignedMessage(packets, md, keyring)
|
||||||
|
}
|
||||||
|
|
||||||
|
// readSignedMessage reads a possibly signed message if mdin is non-zero then
|
||||||
|
// that structure is updated and returned. Otherwise a fresh MessageDetails is
|
||||||
|
// used.
|
||||||
|
func readSignedMessage(packets *packet.Reader, mdin *MessageDetails, keyring KeyRing) (md *MessageDetails, err error) {
|
||||||
|
if mdin == nil {
|
||||||
|
mdin = new(MessageDetails)
|
||||||
|
}
|
||||||
|
md = mdin
|
||||||
|
|
||||||
|
var p packet.Packet
|
||||||
|
var h hash.Hash
|
||||||
|
var wrappedHash hash.Hash
|
||||||
|
FindLiteralData:
|
||||||
|
for {
|
||||||
|
p, err = packets.Next()
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
switch p := p.(type) {
|
||||||
|
case *packet.Compressed:
|
||||||
|
if err := packets.Push(p.Body); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
case *packet.OnePassSignature:
|
||||||
|
if !p.IsLast {
|
||||||
|
return nil, errors.UnsupportedError("nested signatures")
|
||||||
|
}
|
||||||
|
|
||||||
|
h, wrappedHash, err = hashForSignature(p.Hash, p.SigType)
|
||||||
|
if err != nil {
|
||||||
|
md = nil
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
md.IsSigned = true
|
||||||
|
md.SignedByKeyId = p.KeyId
|
||||||
|
keys := keyring.KeysByIdUsage(p.KeyId, nil, packet.KeyFlagSign)
|
||||||
|
if len(keys) > 0 {
|
||||||
|
md.SignedBy = &keys[0]
|
||||||
|
}
|
||||||
|
case *packet.LiteralData:
|
||||||
|
md.LiteralData = p
|
||||||
|
break FindLiteralData
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if md.SignedBy != nil {
|
||||||
|
md.UnverifiedBody = &signatureCheckReader{packets, h, wrappedHash, md}
|
||||||
|
} else if md.decrypted != nil {
|
||||||
|
md.UnverifiedBody = checkReader{md}
|
||||||
|
} else {
|
||||||
|
md.UnverifiedBody = md.LiteralData.Body
|
||||||
|
}
|
||||||
|
|
||||||
|
return md, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// hashForSignature returns a pair of hashes that can be used to verify a
|
||||||
|
// signature. The signature may specify that the contents of the signed message
|
||||||
|
// should be preprocessed (i.e. to normalize line endings). Thus this function
|
||||||
|
// returns two hashes. The second should be used to hash the message itself and
|
||||||
|
// performs any needed preprocessing.
|
||||||
|
func hashForSignature(hashId crypto.Hash, sigType packet.SignatureType) (hash.Hash, hash.Hash, error) {
|
||||||
|
if !hashId.Available() {
|
||||||
|
return nil, nil, errors.UnsupportedError("hash not available: " + strconv.Itoa(int(hashId)))
|
||||||
|
}
|
||||||
|
h := hashId.New()
|
||||||
|
|
||||||
|
switch sigType {
|
||||||
|
case packet.SigTypeBinary:
|
||||||
|
return h, h, nil
|
||||||
|
case packet.SigTypeText:
|
||||||
|
return h, NewCanonicalTextHash(h), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil, nil, errors.UnsupportedError("unsupported signature type: " + strconv.Itoa(int(sigType)))
|
||||||
|
}
|
||||||
|
|
||||||
|
// checkReader wraps an io.Reader from a LiteralData packet. When it sees EOF
|
||||||
|
// it closes the ReadCloser from any SymmetricallyEncrypted packet to trigger
|
||||||
|
// MDC checks.
|
||||||
|
type checkReader struct {
|
||||||
|
md *MessageDetails
|
||||||
|
}
|
||||||
|
|
||||||
|
func (cr checkReader) Read(buf []byte) (n int, err error) {
|
||||||
|
n, err = cr.md.LiteralData.Body.Read(buf)
|
||||||
|
if err == io.EOF {
|
||||||
|
mdcErr := cr.md.decrypted.Close()
|
||||||
|
if mdcErr != nil {
|
||||||
|
err = mdcErr
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// signatureCheckReader wraps an io.Reader from a LiteralData packet and hashes
|
||||||
|
// the data as it is read. When it sees an EOF from the underlying io.Reader
|
||||||
|
// it parses and checks a trailing Signature packet and triggers any MDC checks.
|
||||||
|
type signatureCheckReader struct {
|
||||||
|
packets *packet.Reader
|
||||||
|
h, wrappedHash hash.Hash
|
||||||
|
md *MessageDetails
|
||||||
|
}
|
||||||
|
|
||||||
|
func (scr *signatureCheckReader) Read(buf []byte) (n int, err error) {
|
||||||
|
n, err = scr.md.LiteralData.Body.Read(buf)
|
||||||
|
scr.wrappedHash.Write(buf[:n])
|
||||||
|
if err == io.EOF {
|
||||||
|
var p packet.Packet
|
||||||
|
p, scr.md.SignatureError = scr.packets.Next()
|
||||||
|
if scr.md.SignatureError != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
var ok bool
|
||||||
|
if scr.md.Signature, ok = p.(*packet.Signature); ok {
|
||||||
|
var err error
|
||||||
|
if fingerprint := scr.md.Signature.IssuerFingerprint; fingerprint != nil {
|
||||||
|
if !hmac.Equal(fingerprint, scr.md.SignedBy.PublicKey.Fingerprint[:]) {
|
||||||
|
err = errors.StructuralError("bad key fingerprint")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if err == nil {
|
||||||
|
err = scr.md.SignedBy.PublicKey.VerifySignature(scr.h, scr.md.Signature)
|
||||||
|
}
|
||||||
|
scr.md.SignatureError = err
|
||||||
|
} else if scr.md.SignatureV3, ok = p.(*packet.SignatureV3); ok {
|
||||||
|
scr.md.SignatureError = scr.md.SignedBy.PublicKey.VerifySignatureV3(scr.h, scr.md.SignatureV3)
|
||||||
|
} else {
|
||||||
|
scr.md.SignatureError = errors.StructuralError("LiteralData not followed by Signature")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// The SymmetricallyEncrypted packet, if any, might have an
|
||||||
|
// unsigned hash of its own. In order to check this we need to
|
||||||
|
// close that Reader.
|
||||||
|
if scr.md.decrypted != nil {
|
||||||
|
mdcErr := scr.md.decrypted.Close()
|
||||||
|
if mdcErr != nil {
|
||||||
|
err = mdcErr
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// CheckDetachedSignature takes a signed file and a detached signature and
|
||||||
|
// returns the signer if the signature is valid. If the signer isn't known,
|
||||||
|
// ErrUnknownIssuer is returned.
|
||||||
|
func CheckDetachedSignature(keyring KeyRing, signed, signature io.Reader) (signer *Entity, err error) {
|
||||||
|
signer, _, err = checkDetachedSignature(keyring, signed, signature)
|
||||||
|
return signer, err
|
||||||
|
}
|
||||||
|
|
||||||
|
func checkDetachedSignature(keyring KeyRing, signed, signature io.Reader) (signer *Entity, issuer *uint64, err error) {
|
||||||
|
var issuerKeyId uint64
|
||||||
|
var issuerFingerprint []byte
|
||||||
|
var hashFunc crypto.Hash
|
||||||
|
var sigType packet.SignatureType
|
||||||
|
var keys []Key
|
||||||
|
var p packet.Packet
|
||||||
|
|
||||||
|
packets := packet.NewReader(signature)
|
||||||
|
for {
|
||||||
|
p, err = packets.Next()
|
||||||
|
if err == io.EOF {
|
||||||
|
return nil, nil, errors.ErrUnknownIssuer
|
||||||
|
}
|
||||||
|
if err != nil {
|
||||||
|
return nil, nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
switch sig := p.(type) {
|
||||||
|
case *packet.Signature:
|
||||||
|
if sig.IssuerKeyId == nil {
|
||||||
|
return nil, nil, errors.StructuralError("signature doesn't have an issuer")
|
||||||
|
}
|
||||||
|
issuerKeyId = *sig.IssuerKeyId
|
||||||
|
hashFunc = sig.Hash
|
||||||
|
sigType = sig.SigType
|
||||||
|
issuerFingerprint = sig.IssuerFingerprint
|
||||||
|
case *packet.SignatureV3:
|
||||||
|
issuerKeyId = sig.IssuerKeyId
|
||||||
|
hashFunc = sig.Hash
|
||||||
|
sigType = sig.SigType
|
||||||
|
default:
|
||||||
|
return nil, nil, errors.StructuralError("non signature packet found")
|
||||||
|
}
|
||||||
|
|
||||||
|
keys = keyring.KeysByIdUsage(issuerKeyId, issuerFingerprint, packet.KeyFlagSign)
|
||||||
|
if len(keys) > 0 {
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(keys) == 0 {
|
||||||
|
panic("unreachable")
|
||||||
|
}
|
||||||
|
|
||||||
|
h, wrappedHash, err := hashForSignature(hashFunc, sigType)
|
||||||
|
if err != nil {
|
||||||
|
return nil, nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if _, err := io.Copy(wrappedHash, signed); err != nil && err != io.EOF {
|
||||||
|
return nil, nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, key := range keys {
|
||||||
|
switch sig := p.(type) {
|
||||||
|
case *packet.Signature:
|
||||||
|
err = key.PublicKey.VerifySignature(h, sig)
|
||||||
|
case *packet.SignatureV3:
|
||||||
|
err = key.PublicKey.VerifySignatureV3(h, sig)
|
||||||
|
default:
|
||||||
|
panic("unreachable")
|
||||||
|
}
|
||||||
|
|
||||||
|
if err == nil {
|
||||||
|
return key.Entity, &issuerKeyId, nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil, nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// CheckArmoredDetachedSignature performs the same actions as
|
||||||
|
// CheckDetachedSignature but expects the signature to be armored.
|
||||||
|
func CheckArmoredDetachedSignature(keyring KeyRing, signed, signature io.Reader) (signer *Entity, err error) {
|
||||||
|
signer, _, err = checkArmoredDetachedSignature(keyring, signed, signature)
|
||||||
|
return signer, err
|
||||||
|
}
|
||||||
|
|
||||||
|
func checkArmoredDetachedSignature(keyring KeyRing, signed, signature io.Reader) (signer *Entity, issuer *uint64, err error) {
|
||||||
|
body, err := readArmored(signature, SignatureType)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
return checkDetachedSignature(keyring, signed, body)
|
||||||
|
}
|
326
vendor/github.com/keybase/go-crypto/openpgp/s2k/s2k.go
generated
vendored
Normal file
326
vendor/github.com/keybase/go-crypto/openpgp/s2k/s2k.go
generated
vendored
Normal file
@ -0,0 +1,326 @@
|
|||||||
|
// Copyright 2011 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// Package s2k implements the various OpenPGP string-to-key transforms as
|
||||||
|
// specified in RFC 4800 section 3.7.1.
|
||||||
|
package s2k // import "github.com/keybase/go-crypto/openpgp/s2k"
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto"
|
||||||
|
"hash"
|
||||||
|
"io"
|
||||||
|
"strconv"
|
||||||
|
|
||||||
|
"github.com/keybase/go-crypto/openpgp/errors"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Config collects configuration parameters for s2k key-stretching
|
||||||
|
// transformatioms. A nil *Config is valid and results in all default
|
||||||
|
// values. Currently, Config is used only by the Serialize function in
|
||||||
|
// this package.
|
||||||
|
type Config struct {
|
||||||
|
// Hash is the default hash function to be used. If
|
||||||
|
// nil, SHA1 is used.
|
||||||
|
Hash crypto.Hash
|
||||||
|
// S2KCount is only used for symmetric encryption. It
|
||||||
|
// determines the strength of the passphrase stretching when
|
||||||
|
// the said passphrase is hashed to produce a key. S2KCount
|
||||||
|
// should be between 1024 and 65011712, inclusive. If Config
|
||||||
|
// is nil or S2KCount is 0, the value 65536 used. Not all
|
||||||
|
// values in the above range can be represented. S2KCount will
|
||||||
|
// be rounded up to the next representable value if it cannot
|
||||||
|
// be encoded exactly. When set, it is strongly encrouraged to
|
||||||
|
// use a value that is at least 65536. See RFC 4880 Section
|
||||||
|
// 3.7.1.3.
|
||||||
|
S2KCount int
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *Config) hash() crypto.Hash {
|
||||||
|
if c == nil || uint(c.Hash) == 0 {
|
||||||
|
// SHA1 is the historical default in this package.
|
||||||
|
return crypto.SHA1
|
||||||
|
}
|
||||||
|
|
||||||
|
return c.Hash
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *Config) encodedCount() uint8 {
|
||||||
|
if c == nil || c.S2KCount == 0 {
|
||||||
|
return 96 // The common case. Correspoding to 65536
|
||||||
|
}
|
||||||
|
|
||||||
|
i := c.S2KCount
|
||||||
|
switch {
|
||||||
|
// Behave like GPG. Should we make 65536 the lowest value used?
|
||||||
|
case i < 1024:
|
||||||
|
i = 1024
|
||||||
|
case i > 65011712:
|
||||||
|
i = 65011712
|
||||||
|
}
|
||||||
|
|
||||||
|
return encodeCount(i)
|
||||||
|
}
|
||||||
|
|
||||||
|
// encodeCount converts an iterative "count" in the range 1024 to
|
||||||
|
// 65011712, inclusive, to an encoded count. The return value is the
|
||||||
|
// octet that is actually stored in the GPG file. encodeCount panics
|
||||||
|
// if i is not in the above range (encodedCount above takes care to
|
||||||
|
// pass i in the correct range). See RFC 4880 Section 3.7.7.1.
|
||||||
|
func encodeCount(i int) uint8 {
|
||||||
|
if i < 1024 || i > 65011712 {
|
||||||
|
panic("count arg i outside the required range")
|
||||||
|
}
|
||||||
|
|
||||||
|
for encoded := 0; encoded < 256; encoded++ {
|
||||||
|
count := decodeCount(uint8(encoded))
|
||||||
|
if count >= i {
|
||||||
|
return uint8(encoded)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return 255
|
||||||
|
}
|
||||||
|
|
||||||
|
// decodeCount returns the s2k mode 3 iterative "count" corresponding to
|
||||||
|
// the encoded octet c.
|
||||||
|
func decodeCount(c uint8) int {
|
||||||
|
return (16 + int(c&15)) << (uint32(c>>4) + 6)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Simple writes to out the result of computing the Simple S2K function (RFC
|
||||||
|
// 4880, section 3.7.1.1) using the given hash and input passphrase.
|
||||||
|
func Simple(out []byte, h hash.Hash, in []byte) {
|
||||||
|
Salted(out, h, in, nil)
|
||||||
|
}
|
||||||
|
|
||||||
|
var zero [1]byte
|
||||||
|
|
||||||
|
// Salted writes to out the result of computing the Salted S2K function (RFC
|
||||||
|
// 4880, section 3.7.1.2) using the given hash, input passphrase and salt.
|
||||||
|
func Salted(out []byte, h hash.Hash, in []byte, salt []byte) {
|
||||||
|
done := 0
|
||||||
|
var digest []byte
|
||||||
|
|
||||||
|
for i := 0; done < len(out); i++ {
|
||||||
|
h.Reset()
|
||||||
|
for j := 0; j < i; j++ {
|
||||||
|
h.Write(zero[:])
|
||||||
|
}
|
||||||
|
h.Write(salt)
|
||||||
|
h.Write(in)
|
||||||
|
digest = h.Sum(digest[:0])
|
||||||
|
n := copy(out[done:], digest)
|
||||||
|
done += n
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Iterated writes to out the result of computing the Iterated and Salted S2K
|
||||||
|
// function (RFC 4880, section 3.7.1.3) using the given hash, input passphrase,
|
||||||
|
// salt and iteration count.
