summaryrefslogtreecommitdiffstats
path: root/src/lib/pgp-key.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/pgp-key.cpp')
-rw-r--r--src/lib/pgp-key.cpp2776
1 files changed, 2776 insertions, 0 deletions
diff --git a/src/lib/pgp-key.cpp b/src/lib/pgp-key.cpp
new file mode 100644
index 0000000..4300331
--- /dev/null
+++ b/src/lib/pgp-key.cpp
@@ -0,0 +1,2776 @@
+/*
+ * Copyright (c) 2017-2022 [Ribose Inc](https://www.ribose.com).
+ * Copyright (c) 2009 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This code is originally derived from software contributed to
+ * The NetBSD Foundation by Alistair Crooks (agc@netbsd.org), and
+ * carried further by Ribose Inc (https://www.ribose.com).
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+/*
+ * Copyright (c) 2005-2008 Nominet UK (www.nic.uk)
+ * All rights reserved.
+ * Contributors: Ben Laurie, Rachel Willmer. The Contributors have asserted
+ * their moral rights under the UK Copyright Design and Patents Act 1988 to
+ * be recorded as the authors of this copyright work.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License.
+ *
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pgp-key.h"
+#include "utils.h"
+#include <librekey/key_store_pgp.h>
+#include <librekey/key_store_g10.h>
+#include "crypto.h"
+#include "crypto/s2k.h"
+#include "crypto/mem.h"
+#include "crypto/signatures.h"
+#include "fingerprint.h"
+
+#include <librepgp/stream-packet.h>
+#include <librepgp/stream-key.h>
+#include <librepgp/stream-sig.h>
+#include <librepgp/stream-armor.h>
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <assert.h>
+#include <time.h>
+#include <algorithm>
+#include <stdexcept>
+#include "defaults.h"
+
+pgp_key_pkt_t *
+pgp_decrypt_seckey_pgp(const pgp_rawpacket_t &raw,
+ const pgp_key_pkt_t & pubkey,
+ const char * password)
+{
+ try {
+ rnp::MemorySource src(raw.raw.data(), raw.raw.size(), false);
+ auto res = std::unique_ptr<pgp_key_pkt_t>(new pgp_key_pkt_t());
+ if (res->parse(src.src()) || decrypt_secret_key(res.get(), password)) {
+ return NULL;
+ }
+ return res.release();
+ } catch (const std::exception &e) {
+ RNP_LOG("%s", e.what());
+ return NULL;
+ }
+}
+
+/* Note that this function essentially serves two purposes.
+ * - In the case of a protected key, it requests a password and
+ * uses it to decrypt the key and fill in key->key.seckey.
+ * - In the case of an unprotected key, it simply re-loads
+ * key->key.seckey by parsing the key data in packets[0].
+ */
+pgp_key_pkt_t *
+pgp_decrypt_seckey(const pgp_key_t & key,
+ const pgp_password_provider_t &provider,
+ const pgp_password_ctx_t & ctx)
+{
+ // sanity checks
+ if (!key.is_secret()) {
+ RNP_LOG("invalid args");
+ return NULL;
+ }
+ // ask the provider for a password
+ rnp::secure_array<char, MAX_PASSWORD_LENGTH> password;
+ if (key.is_protected() &&
+ !pgp_request_password(&provider, &ctx, password.data(), password.size())) {
+ return NULL;
+ }
+ // attempt to decrypt with the provided password
+ switch (key.format) {
+ case PGP_KEY_STORE_GPG:
+ case PGP_KEY_STORE_KBX:
+ return pgp_decrypt_seckey_pgp(key.rawpkt(), key.pkt(), password.data());
+ case PGP_KEY_STORE_G10:
+ return g10_decrypt_seckey(key.rawpkt(), key.pkt(), password.data());
+ default:
+ RNP_LOG("unexpected format: %d", key.format);
+ return NULL;
+ }
+}
+
+pgp_key_t *
+pgp_sig_get_signer(const pgp_subsig_t &sig, rnp_key_store_t *keyring, pgp_key_provider_t *prov)
+{
+ pgp_key_request_ctx_t ctx(PGP_OP_VERIFY, false, PGP_KEY_SEARCH_UNKNOWN);
+ /* if we have fingerprint let's check it */
+ if (sig.sig.has_keyfp()) {
+ ctx.search.by.fingerprint = sig.sig.keyfp();
