-
Notifications
You must be signed in to change notification settings - Fork 15
/
passphrase2pgp.go
704 lines (639 loc) · 16.4 KB
/
passphrase2pgp.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
// This is free and unencumbered software released into the public domain.
package main
import (
"bufio"
"bytes"
"encoding/hex"
"fmt"
"io"
"io/ioutil"
"os"
"strconv"
"time"
"unicode/utf8"
"github.com/skeeto/optparse-go"
"github.com/skeeto/passphrase2pgp/openpgp"
"golang.org/x/crypto/argon2"
)
const (
kdfTime = 8
kdfMemory = 1024 * 1024 // 1 GB
sshRounds = 64 // bcrypt_pbkdf rounds
defaultExpires = "2y"
cmdKey = iota
cmdSign
cmdClearsign
formatPGP = iota
formatSSH
version = "0.1.0"
)
// Print the message like fmt.Printf() and then os.Exit(1).
func fatal(format string, args ...interface{}) {
buf := bytes.NewBufferString("passphrase2pgp: ")
fmt.Fprintf(buf, format, args...)
buf.WriteRune('\n')
os.Stderr.Write(buf.Bytes())
os.Exit(1)
}
// Read and confirm the passphrase per the user's preference.
func readPassphrase(pinentry, hint string, repeat int) ([]byte, error) {
if pinentry != "" {
return pinentryPassphrase(pinentry, hint, repeat)
}
return terminalPassphrase(hint, repeat)
}
// Returns the first line of a file not including \r or \n. Does not
// require a newline and does not return io.EOF.
func firstLine(filename string) ([]byte, error) {
f, err := os.Open(filename)
if err != nil {
return nil, err
}
defer f.Close()
s := bufio.NewScanner(f)
if !s.Scan() {
if err := s.Err(); err != io.EOF {
return nil, err
}
return nil, nil // empty files are ok
}
return s.Bytes(), nil
}
// Derive a 64-byte seed from the given passphrase. The scale factor
// scales up the difficulty proportional to scale*scale.
func kdf(passphrase, uid []byte, scale int) []byte {
time := uint32(kdfTime * scale)
memory := uint32(kdfMemory * scale)
threads := uint8(1)
return argon2.IDKey(passphrase, uid, time, memory, threads, 64)
}
type config struct {
cmd int
args []string
armor bool
check []byte
protect bool
format int
help bool
input string
load string
pinentry string
public bool
repeat int
subkey bool
created int64
uid string
verbose bool
expires int64
passphrase []byte
protectPassword []byte
protectQuery int
}
func usage(w io.Writer) {
bw := bufio.NewWriter(w)
i := " "
b := " "
p := "passphrase2pgp"
f := func(s ...interface{}) {
fmt.Fprintln(bw, s...)
}
f("Usage:")
f(i, p, "<-u id|-l key> [-hv] [-c id] [-i pwfile] [--pinentry[=cmd]]")
f(b, "-K [-anps] [-e[n]] [-f pgp|ssh] [-r n] [-t secs] [-x[spec]]")
f(b, "-S [-a] [-r n] [files...]")
f(b, "-T [-r n] >doc-signed.txt <doc.txt")
f("Commands:")
f(i, "-K, --key output a key (default)")
f(i, "-S, --sign output detached signatures")
f(i, "-T, --clearsign output a cleartext signature")
f("Options:")
f(i, "-a, --armor encode output in ASCII armor")
f(i, "-c, --check KEYID require last Key ID bytes to match")
f(i, "-e, --protect[=ASKS] protect private key with S2K")
f(i, "-f, --format pgp|ssh select key format [pgp]")
f(i, "-h, --help print this help message")
f(i, "-i, --input FILE read passphrase from file")
f(i, "-l, --load FILE load key from file instead of generating")
f(i, "-n, --now use current time as creation date")
f(i, "--pinentry[=CMD] use pinentry to read the passphrase")
f(i, "-p, --public only output the public key")
f(i, "-r, --repeat N number of repeated passphrase prompts")
f(i, "-s, --subkey also output an encryption subkey")
f(i, "-t, --time SECONDS key creation date (unix epoch seconds)")
f(i, "-u, --uid USERID user ID for the key")
f(i, "-v, --verbose print additional information")
f(i, "--version print version information")
f(i, "-x, --expires[=SPEC] set key expiration time ["+defaultExpires+"]")
bw.Flush()
}
func parse() *config {
conf := config{
cmd: cmdKey,
format: formatPGP,
repeat: 1,
}
options := []optparse.Option{
{"sign", 'S', optparse.KindNone},
{"keygen", 'K', optparse.KindNone},
{"clearsign", 'T', optparse.KindNone},
{"armor", 'a', optparse.KindNone},
{"check", 'c', optparse.KindRequired},
{"protect", 'e', optparse.KindOptional},
{"format", 'f', optparse.KindRequired},
{"help", 'h', optparse.KindNone},
{"input", 'i', optparse.KindRequired},
{"load", 'l', optparse.KindRequired},
{"now", 'n', optparse.KindNone},
{"public", 'p', optparse.KindNone},
{"pinentry", 0, optparse.KindOptional},
{"public", 'p', optparse.KindNone},
{"repeat", 'r', optparse.KindRequired},
{"subkey", 's', optparse.KindNone},
{"time", 't', optparse.KindRequired},
{"uid", 'u', optparse.KindRequired},
{"verbose", 'v', optparse.KindNone},
{"version", 0, optparse.KindNone},
{"expires", 'x', optparse.KindOptional},
}
var repeatSeen bool
var uidSeen bool
var timeSeen bool
args := os.Args
if len(args) == 4 && args[1] == "--status-fd=2" && args[2] == "-bsau" {
// Pretend to be GnuPG in order to sign for Git. Unfortunately
// this is fragile, but there's no practical way to avoid it.
