clearsign.go 9.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376
  1. // Copyright 2012 The Go Authors. All rights reserved.
  2. // Use of this source code is governed by a BSD-style
  3. // license that can be found in the LICENSE file.
  4. // Package clearsign generates and processes OpenPGP, clear-signed data. See
  5. // RFC 4880, section 7.
  6. //
  7. // Clearsigned messages are cryptographically signed, but the contents of the
  8. // message are kept in plaintext so that it can be read without special tools.
  9. package clearsign // import "golang.org/x/crypto/openpgp/clearsign"
  10. import (
  11. "bufio"
  12. "bytes"
  13. "crypto"
  14. "hash"
  15. "io"
  16. "net/textproto"
  17. "strconv"
  18. "golang.org/x/crypto/openpgp/armor"
  19. "golang.org/x/crypto/openpgp/errors"
  20. "golang.org/x/crypto/openpgp/packet"
  21. )
  22. // A Block represents a clearsigned message. A signature on a Block can
  23. // be checked by passing Bytes into openpgp.CheckDetachedSignature.
  24. type Block struct {
  25. Headers textproto.MIMEHeader // Optional message headers
  26. Plaintext []byte // The original message text
  27. Bytes []byte // The signed message
  28. ArmoredSignature *armor.Block // The signature block
  29. }
  30. // start is the marker which denotes the beginning of a clearsigned message.
  31. var start = []byte("\n-----BEGIN PGP SIGNED MESSAGE-----")
  32. // dashEscape is prefixed to any lines that begin with a hyphen so that they
  33. // can't be confused with endText.
  34. var dashEscape = []byte("- ")
  35. // endText is a marker which denotes the end of the message and the start of
  36. // an armored signature.
  37. var endText = []byte("-----BEGIN PGP SIGNATURE-----")
  38. // end is a marker which denotes the end of the armored signature.
  39. var end = []byte("\n-----END PGP SIGNATURE-----")
  40. var crlf = []byte("\r\n")
  41. var lf = byte('\n')
  42. // getLine returns the first \r\n or \n delineated line from the given byte
  43. // array. The line does not include the \r\n or \n. The remainder of the byte
  44. // array (also not including the new line bytes) is also returned and this will
  45. // always be smaller than the original argument.
  46. func getLine(data []byte) (line, rest []byte) {
  47. i := bytes.Index(data, []byte{'\n'})
  48. var j int
  49. if i < 0 {
  50. i = len(data)
  51. j = i
  52. } else {
  53. j = i + 1
  54. if i > 0 && data[i-1] == '\r' {
  55. i--
  56. }
  57. }
  58. return data[0:i], data[j:]
  59. }
  60. // Decode finds the first clearsigned message in data and returns it, as well
  61. // as the suffix of data which remains after the message.
  62. func Decode(data []byte) (b *Block, rest []byte) {
  63. // start begins with a newline. However, at the very beginning of
  64. // the byte array, we'll accept the start string without it.
  65. rest = data
  66. if bytes.HasPrefix(data, start[1:]) {
  67. rest = rest[len(start)-1:]
  68. } else if i := bytes.Index(data, start); i >= 0 {
  69. rest = rest[i+len(start):]
  70. } else {
  71. return nil, data
  72. }
  73. // Consume the start line.
  74. _, rest = getLine(rest)
  75. var line []byte
  76. b = &Block{
  77. Headers: make(textproto.MIMEHeader),
  78. }
  79. // Next come a series of header lines.
  80. for {
  81. // This loop terminates because getLine's second result is
  82. // always smaller than its argument.
  83. if len(rest) == 0 {
  84. return nil, data
  85. }
  86. // An empty line marks the end of the headers.
  87. if line, rest = getLine(rest); len(line) == 0 {
  88. break
  89. }
  90. i := bytes.Index(line, []byte{':'})
  91. if i == -1 {
  92. return nil, data
  93. }
  94. key, val := line[0:i], line[i+1:]
  95. key = bytes.TrimSpace(key)
  96. val = bytes.TrimSpace(val)
  97. b.Headers.Add(string(key), string(val))
  98. }
  99. firstLine := true
  100. for {
  101. start := rest
  102. line, rest = getLine(rest)
  103. if len(line) == 0 && len(rest) == 0 {
  104. // No armored data was found, so this isn't a complete message.