+ ctx.search.type = PGP_KEY_SEARCH_FINGERPRINT;
+ } else if (sig.sig.has_keyid()) {
+ ctx.search.by.keyid = sig.sig.keyid();
+ ctx.search.type = PGP_KEY_SEARCH_KEYID;
+ } else {
+ RNP_LOG("No way to search for the signer.");
+ return NULL;
+ }
+
+ pgp_key_t *key = rnp_key_store_search(keyring, &ctx.search, NULL);
+ if (key || !prov) {
+ return key;
+ }
+ return pgp_request_key(prov, &ctx);
+}
+
+static const id_str_pair ss_rr_code_map[] = {
+ {PGP_REVOCATION_NO_REASON, "No reason specified"},
+ {PGP_REVOCATION_SUPERSEDED, "Key is superseded"},
+ {PGP_REVOCATION_COMPROMISED, "Key material has been compromised"},
+ {PGP_REVOCATION_RETIRED, "Key is retired and no longer used"},
+ {PGP_REVOCATION_NO_LONGER_VALID, "User ID information is no longer valid"},
+ {0x00, NULL},
+};
+
+pgp_key_t *
+pgp_key_get_subkey(const pgp_key_t *key, rnp_key_store_t *store, size_t idx)
+{
+ try {
+ return rnp_key_store_get_key_by_fpr(store, key->get_subkey_fp(idx));
+ } catch (const std::exception &e) {
+ RNP_LOG("%s", e.what());
+ return NULL;
+ }
+}
+
+pgp_key_flags_t
+pgp_pk_alg_capabilities(pgp_pubkey_alg_t alg)
+{
+ switch (alg) {
+ case PGP_PKA_RSA:
+ return pgp_key_flags_t(PGP_KF_SIGN | PGP_KF_CERTIFY | PGP_KF_AUTH | PGP_KF_ENCRYPT);
+
+ case PGP_PKA_RSA_SIGN_ONLY:
+ // deprecated, but still usable
+ return PGP_KF_SIGN;
+
+ case PGP_PKA_RSA_ENCRYPT_ONLY:
+ // deprecated, but still usable
+ return PGP_KF_ENCRYPT;
+
+ case PGP_PKA_ELGAMAL_ENCRYPT_OR_SIGN: /* deprecated */
+ // These are no longer permitted per the RFC
+ return PGP_KF_NONE;
+
+ case PGP_PKA_DSA:
+ case PGP_PKA_ECDSA:
+ case PGP_PKA_EDDSA:
+ return pgp_key_flags_t(PGP_KF_SIGN | PGP_KF_CERTIFY | PGP_KF_AUTH);
+
+ case PGP_PKA_SM2:
+ return pgp_key_flags_t(PGP_KF_SIGN | PGP_KF_CERTIFY | PGP_KF_AUTH | PGP_KF_ENCRYPT);
+
+ case PGP_PKA_ECDH:
+ case PGP_PKA_ELGAMAL:
+ return PGP_KF_ENCRYPT;
+
+ default:
+ RNP_LOG("unknown pk alg: %d\n", alg);
+ return PGP_KF_NONE;
+ }
+}
+
+bool
+pgp_key_t::write_sec_pgp(pgp_dest_t & dst,
+ pgp_key_pkt_t & seckey,
+ const std::string &password,
+ rnp::RNG & rng)
+{
+ bool res = false;
+ pgp_pkt_type_t oldtag = seckey.tag;
+
+ seckey.tag = type();
+ if (encrypt_secret_key(&seckey, password.c_str(), rng)) {
+ goto done;
+ }
+ try {
+ seckey.write(dst);
+ res = !dst.werr;
+ } catch (const std::exception &e) {
+ RNP_LOG("%s", e.what());
+ }
+done:
+ seckey.tag = oldtag;
+ return res;
+}
+
+bool
+pgp_key_t::write_sec_rawpkt(pgp_key_pkt_t & seckey,
+ const std::string & password,
+ rnp::SecurityContext &ctx)
+{
+ // encrypt+write the key in the appropriate format
+ try {
+ rnp::MemoryDest memdst;
+ switch (format) {
+ case PGP_KEY_STORE_GPG:
+ case PGP_KEY_STORE_KBX:
+ if (!write_sec_pgp(memdst.dst(), seckey, password, ctx.rng)) {
+ RNP_LOG("failed to write secret key");
+ return false;
+ }
+ break;
+ case PGP_KEY_STORE_G10:
+ if (!g10_write_seckey(&memdst.dst(), &seckey, password.c_str(), ctx)) {
+ RNP_LOG("failed to write g10 secret key");
+ return false;
+ }
+ break;
+ default:
+ RNP_LOG("invalid format");
+ return false;
+ }
+
+ rawpkt_ = pgp_rawpacket_t((uint8_t *) memdst.memory(), memdst.writeb(), type());
+ return true;
+ } catch (const std::exception &e) {
+ RNP_LOG("%s", e.what());
+ return false;
+ }
+}
+
+static bool
+update_sig_expiration(pgp_signature_t * dst,
+ const pgp_signature_t *src,
+ uint64_t create,
+ uint32_t expiry)
+{
+ try {
+ *dst = *src;
+ if (!expiry) {
+ dst->remove_subpkt(dst->get_subpkt(PGP_SIG_SUBPKT_KEY_EXPIRY));
+ } else {
+ dst->set_key_expiration(expiry);
+ }
+ dst->set_creation(create);
+ return true;
+ } catch (const std::exception &e) {