// The Git documentation says it depends on the GnuPG interface
// without being specific, so the only robust solution is to
// re-implement the entire GnuPG interface.
args = []string{args[0], "--sign", "--armor", "--uid", args[3]}
os.Stderr.WriteString("\n[GNUPG:] SIG_CREATED ")
}
results, rest, err := optparse.Parse(options, args)
if err != nil {
usage(os.Stderr)
fatal("%s", err)
}
for _, result := range results {
switch result.Long {
case "sign":
conf.cmd = cmdSign
case "keygen":
conf.cmd = cmdKey
case "clearsign":
conf.cmd = cmdClearsign
case "armor":
conf.armor = true
case "check":
check, err := hex.DecodeString(result.Optarg)
if err != nil {
fatal("%s: %q", err, result.Optarg)
}
conf.check = check
case "protect":
conf.protect = true
if result.Optarg != "" {
repeat, err := strconv.Atoi(result.Optarg)
if err != nil {
fatal("--protect (-e): %s", err)
}
conf.protectQuery = repeat
}
case "format":
switch result.Optarg {
case "pgp":
conf.format = formatPGP
case "ssh":
conf.format = formatSSH
default:
fatal("invalid format: %s", result.Optarg)
}
case "help":
usage(os.Stdout)
os.Exit(0)
case "input":
conf.input = result.Optarg
case "load":
conf.load = result.Optarg
case "now":
conf.created = time.Now().Unix()
timeSeen = true
case "pinentry":
if result.Optarg != "" {
conf.pinentry = result.Optarg
} else {
conf.pinentry = "pinentry"
}
case "public":
conf.public = true
case "repeat":
repeat, err := strconv.Atoi(result.Optarg)
if err != nil {
fatal("--repeat (-r): %s", err)
}
conf.repeat = repeat
repeatSeen = true
case "subkey":
conf.subkey = true
case "time":
time, err := strconv.ParseUint(result.Optarg, 10, 32)
if err != nil {
fatal("--time (-t): %s", err)
}
conf.created = int64(time)
timeSeen = true
case "uid":
conf.uid = result.Optarg
if len(conf.uid) > 255 {
fatal("user ID length must be <= 255 bytes")
}
if !utf8.ValidString(conf.uid) {
fatal("user ID must be valid UTF-8")
}
uidSeen = true
case "verbose":
conf.verbose = true
case "version":
fmt.Println("passphrase2pgp", version)
os.Exit(0)
case "expires":
conf.expires = timespec(result.Optarg)
}
}
if !uidSeen && conf.load == "" {
// Using os.Getenv instead of os.LookupEnv because empty is just
// as good as not set. It means a user can do something like:
// $ EMAIL= passphrase2pgp ...
if email := os.Getenv("EMAIL"); email != "" {
if realname := os.Getenv("REALNAME"); realname != "" {
conf.uid = fmt.Sprintf("%s <%s>", realname, email)
}
}
if conf.uid == "" {
fatal("--uid or --load required (or $REALNAME and $EMAIL)")
}
}
if conf.load != "" && !timeSeen {
conf.created = time.Now().Unix()
}
if conf.check == nil {
check, err := hex.DecodeString(os.Getenv("KEYID"))
if err != nil {
fmt.Fprintf(os.Stderr, "warning: $KEYID invalid, ignoring it\n")
} else {
conf.check = check
}
}
if len(conf.check) > 0 {
if !repeatSeen {
conf.repeat = 0
}
}
if conf.expires != 0 {
delta := conf.expires - conf.created
if delta > 0xffffffff {
// Delta between created date and expiration must fit in a
// 32-bit integer. According to RFC 4880, this should
// treated as a uint32. However, GnuPG (as of 2.2.12) treats
// it as int32, allowing for nonsensical negative values
// (keys can expire before they were created) and cutting
// the range in half. This is a GnuPG bug, but hopefully
// it will be fixed before it becomes a problem.