  105. return nil, data
  106. }
  107. if bytes.Equal(line, endText) {
  108. // Back up to the start of the line because armor expects to see the
  109. // header line.
  110. rest = start
  111. break
  112. }
  113. // The final CRLF isn't included in the hash so we don't write it until
  114. // we've seen the next line.
  115. if firstLine {
  116. firstLine = false
  117. } else {
  118. b.Bytes = append(b.Bytes, crlf...)
  119. }
  120. if bytes.HasPrefix(line, dashEscape) {
  121. line = line[2:]
  122. }
  123. line = bytes.TrimRight(line, " \t")
  124. b.Bytes = append(b.Bytes, line...)
  125. b.Plaintext = append(b.Plaintext, line...)
  126. b.Plaintext = append(b.Plaintext, lf)
  127. }
  128. // We want to find the extent of the armored data (including any newlines at
  129. // the end).
  130. i := bytes.Index(rest, end)
  131. if i == -1 {
  132. return nil, data
  133. }
  134. i += len(end)
  135. for i < len(rest) && (rest[i] == '\r' || rest[i] == '\n') {
  136. i++
  137. }
  138. armored := rest[:i]
  139. rest = rest[i:]
  140. var err error
  141. b.ArmoredSignature, err = armor.Decode(bytes.NewBuffer(armored))
  142. if err != nil {
  143. return nil, data
  144. }
  145. return b, rest
  146. }
  147. // A dashEscaper is an io.WriteCloser which processes the body of a clear-signed
  148. // message. The clear-signed message is written to buffered and a hash, suitable
  149. // for signing, is maintained in h.
  150. //
  151. // When closed, an armored signature is created and written to complete the
  152. // message.
  153. type dashEscaper struct {
  154. buffered *bufio.Writer
  155. h hash.Hash
  156. hashType crypto.Hash
  157. atBeginningOfLine bool
  158. isFirstLine bool
  159. whitespace []byte
  160. byteBuf []byte // a one byte buffer to save allocations
  161. privateKey *packet.PrivateKey
  162. config *packet.Config
  163. }
  164. func (d *dashEscaper) Write(data []byte) (n int, err error) {
  165. for _, b := range data {
  166. d.byteBuf[0] = b
  167. if d.atBeginningOfLine {
  168. // The final CRLF isn't included in the hash so we have to wait
  169. // until this point (the start of the next line) before writing it.
  170. if !d.isFirstLine {
  171. d.h.Write(crlf)
  172. }
  173. d.isFirstLine = false
  174. }
  175. // Any whitespace at the end of the line has to be removed so we
  176. // buffer it until we find out whether there's more on this line.
  177. if b == ' ' || b == '\t' || b == '\r' {
  178. d.whitespace = append(d.whitespace, b)
  179. d.atBeginningOfLine = false
  180. continue
  181. }
  182. if d.atBeginningOfLine {
  183. // At the beginning of a line, hyphens have to be escaped.
  184. if b == '-' {
  185. // The signature isn't calculated over the dash-escaped text so
  186. // the escape is only written to buffered.
  187. if _, err = d.buffered.Write(dashEscape); err != nil {
  188. return
  189. }
  190. d.h.Write(d.byteBuf)
  191. d.atBeginningOfLine = false
  192. } else if b == '\n' {
  193. // Nothing to do because we delay writing CRLF to the hash.
  194. } else {
  195. d.h.Write(d.byteBuf)
  196. d.atBeginningOfLine = false
  197. }
  198. if err = d.buffered.WriteByte(b); err != nil {
  199. return
  200. }
  201. } else {
  202. if b == '\n' {
  203. // We got a raw \n. Drop any trailing whitespace and write a
  204. // CRLF.
  205. d.whitespace = d.whitespace[:0]
  206. // We delay writing CRLF to the hash until the start of the
  207. // next line.
  208. if err = d.buffered.WriteByte(b); err != nil {
  209. return
  210. }
  211. d.atBeginningOfLine = true
  212. } else {
  213. // Any buffered whitespace wasn't at the end of the line so
  214. // we need to write it out.