|
||||||
|
func Iterated(out []byte, h hash.Hash, in []byte, salt []byte, count int) {
|
||||||
|
combined := make([]byte, len(in)+len(salt))
|
||||||
|
copy(combined, salt)
|
||||||
|
copy(combined[len(salt):], in)
|
||||||
|
|
||||||
|
if count < len(combined) {
|
||||||
|
count = len(combined)
|
||||||
|
}
|
||||||
|
|
||||||
|
done := 0
|
||||||
|
var digest []byte
|
||||||
|
for i := 0; done < len(out); i++ {
|
||||||
|
h.Reset()
|
||||||
|
for j := 0; j < i; j++ {
|
||||||
|
h.Write(zero[:])
|
||||||
|
}
|
||||||
|
written := 0
|
||||||
|
for written < count {
|
||||||
|
if written+len(combined) > count {
|
||||||
|
todo := count - written
|
||||||
|
h.Write(combined[:todo])
|
||||||
|
written = count
|
||||||
|
} else {
|
||||||
|
h.Write(combined)
|
||||||
|
written += len(combined)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
digest = h.Sum(digest[:0])
|
||||||
|
n := copy(out[done:], digest)
|
||||||
|
done += n
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func parseGNUExtensions(r io.Reader) (f func(out, in []byte), err error) {
|
||||||
|
var buf [9]byte
|
||||||
|
|
||||||
|
// A three-byte string identifier
|
||||||
|
_, err = io.ReadFull(r, buf[:3])
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
gnuExt := string(buf[:3])
|
||||||
|
|
||||||
|
if gnuExt != "GNU" {
|
||||||
|
return nil, errors.UnsupportedError("Malformed GNU extension: " + gnuExt)
|
||||||
|
}
|
||||||
|
_, err = io.ReadFull(r, buf[:1])
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
gnuExtType := int(buf[0])
|
||||||
|
switch gnuExtType {
|
||||||
|
case 1:
|
||||||
|
return nil, nil
|
||||||
|
case 2:
|
||||||
|
// Read a serial number, which is prefixed by a 1-byte length.
|
||||||
|
// The maximum length is 16.
|
||||||
|
var lenBuf [1]byte
|
||||||
|
_, err = io.ReadFull(r, lenBuf[:])
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
maxLen := 16
|
||||||
|
ivLen := int(lenBuf[0])
|
||||||
|
if ivLen > maxLen {
|
||||||
|
ivLen = maxLen
|
||||||
|
}
|
||||||
|
ivBuf := make([]byte, ivLen)
|
||||||
|
// For now we simply discard the IV
|
||||||
|
_, err = io.ReadFull(r, ivBuf)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
return nil, nil
|
||||||
|
default:
|
||||||
|
return nil, errors.UnsupportedError("unknown S2K GNU protection mode: " + strconv.Itoa(int(gnuExtType)))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Parse reads a binary specification for a string-to-key transformation from r
|
||||||
|
// and returns a function which performs that transform.
|
||||||
|
func Parse(r io.Reader) (f func(out, in []byte), err error) {
|
||||||
|
var buf [9]byte
|
||||||
|
|
||||||
|
_, err = io.ReadFull(r, buf[:2])
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// GNU Extensions; handle them before we try to look for a hash, which won't
|
||||||
|
// be needed in most cases anyway.
|
||||||
|
if buf[0] == 101 {
|
||||||
|
return parseGNUExtensions(r)
|
||||||
|
}
|
||||||
|
|
||||||
|
hash, ok := HashIdToHash(buf[1])
|
||||||
|
if !ok {
|
||||||
|
return nil, errors.UnsupportedError("hash for S2K function: " + strconv.Itoa(int(buf[1])))
|
||||||
|
}
|
||||||
|
if !hash.Available() {
|
||||||
|
return nil, errors.UnsupportedError("hash not available: " + strconv.Itoa(int(hash)))
|
||||||
|
}
|
||||||
|
h := hash.New()
|
||||||
|
|
||||||
|
switch buf[0] {
|
||||||
|
case 0:
|
||||||
|
f := func(out, in []byte) {
|
||||||
|
Simple(out, h, in)
|
||||||
|
}
|
||||||
|
return f, nil
|
||||||
|
case 1:
|
||||||
|
_, err = io.ReadFull(r, buf[:8])
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
f := func(out, in []byte) {
|
||||||
|
Salted(out, h, in, buf[:8])
|
||||||
|
}
|
||||||
|
return f, nil
|
||||||
|
case 3:
|
||||||
|
_, err = io.ReadFull(r, buf[:9])
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
count := decodeCount(buf[8])
|
||||||
|
f := func(out, in []byte) {
|
||||||
|
Iterated(out, h, in, buf[:8], count)
|
||||||
|
}
|
||||||
|
return f, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil, errors.UnsupportedError("S2K function")
|
||||||
|
}
|
||||||
|
|
||||||
|
// Serialize salts and stretches the given passphrase and writes the
|
||||||
|
// resulting key into key. It also serializes an S2K descriptor to
|
||||||
|
// w. The key stretching can be configured with c, which may be
|
||||||
|
// nil. In that case, sensible defaults will be used.
|
||||||
|
func Serialize(w io.Writer, key []byte, rand io.Reader, passphrase []byte, c *Config) error {
|
||||||
|
var buf [11]byte
|
||||||
|
buf[0] = 3 /* iterated and salted */
|
||||||
|
buf[1], _ = HashToHashId(c.hash())
|
||||||
|
salt := buf[2:10]
|
||||||
|
if _, err := io.ReadFull(rand, salt); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
encodedCount := c.encodedCount()
|
||||||
|
count := decodeCount(encodedCount)
|
||||||
|
buf[10] = encodedCount
|
||||||
|
if _, err := w.Write(buf[:]); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
Iterated(key, c.hash().New(), passphrase, salt, count)
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// hashToHashIdMapping contains pairs relating OpenPGP's hash identifier with
|
||||||
|
// Go's crypto.Hash type. See RFC 4880, section 9.4.
|
||||||
|
var hashToHashIdMapping = []struct {
|
||||||
|
id byte
|
||||||
|
hash crypto.Hash
|
||||||
|
name string
|
||||||
|
}{
|
||||||
|
{1, crypto.MD5, "MD5"},
|
||||||
|
{2, crypto.SHA1, "SHA1"},
|
||||||
|
{3, crypto.RIPEMD160, "RIPEMD160"},
|
||||||
|
{8, crypto.SHA256, "SHA256"},
|
||||||
|
{9, crypto.SHA384, "SHA384"},
|
||||||
|
{10, crypto.SHA512, "SHA512"},
|
||||||
|
{11, crypto.SHA224, "SHA224"},
|
||||||
|
}
|
||||||
|
|
||||||
|
// HashIdToHash returns a crypto.Hash which corresponds to the given OpenPGP
|
||||||
|
// hash id.
|
||||||
|
func HashIdToHash(id byte) (h crypto.Hash, ok bool) {
|
||||||
|
for _, m := range hashToHashIdMapping {
|
||||||
|
if m.id == id {
|
||||||
|
return m.hash, true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return 0, false
|
||||||
|
}
|
||||||
|
|
||||||
|
// HashIdToString returns the name of the hash function corresponding to the
|
||||||
|
// given OpenPGP hash id, or panics if id is unknown.
|
||||||
|
func HashIdToString(id byte) (name string, ok bool) {
|
||||||
|
for _, m := range hashToHashIdMapping {
|
||||||
|
if m.id == id {
|
||||||
|
return m.name, true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return "", false
|
||||||
|
}
|
||||||
|
|
||||||
|
// HashIdToHash returns an OpenPGP hash id which corresponds the given Hash.
|
||||||
|
func HashToHashId(h crypto.Hash) (id byte, ok bool) {
|
||||||
|
for _, m := range hashToHashIdMapping {
|
||||||
|
if m.hash == h {
|
||||||
|
return m.id, true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return 0, false
|
||||||
|
}
|
135
vendor/github.com/keybase/go-crypto/openpgp/sig-v3.patch
generated
vendored
Normal file
135
vendor/github.com/keybase/go-crypto/openpgp/sig-v3.patch
generated
vendored
Normal file
@ -0,0 +1,135 @@
|
|||||||
|
diff --git a/openpgp/read.go b/openpgp/read.go
|
||||||
|
index a6cecc5..0c9397b 100644
|
||||||
|
--- a/openpgp/read.go
|
||||||
|
+++ b/openpgp/read.go
|
||||||
|
@@ -56,8 +56,9 @@ type MessageDetails struct {
|
||||||
|
// been consumed. Once EOF has been seen, the following fields are
|
||||||
|
// valid. (An authentication code failure is reported as a
|
||||||
|
// SignatureError error when reading from UnverifiedBody.)
|
||||||
|
- SignatureError error // nil if the signature is good.
|
||||||
|
- Signature *packet.Signature // the signature packet itself.
|
||||||
|
+ SignatureError error // nil if the signature is good.
|
||||||
|
+ Signature *packet.Signature // the signature packet itself, if v4 (default)
|
||||||
|
+ SignatureV3 *packet.SignatureV3 // the signature packet if it is a v2 or v3 signature
|
||||||
|
|
||||||
|
decrypted io.ReadCloser
|
||||||
|
}
|
||||||
|
@@ -334,13 +335,15 @@ func (scr *signatureCheckReader) Read(buf []byte) (n int, err error) {
|
||||||
|
}
|
||||||
|
|
||||||
|
var ok bool
|
||||||
|
- if scr.md.Signature, ok = p.(*packet.Signature); !ok {
|
||||||
|
+ if scr.md.Signature, ok = p.(*packet.Signature); ok {
|
||||||
|
+ scr.md.SignatureError = scr.md.SignedBy.PublicKey.VerifySignature(scr.h, scr.md.Signature)
|
||||||
|
+ } else if scr.md.SignatureV3, ok = p.(*packet.SignatureV3); ok {
|
||||||
|
+ scr.md.SignatureError = scr.md.SignedBy.PublicKey.VerifySignatureV3(scr.h, scr.md.SignatureV3)
|
||||||
|
+ } else {
|
||||||
|
scr.md.SignatureError = errors.StructuralError("LiteralData not followed by Signature")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
- scr.md.SignatureError = scr.md.SignedBy.PublicKey.VerifySignature(scr.h, scr.md.Signature)
|
||||||
|
-
|
||||||
|
// The SymmetricallyEncrypted packet, if any, might have an
|
||||||
|
// unsigned hash of its own. In order to check this we need to
|
||||||
|
// close that Reader.
|
||||||
|
diff --git a/openpgp/read_test.go b/openpgp/read_test.go
|
||||||
|
index 52f942c..abe8d7b 100644
|
||||||
|
--- a/openpgp/read_test.go
|
||||||
|
+++ b/openpgp/read_test.go
|
||||||
|
@@ -13,6 +13,7 @@ import (
|
||||||
|
"strings"
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
+ "golang.org/x/crypto/openpgp/armor"
|
||||||
|
"golang.org/x/crypto/openpgp/errors"
|
||||||
|
)
|
||||||
|
|
||||||
|
@@ -411,6 +412,50 @@ func TestIssue11504(t *testing.T) {
|
||||||
|
testReadMessageError(t, "9303000130303030303030303030983002303030303030030000000130")
|
||||||
|
}
|
||||||
|
|
||||||
|
+// TestSignatureV3Message tests the verification of V3 signature, generated
|
||||||
|
+// with a modern V4-style key. Some people have their clients set to generate
|
||||||
|
+// V3 signatures, so it's useful to be able to verify them.
|
||||||
|
+func TestSignatureV3Message(t *testing.T) {
|
||||||
|
+ sig, err := armor.Decode(strings.NewReader(signedMessageV3))
|
||||||
|
+ if err != nil {
|
||||||
|
+ t.Error(err)
|
||||||
|
+ return
|
||||||
|
+ }
|
||||||
|
+ key, err := ReadArmoredKeyRing(strings.NewReader(keyV4forVerifyingSignedMessageV3))
|
||||||
|
+ if err != nil {
|
||||||
|
+ t.Error(err)
|
||||||
|
+ return
|
||||||
|
+ }
|
||||||
|
+ md, err := ReadMessage(sig.Body, key, nil, nil)
|
||||||
|
+ if err != nil {
|
||||||
|
+ t.Error(err)
|
||||||
|
+ return
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ _, err = ioutil.ReadAll(md.UnverifiedBody)
|
||||||
|
+ if err != nil {
|
||||||
|
+ t.Error(err)
|
||||||
|
+ return
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ // We'll see a sig error here after reading in the UnverifiedBody above,
|
||||||
|
+ // if there was one to see.
|
||||||
|
+ if err = md.SignatureError; err != nil {
|
||||||
|
+ t.Error(err)
|
||||||
|
+ return
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if md.SignatureV3 == nil {
|
||||||
|
+ t.Errorf("No available signature after checking signature")
|
||||||
|
+ return
|
||||||
|
+ }
|
||||||
|
+ if md.Signature != nil {
|
||||||
|
+ t.Errorf("Did not expect a signature V4 back")
|
||||||
|
+ return
|
||||||
|
+ }
|
||||||
|
+ return
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
const testKey1KeyId = 0xA34D7E18C20C31BB
|
||||||
|
const testKey3KeyId = 0x338934250CCC0360
|
||||||
|
|
||||||
|
@@ -504,3 +549,36 @@ const unknownHashFunctionHex = `8a00000040040001990006050253863c24000a09103b4fe6
|
||||||
|
const missingHashFunctionHex = `8a00000040040001030006050253863c24000a09103b4fe6acc0b21f32ffff0101010101010101010101010101010101010101010101010101010101010101010101010101`
|
||||||
|
|
||||||
|
const campbellQuine = `a0b001000300fcffa0b001000d00f2ff000300fcffa0b001000d00f2ff8270a01c00000500faff8270a01c00000500faff000500faff001400ebff8270a01c00000500faff000500faff001400ebff428821c400001400ebff428821c400001400ebff428821c400001400ebff428821c400001400ebff428821c400000000ffff000000ffff000b00f4ff428821c400000000ffff000000ffff000b00f4ff0233214c40000100feff000233214c40000100feff0000`
|
||||||
|
+
|
||||||
|
+const keyV4forVerifyingSignedMessageV3 = `-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||||
|
+Comment: GPGTools - https://gpgtools.org
|
||||||
|
+
|
||||||
|
+mI0EVfxoFQEEAMBIqmbDfYygcvP6Phr1wr1XI41IF7Qixqybs/foBF8qqblD9gIY
|
||||||
|
+BKpXjnBOtbkcVOJ0nljd3/sQIfH4E0vQwK5/4YRQSI59eKOqd6Fx+fWQOLG+uu6z
|
||||||
|
+tewpeCj9LLHvibx/Sc7VWRnrznia6ftrXxJ/wHMezSab3tnGC0YPVdGNABEBAAG0
|
||||||
|
+JEdvY3J5cHRvIFRlc3QgS2V5IDx0aGVtYXhAZ21haWwuY29tPoi5BBMBCgAjBQJV
|
||||||
|
+/GgVAhsDBwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQeXnQmhdGW9PFVAP+
|
||||||
|
+K7TU0qX5ArvIONIxh/WAweyOk884c5cE8f+3NOPOOCRGyVy0FId5A7MmD5GOQh4H
|
||||||
|
+JseOZVEVCqlmngEvtHZb3U1VYtVGE5WZ+6rQhGsMcWP5qaT4soYwMBlSYxgYwQcx
|
||||||
|
+YhN9qOr292f9j2Y//TTIJmZT4Oa+lMxhWdqTfX+qMgG4jQRV/GgVAQQArhFSiij1
|
||||||
|
+b+hT3dnapbEU+23Z1yTu1DfF6zsxQ4XQWEV3eR8v+8mEDDNcz8oyyF56k6UQ3rXi
|
||||||
|
+UMTIwRDg4V6SbZmaFbZYCOwp/EmXJ3rfhm7z7yzXj2OFN22luuqbyVhuL7LRdB0M
|
||||||
|
+pxgmjXb4tTvfgKd26x34S+QqUJ7W6uprY4sAEQEAAYifBBgBCgAJBQJV/GgVAhsM
|
||||||
|
+AAoJEHl50JoXRlvT7y8D/02ckx4OMkKBZo7viyrBw0MLG92i+DC2bs35PooHR6zz
|
||||||
|
+786mitjOp5z2QWNLBvxC70S0qVfCIz8jKupO1J6rq6Z8CcbLF3qjm6h1omUBf8Nd
|
||||||
|
+EfXKD2/2HV6zMKVknnKzIEzauh+eCKS2CeJUSSSryap/QLVAjRnckaES/OsEWhNB
|
||||||
|
+=RZia
|
||||||
|
+-----END PGP PUBLIC KEY BLOCK-----
|
||||||
|
+`
|
||||||
|
+
|
||||||
|
+const signedMessageV3 = `-----BEGIN PGP MESSAGE-----
|
||||||
|
+Comment: GPGTools - https://gpgtools.org
|
||||||
|
+
|
||||||
|
+owGbwMvMwMVYWXlhlrhb9GXG03JJDKF/MtxDMjKLFYAoUaEktbhEITe1uDgxPVWP
|
||||||
|
+q5NhKjMrWAVcC9evD8z/bF/uWNjqtk/X3y5/38XGRQHm/57rrDRYuGnTw597Xqka
|
||||||
|
+uM3137/hH3Os+Jf2dc0fXOITKwJvXJvecPVs0ta+Vg7ZO1MLn8w58Xx+6L58mbka
|
||||||
|
+DGHyU9yTueZE8D+QF/Tz28Y78dqtF56R1VPn9Xw4uJqrWYdd7b3vIZ1V6R4Nh05d
|
||||||
|
+iT57d/OhWwA=
|
||||||
|
+=hG7R
|
||||||
|
+-----END PGP MESSAGE-----
|
||||||
|
+`
|
495
vendor/github.com/keybase/go-crypto/openpgp/write.go
generated
vendored
Normal file
495
vendor/github.com/keybase/go-crypto/openpgp/write.go
generated
vendored
Normal file
@ -0,0 +1,495 @@
|
|||||||
|
// Copyright 2011 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package openpgp
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto"
|
||||||
|
"hash"
|
||||||
|
"io"
|
||||||
|
"strconv"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/keybase/go-crypto/openpgp/armor"
|
||||||
|
"github.com/keybase/go-crypto/openpgp/errors"
|
||||||
|
"github.com/keybase/go-crypto/openpgp/packet"
|
||||||
|
"github.com/keybase/go-crypto/openpgp/s2k"
|
||||||
|
)
|
||||||
|
|
||||||
|
// DetachSign signs message with the private key from signer (which must
|
||||||
|
// already have been decrypted) and writes the signature to w.