fatal("key expiration too far in the future")
// Side note: Another GnuPG bug is that it doesn't properly
// process expiration dates for keys with a zero creation
// date (i.e. passphrase2pgp keys), and instead treats such
// keys as having no expiration date. Hopefully this is
// fixed someday, too.
}
}
conf.args = rest
switch conf.cmd {
case cmdKey:
if len(conf.args) > 0 {
fatal("too many arguments")
}
case cmdSign:
// processed elsewhere
case cmdClearsign:
if len(conf.args) > 1 {
fatal("too many arguments")
}
}
return &conf
}
// Return a key expiration date from the given "timespec" string. See
// the README for format information.
func timespec(ts string) int64 {
if ts == "" {
ts = defaultExpires
}
unit := ts[len(ts)-1]
value := ts
var duration time.Duration
switch unit {
case 'd':
value = ts[:len(ts)-1]
duration = time.Hour * 24
case 'w':
value = ts[:len(ts)-1]
duration = time.Hour * 24 * 7
case 'm':
value = ts[:len(ts)-1]
duration = time.Hour * 24 * 30
case 'y':
value = ts[:len(ts)-1]
duration = time.Hour * 24 * 365
}
t, err := strconv.ParseInt(value, 10, 64)
if err != nil {
fatal("timespec, %s: %s", err, ts)
}
if duration != 0 {
t = time.Now().Unix() + int64(duration.Seconds())*t
}
if t < 0 {
fatal("timespec cannot be negative: %s", ts)
}
return t
}
func main() {
var key openpgp.SignKey
var subkey openpgp.EncryptKey
var userid openpgp.UserID
config := parse()
if config.load == "" {
if config.verbose {
fmt.Fprintf(os.Stderr, "User ID: %s\n", config.uid)
}
// Read the passphrase from the terminal
var err error
if config.input != "" {
config.passphrase, err = firstLine(config.input)
} else {
pinentry := config.pinentry
repeat := config.repeat
config.passphrase, err = readPassphrase(pinentry, "", repeat)
}
if err != nil {
fatal("%s", err)
}
// Run KDF on passphrase
scale := 1
seed := kdf(config.passphrase, []byte(config.uid), scale)
key.Seed(seed[:32])
key.SetCreated(config.created)
key.SetExpires(config.expires)
userid = openpgp.UserID{[]byte(config.uid)}
if config.subkey {
subkey.Seed(seed[32:])
subkey.SetCreated(config.created)
subkey.SetExpires(config.expires)
}
} else {
// Load keys from previous output
packets, err := parsePackets(config.load)
if err != nil {
fatal("%s", err)
}
if len(packets) < 3 {
fatal("invalid input (too few packets)")
}
config.created = time.Now().Unix()
if err := key.Load(packets[0], nil); err != nil {
if err != openpgp.ErrDecryptKey {
fatal("%s", err)
}
pinentry := config.pinentry
repeat := config.protectQuery - 1
password, err := readPassphrase(pinentry, "protection", repeat)
if err != nil {
fatal("%s", err)
}
config.protectPassword = password
if err := key.Load(packets[0], password); err != nil {
fatal("%s", err)
}
}
if err := userid.Load(packets[1]); err != nil {
fatal("%s", err)
}
if config.verbose {
fmt.Fprintf(os.Stderr, "User ID: %s\n", userid.ID)
}
config.subkey = false
if len(packets) >= 5 {
password := config.protectPassword
if err := subkey.Load(packets[3], password); err != nil {
fatal("%s", err)
}
config.subkey = true
}
}
keyid := key.KeyID()
if config.verbose {
fmt.Fprintf(os.Stderr, "Key ID: %X\n", keyid)
}
checked := keyid[len(keyid)-len(config.check):]
if !bytes.Equal(config.check, checked) {
fatal("Key ID does not match --check (-c):\n %X != %X",
checked, config.check)
}
switch config.cmd {
case cmdKey:
ck := completeKey{&key, &userid, &subkey}
switch config.format {
case formatPGP:
ck.outputPGP(config)
case formatSSH:
ck.outputSSH(config)
}
case cmdSign:
if len(config.args) == 0 {
// stdin to stdout
output, err := key.Sign(os.Stdin)
if err != nil {
fatal("%s", err)
}
if config.armor {
output = openpgp.Armor(output)
}
