1 // Copyright 2011 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
12 "golang.org/x/crypto/openpgp/armor"
13 "golang.org/x/crypto/openpgp/errors"
14 "golang.org/x/crypto/openpgp/packet"
17 // PublicKeyType is the armor type for a PGP public key.
18 var PublicKeyType = "PGP PUBLIC KEY BLOCK"
20 // PrivateKeyType is the armor type for a PGP private key.
21 var PrivateKeyType = "PGP PRIVATE KEY BLOCK"
23 // An Entity represents the components of an OpenPGP key: a primary public key
24 // (which must be a signing key), one or more identities claimed by that key,
25 // and zero or more subkeys, which may be encryption keys.
27 PrimaryKey *packet.PublicKey
28 PrivateKey *packet.PrivateKey
29 Identities map[string]*Identity // indexed by Identity.Name
30 Revocations []*packet.Signature
34 // An Identity represents an identity claimed by an Entity and zero or more
35 // assertions by other entities about that claim.
36 type Identity struct {
37 Name string // by convention, has the form "Full Name (comment) <email@example.com>"
39 SelfSignature *packet.Signature
40 Signatures []*packet.Signature
43 // A Subkey is an additional public key in an Entity. Subkeys can be used for
46 PublicKey *packet.PublicKey
47 PrivateKey *packet.PrivateKey
51 // A Key identifies a specific public key in an Entity. This is either the
52 // Entity's primary key or a subkey.
55 PublicKey *packet.PublicKey
56 PrivateKey *packet.PrivateKey
57 SelfSignature *packet.Signature
60 // A KeyRing provides access to public and private keys.
61 type KeyRing interface {
62 // KeysById returns the set of keys that have the given key id.
63 KeysById(id uint64) []Key
64 // KeysByIdAndUsage returns the set of keys with the given id
65 // that also meet the key usage given by requiredUsage.
66 // The requiredUsage is expressed as the bitwise-OR of
67 // packet.KeyFlag* values.
68 KeysByIdUsage(id uint64, requiredUsage byte) []Key
69 // DecryptionKeys returns all private keys that are valid for
71 DecryptionKeys() []Key
74 // primaryIdentity returns the Identity marked as primary or the first identity
75 // if none are so marked.
76 func (e *Entity) primaryIdentity() *Identity {
77 var firstIdentity *Identity
78 for _, ident := range e.Identities {
79 if firstIdentity == nil {
82 if ident.SelfSignature.IsPrimaryId != nil && *ident.SelfSignature.IsPrimaryId {
89 // encryptionKey returns the best candidate Key for encrypting a message to the
91 func (e *Entity) encryptionKey(now time.Time) (Key, bool) {
94 // Iterate the keys to find the newest key
96 for i, subkey := range e.Subkeys {
97 if subkey.Sig.FlagsValid &&
98 subkey.Sig.FlagEncryptCommunications &&
99 subkey.PublicKey.PubKeyAlgo.CanEncrypt() &&
100 !subkey.Sig.KeyExpired(now) &&
101 (maxTime.IsZero() || subkey.Sig.CreationTime.After(maxTime)) {
103 maxTime = subkey.Sig.CreationTime
107 if candidateSubkey != -1 {
108 subkey := e.Subkeys[candidateSubkey]
109 return Key{e, subkey.PublicKey, subkey.PrivateKey, subkey.Sig}, true
112 // If we don't have any candidate subkeys for encryption and
113 // the primary key doesn't have any usage metadata then we
114 // assume that the primary key is ok. Or, if the primary key is
115 // marked as ok to encrypt to, then we can obviously use it.
116 i := e.primaryIdentity()
117 if !i.SelfSignature.FlagsValid || i.SelfSignature.FlagEncryptCommunications &&
118 e.PrimaryKey.PubKeyAlgo.CanEncrypt() &&
119 !i.SelfSignature.KeyExpired(now) {
120 return Key{e, e.PrimaryKey, e.PrivateKey, i.SelfSignature}, true
123 // This Entity appears to be signing only.
127 // signingKey return the best candidate Key for signing a message with this
129 func (e *Entity) signingKey(now time.Time) (Key, bool) {
130 candidateSubkey := -1
132 for i, subkey := range e.Subkeys {
133 if subkey.Sig.FlagsValid &&
134 subkey.Sig.FlagSign &&
135 subkey.PublicKey.PubKeyAlgo.CanSign() &&
136 !subkey.Sig.KeyExpired(now) {
142 if candidateSubkey != -1 {
143 subkey := e.Subkeys[candidateSubkey]
144 return Key{e, subkey.PublicKey, subkey.PrivateKey, subkey.Sig}, true
147 // If we have no candidate subkey then we assume that it's ok to sign
148 // with the primary key.