|
||||||
|
// If config is nil, sensible defaults will be used.
|
||||||
|
func DetachSign(w io.Writer, signer *Entity, message io.Reader, config *packet.Config) error {
|
||||||
|
return detachSign(w, signer, message, packet.SigTypeBinary, config)
|
||||||
|
}
|
||||||
|
|
||||||
|
// ArmoredDetachSign signs message with the private key from signer (which
|
||||||
|
// must already have been decrypted) and writes an armored signature to w.
|
||||||
|
// If config is nil, sensible defaults will be used.
|
||||||
|
func ArmoredDetachSign(w io.Writer, signer *Entity, message io.Reader, config *packet.Config) (err error) {
|
||||||
|
return armoredDetachSign(w, signer, message, packet.SigTypeBinary, config)
|
||||||
|
}
|
||||||
|
|
||||||
|
// DetachSignText signs message (after canonicalising the line endings) with
|
||||||
|
// the private key from signer (which must already have been decrypted) and
|
||||||
|
// writes the signature to w.
|
||||||
|
// If config is nil, sensible defaults will be used.
|
||||||
|
func DetachSignText(w io.Writer, signer *Entity, message io.Reader, config *packet.Config) error {
|
||||||
|
return detachSign(w, signer, message, packet.SigTypeText, config)
|
||||||
|
}
|
||||||
|
|
||||||
|
// ArmoredDetachSignText signs message (after canonicalising the line endings)
|
||||||
|
// with the private key from signer (which must already have been decrypted)
|
||||||
|
// and writes an armored signature to w.
|
||||||
|
// If config is nil, sensible defaults will be used.
|
||||||
|
func ArmoredDetachSignText(w io.Writer, signer *Entity, message io.Reader, config *packet.Config) error {
|
||||||
|
return armoredDetachSign(w, signer, message, packet.SigTypeText, config)
|
||||||
|
}
|
||||||
|
|
||||||
|
func armoredDetachSign(w io.Writer, signer *Entity, message io.Reader, sigType packet.SignatureType, config *packet.Config) (err error) {
|
||||||
|
out, err := armor.Encode(w, SignatureType, nil)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
err = detachSign(out, signer, message, sigType, config)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
return out.Close()
|
||||||
|
}
|
||||||
|
|
||||||
|
// SignWithSigner signs the message of type sigType with s and writes the
|
||||||
|
// signature to w.
|
||||||
|
// If config is nil, sensible defaults will be used.
|
||||||
|
func SignWithSigner(s packet.Signer, w io.Writer, message io.Reader, sigType packet.SignatureType, config *packet.Config) (err error) {
|
||||||
|
keyId := s.KeyId()
|
||||||
|
sig := new(packet.Signature)
|
||||||
|
sig.SigType = sigType
|
||||||
|
sig.PubKeyAlgo = s.PublicKeyAlgo()
|
||||||
|
sig.Hash = config.Hash()
|
||||||
|
sig.CreationTime = config.Now()
|
||||||
|
sig.IssuerKeyId = &keyId
|
||||||
|
|
||||||
|
s.Reset()
|
||||||
|
|
||||||
|
wrapped := s.(hash.Hash)
|
||||||
|
|
||||||
|
if sigType == packet.SigTypeText {
|
||||||
|
wrapped = NewCanonicalTextHash(s)
|
||||||
|
}
|
||||||
|
|
||||||
|
io.Copy(wrapped, message)
|
||||||
|
|
||||||
|
err = sig.Sign(s, nil, config)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
err = sig.Serialize(w)
|
||||||
|
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func detachSign(w io.Writer, signer *Entity, message io.Reader, sigType packet.SignatureType, config *packet.Config) (err error) {
|
||||||
|
signerSubkey, ok := signer.signingKey(config.Now())
|
||||||
|
if !ok {
|
||||||
|
err = errors.InvalidArgumentError("no valid signing keys")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if signerSubkey.PrivateKey == nil {
|
||||||
|
return errors.InvalidArgumentError("signing key doesn't have a private key")
|
||||||
|
}
|
||||||
|
if signerSubkey.PrivateKey.Encrypted {
|
||||||
|
return errors.InvalidArgumentError("signing key is encrypted")
|
||||||
|
}
|
||||||
|
|
||||||
|
sig := new(packet.Signature)
|
||||||
|
sig.SigType = sigType
|
||||||
|
sig.PubKeyAlgo = signerSubkey.PrivateKey.PubKeyAlgo
|
||||||
|
sig.Hash = config.Hash()
|
||||||
|
sig.CreationTime = config.Now()
|
||||||
|
sig.IssuerKeyId = &signerSubkey.PrivateKey.KeyId
|
||||||
|
|
||||||
|
h, wrappedHash, err := hashForSignature(sig.Hash, sig.SigType)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
io.Copy(wrappedHash, message)
|
||||||
|
|
||||||
|
err = sig.Sign(h, signerSubkey.PrivateKey, config)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
return sig.Serialize(w)
|
||||||
|
}
|
||||||
|
|
||||||
|
// FileHints contains metadata about encrypted files. This metadata is, itself,
|
||||||
|
// encrypted.
|
||||||
|
type FileHints struct {
|
||||||
|
// IsBinary can be set to hint that the contents are binary data.
|
||||||
|
IsBinary bool
|
||||||
|
// FileName hints at the name of the file that should be written. It's
|
||||||
|
// truncated to 255 bytes if longer. It may be empty to suggest that the
|
||||||
|
// file should not be written to disk. It may be equal to "_CONSOLE" to
|
||||||
|
// suggest the data should not be written to disk.
|
||||||
|
FileName string
|
||||||
|
// ModTime contains the modification time of the file, or the zero time if not applicable.
|
||||||
|
ModTime time.Time
|
||||||
|
}
|
||||||
|
|
||||||
|
// SymmetricallyEncrypt acts like gpg -c: it encrypts a file with a passphrase.
|
||||||
|
// The resulting WriteCloser must be closed after the contents of the file have
|
||||||
|
// been written.
|
||||||
|
// If config is nil, sensible defaults will be used.
|
||||||
|
func SymmetricallyEncrypt(ciphertext io.Writer, passphrase []byte, hints *FileHints, config *packet.Config) (plaintext io.WriteCloser, err error) {
|
||||||
|
if hints == nil {
|
||||||
|
hints = &FileHints{}
|
||||||
|
}
|
||||||
|
|
||||||
|
key, err := packet.SerializeSymmetricKeyEncrypted(ciphertext, passphrase, config)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
w, err := packet.SerializeSymmetricallyEncrypted(ciphertext, config.Cipher(), key, config)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
literaldata := w
|
||||||
|
if algo := config.Compression(); algo != packet.CompressionNone {
|
||||||
|
var compConfig *packet.CompressionConfig
|
||||||
|
if config != nil {
|
||||||
|
compConfig = config.CompressionConfig
|
||||||
|
}
|
||||||
|
literaldata, err = packet.SerializeCompressed(w, algo, compConfig)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
var epochSeconds uint32
|
||||||
|
if !hints.ModTime.IsZero() {
|
||||||
|
epochSeconds = uint32(hints.ModTime.Unix())
|
||||||
|
}
|
||||||
|
return packet.SerializeLiteral(literaldata, hints.IsBinary, hints.FileName, epochSeconds)
|
||||||
|
}
|
||||||
|
|
||||||
|
// intersectPreferences mutates and returns a prefix of a that contains only
|
||||||
|
// the values in the intersection of a and b. The order of a is preserved.
|
||||||
|
func intersectPreferences(a []uint8, b []uint8) (intersection []uint8) {
|
||||||
|
var j int
|
||||||
|
for _, v := range a {
|
||||||
|
for _, v2 := range b {
|
||||||
|
if v == v2 {
|
||||||
|
a[j] = v
|
||||||
|
j++
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return a[:j]
|
||||||
|
}
|
||||||
|
|
||||||
|
func hashToHashId(h crypto.Hash) uint8 {
|
||||||
|
v, ok := s2k.HashToHashId(h)
|
||||||
|
if !ok {
|
||||||
|
panic("tried to convert unknown hash")
|
||||||
|
}
|
||||||
|
return v
|
||||||
|
}
|
||||||
|
|
||||||
|
// Encrypt encrypts a message to a number of recipients and, optionally, signs
|
||||||
|
// it. hints contains optional information, that is also encrypted, that aids
|
||||||
|
// the recipients in processing the message. The resulting WriteCloser must
|
||||||
|
// be closed after the contents of the file have been written.
|
||||||
|
// If config is nil, sensible defaults will be used.
|
||||||
|
func Encrypt(ciphertext io.Writer, to []*Entity, signed *Entity, hints *FileHints, config *packet.Config) (plaintext io.WriteCloser, err error) {
|
||||||
|
var signer *packet.PrivateKey
|
||||||
|
if signed != nil {
|
||||||
|
signKey, ok := signed.signingKey(config.Now())
|
||||||
|
if !ok {
|
||||||
|
return nil, errors.InvalidArgumentError("no valid signing keys")
|
||||||
|
}
|
||||||
|
signer = signKey.PrivateKey
|
||||||
|
if signer == nil {
|
||||||
|
return nil, errors.InvalidArgumentError("no private key in signing key")
|
||||||
|
}
|
||||||
|
if signer.Encrypted {
|
||||||
|
return nil, errors.InvalidArgumentError("signing key must be decrypted")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// These are the possible ciphers that we'll use for the message.
|
||||||
|
candidateCiphers := []uint8{
|
||||||
|
uint8(packet.CipherAES128),
|
||||||
|
uint8(packet.CipherAES256),
|
||||||
|
uint8(packet.CipherCAST5),
|
||||||
|
}
|
||||||
|
// These are the possible hash functions that we'll use for the signature.
|
||||||
|
candidateHashes := []uint8{
|
||||||
|
hashToHashId(crypto.SHA256),
|
||||||
|
hashToHashId(crypto.SHA512),
|
||||||
|
hashToHashId(crypto.SHA1),
|
||||||
|
hashToHashId(crypto.RIPEMD160),
|
||||||
|
}
|
||||||
|
|
||||||
|
// If no preferences were specified, assume something safe and reasonable.
|
||||||
|
defaultCiphers := []uint8{
|
||||||
|
uint8(packet.CipherAES128),
|
||||||
|
uint8(packet.CipherAES192),
|
||||||
|
uint8(packet.CipherAES256),
|
||||||
|
uint8(packet.CipherCAST5),
|
||||||
|
}
|
||||||
|
|
||||||
|
defaultHashes := []uint8{
|
||||||
|
hashToHashId(crypto.SHA256),
|
||||||
|
hashToHashId(crypto.SHA512),
|
||||||
|
hashToHashId(crypto.RIPEMD160),
|
||||||
|
}
|
||||||
|
|
||||||
|
encryptKeys := make([]Key, len(to))
|
||||||
|
for i := range to {
|
||||||
|
var ok bool
|
||||||
|
encryptKeys[i], ok = to[i].encryptionKey(config.Now())
|
||||||
|
if !ok {
|
||||||
|
return nil, errors.InvalidArgumentError("cannot encrypt a message to key id " + strconv.FormatUint(to[i].PrimaryKey.KeyId, 16) + " because it has no encryption keys")
|
||||||
|
}
|
||||||
|
|
||||||
|
sig := to[i].primaryIdentity().SelfSignature
|
||||||
|
|
||||||
|
preferredSymmetric := sig.PreferredSymmetric
|
||||||
|
if len(preferredSymmetric) == 0 {
|
||||||
|
preferredSymmetric = defaultCiphers
|
||||||
|
}
|
||||||
|
preferredHashes := sig.PreferredHash
|
||||||
|
if len(preferredHashes) == 0 {
|
||||||
|
preferredHashes = defaultHashes
|
||||||
|
}
|
||||||
|
candidateCiphers = intersectPreferences(candidateCiphers, preferredSymmetric)
|
||||||
|
candidateHashes = intersectPreferences(candidateHashes, preferredHashes)
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(candidateCiphers) == 0 {
|
||||||
|
return nil, errors.InvalidArgumentError("cannot encrypt because recipient set shares no common ciphers")
|
||||||
|
}
|
||||||
|
if len(candidateHashes) == 0 {
|
||||||
|
return nil, errors.InvalidArgumentError("cannot encrypt because recipient set shares no common hashes")
|
||||||
|
}
|
||||||
|
|
||||||
|
cipher := packet.CipherFunction(candidateCiphers[0])
|
||||||
|
// If the cipher specifed by config is a candidate, we'll use that.
|
||||||
|
configuredCipher := config.Cipher()
|
||||||
|
for _, c := range candidateCiphers {
|
||||||
|
cipherFunc := packet.CipherFunction(c)
|
||||||
|
if cipherFunc == configuredCipher {
|
||||||
|
cipher = cipherFunc
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
var hash crypto.Hash
|
||||||
|
for _, hashId := range candidateHashes {
|
||||||
|
if h, ok := s2k.HashIdToHash(hashId); ok && h.Available() {
|
||||||
|
hash = h
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// If the hash specified by config is a candidate, we'll use that.
|
||||||
|
if configuredHash := config.Hash(); configuredHash.Available() {
|
||||||
|
for _, hashId := range candidateHashes {
|
||||||
|
if h, ok := s2k.HashIdToHash(hashId); ok && h == configuredHash {
|
||||||
|
hash = h
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if hash == 0 {
|
||||||
|
hashId := candidateHashes[0]
|
||||||
|
name, ok := s2k.HashIdToString(hashId)
|
||||||
|
if !ok {
|
||||||
|
name = "#" + strconv.Itoa(int(hashId))
|
||||||
|
}
|
||||||
|
return nil, errors.InvalidArgumentError("cannot encrypt because no candidate hash functions are compiled in. (Wanted " + name + " in this case.)")