  215. if len(d.whitespace) > 0 {
  216. d.h.Write(d.whitespace)
  217. if _, err = d.buffered.Write(d.whitespace); err != nil {
  218. return
  219. }
  220. d.whitespace = d.whitespace[:0]
  221. }
  222. d.h.Write(d.byteBuf)
  223. if err = d.buffered.WriteByte(b); err != nil {
  224. return
  225. }
  226. }
  227. }
  228. }
  229. n = len(data)
  230. return
  231. }
  232. func (d *dashEscaper) Close() (err error) {
  233. if !d.atBeginningOfLine {
  234. if err = d.buffered.WriteByte(lf); err != nil {
  235. return
  236. }
  237. }
  238. sig := new(packet.Signature)
  239. sig.SigType = packet.SigTypeText
  240. sig.PubKeyAlgo = d.privateKey.PubKeyAlgo
  241. sig.Hash = d.hashType
  242. sig.CreationTime = d.config.Now()
  243. sig.IssuerKeyId = &d.privateKey.KeyId
  244. if err = sig.Sign(d.h, d.privateKey, d.config); err != nil {
  245. return
  246. }
  247. out, err := armor.Encode(d.buffered, "PGP SIGNATURE", nil)
  248. if err != nil {
  249. return
  250. }
  251. if err = sig.Serialize(out); err != nil {
  252. return
  253. }
  254. if err = out.Close(); err != nil {
  255. return
  256. }
  257. if err = d.buffered.Flush(); err != nil {
  258. return
  259. }
  260. return
  261. }
  262. // Encode returns a WriteCloser which will clear-sign a message with privateKey
  263. // and write it to w. If config is nil, sensible defaults are used.
  264. func Encode(w io.Writer, privateKey *packet.PrivateKey, config *packet.Config) (plaintext io.WriteCloser, err error) {
  265. if privateKey.Encrypted {
  266. return nil, errors.InvalidArgumentError("signing key is encrypted")
  267. }
  268. hashType := config.Hash()
  269. name := nameOfHash(hashType)
  270. if len(name) == 0 {
  271. return nil, errors.UnsupportedError("unknown hash type: " + strconv.Itoa(int(hashType)))
  272. }
  273. if !hashType.Available() {
  274. return nil, errors.UnsupportedError("unsupported hash type: " + strconv.Itoa(int(hashType)))
  275. }
  276. h := hashType.New()
  277. buffered := bufio.NewWriter(w)
  278. // start has a \n at the beginning that we don't want here.
  279. if _, err = buffered.Write(start[1:]); err != nil {
  280. return
  281. }
  282. if err = buffered.WriteByte(lf); err != nil {
  283. return
  284. }
  285. if _, err = buffered.WriteString("Hash: "); err != nil {
  286. return
  287. }
  288. if _, err = buffered.WriteString(name); err != nil {
  289. return
  290. }
  291. if err = buffered.WriteByte(lf); err != nil {
  292. return
  293. }
  294. if err = buffered.WriteByte(lf); err != nil {
  295. return
  296. }
  297. plaintext = &dashEscaper{
  298. buffered: buffered,
  299. h: h,
  300. hashType: hashType,
  301. atBeginningOfLine: true,
  302. isFirstLine: true,
  303. byteBuf: make([]byte, 1),
  304. privateKey: privateKey,
  305. config: config,
  306. }
  307. return
  308. }
  309. // nameOfHash returns the OpenPGP name for the given hash, or the empty string
  310. // if the name isn't known. See RFC 4880, section 9.4.
  311. func nameOfHash(h crypto.Hash) string {
  312. switch h {
  313. case crypto.MD5:
  314. return "MD5"
  315. case crypto.SHA1:
  316. return "SHA1"
  317. case crypto.RIPEMD160:
  318. return "RIPEMD160"
  319. case crypto.SHA224:
  320. return "SHA224"
  321. case crypto.SHA256:
  322. return "SHA256"
  323. case crypto.SHA384:
  324. return "SHA384"
  325. case crypto.SHA512:
  326. return "SHA512"
  327. }
  328. return ""
  329. }