149 i := e.primaryIdentity()
150 if !i.SelfSignature.FlagsValid || i.SelfSignature.FlagSign &&
151 !i.SelfSignature.KeyExpired(now) {
152 return Key{e, e.PrimaryKey, e.PrivateKey, i.SelfSignature}, true
158 // An EntityList contains one or more Entities.
159 type EntityList []*Entity
161 // KeysById returns the set of keys that have the given key id.
162 func (el EntityList) KeysById(id uint64) (keys []Key) {
163 for _, e := range el {
164 if e.PrimaryKey.KeyId == id {
165 var selfSig *packet.Signature
166 for _, ident := range e.Identities {
168 selfSig = ident.SelfSignature
169 } else if ident.SelfSignature.IsPrimaryId != nil && *ident.SelfSignature.IsPrimaryId {
170 selfSig = ident.SelfSignature
174 keys = append(keys, Key{e, e.PrimaryKey, e.PrivateKey, selfSig})
177 for _, subKey := range e.Subkeys {
178 if subKey.PublicKey.KeyId == id {
179 keys = append(keys, Key{e, subKey.PublicKey, subKey.PrivateKey, subKey.Sig})
186 // KeysByIdAndUsage returns the set of keys with the given id that also meet
187 // the key usage given by requiredUsage. The requiredUsage is expressed as
188 // the bitwise-OR of packet.KeyFlag* values.
189 func (el EntityList) KeysByIdUsage(id uint64, requiredUsage byte) (keys []Key) {
190 for _, key := range el.KeysById(id) {
191 if len(key.Entity.Revocations) > 0 {
195 if key.SelfSignature.RevocationReason != nil {
199 if key.SelfSignature.FlagsValid && requiredUsage != 0 {
201 if key.SelfSignature.FlagCertify {
202 usage |= packet.KeyFlagCertify
204 if key.SelfSignature.FlagSign {
205 usage |= packet.KeyFlagSign
207 if key.SelfSignature.FlagEncryptCommunications {
208 usage |= packet.KeyFlagEncryptCommunications
210 if key.SelfSignature.FlagEncryptStorage {
211 usage |= packet.KeyFlagEncryptStorage
213 if usage&requiredUsage != requiredUsage {
218 keys = append(keys, key)
223 // DecryptionKeys returns all private keys that are valid for decryption.
224 func (el EntityList) DecryptionKeys() (keys []Key) {
225 for _, e := range el {
226 for _, subKey := range e.Subkeys {
227 if subKey.PrivateKey != nil && (!subKey.Sig.FlagsValid || subKey.Sig.FlagEncryptStorage || subKey.Sig.FlagEncryptCommunications) {
228 keys = append(keys, Key{e, subKey.PublicKey, subKey.PrivateKey, subKey.Sig})
235 // ReadArmoredKeyRing reads one or more public/private keys from an armor keyring file.
236 func ReadArmoredKeyRing(r io.Reader) (EntityList, error) {
237 block, err := armor.Decode(r)
239 return nil, errors.InvalidArgumentError("no armored data found")
244 if block.Type != PublicKeyType && block.Type != PrivateKeyType {
245 return nil, errors.InvalidArgumentError("expected public or private key block, got: " + block.Type)
248 return ReadKeyRing(block.Body)
251 // ReadKeyRing reads one or more public/private keys. Unsupported keys are
252 // ignored as long as at least a single valid key is found.
253 func ReadKeyRing(r io.Reader) (el EntityList, err error) {
254 packets := packet.NewReader(r)
255 var lastUnsupportedError error
259 e, err = ReadEntity(packets)
261 // TODO: warn about skipped unsupported/unreadable keys
262 if _, ok := err.(errors.UnsupportedError); ok {
263 lastUnsupportedError = err
264 err = readToNextPublicKey(packets)
265 } else if _, ok := err.(errors.StructuralError); ok {
266 // Skip unreadable, badly-formatted keys
267 lastUnsupportedError = err
268 err = readToNextPublicKey(packets)
283 if len(el) == 0 && err == nil {
284 err = lastUnsupportedError
289 // readToNextPublicKey reads packets until the start of the entity and leaves
290 // the first packet of the new entity in the Reader.