|
||||||
|
}
|
||||||
|
|
||||||
|
symKey := make([]byte, cipher.KeySize())
|
||||||
|
if _, err := io.ReadFull(config.Random(), symKey); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, key := range encryptKeys {
|
||||||
|
if err := packet.SerializeEncryptedKey(ciphertext, key.PublicKey, cipher, symKey, config); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
encryptedData, err := packet.SerializeSymmetricallyEncrypted(ciphertext, cipher, symKey, config)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
if signer != nil {
|
||||||
|
ops := &packet.OnePassSignature{
|
||||||
|
SigType: packet.SigTypeBinary,
|
||||||
|
Hash: hash,
|
||||||
|
PubKeyAlgo: signer.PubKeyAlgo,
|
||||||
|
KeyId: signer.KeyId,
|
||||||
|
IsLast: true,
|
||||||
|
}
|
||||||
|
if err := ops.Serialize(encryptedData); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if hints == nil {
|
||||||
|
hints = &FileHints{}
|
||||||
|
}
|
||||||
|
|
||||||
|
w := encryptedData
|
||||||
|
if signer != nil {
|
||||||
|
// If we need to write a signature packet after the literal
|
||||||
|
// data then we need to stop literalData from closing
|
||||||
|
// encryptedData.
|
||||||
|
w = noOpCloser{encryptedData}
|
||||||
|
|
||||||
|
}
|
||||||
|
var epochSeconds uint32
|
||||||
|
if !hints.ModTime.IsZero() {
|
||||||
|
epochSeconds = uint32(hints.ModTime.Unix())
|
||||||
|
}
|
||||||
|
literalData, err := packet.SerializeLiteral(w, hints.IsBinary, hints.FileName, epochSeconds)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if signer != nil {
|
||||||
|
return signatureWriter{encryptedData, literalData, hash, hash.New(), signer, config}, nil
|
||||||
|
}
|
||||||
|
return literalData, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// signatureWriter hashes the contents of a message while passing it along to
|
||||||
|
// literalData. When closed, it closes literalData, writes a signature packet
|
||||||
|
// to encryptedData and then also closes encryptedData.
|
||||||
|
type signatureWriter struct {
|
||||||
|
encryptedData io.WriteCloser
|
||||||
|
literalData io.WriteCloser
|
||||||
|
hashType crypto.Hash
|
||||||
|
h hash.Hash
|
||||||
|
signer *packet.PrivateKey
|
||||||
|
config *packet.Config
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s signatureWriter) Write(data []byte) (int, error) {
|
||||||
|
s.h.Write(data)
|
||||||
|
return s.literalData.Write(data)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s signatureWriter) Close() error {
|
||||||
|
sig := &packet.Signature{
|
||||||
|
SigType: packet.SigTypeBinary,
|
||||||
|
PubKeyAlgo: s.signer.PubKeyAlgo,
|
||||||
|
Hash: s.hashType,
|
||||||
|
CreationTime: s.config.Now(),
|
||||||
|
IssuerKeyId: &s.signer.KeyId,
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := sig.Sign(s.h, s.signer, s.config); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if err := s.literalData.Close(); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if err := sig.Serialize(s.encryptedData); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
return s.encryptedData.Close()
|
||||||
|
}
|
||||||
|
|
||||||
|
// noOpCloser is like an ioutil.NopCloser, but for an io.Writer.
|
||||||
|
// TODO: we have two of these in OpenPGP packages alone. This probably needs
|
||||||
|
// to be promoted somewhere more common.
|
||||||
|
type noOpCloser struct {
|
||||||
|
w io.Writer
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c noOpCloser) Write(data []byte) (n int, err error) {
|
||||||
|
return c.w.Write(data)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c noOpCloser) Close() error {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// AttachedSign is like openpgp.Encrypt (as in p.crypto/openpgp/write.go), but
|
||||||
|
// don't encrypt at all, just sign the literal unencrypted data.
|
||||||
|
// Unfortunately we need to duplicate some code here that's already
|
||||||
|
// in write.go
|
||||||
|
func AttachedSign(out io.WriteCloser, signed Entity, hints *FileHints,
|
||||||
|
config *packet.Config) (in io.WriteCloser, err error) {
|
||||||
|
|
||||||
|
if hints == nil {
|
||||||
|
hints = &FileHints{}
|
||||||
|
}
|
||||||
|
|
||||||
|
if config == nil {
|
||||||
|
config = &packet.Config{}
|
||||||
|
}
|
||||||
|
|
||||||
|
var signer *packet.PrivateKey
|
||||||
|
|
||||||
|
signKey, ok := signed.signingKey(config.Now())
|
||||||
|
if !ok {
|
||||||
|
err = errors.InvalidArgumentError("no valid signing keys")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
signer = signKey.PrivateKey
|
||||||
|
if signer == nil {
|
||||||
|
err = errors.InvalidArgumentError("no valid signing keys")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if signer.Encrypted {
|
||||||
|
err = errors.InvalidArgumentError("signing key must be decrypted")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
hasher := crypto.SHA512
|
||||||
|
|
||||||
|
ops := &packet.OnePassSignature{
|
||||||
|
SigType: packet.SigTypeBinary,
|
||||||
|
Hash: hasher,
|
||||||
|
PubKeyAlgo: signer.PubKeyAlgo,
|
||||||
|
KeyId: signer.KeyId,
|
||||||
|
IsLast: true,
|
||||||
|
}
|
||||||
|
|
||||||
|
if err = ops.Serialize(out); err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
var epochSeconds uint32
|
||||||
|
if !hints.ModTime.IsZero() {
|
||||||
|
epochSeconds = uint32(hints.ModTime.Unix())
|
||||||
|
}
|
||||||
|
|
||||||
|
// We don't want the literal serializer to closer the output stream
|
||||||
|
// since we're going to need to write to it when we finish up the
|
||||||
|
// signature stuff.
|
||||||
|
in, err = packet.SerializeLiteral(noOpCloser{out}, hints.IsBinary, hints.FileName, epochSeconds)
|
||||||
|
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// If we need to write a signature packet after the literal
|
||||||
|
// data then we need to stop literalData from closing
|
||||||
|
// encryptedData.
|
||||||
|
in = signatureWriter{out, in, hasher, hasher.New(), signer, config}
|
||||||
|
|
||||||
|
return
|
||||||
|
}
|
325
vendor/github.com/keybase/go-crypto/rsa/pkcs1v15.go
generated
vendored
Normal file
325
vendor/github.com/keybase/go-crypto/rsa/pkcs1v15.go
generated
vendored
Normal file
@ -0,0 +1,325 @@
|
|||||||
|
// Copyright 2009 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package rsa
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto"
|
||||||
|
"crypto/subtle"
|
||||||
|
"errors"
|
||||||
|
"io"
|
||||||
|
"math/big"
|
||||||
|
)
|
||||||
|
|
||||||
|
// This file implements encryption and decryption using PKCS#1 v1.5 padding.
|
||||||
|
|
||||||
|
// PKCS1v15DecrypterOpts is for passing options to PKCS#1 v1.5 decryption using
|
||||||
|
// the crypto.Decrypter interface.
|
||||||
|
type PKCS1v15DecryptOptions struct {
|
||||||
|
// SessionKeyLen is the length of the session key that is being
|
||||||
|
// decrypted. If not zero, then a padding error during decryption will
|
||||||
|
// cause a random plaintext of this length to be returned rather than
|
||||||
|
// an error. These alternatives happen in constant time.
|
||||||
|
SessionKeyLen int
|
||||||
|
}
|
||||||
|
|
||||||
|
// EncryptPKCS1v15 encrypts the given message with RSA and the padding scheme from PKCS#1 v1.5.
|
||||||
|
// The message must be no longer than the length of the public modulus minus 11 bytes.
|
||||||
|
//
|
||||||
|
// The rand parameter is used as a source of entropy to ensure that encrypting
|
||||||
|
// the same message twice doesn't result in the same ciphertext.
|
||||||
|
//
|
||||||
|
// WARNING: use of this function to encrypt plaintexts other than session keys
|
||||||
|
// is dangerous. Use RSA OAEP in new protocols.
|
||||||
|
func EncryptPKCS1v15(rand io.Reader, pub *PublicKey, msg []byte) (out []byte, err error) {
|
||||||
|
if err := checkPub(pub); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
k := (pub.N.BitLen() + 7) / 8
|
||||||
|
if len(msg) > k-11 {
|
||||||
|
err = ErrMessageTooLong
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// EM = 0x00 || 0x02 || PS || 0x00 || M
|
||||||
|
em := make([]byte, k)
|
||||||
|
em[1] = 2
|
||||||
|
ps, mm := em[2:len(em)-len(msg)-1], em[len(em)-len(msg):]
|
||||||
|
err = nonZeroRandomBytes(ps, rand)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
em[len(em)-len(msg)-1] = 0
|
||||||
|
copy(mm, msg)
|
||||||
|
|
||||||
|
m := new(big.Int).SetBytes(em)
|
||||||
|
c := encrypt(new(big.Int), pub, m)
|
||||||
|
|
||||||
|
copyWithLeftPad(em, c.Bytes())
|
||||||
|
out = em
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// DecryptPKCS1v15 decrypts a plaintext using RSA and the padding scheme from PKCS#1 v1.5.
|
||||||
|
// If rand != nil, it uses RSA blinding to avoid timing side-channel attacks.
|
||||||
|
//
|
||||||
|
// Note that whether this function returns an error or not discloses secret
|
||||||
|
// information. If an attacker can cause this function to run repeatedly and
|
||||||
|
// learn whether each instance returned an error then they can decrypt and
|
||||||
|
// forge signatures as if they had the private key. See
|
||||||
|
// DecryptPKCS1v15SessionKey for a way of solving this problem.
|
||||||
|
func DecryptPKCS1v15(rand io.Reader, priv *PrivateKey, ciphertext []byte) (out []byte, err error) {
|
||||||
|
if err := checkPub(&priv.PublicKey); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
valid, out, index, err := decryptPKCS1v15(rand, priv, ciphertext)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if valid == 0 {
|
||||||
|
return nil, ErrDecryption
|
||||||
|
}
|
||||||
|
out = out[index:]
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// DecryptPKCS1v15SessionKey decrypts a session key using RSA and the padding scheme from PKCS#1 v1.5.
|
||||||
|
// If rand != nil, it uses RSA blinding to avoid timing side-channel attacks.
|
||||||
|
// It returns an error if the ciphertext is the wrong length or if the
|
||||||
|
// ciphertext is greater than the public modulus. Otherwise, no error is
|
||||||
|
// returned. If the padding is valid, the resulting plaintext message is copied
|
||||||
|
// into key. Otherwise, key is unchanged. These alternatives occur in constant
|
||||||
|
// time. It is intended that the user of this function generate a random
|
||||||
|
// session key beforehand and continue the protocol with the resulting value.
|
||||||
|
// This will remove any possibility that an attacker can learn any information
|
||||||
|
// about the plaintext.
|
||||||
|
// See ``Chosen Ciphertext Attacks Against Protocols Based on the RSA
|
||||||
|
// Encryption Standard PKCS #1'', Daniel Bleichenbacher, Advances in Cryptology
|
||||||
|
// (Crypto '98).
|
||||||
|
//
|
||||||
|
// Note that if the session key is too small then it may be possible for an
|
||||||
|
// attacker to brute-force it. If they can do that then they can learn whether
|
||||||
|
// a random value was used (because it'll be different for the same ciphertext)
|
||||||
|
// and thus whether the padding was correct. This defeats the point of this
|
||||||
|
// function. Using at least a 16-byte key will protect against this attack.
|
||||||
|
func DecryptPKCS1v15SessionKey(rand io.Reader, priv *PrivateKey, ciphertext []byte, key []byte) (err error) {
|
||||||
|
if err := checkPub(&priv.PublicKey); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
k := (priv.N.BitLen() + 7) / 8
|
||||||
|
if k-(len(key)+3+8) < 0 {
|
||||||
|
return ErrDecryption
|
||||||
|
}
|
||||||
|
|
||||||
|
valid, em, index, err := decryptPKCS1v15(rand, priv, ciphertext)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(em) != k {
|
||||||
|
// This should be impossible because decryptPKCS1v15 always
|
||||||
|
// returns the full slice.
|
||||||
|
return ErrDecryption
|
||||||
|
}
|
||||||
|
|
||||||
|
valid &= subtle.ConstantTimeEq(int32(len(em)-index), int32(len(key)))
|
||||||
|
subtle.ConstantTimeCopy(valid, key, em[len(em)-len(key):])
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// decryptPKCS1v15 decrypts ciphertext using priv and blinds the operation if
|
||||||
|
// rand is not nil. It returns one or zero in valid that indicates whether the
|
||||||
|
// plaintext was correctly structured. In either case, the plaintext is
|
||||||
|
// returned in em so that it may be read independently of whether it was valid
|
||||||
|
// in order to maintain constant memory access patterns. If the plaintext was
|
||||||
|
// valid then index contains the index of the original message in em.
|
||||||
|
func decryptPKCS1v15(rand io.Reader, priv *PrivateKey, ciphertext []byte) (valid int, em []byte, index int, err error) {
|
||||||
|
k := (priv.N.BitLen() + 7) / 8
|
||||||
|
if k < 11 {
|
||||||
|
err = ErrDecryption
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
c := new(big.Int).SetBytes(ciphertext)
|
||||||
|
m, err := decrypt(rand, priv, c)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
em = leftPad(m.Bytes(), k)
|
||||||
|
firstByteIsZero := subtle.ConstantTimeByteEq(em[0], 0)
|
||||||
|
secondByteIsTwo := subtle.ConstantTimeByteEq(em[1], 2)
|
||||||
|
|
||||||
|
// The remainder of the plaintext must be a string of non-zero random
|
||||||
|
// octets, followed by a 0, followed by the message.
|
||||||
|
// lookingForIndex: 1 iff we are still looking for the zero.
|
||||||
|
// index: the offset of the first zero byte.
|
||||||
|
lookingForIndex := 1
|
||||||
|
|
||||||
|
for i := 2; i < len(em); i++ {
|
||||||
|
equals0 := subtle.ConstantTimeByteEq(em[i], 0)
|
||||||
|
index = subtle.ConstantTimeSelect(lookingForIndex&equals0, i, index)
|
||||||
|
lookingForIndex = subtle.ConstantTimeSelect(equals0, 0, lookingForIndex)
|
||||||
|
}
|
||||||
|
|
||||||
|
// The PS padding must be at least 8 bytes long, and it starts two
|
||||||
|
// bytes into em.
|
||||||
|
validPS := subtle.ConstantTimeLessOrEq(2+8, index)
|
||||||
|
|
||||||
|
valid = firstByteIsZero & secondByteIsTwo & (^lookingForIndex & 1) & validPS
|
||||||
|
index = subtle.ConstantTimeSelect(valid, index+1, 0)
|
||||||
|
return valid, em, index, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// nonZeroRandomBytes fills the given slice with non-zero random octets.
|
||||||
|
func nonZeroRandomBytes(s []byte, rand io.Reader) (err error) {
|
||||||
|
_, err = io.ReadFull(rand, s)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
for i := 0; i < len(s); i++ {
|
||||||
|
for s[i] == 0 {
|
||||||
|
_, err = io.ReadFull(rand, s[i:i+1])
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
// In tests, the PRNG may return all zeros so we do
|
||||||
|
// this to break the loop.
|
||||||
|
s[i] ^= 0x42
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// These are ASN1 DER structures:
|
||||||
|
// DigestInfo ::= SEQUENCE {
|
||||||
|
// digestAlgorithm AlgorithmIdentifier,
|
||||||
|
// digest OCTET STRING
|
||||||
|
// }
|
||||||
|
// For performance, we don't use the generic ASN1 encoder. Rather, we
|
||||||
|
// precompute a prefix of the digest value that makes a valid ASN1 DER string
|
||||||
|
// with the correct contents.
|
||||||
|
var hashPrefixes = map[crypto.Hash][]byte{
|
||||||
|
crypto.MD5: {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10},
|
||||||
|
crypto.SHA1: {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14},
|
||||||
|
crypto.SHA224: {0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c},
|
||||||
|
crypto.SHA256: {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20},
|
||||||
|
crypto.SHA384: {0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30},
|
||||||
|
crypto.SHA512: {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40},
|
||||||
|
crypto.MD5SHA1: {}, // A special TLS case which doesn't use an ASN1 prefix.