_, err = os.Stdout.Write(output)
if err != nil {
fatal("%s", err)
}
} else {
// file by file
var ext string
if config.armor {
ext = ".asc"
} else {
ext = ".sig"
}
for _, infile := range config.args {
// Open input file first
in, err := os.Open(infile)
if err != nil {
fatal("%s: %s", err, infile)
}
// Create output file second (before reading input)
outfile := infile + ext
out, err := os.Create(outfile)
if err != nil {
fatal("%s: %s", err, outfile)
}
// Process input, cleaning up on error
output, err := key.Sign(in)
if err != nil {
out.Close()
os.Remove(outfile)
fatal("%s: %s", err, infile)
}
if config.armor {
output = openpgp.Armor(output)
}
// Write output, cleaning up on error
_, err = out.Write(output)
out.Close()
if err != nil {
os.Remove(outfile)
fatal("%s: %s", err, outfile)
}
}
}
case cmdClearsign:
out := bufio.NewWriter(os.Stdout)
var in io.Reader
var f *os.File
if len(config.args) == 1 {
var err error
f, err = os.Open(config.args[0])
if err != nil {
fatal("%s", err)
}
in = key.Clearsign(f)
} else {
in = key.Clearsign(os.Stdin)
}
// Pump input through filter
if _, err := io.Copy(out, in); err != nil {
fatal("%s", err)
}
if err := out.Flush(); err != nil {
fatal("%s", err)
}
if f != nil {
f.Close()
}
}
}
type completeKey struct {
key *openpgp.SignKey
userid *openpgp.UserID
subkey *openpgp.EncryptKey
}
func (k *completeKey) outputPGP(config *config) {
key := k.key
userid := k.userid
subkey := k.subkey
flags := 0
if config.subkey {
flags |= openpgp.FlagMDC
}
var buf bytes.Buffer
if config.public {
buf.Write(key.PubPacket())
buf.Write(userid.Packet())
buf.Write(key.SelfSign(userid, config.created, flags))
if config.subkey {
buf.Write(subkey.PubPacket())
buf.Write(key.Bind(subkey, config.created))
}
} else {
if config.protect {
buf.Write(key.EncPacket(getProtect(config)))
} else {
buf.Write(key.Packet())
}
buf.Write(userid.Packet())
buf.Write(key.SelfSign(userid, config.created, flags))
if config.subkey {
if config.protect {
buf.Write(subkey.EncPacket(config.protectPassword))
} else {
buf.Write(subkey.Packet())
}
buf.Write(key.Bind(subkey, config.created))
}
}
output := buf.Bytes()
if config.armor {
output = openpgp.Armor(output)
}
if _, err := os.Stdout.Write(output); err != nil {
fatal("%s", err)
}
}
func getProtect(config *config) []byte {
if config.protectPassword == nil {
if config.protectQuery > 0 {
var err error
pinentry := config.pinentry
repeat := config.protectQuery - 1
password, err := readPassphrase(pinentry, "protection", repeat)
if err != nil {
fatal("%s", err)
}
config.protectPassword = password
} else if config.protectPassword == nil {
config.protectPassword = config.passphrase
}
}
return config.protectPassword
}
func (k *completeKey) outputSSH(config *config) {
pubkey := k.key.Pubkey()
seckey := k.key.Seckey()
uid := k.userid.ID
if !config.public {
var b []byte
if config.protect {
b = secSSH(pubkey, seckey, uid, getProtect(config), sshRounds)
} else {
b = secSSH(pubkey, seckey, uid, nil, 0)
}
if _, err := os.Stdout.Write(b); err != nil {
fatal("%s", err)
}
}
b := pubSSH(pubkey, uid)
if _, err := os.Stdout.Write(b); err != nil {
fatal("%s", err)
}
}
func parsePackets(filename string) ([]openpgp.Packet, error) {
data, err := ioutil.ReadFile(filename)
if err != nil {
return nil, err
}
if len(data) < 1 {
return nil, openpgp.ErrInvalidPacket
}
if data[0] < 128 {
var err error
data, err = openpgp.Dearmor(data)
if err != nil {
return nil, err
}
}
var packets []openpgp.Packet
for len(data) > 0 {
var err error
var packet openpgp.Packet
packet, data, err = openpgp.ParsePacket(data)
if err != nil {
return nil, err
}
packets = append(packets, packet)
}
return packets, nil
}