291 func readToNextPublicKey(packets *packet.Reader) (err error) {
294 p, err = packets.Next()
297 } else if err != nil {
298 if _, ok := err.(errors.UnsupportedError); ok {
305 if pk, ok := p.(*packet.PublicKey); ok && !pk.IsSubkey {
312 // ReadEntity reads an entity (public key, identities, subkeys etc) from the
314 func ReadEntity(packets *packet.Reader) (*Entity, error) {
316 e.Identities = make(map[string]*Identity)
318 p, err := packets.Next()
324 if e.PrimaryKey, ok = p.(*packet.PublicKey); !ok {
325 if e.PrivateKey, ok = p.(*packet.PrivateKey); !ok {
327 return nil, errors.StructuralError("first packet was not a public/private key")
329 e.PrimaryKey = &e.PrivateKey.PublicKey
333 if !e.PrimaryKey.PubKeyAlgo.CanSign() {
334 return nil, errors.StructuralError("primary key cannot be used for signatures")
337 var current *Identity
338 var revocations []*packet.Signature
341 p, err := packets.Next()
344 } else if err != nil {
348 switch pkt := p.(type) {
350 current = new(Identity)
351 current.Name = pkt.Id
353 e.Identities[pkt.Id] = current
356 p, err = packets.Next()
358 return nil, io.ErrUnexpectedEOF
359 } else if err != nil {
363 sig, ok := p.(*packet.Signature)
365 return nil, errors.StructuralError("user ID packet not followed by self-signature")
368 if (sig.SigType == packet.SigTypePositiveCert || sig.SigType == packet.SigTypeGenericCert) && sig.IssuerKeyId != nil && *sig.IssuerKeyId == e.PrimaryKey.KeyId {
369 if err = e.PrimaryKey.VerifyUserIdSignature(pkt.Id, e.PrimaryKey, sig); err != nil {
370 return nil, errors.StructuralError("user ID self-signature invalid: " + err.Error())
372 current.SelfSignature = sig
375 current.Signatures = append(current.Signatures, sig)
377 case *packet.Signature:
378 if pkt.SigType == packet.SigTypeKeyRevocation {
379 revocations = append(revocations, pkt)
380 } else if pkt.SigType == packet.SigTypeDirectSignature {
381 // TODO: RFC4880 5.2.1 permits signatures
382 // directly on keys (eg. to bind additional
384 } else if current == nil {
385 return nil, errors.StructuralError("signature packet found before user id packet")
387 current.Signatures = append(current.Signatures, pkt)
389 case *packet.PrivateKey:
390 if pkt.IsSubkey == false {
394 err = addSubkey(e, packets, &pkt.PublicKey, pkt)
398 case *packet.PublicKey:
399 if pkt.IsSubkey == false {
403 err = addSubkey(e, packets, pkt, nil)
408 // we ignore unknown packets
412 if len(e.Identities) == 0 {
413 return nil, errors.StructuralError("entity without any identities")
416 for _, revocation := range revocations {
417 err = e.PrimaryKey.VerifyRevocationSignature(revocation)
419 e.Revocations = append(e.Revocations, revocation)
421 // TODO: RFC 4880 5.2.3.15 defines revocation keys.
422 return nil, errors.StructuralError("revocation signature signed by alternate key")
429 func addSubkey(e *Entity, packets *packet.Reader, pub *packet.PublicKey, priv *packet.PrivateKey) error {
431 subKey.PublicKey = pub
432 subKey.PrivateKey = priv
433 p, err := packets.Next()
435 return io.ErrUnexpectedEOF
438 return errors.StructuralError("subkey signature invalid: " + err.Error())
441 subKey.Sig, ok = p.(*packet.Signature)
443 return errors.StructuralError("subkey packet not followed by signature")
445 if subKey.Sig.SigType != packet.SigTypeSubkeyBinding && subKey.Sig.SigType != packet.SigTypeSubkeyRevocation {
446 return errors.StructuralError("subkey signature with wrong type")
448 err = e.PrimaryKey.VerifyKeySignature(subKey.PublicKey, subKey.Sig)
450 return errors.StructuralError("subkey signature invalid: " + err.Error())
452 e.Subkeys = append(e.Subkeys, subKey)
456 const defaultRSAKeyBits = 2048
458 // NewEntity returns an Entity that contains a fresh RSA/RSA keypair with a
459 // single identity composed of the given full name, comment and email, any of
460 // which may be empty but must not contain any of "()<>\x00".
461 // If config is nil, sensible defaults will be used.