|
||||||
|
crypto.RIPEMD160: {0x30, 0x20, 0x30, 0x08, 0x06, 0x06, 0x28, 0xcf, 0x06, 0x03, 0x00, 0x31, 0x04, 0x14},
|
||||||
|
}
|
||||||
|
|
||||||
|
// SignPKCS1v15 calculates the signature of hashed using RSASSA-PKCS1-V1_5-SIGN from RSA PKCS#1 v1.5.
|
||||||
|
// Note that hashed must be the result of hashing the input message using the
|
||||||
|
// given hash function. If hash is zero, hashed is signed directly. This isn't
|
||||||
|
// advisable except for interoperability.
|
||||||
|
//
|
||||||
|
// If rand is not nil then RSA blinding will be used to avoid timing side-channel attacks.
|
||||||
|
//
|
||||||
|
// This function is deterministic. Thus, if the set of possible messages is
|
||||||
|
// small, an attacker may be able to build a map from messages to signatures
|
||||||
|
// and identify the signed messages. As ever, signatures provide authenticity,
|
||||||
|
// not confidentiality.
|
||||||
|
func SignPKCS1v15(rand io.Reader, priv *PrivateKey, hash crypto.Hash, hashed []byte) (s []byte, err error) {
|
||||||
|
hashLen, prefix, err := pkcs1v15HashInfo(hash, len(hashed))
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
tLen := len(prefix) + hashLen
|
||||||
|
k := (priv.N.BitLen() + 7) / 8
|
||||||
|
if k < tLen+11 {
|
||||||
|
return nil, ErrMessageTooLong
|
||||||
|
}
|
||||||
|
|
||||||
|
// EM = 0x00 || 0x01 || PS || 0x00 || T
|
||||||
|
em := make([]byte, k)
|
||||||
|
em[1] = 1
|
||||||
|
for i := 2; i < k-tLen-1; i++ {
|
||||||
|
em[i] = 0xff
|
||||||
|
}
|
||||||
|
copy(em[k-tLen:k-hashLen], prefix)
|
||||||
|
copy(em[k-hashLen:k], hashed)
|
||||||
|
|
||||||
|
m := new(big.Int).SetBytes(em)
|
||||||
|
c, err := decryptAndCheck(rand, priv, m)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
copyWithLeftPad(em, c.Bytes())
|
||||||
|
s = em
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// VerifyPKCS1v15 verifies an RSA PKCS#1 v1.5 signature.
|
||||||
|
// hashed is the result of hashing the input message using the given hash
|
||||||
|
// function and sig is the signature. A valid signature is indicated by
|
||||||
|
// returning a nil error. If hash is zero then hashed is used directly. This
|
||||||
|
// isn't advisable except for interoperability.
|
||||||
|
func VerifyPKCS1v15(pub *PublicKey, hash crypto.Hash, hashed []byte, sig []byte) (err error) {
|
||||||
|
hashLen, prefix, err := pkcs1v15HashInfo(hash, len(hashed))
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
tLen := len(prefix) + hashLen
|
||||||
|
k := (pub.N.BitLen() + 7) / 8
|
||||||
|
if k < tLen+11 {
|
||||||
|
err = ErrVerification
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
c := new(big.Int).SetBytes(sig)
|
||||||
|
m := encrypt(new(big.Int), pub, c)
|
||||||
|
em := leftPad(m.Bytes(), k)
|
||||||
|
// EM = 0x00 || 0x01 || PS || 0x00 || T
|
||||||
|
|
||||||
|
ok := subtle.ConstantTimeByteEq(em[0], 0)
|
||||||
|
ok &= subtle.ConstantTimeByteEq(em[1], 1)
|
||||||
|
ok &= subtle.ConstantTimeCompare(em[k-hashLen:k], hashed)
|
||||||
|
ok &= subtle.ConstantTimeCompare(em[k-tLen:k-hashLen], prefix)
|
||||||
|
ok &= subtle.ConstantTimeByteEq(em[k-tLen-1], 0)
|
||||||
|
|
||||||
|
for i := 2; i < k-tLen-1; i++ {
|
||||||
|
ok &= subtle.ConstantTimeByteEq(em[i], 0xff)
|
||||||
|
}
|
||||||
|
|
||||||
|
if ok != 1 {
|
||||||
|
return ErrVerification
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func pkcs1v15HashInfo(hash crypto.Hash, inLen int) (hashLen int, prefix []byte, err error) {
|
||||||
|
// Special case: crypto.Hash(0) is used to indicate that the data is
|
||||||
|
// signed directly.
|
||||||
|
if hash == 0 {
|
||||||
|
return inLen, nil, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
hashLen = hash.Size()
|
||||||
|
if inLen != hashLen {
|
||||||
|
return 0, nil, errors.New("crypto/rsa: input must be hashed message")
|
||||||
|
}
|
||||||
|
prefix, ok := hashPrefixes[hash]
|
||||||
|
if !ok {
|
||||||
|
return 0, nil, errors.New("crypto/rsa: unsupported hash function")
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// copyWithLeftPad copies src to the end of dest, padding with zero bytes as
|
||||||
|
// needed.
|
||||||
|
func copyWithLeftPad(dest, src []byte) {
|
||||||
|
numPaddingBytes := len(dest) - len(src)
|
||||||
|
for i := 0; i < numPaddingBytes; i++ {
|
||||||
|
dest[i] = 0
|
||||||
|
}
|
||||||
|
copy(dest[numPaddingBytes:], src)
|
||||||
|
}
|
297
vendor/github.com/keybase/go-crypto/rsa/pss.go
generated
vendored
Normal file
297
vendor/github.com/keybase/go-crypto/rsa/pss.go
generated
vendored
Normal file
@ -0,0 +1,297 @@
|
|||||||
|
// Copyright 2013 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package rsa
|
||||||
|
|
||||||
|
// This file implements the PSS signature scheme [1].
|
||||||
|
//
|
||||||
|
// [1] http://www.rsa.com/rsalabs/pkcs/files/h11300-wp-pkcs-1v2-2-rsa-cryptography-standard.pdf
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"crypto"
|
||||||
|
"errors"
|
||||||
|
"hash"
|
||||||
|
"io"
|
||||||
|
"math/big"
|
||||||
|
)
|
||||||
|
|
||||||
|
func emsaPSSEncode(mHash []byte, emBits int, salt []byte, hash hash.Hash) ([]byte, error) {
|
||||||
|
// See [1], section 9.1.1
|
||||||
|
hLen := hash.Size()
|
||||||
|
sLen := len(salt)
|
||||||
|
emLen := (emBits + 7) / 8
|
||||||
|
|
||||||
|
// 1. If the length of M is greater than the input limitation for the
|
||||||
|
// hash function (2^61 - 1 octets for SHA-1), output "message too
|
||||||
|
// long" and stop.
|
||||||
|
//
|
||||||
|
// 2. Let mHash = Hash(M), an octet string of length hLen.
|
||||||
|
|
||||||
|
if len(mHash) != hLen {
|
||||||
|
return nil, errors.New("crypto/rsa: input must be hashed message")
|
||||||
|
}
|
||||||
|
|
||||||
|
// 3. If emLen < hLen + sLen + 2, output "encoding error" and stop.
|
||||||
|
|
||||||
|
if emLen < hLen+sLen+2 {
|
||||||
|
return nil, errors.New("crypto/rsa: encoding error")
|
||||||
|
}
|
||||||
|
|
||||||
|
em := make([]byte, emLen)
|
||||||
|
db := em[:emLen-sLen-hLen-2+1+sLen]
|
||||||
|
h := em[emLen-sLen-hLen-2+1+sLen : emLen-1]
|
||||||
|
|
||||||
|
// 4. Generate a random octet string salt of length sLen; if sLen = 0,
|
||||||
|
// then salt is the empty string.
|
||||||
|
//
|
||||||
|
// 5. Let
|
||||||
|
// M' = (0x)00 00 00 00 00 00 00 00 || mHash || salt;
|
||||||
|
//
|
||||||
|
// M' is an octet string of length 8 + hLen + sLen with eight
|
||||||
|
// initial zero octets.
|
||||||
|
//
|
||||||
|
// 6. Let H = Hash(M'), an octet string of length hLen.
|
||||||
|
|
||||||
|
var prefix [8]byte
|
||||||
|
|
||||||
|
hash.Write(prefix[:])
|
||||||
|
hash.Write(mHash)
|
||||||
|
hash.Write(salt)
|
||||||
|
|
||||||
|
h = hash.Sum(h[:0])
|
||||||
|
hash.Reset()
|
||||||
|
|
||||||
|
// 7. Generate an octet string PS consisting of emLen - sLen - hLen - 2
|
||||||
|
// zero octets. The length of PS may be 0.
|
||||||
|
//
|
||||||
|
// 8. Let DB = PS || 0x01 || salt; DB is an octet string of length
|
||||||
|
// emLen - hLen - 1.
|
||||||
|
|
||||||
|
db[emLen-sLen-hLen-2] = 0x01
|
||||||
|
copy(db[emLen-sLen-hLen-1:], salt)
|
||||||
|
|
||||||
|
// 9. Let dbMask = MGF(H, emLen - hLen - 1).
|
||||||
|
//
|
||||||
|
// 10. Let maskedDB = DB \xor dbMask.
|
||||||
|
|
||||||
|
mgf1XOR(db, hash, h)
|
||||||
|
|
||||||
|
// 11. Set the leftmost 8 * emLen - emBits bits of the leftmost octet in
|
||||||
|
// maskedDB to zero.
|
||||||
|
|
||||||
|
db[0] &= (0xFF >> uint(8*emLen-emBits))
|
||||||
|
|
||||||
|
// 12. Let EM = maskedDB || H || 0xbc.
|
||||||
|
em[emLen-1] = 0xBC
|
||||||
|
|
||||||
|
// 13. Output EM.
|
||||||
|
return em, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func emsaPSSVerify(mHash, em []byte, emBits, sLen int, hash hash.Hash) error {
|
||||||
|
// 1. If the length of M is greater than the input limitation for the
|
||||||
|
// hash function (2^61 - 1 octets for SHA-1), output "inconsistent"
|
||||||
|
// and stop.
|
||||||
|
//
|
||||||
|
// 2. Let mHash = Hash(M), an octet string of length hLen.
|
||||||
|
hLen := hash.Size()
|
||||||
|
if hLen != len(mHash) {
|
||||||
|
return ErrVerification
|
||||||
|
}
|
||||||
|
|
||||||
|
// 3. If emLen < hLen + sLen + 2, output "inconsistent" and stop.
|
||||||
|
emLen := (emBits + 7) / 8
|
||||||
|
if emLen < hLen+sLen+2 {
|
||||||
|
return ErrVerification
|
||||||
|
}
|
||||||
|
|
||||||
|
// 4. If the rightmost octet of EM does not have hexadecimal value
|
||||||
|
// 0xbc, output "inconsistent" and stop.
|
||||||
|
if em[len(em)-1] != 0xBC {
|
||||||
|
return ErrVerification
|
||||||
|
}
|
||||||
|
|
||||||
|
// 5. Let maskedDB be the leftmost emLen - hLen - 1 octets of EM, and
|
||||||
|
// let H be the next hLen octets.
|
||||||
|
db := em[:emLen-hLen-1]
|
||||||
|
h := em[emLen-hLen-1 : len(em)-1]
|
||||||
|
|
||||||
|
// 6. If the leftmost 8 * emLen - emBits bits of the leftmost octet in
|
||||||
|
// maskedDB are not all equal to zero, output "inconsistent" and
|
||||||
|
// stop.
|
||||||
|
if em[0]&(0xFF<<uint(8-(8*emLen-emBits))) != 0 {
|
||||||
|
return ErrVerification
|
||||||
|
}
|
||||||
|
|
||||||
|
// 7. Let dbMask = MGF(H, emLen - hLen - 1).
|
||||||
|
//
|
||||||
|
// 8. Let DB = maskedDB \xor dbMask.
|
||||||
|
mgf1XOR(db, hash, h)
|
||||||
|
|
||||||
|
// 9. Set the leftmost 8 * emLen - emBits bits of the leftmost octet in DB
|
||||||
|
// to zero.
|
||||||
|
db[0] &= (0xFF >> uint(8*emLen-emBits))
|
||||||
|
|
||||||
|
if sLen == PSSSaltLengthAuto {
|
||||||
|
FindSaltLength:
|
||||||
|
for sLen = emLen - (hLen + 2); sLen >= 0; sLen-- {
|
||||||
|
switch db[emLen-hLen-sLen-2] {
|
||||||
|
case 1:
|
||||||
|
break FindSaltLength
|
||||||
|
case 0:
|
||||||
|
continue
|
||||||
|
default:
|
||||||
|
return ErrVerification
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if sLen < 0 {
|
||||||
|
return ErrVerification
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
// 10. If the emLen - hLen - sLen - 2 leftmost octets of DB are not zero
|
||||||
|
// or if the octet at position emLen - hLen - sLen - 1 (the leftmost
|
||||||
|
// position is "position 1") does not have hexadecimal value 0x01,
|
||||||
|
// output "inconsistent" and stop.
|
||||||
|
for _, e := range db[:emLen-hLen-sLen-2] {
|
||||||
|
if e != 0x00 {
|
||||||
|
return ErrVerification
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if db[emLen-hLen-sLen-2] != 0x01 {
|
||||||
|
return ErrVerification
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// 11. Let salt be the last sLen octets of DB.
|
||||||
|
salt := db[len(db)-sLen:]
|
||||||
|
|
||||||
|
// 12. Let
|
||||||
|
// M' = (0x)00 00 00 00 00 00 00 00 || mHash || salt ;
|
||||||
|
// M' is an octet string of length 8 + hLen + sLen with eight
|
||||||
|
// initial zero octets.
|
||||||
|
//
|
||||||
|
// 13. Let H' = Hash(M'), an octet string of length hLen.
|
||||||
|
var prefix [8]byte
|
||||||
|
hash.Write(prefix[:])
|
||||||
|
hash.Write(mHash)
|
||||||
|
hash.Write(salt)
|
||||||
|
|
||||||
|
h0 := hash.Sum(nil)
|
||||||
|
|
||||||
|
// 14. If H = H', output "consistent." Otherwise, output "inconsistent."
|
||||||
|
if !bytes.Equal(h0, h) {
|
||||||
|
return ErrVerification
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// signPSSWithSalt calculates the signature of hashed using PSS [1] with specified salt.
|
||||||
|
// Note that hashed must be the result of hashing the input message using the
|
||||||
|
// given hash function. salt is a random sequence of bytes whose length will be
|
||||||
|
// later used to verify the signature.
|
||||||
|
func signPSSWithSalt(rand io.Reader, priv *PrivateKey, hash crypto.Hash, hashed, salt []byte) (s []byte, err error) {
|
||||||
|
nBits := priv.N.BitLen()
|
||||||
|
em, err := emsaPSSEncode(hashed, nBits-1, salt, hash.New())
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
m := new(big.Int).SetBytes(em)
|
||||||
|
c, err := decryptAndCheck(rand, priv, m)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
s = make([]byte, (nBits+7)/8)
|
||||||
|
copyWithLeftPad(s, c.Bytes())
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
const (
|
||||||
|
// PSSSaltLengthAuto causes the salt in a PSS signature to be as large
|
||||||
|
// as possible when signing, and to be auto-detected when verifying.
|
||||||
|
PSSSaltLengthAuto = 0
|
||||||
|
// PSSSaltLengthEqualsHash causes the salt length to equal the length
|
||||||
|
// of the hash used in the signature.
|
||||||
|
PSSSaltLengthEqualsHash = -1
|
||||||
|
)
|
||||||
|
|
||||||
|
// PSSOptions contains options for creating and verifying PSS signatures.
|
||||||
|
type PSSOptions struct {
|
||||||
|
// SaltLength controls the length of the salt used in the PSS
|
||||||
|
// signature. It can either be a number of bytes, or one of the special
|
||||||
|
// PSSSaltLength constants.
|
||||||
|
SaltLength int
|
||||||
|
|
||||||
|
// Hash, if not zero, overrides the hash function passed to SignPSS.
|
||||||
|
// This is the only way to specify the hash function when using the
|
||||||
|
// crypto.Signer interface.
|
||||||
|
Hash crypto.Hash
|
||||||
|
}
|
||||||
|
|
||||||
|
// HashFunc returns pssOpts.Hash so that PSSOptions implements
|
||||||
|
// crypto.SignerOpts.
|
||||||
|
func (pssOpts *PSSOptions) HashFunc() crypto.Hash {
|
||||||
|
return pssOpts.Hash
|
||||||
|
}
|
||||||
|
|
||||||
|
func (opts *PSSOptions) saltLength() int {
|
||||||
|
if opts == nil {
|
||||||
|
return PSSSaltLengthAuto
|
||||||
|
}
|
||||||
|
return opts.SaltLength
|
||||||
|
}
|
||||||
|
|
||||||
|
// SignPSS calculates the signature of hashed using RSASSA-PSS [1].
|
||||||
|
// Note that hashed must be the result of hashing the input message using the
|
||||||
|
// given hash function. The opts argument may be nil, in which case sensible
|
||||||
|
// defaults are used.
|
||||||
|
func SignPSS(rand io.Reader, priv *PrivateKey, hash crypto.Hash, hashed []byte, opts *PSSOptions) (s []byte, err error) {
|
||||||
|
saltLength := opts.saltLength()
|
||||||
|
switch saltLength {
|
||||||
|
case PSSSaltLengthAuto:
|
||||||
|
saltLength = (priv.N.BitLen()+7)/8 - 2 - hash.Size()
|
||||||
|
case PSSSaltLengthEqualsHash:
|
||||||
|
saltLength = hash.Size()
|
||||||
|
}
|
||||||
|
|
||||||
|
if opts != nil && opts.Hash != 0 {
|
||||||
|
hash = opts.Hash
|
||||||
|
}
|
||||||
|
|
||||||
|
salt := make([]byte, saltLength)
|
||||||
|
if _, err = io.ReadFull(rand, salt); err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
return signPSSWithSalt(rand, priv, hash, hashed, salt)
|
||||||
|
}
|
||||||
|
|
||||||
|
// VerifyPSS verifies a PSS signature.
|
||||||
|
// hashed is the result of hashing the input message using the given hash
|
||||||
|
// function and sig is the signature. A valid signature is indicated by
|
||||||
|
// returning a nil error. The opts argument may be nil, in which case sensible
|
||||||
|
// defaults are used.
|
||||||
|
func VerifyPSS(pub *PublicKey, hash crypto.Hash, hashed []byte, sig []byte, opts *PSSOptions) error {
|
||||||
|
return verifyPSS(pub, hash, hashed, sig, opts.saltLength())
|
||||||
|
}
|
||||||
|
|
||||||
|
// verifyPSS verifies a PSS signature with the given salt length.
|
||||||
|
func verifyPSS(pub *PublicKey, hash crypto.Hash, hashed []byte, sig []byte, saltLen int) error {
|
||||||
|
nBits := pub.N.BitLen()
|
||||||
|
if len(sig) != (nBits+7)/8 {
|
||||||
|
return ErrVerification
|
||||||
|
}
|
||||||
|
s := new(big.Int).SetBytes(sig)
|
||||||
|
m := encrypt(new(big.Int), pub, s)
|
||||||
|
emBits := nBits - 1
|
||||||
|
emLen := (emBits + 7) / 8
|
||||||
|
if emLen < len(m.Bytes()) {
|
||||||
|
return ErrVerification
|
||||||
|
}
|
||||||
|
em := make([]byte, emLen)
|
||||||
|
copyWithLeftPad(em, m.Bytes())
|
||||||
|
if saltLen == PSSSaltLengthEqualsHash {
|
||||||
|
saltLen = hash.Size()
|
||||||
|
}
|
||||||
|
return emsaPSSVerify(hashed, em, emBits, saltLen, hash.New())
|
||||||
|
}
|
646
vendor/github.com/keybase/go-crypto/rsa/rsa.go
generated
vendored
Normal file
646
vendor/github.com/keybase/go-crypto/rsa/rsa.go
generated
vendored
Normal file
@ -0,0 +1,646 @@
|
|||||||
|
// Copyright 2009 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// Package rsa implements RSA encryption as specified in PKCS#1.
|
||||||
|
//
|
||||||
|
// RSA is a single, fundamental operation that is used in this package to
|
||||||
|
// implement either public-key encryption or public-key signatures.
|
||||||
|
//
|
||||||
|
// The original specification for encryption and signatures with RSA is PKCS#1
|
||||||
|
// and the terms "RSA encryption" and "RSA signatures" by default refer to
|
||||||
|
// PKCS#1 version 1.5. However, that specification has flaws and new designs
|
||||||
|
// should use version two, usually called by just OAEP and PSS, where
|
||||||
|
// possible.
|
||||||
|
//
|
||||||
|
// Two sets of interfaces are included in this package. When a more abstract
|
||||||
|
// interface isn't neccessary, there are functions for encrypting/decrypting
|
||||||
|
// with v1.5/OAEP and signing/verifying with v1.5/PSS. If one needs to abstract
|
||||||
|
// over the public-key primitive, the PrivateKey struct implements the
|
||||||
|
// Decrypter and Signer interfaces from the crypto package.
|
||||||
|
package rsa
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto"
|
||||||
|
"crypto/rand"
|
||||||
|
"crypto/subtle"
|
||||||
|
"errors"
|
||||||
|
"hash"
|
||||||
|
"io"
|
||||||
|
"math/big"
|
||||||
|
)
|
||||||
|
|
||||||
|
var bigZero = big.NewInt(0)
|
||||||
|
var bigOne = big.NewInt(1)
|
||||||
|
|
||||||
|
// A PublicKey represents the public part of an RSA key.
|
||||||
|
type PublicKey struct {
|
||||||
|
N *big.Int // modulus
|
||||||
|
E int64 // public exponent
|
||||||
|
}
|
||||||
|
|
||||||
|
// OAEPOptions is an interface for passing options to OAEP decryption using the
|
||||||
|
// crypto.Decrypter interface.
|
||||||
|
type OAEPOptions struct {
|
||||||
|
// Hash is the hash function that will be used when generating the mask.
|
||||||
|
Hash crypto.Hash
|
||||||
|
// Label is an arbitrary byte string that must be equal to the value
|
||||||
|
// used when encrypting.
|
||||||
|
Label []byte
|
||||||
|
}
|
||||||
|
|
||||||
|
var (
|
||||||
|
errPublicModulus = errors.New("crypto/rsa: missing public modulus")
|
||||||
|
errPublicExponentSmall = errors.New("crypto/rsa: public exponent too small")
|
||||||
|
errPublicExponentLarge = errors.New("crypto/rsa: public exponent too large")
|
||||||
|
)
|
||||||
|
|
||||||
|
// checkPub sanity checks the public key before we use it.
|
||||||
|
// We require pub.E to fit into a 32-bit integer so that we
|
||||||
|
// do not have different behavior depending on whether
|
||||||
|
// int is 32 or 64 bits. See also
|
||||||
|
// http://www.imperialviolet.org/2012/03/16/rsae.html.
|
||||||
|
func checkPub(pub *PublicKey) error {
|
||||||
|
if pub.N == nil {
|
||||||
|
return errPublicModulus
|
||||||
|
}
|
||||||
|
if pub.E < 2 {
|
||||||
|
return errPublicExponentSmall
|
||||||
|
}
|
||||||
|
if pub.E > 1<<63-1 {
|
||||||
|
return errPublicExponentLarge
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// A PrivateKey represents an RSA key
|
||||||
|
type PrivateKey struct {
|
||||||
|
PublicKey // public part.
|
||||||
|
D *big.Int // private exponent
|
||||||
|
Primes []*big.Int // prime factors of N, has >= 2 elements.
|
||||||
|
|
||||||
|
// Precomputed contains precomputed values that speed up private
|
||||||
|
// operations, if available.
|
||||||
|
Precomputed PrecomputedValues
|
||||||
|
}
|
||||||
|
|
||||||
|
// Public returns the public key corresponding to priv.
|
||||||
|
func (priv *PrivateKey) Public() crypto.PublicKey {
|
||||||
|
return &priv.PublicKey
|
||||||
|
}
|
||||||
|
|
||||||
|
// Sign signs msg with priv, reading randomness from rand. If opts is a
|
||||||
|
// *PSSOptions then the PSS algorithm will be used, otherwise PKCS#1 v1.5 will
|
||||||
|
// be used. This method is intended to support keys where the private part is
|
||||||
|
// kept in, for example, a hardware module. Common uses should use the Sign*
|
||||||
|
// functions in this package.
|
||||||
|
func (priv *PrivateKey) Sign(rand io.Reader, msg []byte, opts crypto.SignerOpts) ([]byte, error) {
|
||||||
|
if pssOpts, ok := opts.(*PSSOptions); ok {
|
||||||
|
return SignPSS(rand, priv, pssOpts.Hash, msg, pssOpts)
|
||||||
|
}
|
||||||
|
|
||||||
|
return SignPKCS1v15(rand, priv, opts.HashFunc(), msg)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Decrypt decrypts ciphertext with priv. If opts is nil or of type
|
||||||
|
// *PKCS1v15DecryptOptions then PKCS#1 v1.5 decryption is performed. Otherwise
|
||||||
|
// opts must have type *OAEPOptions and OAEP decryption is done.
|
||||||
|
func (priv *PrivateKey) Decrypt(rand io.Reader, ciphertext []byte, opts crypto.DecrypterOpts) (plaintext []byte, err error) {
|
||||||
|
if opts == nil {
|
||||||
|
return DecryptPKCS1v15(rand, priv, ciphertext)
|
||||||
|
}
|
||||||
|
|
||||||
|
switch opts := opts.(type) {
|
||||||
|
case *OAEPOptions:
|
||||||
|
return DecryptOAEP(opts.Hash.New(), rand, priv, ciphertext, opts.Label)
|
||||||
|
|
||||||
|
case *PKCS1v15DecryptOptions:
|
||||||
|
if l := opts.SessionKeyLen; l > 0 {
|
||||||
|
plaintext = make([]byte, l)
|
||||||
|
if _, err := io.ReadFull(rand, plaintext); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
if err := DecryptPKCS1v15SessionKey(rand, priv, ciphertext, plaintext); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return plaintext, nil
|
||||||
|
} else {
|
||||||
|
return DecryptPKCS1v15(rand, priv, ciphertext)
|
||||||
|
}
|
||||||
|
|
||||||
|
default:
|
||||||
|
return nil, errors.New("crypto/rsa: invalid options for Decrypt")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
type PrecomputedValues struct {
|
||||||
|
Dp, Dq *big.Int // D mod (P-1) (or mod Q-1)
|
||||||
|
Qinv *big.Int // Q^-1 mod P
|
||||||
|
|
||||||
|
// CRTValues is used for the 3rd and subsequent primes. Due to a
|
||||||
|
// historical accident, the CRT for the first two primes is handled
|
||||||
|
// differently in PKCS#1 and interoperability is sufficiently
|
||||||
|
// important that we mirror this.
|
||||||
|
CRTValues []CRTValue
|
||||||
|
}
|
||||||
|
|
||||||
|
// CRTValue contains the precomputed Chinese remainder theorem values.
|
||||||
|
type CRTValue struct {
|
||||||
|
Exp *big.Int // D mod (prime-1).
|
||||||
|
Coeff *big.Int // R·Coeff ≡ 1 mod Prime.
|
||||||
|
R *big.Int // product of primes prior to this (inc p and q).
|
||||||
|
}
|
||||||
|
|
||||||
|
// Validate performs basic sanity checks on the key.
|
||||||
|
// It returns nil if the key is valid, or else an error describing a problem.
|
||||||
|
func (priv *PrivateKey) Validate() error {
|
||||||
|
if err := checkPub(&priv.PublicKey); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Check that Πprimes == n.
|
||||||
|
modulus := new(big.Int).Set(bigOne)
|
||||||
|
for _, prime := range priv.Primes {
|
||||||
|
// Any primes ≤ 1 will cause divide-by-zero panics later.
|
||||||
|
if prime.Cmp(bigOne) <= 0 {
|
||||||
|
return errors.New("crypto/rsa: invalid prime value")
|
||||||
|
}
|
||||||
|
modulus.Mul(modulus, prime)
|
||||||
|
}
|
||||||
|
if modulus.Cmp(priv.N) != 0 {
|
||||||
|
return errors.New("crypto/rsa: invalid modulus")
|
||||||
|
}
|
||||||
|
|
||||||
|
// Check that de ≡ 1 mod p-1, for each prime.
|
||||||
|
// This implies that e is coprime to each p-1 as e has a multiplicative
|
||||||
|
// inverse. Therefore e is coprime to lcm(p-1,q-1,r-1,...) =
|
||||||
|
// exponent(ℤ/nℤ). It also implies that a^de ≡ a mod p as a^(p-1) ≡ 1
|
||||||
|
// mod p. Thus a^de ≡ a mod n for all a coprime to n, as required.
|
||||||
|
congruence := new(big.Int)
|
||||||
|
de := new(big.Int).SetInt64(int64(priv.E))
|
||||||
|
de.Mul(de, priv.D)
|
||||||
|
for _, prime := range priv.Primes {
|
||||||
|
pminus1 := new(big.Int).Sub(prime, bigOne)
|
||||||
|
congruence.Mod(de, pminus1)
|
||||||
|
if congruence.Cmp(bigOne) != 0 {
|
||||||
|
return errors.New("crypto/rsa: invalid exponents")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// GenerateKey generates an RSA keypair of the given bit size using the
|
||||||
|
// random source random (for example, crypto/rand.Reader).
|
||||||
|
func GenerateKey(random io.Reader, bits int) (priv *PrivateKey, err error) {
|
||||||
|
return GenerateMultiPrimeKey(random, 2, bits)
|
||||||
|
}
|
||||||
|
|
||||||
|
// GenerateMultiPrimeKey generates a multi-prime RSA keypair of the given bit
|
||||||
|
// size and the given random source, as suggested in [1]. Although the public
|
||||||
|
// keys are compatible (actually, indistinguishable) from the 2-prime case,
|
||||||
|
// the private keys are not. Thus it may not be possible to export multi-prime
|
||||||
|
// private keys in certain formats or to subsequently import them into other
|
||||||
|
// code.
|
||||||
|
//
|
||||||
|
// Table 1 in [2] suggests maximum numbers of primes for a given size.
|
||||||
|
//
|
||||||
|
// [1] US patent 4405829 (1972, expired)
|
||||||
|
// [2] http://www.cacr.math.uwaterloo.ca/techreports/2006/cacr2006-16.pdf
|
||||||
|
func GenerateMultiPrimeKey(random io.Reader, nprimes int, bits int) (priv *PrivateKey, err error) {
|
||||||
|
priv = new(PrivateKey)
|
||||||
|
priv.E = 65537
|
||||||
|
|
||||||
|
if nprimes < 2 {
|
||||||
|
return nil, errors.New("crypto/rsa: GenerateMultiPrimeKey: nprimes must be >= 2")
|
||||||
|
}
|
||||||
|
|
||||||
|
primes := make([]*big.Int, nprimes)
|
||||||
|
|
||||||
|
NextSetOfPrimes:
|
||||||
|
for {
|
||||||
|
todo := bits
|
||||||
|
// crypto/rand should set the top two bits in each prime.
|
||||||
|
// Thus each prime has the form
|
||||||
|
// p_i = 2^bitlen(p_i) × 0.11... (in base 2).
|
||||||
|
// And the product is:
|
||||||
|
// P = 2^todo × α
|
||||||
|
// where α is the product of nprimes numbers of the form 0.11...
|
||||||
|
//
|
||||||
|
// If α < 1/2 (which can happen for nprimes > 2), we need to
|
||||||
|
// shift todo to compensate for lost bits: the mean value of 0.11...
|
||||||
|
// is 7/8, so todo + shift - nprimes * log2(7/8) ~= bits - 1/2
|
||||||
|
// will give good results.