462 func NewEntity(name, comment, email string, config *packet.Config) (*Entity, error) {
463 currentTime := config.Now()
465 bits := defaultRSAKeyBits
466 if config != nil && config.RSABits != 0 {
467 bits = config.RSABits
470 uid := packet.NewUserId(name, comment, email)
472 return nil, errors.InvalidArgumentError("user id field contained invalid characters")
474 signingPriv, err := rsa.GenerateKey(config.Random(), bits)
478 encryptingPriv, err := rsa.GenerateKey(config.Random(), bits)
484 PrimaryKey: packet.NewRSAPublicKey(currentTime, &signingPriv.PublicKey),
485 PrivateKey: packet.NewRSAPrivateKey(currentTime, signingPriv),
486 Identities: make(map[string]*Identity),
489 e.Identities[uid.Id] = &Identity{
492 SelfSignature: &packet.Signature{
493 CreationTime: currentTime,
494 SigType: packet.SigTypePositiveCert,
495 PubKeyAlgo: packet.PubKeyAlgoRSA,
497 IsPrimaryId: &isPrimaryId,
501 IssuerKeyId: &e.PrimaryKey.KeyId,
505 // If the user passes in a DefaultHash via packet.Config,
506 // set the PreferredHash for the SelfSignature.
507 if config != nil && config.DefaultHash != 0 {
508 e.Identities[uid.Id].SelfSignature.PreferredHash = []uint8{hashToHashId(config.DefaultHash)}
511 e.Subkeys = make([]Subkey, 1)
512 e.Subkeys[0] = Subkey{
513 PublicKey: packet.NewRSAPublicKey(currentTime, &encryptingPriv.PublicKey),
514 PrivateKey: packet.NewRSAPrivateKey(currentTime, encryptingPriv),
515 Sig: &packet.Signature{
516 CreationTime: currentTime,
517 SigType: packet.SigTypeSubkeyBinding,
518 PubKeyAlgo: packet.PubKeyAlgoRSA,
521 FlagEncryptStorage: true,
522 FlagEncryptCommunications: true,
523 IssuerKeyId: &e.PrimaryKey.KeyId,
526 e.Subkeys[0].PublicKey.IsSubkey = true
527 e.Subkeys[0].PrivateKey.IsSubkey = true
532 // SerializePrivate serializes an Entity, including private key material, to
533 // the given Writer. For now, it must only be used on an Entity returned from
535 // If config is nil, sensible defaults will be used.
536 func (e *Entity) SerializePrivate(w io.Writer, config *packet.Config) (err error) {
537 err = e.PrivateKey.Serialize(w)
541 for _, ident := range e.Identities {
542 err = ident.UserId.Serialize(w)
546 err = ident.SelfSignature.SignUserId(ident.UserId.Id, e.PrimaryKey, e.PrivateKey, config)
550 err = ident.SelfSignature.Serialize(w)
555 for _, subkey := range e.Subkeys {
556 err = subkey.PrivateKey.Serialize(w)
560 err = subkey.Sig.SignKey(subkey.PublicKey, e.PrivateKey, config)
564 err = subkey.Sig.Serialize(w)
572 // Serialize writes the public part of the given Entity to w. (No private
573 // key material will be output).
574 func (e *Entity) Serialize(w io.Writer) error {
575 err := e.PrimaryKey.Serialize(w)
579 for _, ident := range e.Identities {
580 err = ident.UserId.Serialize(w)
584 err = ident.SelfSignature.Serialize(w)
588 for _, sig := range ident.Signatures {
589 err = sig.Serialize(w)
595 for _, subkey := range e.Subkeys {
596 err = subkey.PublicKey.Serialize(w)
600 err = subkey.Sig.Serialize(w)
608 // SignIdentity adds a signature to e, from signer, attesting that identity is
609 // associated with e. The provided identity must already be an element of
610 // e.Identities and the private key of signer must have been decrypted if
612 // If config is nil, sensible defaults will be used.
613 func (e *Entity) SignIdentity(identity string, signer *Entity, config *packet.Config) error {
614 if signer.PrivateKey == nil {
615 return errors.InvalidArgumentError("signing Entity must have a private key")
617 if signer.PrivateKey.Encrypted {
618 return errors.InvalidArgumentError("signing Entity's private key must be decrypted")
620 ident, ok := e.Identities[identity]
622 return errors.InvalidArgumentError("given identity string not found in Entity")
625 sig := &packet.Signature{
626 SigType: packet.SigTypeGenericCert,
627 PubKeyAlgo: signer.PrivateKey.PubKeyAlgo,
629 CreationTime: config.Now(),
630 IssuerKeyId: &signer.PrivateKey.KeyId,
632 if err := sig.SignUserId(identity, e.PrimaryKey, signer.PrivateKey, config); err != nil {
635 ident.Signatures = append(ident.Signatures, sig)