|
||||||
|
if nprimes >= 7 {
|
||||||
|
todo += (nprimes - 2) / 5
|
||||||
|
}
|
||||||
|
for i := 0; i < nprimes; i++ {
|
||||||
|
primes[i], err = rand.Prime(random, todo/(nprimes-i))
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
todo -= primes[i].BitLen()
|
||||||
|
}
|
||||||
|
|
||||||
|
// Make sure that primes is pairwise unequal.
|
||||||
|
for i, prime := range primes {
|
||||||
|
for j := 0; j < i; j++ {
|
||||||
|
if prime.Cmp(primes[j]) == 0 {
|
||||||
|
continue NextSetOfPrimes
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
n := new(big.Int).Set(bigOne)
|
||||||
|
totient := new(big.Int).Set(bigOne)
|
||||||
|
pminus1 := new(big.Int)
|
||||||
|
for _, prime := range primes {
|
||||||
|
n.Mul(n, prime)
|
||||||
|
pminus1.Sub(prime, bigOne)
|
||||||
|
totient.Mul(totient, pminus1)
|
||||||
|
}
|
||||||
|
if n.BitLen() != bits {
|
||||||
|
// This should never happen for nprimes == 2 because
|
||||||
|
// crypto/rand should set the top two bits in each prime.
|
||||||
|
// For nprimes > 2 we hope it does not happen often.
|
||||||
|
continue NextSetOfPrimes
|
||||||
|
}
|
||||||
|
|
||||||
|
g := new(big.Int)
|
||||||
|
priv.D = new(big.Int)
|
||||||
|
y := new(big.Int)
|
||||||
|
e := big.NewInt(int64(priv.E))
|
||||||
|
g.GCD(priv.D, y, e, totient)
|
||||||
|
|
||||||
|
if g.Cmp(bigOne) == 0 {
|
||||||
|
if priv.D.Sign() < 0 {
|
||||||
|
priv.D.Add(priv.D, totient)
|
||||||
|
}
|
||||||
|
priv.Primes = primes
|
||||||
|
priv.N = n
|
||||||
|
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
priv.Precompute()
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// incCounter increments a four byte, big-endian counter.
|
||||||
|
func incCounter(c *[4]byte) {
|
||||||
|
if c[3]++; c[3] != 0 {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if c[2]++; c[2] != 0 {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if c[1]++; c[1] != 0 {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
c[0]++
|
||||||
|
}
|
||||||
|
|
||||||
|
// mgf1XOR XORs the bytes in out with a mask generated using the MGF1 function
|
||||||
|
// specified in PKCS#1 v2.1.
|
||||||
|
func mgf1XOR(out []byte, hash hash.Hash, seed []byte) {
|
||||||
|
var counter [4]byte
|
||||||
|
var digest []byte
|
||||||
|
|
||||||
|
done := 0
|
||||||
|
for done < len(out) {
|
||||||
|
hash.Write(seed)
|
||||||
|
hash.Write(counter[0:4])
|
||||||
|
digest = hash.Sum(digest[:0])
|
||||||
|
hash.Reset()
|
||||||
|
|
||||||
|
for i := 0; i < len(digest) && done < len(out); i++ {
|
||||||
|
out[done] ^= digest[i]
|
||||||
|
done++
|
||||||
|
}
|
||||||
|
incCounter(&counter)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// ErrMessageTooLong is returned when attempting to encrypt a message which is
|
||||||
|
// too large for the size of the public key.
|
||||||
|
var ErrMessageTooLong = errors.New("crypto/rsa: message too long for RSA public key size")
|
||||||
|
|
||||||
|
func encrypt(c *big.Int, pub *PublicKey, m *big.Int) *big.Int {
|
||||||
|
e := big.NewInt(int64(pub.E))
|
||||||
|
c.Exp(m, e, pub.N)
|
||||||
|
return c
|
||||||
|
}
|
||||||
|
|
||||||
|
// EncryptOAEP encrypts the given message with RSA-OAEP.
|
||||||
|
//
|
||||||
|
// OAEP is parameterised by a hash function that is used as a random oracle.
|
||||||
|
// Encryption and decryption of a given message must use the same hash function
|
||||||
|
// and sha256.New() is a reasonable choice.
|
||||||
|
//
|
||||||
|
// The random parameter is used as a source of entropy to ensure that
|
||||||
|
// encrypting the same message twice doesn't result in the same ciphertext.
|
||||||
|
//
|
||||||
|
// The label parameter may contain arbitrary data that will not be encrypted,
|
||||||
|
// but which gives important context to the message. For example, if a given
|
||||||
|
// public key is used to decrypt two types of messages then distinct label
|
||||||
|
// values could be used to ensure that a ciphertext for one purpose cannot be
|
||||||
|
// used for another by an attacker. If not required it can be empty.
|
||||||
|
//
|
||||||
|
// The message must be no longer than the length of the public modulus less
|
||||||
|
// twice the hash length plus 2.
|
||||||
|
func EncryptOAEP(hash hash.Hash, random io.Reader, pub *PublicKey, msg []byte, label []byte) (out []byte, err error) {
|
||||||
|
if err := checkPub(pub); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
hash.Reset()
|
||||||
|
k := (pub.N.BitLen() + 7) / 8
|
||||||
|
if len(msg) > k-2*hash.Size()-2 {
|
||||||
|
err = ErrMessageTooLong
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
hash.Write(label)
|
||||||
|
lHash := hash.Sum(nil)
|
||||||
|
hash.Reset()
|
||||||
|
|
||||||
|
em := make([]byte, k)
|
||||||
|
seed := em[1 : 1+hash.Size()]
|
||||||
|
db := em[1+hash.Size():]
|
||||||
|
|
||||||
|
copy(db[0:hash.Size()], lHash)
|
||||||
|
db[len(db)-len(msg)-1] = 1
|
||||||
|
copy(db[len(db)-len(msg):], msg)
|
||||||
|
|
||||||
|
_, err = io.ReadFull(random, seed)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
mgf1XOR(db, hash, seed)
|
||||||
|
mgf1XOR(seed, hash, db)
|
||||||
|
|
||||||
|
m := new(big.Int)
|
||||||
|
m.SetBytes(em)
|
||||||
|
c := encrypt(new(big.Int), pub, m)
|
||||||
|
out = c.Bytes()
|
||||||
|
|
||||||
|
if len(out) < k {
|
||||||
|
// If the output is too small, we need to left-pad with zeros.
|
||||||
|
t := make([]byte, k)
|
||||||
|
copy(t[k-len(out):], out)
|
||||||
|
out = t
|
||||||
|
}
|
||||||
|
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// ErrDecryption represents a failure to decrypt a message.
|
||||||
|
// It is deliberately vague to avoid adaptive attacks.
|
||||||
|
var ErrDecryption = errors.New("crypto/rsa: decryption error")
|
||||||
|
|
||||||
|
// ErrVerification represents a failure to verify a signature.
|
||||||
|
// It is deliberately vague to avoid adaptive attacks.
|
||||||
|
var ErrVerification = errors.New("crypto/rsa: verification error")
|
||||||
|
|
||||||
|
// modInverse returns ia, the inverse of a in the multiplicative group of prime
|
||||||
|
// order n. It requires that a be a member of the group (i.e. less than n).
|
||||||
|
func modInverse(a, n *big.Int) (ia *big.Int, ok bool) {
|
||||||
|
g := new(big.Int)
|
||||||
|
x := new(big.Int)
|
||||||
|
y := new(big.Int)
|
||||||
|
g.GCD(x, y, a, n)
|
||||||
|
if g.Cmp(bigOne) != 0 {
|
||||||
|
// In this case, a and n aren't coprime and we cannot calculate
|
||||||
|
// the inverse. This happens because the values of n are nearly
|
||||||
|
// prime (being the product of two primes) rather than truly
|
||||||
|
// prime.
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
if x.Cmp(bigOne) < 0 {
|
||||||
|
// 0 is not the multiplicative inverse of any element so, if x
|
||||||
|
// < 1, then x is negative.
|
||||||
|
x.Add(x, n)
|
||||||
|
}
|
||||||
|
|
||||||
|
return x, true
|
||||||
|
}
|
||||||
|
|
||||||
|
// Precompute performs some calculations that speed up private key operations
|
||||||
|
// in the future.
|
||||||
|
func (priv *PrivateKey) Precompute() {
|
||||||
|
if priv.Precomputed.Dp != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
priv.Precomputed.Dp = new(big.Int).Sub(priv.Primes[0], bigOne)
|
||||||
|
priv.Precomputed.Dp.Mod(priv.D, priv.Precomputed.Dp)
|
||||||
|
|
||||||
|
priv.Precomputed.Dq = new(big.Int).Sub(priv.Primes[1], bigOne)
|
||||||
|
priv.Precomputed.Dq.Mod(priv.D, priv.Precomputed.Dq)
|
||||||
|
|
||||||
|
priv.Precomputed.Qinv = new(big.Int).ModInverse(priv.Primes[1], priv.Primes[0])
|
||||||
|
|
||||||
|
r := new(big.Int).Mul(priv.Primes[0], priv.Primes[1])
|
||||||
|
priv.Precomputed.CRTValues = make([]CRTValue, len(priv.Primes)-2)
|
||||||
|
for i := 2; i < len(priv.Primes); i++ {
|
||||||
|
prime := priv.Primes[i]
|
||||||
|
values := &priv.Precomputed.CRTValues[i-2]
|
||||||
|
|
||||||
|
values.Exp = new(big.Int).Sub(prime, bigOne)
|
||||||
|
values.Exp.Mod(priv.D, values.Exp)
|
||||||
|
|
||||||
|
values.R = new(big.Int).Set(r)
|
||||||
|
values.Coeff = new(big.Int).ModInverse(r, prime)
|
||||||
|
|
||||||
|
r.Mul(r, prime)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// decrypt performs an RSA decryption, resulting in a plaintext integer. If a
|
||||||
|
// random source is given, RSA blinding is used.
|
||||||
|
func decrypt(random io.Reader, priv *PrivateKey, c *big.Int) (m *big.Int, err error) {
|
||||||
|
// TODO(agl): can we get away with reusing blinds?
|
||||||
|
if c.Cmp(priv.N) > 0 {
|
||||||
|
err = ErrDecryption
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
var ir *big.Int
|
||||||
|
if random != nil {
|
||||||
|
// Blinding enabled. Blinding involves multiplying c by r^e.
|
||||||
|
// Then the decryption operation performs (m^e * r^e)^d mod n
|
||||||
|
// which equals mr mod n. The factor of r can then be removed
|
||||||
|
// by multiplying by the multiplicative inverse of r.
|
||||||
|
|
||||||
|
var r *big.Int
|
||||||
|
|
||||||
|
for {
|
||||||
|
r, err = rand.Int(random, priv.N)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if r.Cmp(bigZero) == 0 {
|
||||||
|
r = bigOne
|
||||||
|
}
|
||||||
|
var ok bool
|
||||||
|
ir, ok = modInverse(r, priv.N)
|
||||||
|
if ok {
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
bigE := big.NewInt(int64(priv.E))
|
||||||
|
rpowe := new(big.Int).Exp(r, bigE, priv.N)
|
||||||
|
cCopy := new(big.Int).Set(c)
|
||||||
|
cCopy.Mul(cCopy, rpowe)
|
||||||
|
cCopy.Mod(cCopy, priv.N)
|
||||||
|
c = cCopy
|
||||||
|
}
|
||||||
|
|
||||||
|
if priv.Precomputed.Dp == nil {
|
||||||
|
m = new(big.Int).Exp(c, priv.D, priv.N)
|
||||||
|
} else {
|
||||||
|
// We have the precalculated values needed for the CRT.
|
||||||
|
m = new(big.Int).Exp(c, priv.Precomputed.Dp, priv.Primes[0])
|
||||||
|
m2 := new(big.Int).Exp(c, priv.Precomputed.Dq, priv.Primes[1])
|
||||||
|
m.Sub(m, m2)
|
||||||
|
if m.Sign() < 0 {
|
||||||
|
m.Add(m, priv.Primes[0])
|
||||||
|
}
|
||||||
|
m.Mul(m, priv.Precomputed.Qinv)
|
||||||
|
m.Mod(m, priv.Primes[0])
|
||||||
|
m.Mul(m, priv.Primes[1])
|
||||||
|
m.Add(m, m2)
|
||||||
|
|
||||||
|
for i, values := range priv.Precomputed.CRTValues {
|
||||||
|
prime := priv.Primes[2+i]
|
||||||
|
m2.Exp(c, values.Exp, prime)
|
||||||
|
m2.Sub(m2, m)
|
||||||
|
m2.Mul(m2, values.Coeff)
|
||||||
|
m2.Mod(m2, prime)
|
||||||
|
if m2.Sign() < 0 {
|
||||||
|
m2.Add(m2, prime)
|
||||||
|
}
|
||||||
|
m2.Mul(m2, values.R)
|
||||||
|
m.Add(m, m2)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if ir != nil {
|
||||||
|
// Unblind.
|
||||||
|
m.Mul(m, ir)
|
||||||
|
m.Mod(m, priv.N)
|
||||||
|
}
|
||||||
|
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func decryptAndCheck(random io.Reader, priv *PrivateKey, c *big.Int) (m *big.Int, err error) {
|
||||||
|
m, err = decrypt(random, priv, c)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// In order to defend against errors in the CRT computation, m^e is
|
||||||
|
// calculated, which should match the original ciphertext.
|
||||||
|
check := encrypt(new(big.Int), &priv.PublicKey, m)
|
||||||
|
if c.Cmp(check) != 0 {
|
||||||
|
return nil, errors.New("rsa: internal error")
|
||||||
|
}
|
||||||
|
return m, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// DecryptOAEP decrypts ciphertext using RSA-OAEP.
|
||||||
|
|
||||||
|
// OAEP is parameterised by a hash function that is used as a random oracle.
|
||||||
|
// Encryption and decryption of a given message must use the same hash function
|
||||||
|
// and sha256.New() is a reasonable choice.
|
||||||
|
//
|
||||||
|
// The random parameter, if not nil, is used to blind the private-key operation
|
||||||
|
// and avoid timing side-channel attacks. Blinding is purely internal to this
|
||||||
|
// function – the random data need not match that used when encrypting.
|
||||||
|
//
|
||||||
|
// The label parameter must match the value given when encrypting. See
|
||||||
|
// EncryptOAEP for details.
|
||||||
|
func DecryptOAEP(hash hash.Hash, random io.Reader, priv *PrivateKey, ciphertext []byte, label []byte) (msg []byte, err error) {
|
||||||
|
if err := checkPub(&priv.PublicKey); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
k := (priv.N.BitLen() + 7) / 8
|
||||||
|
if len(ciphertext) > k ||
|
||||||
|
k < hash.Size()*2+2 {
|
||||||
|
err = ErrDecryption
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
c := new(big.Int).SetBytes(ciphertext)
|
||||||
|
|
||||||
|
m, err := decrypt(random, priv, c)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
hash.Write(label)
|
||||||
|
lHash := hash.Sum(nil)
|
||||||
|
hash.Reset()
|
||||||
|
|
||||||
|
// Converting the plaintext number to bytes will strip any
|
||||||
|
// leading zeros so we may have to left pad. We do this unconditionally
|
||||||
|
// to avoid leaking timing information. (Although we still probably
|
||||||
|
// leak the number of leading zeros. It's not clear that we can do
|
||||||
|
// anything about this.)
|
||||||
|
em := leftPad(m.Bytes(), k)
|
||||||
|
|
||||||
|
firstByteIsZero := subtle.ConstantTimeByteEq(em[0], 0)
|
||||||
|
|
||||||
|
seed := em[1 : hash.Size()+1]
|
||||||
|
db := em[hash.Size()+1:]
|
||||||
|
|
||||||
|
mgf1XOR(seed, hash, db)
|
||||||
|
mgf1XOR(db, hash, seed)
|
||||||
|
|
||||||
|
lHash2 := db[0:hash.Size()]
|
||||||
|
|
||||||
|
// We have to validate the plaintext in constant time in order to avoid
|
||||||
|
// attacks like: J. Manger. A Chosen Ciphertext Attack on RSA Optimal
|
||||||
|
// Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1
|
||||||
|
// v2.0. In J. Kilian, editor, Advances in Cryptology.
|
||||||
|
lHash2Good := subtle.ConstantTimeCompare(lHash, lHash2)
|
||||||
|
|
||||||
|
// The remainder of the plaintext must be zero or more 0x00, followed
|
||||||
|
// by 0x01, followed by the message.
|
||||||
|
// lookingForIndex: 1 iff we are still looking for the 0x01
|
||||||
|
// index: the offset of the first 0x01 byte
|
||||||
|
// invalid: 1 iff we saw a non-zero byte before the 0x01.
|
||||||
|
var lookingForIndex, index, invalid int
|
||||||
|
lookingForIndex = 1
|
||||||
|
rest := db[hash.Size():]
|
||||||
|
|
||||||
|
for i := 0; i < len(rest); i++ {
|
||||||
|
equals0 := subtle.ConstantTimeByteEq(rest[i], 0)
|
||||||
|
equals1 := subtle.ConstantTimeByteEq(rest[i], 1)
|
||||||
|
index = subtle.ConstantTimeSelect(lookingForIndex&equals1, i, index)
|
||||||
|
lookingForIndex = subtle.ConstantTimeSelect(equals1, 0, lookingForIndex)
|
||||||
|
invalid = subtle.ConstantTimeSelect(lookingForIndex&^equals0, 1, invalid)
|
||||||
|
}
|
||||||
|
|
||||||
|
if firstByteIsZero&lHash2Good&^invalid&^lookingForIndex != 1 {
|
||||||
|
err = ErrDecryption
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
msg = rest[index+1:]
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// leftPad returns a new slice of length size. The contents of input are right
|
||||||
|
// aligned in the new slice.
|
||||||
|
func leftPad(input []byte, size int) (out []byte) {
|
||||||
|
n := len(input)
|
||||||
|
if n > size {
|
||||||
|
n = size
|
||||||
|
}
|
||||||
|
out = make([]byte, size)
|
||||||
|
copy(out[len(out)-n:], input)
|
||||||
|
return
|
||||||
|
}
|
112
vendor/vendor.json
vendored
112
vendor/vendor.json
vendored
@ -329,6 +329,12 @@
|
|||||||
"revision": "5a0f697c9ed9d68fef0116532c6e05cfeae00e55",
|
"revision": "5a0f697c9ed9d68fef0116532c6e05cfeae00e55",
|
||||||
"revisionTime": "2017-06-01T23:02:30Z"
|
"revisionTime": "2017-06-01T23:02:30Z"
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"checksumSHA1": "p/8vSviYF91gFflhrt5vkyksroo=",
|
||||||
|
"path": "github.com/golang/snappy",
|
||||||
|
"revision": "553a641470496b2327abcac10b36396bd98e45c9",
|
||||||
|
"revisionTime": "2017-02-15T23:32:05Z"
|
||||||
|
},
|
||||||
{
|
{
|
||||||
"checksumSHA1": "ovDzecwDMswgStyaKHg0VosC3FU=",
|
"checksumSHA1": "ovDzecwDMswgStyaKHg0VosC3FU=",
|
||||||
"path": "github.com/googleapis/gax-go",
|
"path": "github.com/googleapis/gax-go",
|
||||||
@ -512,6 +518,14 @@
|
|||||||
"version": "v0.10.0",
|
"version": "v0.10.0",
|
||||||
"versionExact": "v0.10.0"
|
"versionExact": "v0.10.0"
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"checksumSHA1": "FH5eOEHfHgdxPC/JnfmCeSBk66U=",
|
||||||
|
"path": "github.com/hashicorp/terraform/helper/encryption",
|
||||||
|
"revision": "v0.10.0",
|
||||||
|
"revisionTime": "2017-08-02T18:39:14Z",
|
||||||
|
"version": "v0.10.0",
|
||||||
|
"versionExact": "v0.10.0"
|
||||||
|
},
|
||||||
{
|
{
|
||||||
"checksumSHA1": "Vbo55GDzPgG/L/+W2pcvDhxrPZc=",
|
"checksumSHA1": "Vbo55GDzPgG/L/+W2pcvDhxrPZc=",
|
||||||
"path": "github.com/hashicorp/terraform/helper/experiment",
|
"path": "github.com/hashicorp/terraform/helper/experiment",
|
||||||
@ -630,6 +644,26 @@
|
|||||||
"version": "v0.10.0",
|
"version": "v0.10.0",
|
||||||
"versionExact": "v0.10.0"
|
"versionExact": "v0.10.0"
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"checksumSHA1": "au+CDkddC4sVFV15UaPiI7FvSw0=",
|
||||||
|
"path": "github.com/hashicorp/vault/helper/compressutil",
|
||||||
|
"revision": "6faf8365e922c4cf1bde05b6b886a17881b9ebca",
|
||||||
|
"revisionTime": "2017-09-25T18:41:46Z"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"checksumSHA1": "yUiSTPf0QUuL2r/81sjuytqBoeQ=",
|
||||||
|
"path": "github.com/hashicorp/vault/helper/jsonutil",
|
||||||
|
"revision": "6faf8365e922c4cf1bde05b6b886a17881b9ebca",
|
||||||
|
"revisionTime": "2017-09-25T18:41:46Z"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"checksumSHA1": "YmXAnTwbzhLLBZM+1tQrJiG3qpc=",
|
||||||
|
"path": "github.com/hashicorp/vault/helper/pgpkeys",
|
||||||
|
"revision": "6b29fb2b7f70ed538ee2b3c057335d706b6d4e36",
|
||||||
|
"revisionTime": "2017-09-19T14:56:10Z",
|
||||||
|
"version": "=v0.8.3",
|
||||||
|
"versionExact": "v0.8.3"
|
||||||
|
},
|
||||||
{
|
{
|
||||||
"checksumSHA1": "ZhK6IO2XN81Y+3RAjTcVm1Ic7oU=",
|
"checksumSHA1": "ZhK6IO2XN81Y+3RAjTcVm1Ic7oU=",
|
||||||
"path": "github.com/hashicorp/yamux",
|
"path": "github.com/hashicorp/yamux",
|
||||||
@ -643,6 +677,84 @@
|
|||||||
"revision": "bd40a432e4c76585ef6b72d3fd96fb9b6dc7b68d",
|
"revision": "bd40a432e4c76585ef6b72d3fd96fb9b6dc7b68d",
|
||||||
"revisionTime": "2016-08-03T19:07:31Z"
|
"revisionTime": "2016-08-03T19:07:31Z"
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"checksumSHA1": "VJk3rOWfxEV9Ilig5lgzH1qg8Ss=",
|
||||||
|
"path": "github.com/keybase/go-crypto/brainpool",
|
||||||
|
"revision": "433e2f3d43ef1bd31387582a899389b2fbe2005e",
|
||||||
|
"revisionTime": "2017-06-28T15:29:38Z"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"checksumSHA1": "rnRjEJs5luF+DIXp2J6LFcQk8Gg=",
|
||||||
|
"path": "github.com/keybase/go-crypto/cast5",
|
||||||
|
"revision": "433e2f3d43ef1bd31387582a899389b2fbe2005e",
|
||||||
|
"revisionTime": "2017-06-28T15:29:38Z"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"checksumSHA1": "F5++ZQS5Vt7hd6lxPCKTffvph1A=",
|
||||||
|
"path": "github.com/keybase/go-crypto/curve25519",
|
||||||
|
"revision": "433e2f3d43ef1bd31387582a899389b2fbe2005e",
|
||||||
|
"revisionTime": "2017-06-28T15:29:38Z"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"checksumSHA1": "IvrDXwIixB5yPPbo6tq1/1cSn78=",
|
||||||
|
"path": "github.com/keybase/go-crypto/ed25519",
|
||||||
|
"revision": "433e2f3d43ef1bd31387582a899389b2fbe2005e",
|
||||||
|
"revisionTime": "2017-06-28T15:29:38Z"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"checksumSHA1": "4+fslB6pCbplNq4viy6CrOkkY6Y=",
|
||||||
|
"path": "github.com/keybase/go-crypto/ed25519/internal/edwards25519",
|
||||||
|
"revision": "433e2f3d43ef1bd31387582a899389b2fbe2005e",
|
||||||
|
"revisionTime": "2017-06-28T15:29:38Z"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"checksumSHA1": "fgFlkfkaotUjBVhJik2979oCeJw=",
|
||||||
|
"path": "github.com/keybase/go-crypto/openpgp",
|
||||||
|
"revision": "433e2f3d43ef1bd31387582a899389b2fbe2005e",
|
||||||
|
"revisionTime": "2017-06-28T15:29:38Z"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"checksumSHA1": "+spfcEChljh3yeIg4K/xHOQ2pVM=",
|
||||||
|
"path": "github.com/keybase/go-crypto/openpgp/armor",
|
||||||
|
"revision": "433e2f3d43ef1bd31387582a899389b2fbe2005e",
|
||||||
|
"revisionTime": "2017-06-28T15:29:38Z"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"checksumSHA1": "nWhmwjBJqPSvkCWqaap2Z9EiS1k=",
|
||||||
|
"path": "github.com/keybase/go-crypto/openpgp/ecdh",
|
||||||
|
"revision": "433e2f3d43ef1bd31387582a899389b2fbe2005e",
|
||||||
|
"revisionTime": "2017-06-28T15:29:38Z"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"checksumSHA1": "uxXG9IC/XF8jwwvZUbW65+x8/+M=",
|
||||||
|
"path": "github.com/keybase/go-crypto/openpgp/elgamal",
|
||||||
|
"revision": "433e2f3d43ef1bd31387582a899389b2fbe2005e",
|
||||||
|
"revisionTime": "2017-06-28T15:29:38Z"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"checksumSHA1": "EyUf82Yknzc75m8RcA21CNQINw0=",
|
||||||
|
"path": "github.com/keybase/go-crypto/openpgp/errors",
|
||||||
|
"revision": "433e2f3d43ef1bd31387582a899389b2fbe2005e",
|
||||||
|
"revisionTime": "2017-06-28T15:29:38Z"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"checksumSHA1": "tw0BkvixAuw9Ai80hHzFy6W5mnk=",
|
||||||
|
"path": "github.com/keybase/go-crypto/openpgp/packet",
|
||||||
|
"revision": "433e2f3d43ef1bd31387582a899389b2fbe2005e",
|
||||||
|
"revisionTime": "2017-06-28T15:29:38Z"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"checksumSHA1": "BGDxg1Xtsz0DSPzdQGJLLQqfYc8=",
|
||||||
|
"path": "github.com/keybase/go-crypto/openpgp/s2k",
|
||||||
|
"revision": "433e2f3d43ef1bd31387582a899389b2fbe2005e",
|
||||||
|
"revisionTime": "2017-06-28T15:29:38Z"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"checksumSHA1": "rE3pp7b3gfcmBregzpIvN5IdFhY=",
|
||||||
|
"path": "github.com/keybase/go-crypto/rsa",
|
||||||
|
"revision": "433e2f3d43ef1bd31387582a899389b2fbe2005e",
|
||||||
|
"revisionTime": "2017-06-28T15:29:38Z"
|
||||||
|
},
|
||||||
{
|
{
|
||||||
"checksumSHA1": "guxbLo8KHHBeM0rzou4OTzzpDNs=",
|
"checksumSHA1": "guxbLo8KHHBeM0rzou4OTzzpDNs=",
|
||||||
"path": "github.com/mitchellh/copystructure",
|
"path": "github.com/mitchellh/copystructure",
|
||||||
|
85
website/docs/r/google_service_account_key.html.markdown
Normal file
85
website/docs/r/google_service_account_key.html.markdown
Normal file
@ -0,0 +1,85 @@
|
|||||||
|
---
|
||||||
|
layout: "google"
|
||||||
|
page_title: "Google: google_service_account_key"
|
||||||
|
sidebar_current: "docs-google-service-account-key"
|
||||||
|
description: |-
|
||||||
|
Allows management of a Google Cloud Platform service account Key Pair
|
||||||
|
---
|
||||||
|
|
||||||
|
# google\_service\_account\_key
|
||||||
|
|
||||||
|
Creates and manages service account key-pairs, which allow the user to establish identity of a service account outside of GCP. For more information, see [the official documentation](https://cloud.google.com/iam/docs/creating-managing-service-account-keys) and [API](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys).
|
||||||
|
|
||||||
|
|
||||||
|
## Example Usage, creating a new Key Pair
|
||||||
|
|
||||||
|
```hcl
|
||||||
|
resource "google_service_account" "acceptance" {
|
||||||
|
account_id = "%v"
|
||||||
|
display_name = "%v"
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "google_service_account_key" "acceptance" {
|
||||||
|
service_account_id = "${google_service_account.acceptance.id}"
|
||||||
|
public_key_type = "TYPE_X509_PEM_FILE"
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
## Create new Key Pair, encrypting the private key with a PGP Key
|
||||||
|
|
||||||
|
```hcl
|
||||||
|
resource "google_service_account" "acceptance" {
|
||||||
|
account_id = "%v"
|
||||||
|
display_name = "%v"
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "google_service_account_key" "acceptance" {
|
||||||
|
service_account_id = "${google_service_account.acceptance.id}"
|
||||||
|
pgp_key = "keybase:keybaseusername"
|
||||||
|
public_key_type = "TYPE_X509_PEM_FILE"
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
## Argument Reference
|
||||||
|
|
||||||
|
The following arguments are supported:
|
||||||
|
|
||||||
|
* `service_account_id` - (Required) The Service account id of the Key Pair.
|
||||||
|
|
||||||
|
* `key_algorithm` - (Optional) The output format of the private key. GOOGLE_CREDENTIALS_FILE is the default output format. Valid values are listed at [ServiceAccountPrivateKeyType](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys#ServiceAccountPrivateKeyType) (only used on create)
|
||||||
|
|
||||||
|
* `public_key_type` (Optional) The output format of the public key requested. X509_PEM is the default output format.
|
||||||
|
|
||||||
|
* `private_key_type` (Optional) The output format of the private key. GOOGLE_CREDENTIALS_FILE is the default output format.
|
||||||
|
|
||||||
|
* `pgp_key` – (Optional) An optional PGP key to encrypt the resulting private
|
||||||
|
key material. Only used when creating or importing a new key pair
|
||||||
|
|
||||||
|
~> **NOTE:** a PGP key is not required, however it is strongly encouraged.
|
||||||
|
Without a PGP key, the private key material will be stored in state unencrypted.
|
||||||
|
|
||||||
|
## Attributes Reference
|
||||||
|
|
||||||
|
The following attributes are exported in addition to the arguments listed above:
|
||||||
|
|
||||||
|
* `name` - The name used for this key pair
|
||||||
|
|
||||||
|
* `fingerprint` - The MD5 public key fingerprint as specified in section 4 of RFC 4716.
|
||||||
|
|
||||||
|
* `public_key` - The public key, base64 encoded
|
||||||
|
|
||||||
|
* `private_key` - The private key, base64 encoded. This is only populated
|
||||||
|
when creating a new key, and when no `pgp_key` is provided
|
||||||
|
|
||||||
|
* `private_key_encrypted` – The private key material, base 64 encoded and
|
||||||
|
encrypted with the given `pgp_key`. This is only populated when creating a new
|
||||||
|
key and `pgp_key` is supplied
|
||||||
|
|
||||||
|
* `private_key_fingerprint` - The MD5 public key fingerprint for the encrypted
|
||||||
|
private key
|
||||||
|
|
||||||
|
* `valid_after` - The key can be used after this timestamp. A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
|
||||||
|
|
||||||
|
* `valid_before` - The key can be used before this timestamp.
|
||||||
|
A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
|
||||||
|
|
@ -98,6 +98,10 @@
|
|||||||
<li<%= sidebar_current("docs-google-service-account") %>>
|
<li<%= sidebar_current("docs-google-service-account") %>>
|
||||||
<a href="/docs/providers/google/r/google_service_account.html">google_service_account</a>
|
<a href="/docs/providers/google/r/google_service_account.html">google_service_account</a>
|
||||||
</li>
|
</li>
|
||||||
|
<li<%= sidebar_current("docs-google-service-account-key") %>>
|
||||||
|
<a href="/docs/providers/google/r/google_service_account_key.html">google_service_account_key</a>
|
||||||
|
</li>
|
||||||
|
|
||||||
</ul>
|
</ul>
|
||||||
</li>
|
</li>
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user