+ RNP_LOG("%s", e.what());
+ return false;
+ }
+}
+
+bool
+pgp_key_set_expiration(pgp_key_t * key,
+ pgp_key_t * seckey,
+ uint32_t expiry,
+ const pgp_password_provider_t &prov,
+ rnp::SecurityContext & ctx)
+{
+ if (!key->is_primary()) {
+ RNP_LOG("Not a primary key");
+ return false;
+ }
+
+ std::vector<pgp_sig_id_t> sigs;
+ /* update expiration for the latest direct-key signature and self-signature for each userid
+ */
+ pgp_subsig_t *sig = key->latest_selfsig(PGP_UID_NONE);
+ if (sig) {
+ sigs.push_back(sig->sigid);
+ }
+ for (size_t uid = 0; uid < key->uid_count(); uid++) {
+ sig = key->latest_selfsig(uid);
+ if (sig) {
+ sigs.push_back(sig->sigid);
+ }
+ }
+ if (sigs.empty()) {
+ RNP_LOG("No valid self-signature(s)");
+ return false;
+ }
+
+ rnp::KeyLocker seclock(*seckey);
+ for (const auto &sigid : sigs) {
+ pgp_subsig_t &sig = key->get_sig(sigid);
+ /* update signature and re-sign it */
+ if (!expiry && !sig.sig.has_subpkt(PGP_SIG_SUBPKT_KEY_EXPIRY)) {
+ continue;
+ }
+
+ /* unlock secret key if needed */
+ if (seckey->is_locked() && !seckey->unlock(prov)) {
+ RNP_LOG("Failed to unlock secret key");
+ return false;
+ }
+
+ pgp_signature_t newsig;
+ pgp_sig_id_t oldsigid = sigid;
+ if (!update_sig_expiration(&newsig, &sig.sig, ctx.time(), expiry)) {
+ return false;
+ }
+ try {
+ if (sig.is_cert()) {
+ if (sig.uid >= key->uid_count()) {
+ RNP_LOG("uid not found");
+ return false;
+ }
+ seckey->sign_cert(key->pkt(), key->get_uid(sig.uid).pkt, newsig, ctx);
+ } else {
+ /* direct-key signature case */
+ seckey->sign_direct(key->pkt(), newsig, ctx);
+ }
+ /* replace signature, first for secret key since it may be replaced in public */
+ if (seckey->has_sig(oldsigid)) {
+ seckey->replace_sig(oldsigid, newsig);
+ }
+ if (key != seckey) {
+ key->replace_sig(oldsigid, newsig);
+ }
+ } catch (const std::exception &e) {
+ RNP_LOG("failed to calculate or add signature: %s", e.what());
+ return false;
+ }
+ }
+
+ if (!seckey->refresh_data(ctx)) {
+ RNP_LOG("Failed to refresh seckey data.");
+ return false;
+ }
+ if ((key != seckey) && !key->refresh_data(ctx)) {
+ RNP_LOG("Failed to refresh key data.");
+ return false;
+ }
+ return true;
+}
+
+bool
+pgp_subkey_set_expiration(pgp_key_t * sub,
+ pgp_key_t * primsec,
+ pgp_key_t * secsub,
+ uint32_t expiry,
+ const pgp_password_provider_t &prov,
+ rnp::SecurityContext & ctx)
+{
+ if (!sub->is_subkey()) {
+ RNP_LOG("Not a subkey");
+ return false;
+ }
+
+ /* find the latest valid subkey binding */
+ pgp_subsig_t *subsig = sub->latest_binding();
+ if (!subsig) {
+ RNP_LOG("No valid subkey binding");
+ return false;
+ }
+ if (!expiry && !subsig->sig.has_subpkt(PGP_SIG_SUBPKT_KEY_EXPIRY)) {
+ return true;
+ }
+
+ rnp::KeyLocker primlock(*primsec);
+ if (primsec->is_locked() && !primsec->unlock(prov)) {
+ RNP_LOG("Failed to unlock primary key");
+ return false;
+ }
+ bool subsign = secsub->can_sign();
+ rnp::KeyLocker sublock(*secsub);
+ if (subsign && secsub->is_locked() && !secsub->unlock(prov)) {
+ RNP_LOG("Failed to unlock subkey");
+ return false;
+ }
+
+ try {
+ /* update signature and re-sign */
+ pgp_signature_t newsig;
+ pgp_sig_id_t oldsigid = subsig->sigid;
+ if (!update_sig_expiration(&newsig, &subsig->sig, ctx.time(), expiry)) {
+ return false;
+ }
+ primsec->sign_subkey_binding(*secsub, newsig, ctx);
+ /* replace signature, first for the secret key since it may be replaced in public */
+ if (secsub->has_sig(oldsigid)) {
+ secsub->replace_sig(oldsigid, newsig);
+ if (!secsub->refresh_data(primsec, ctx)) {
+ return false;
+ }
+ }
+ if (sub == secsub) {
+ return true;
+ }
+ sub->replace_sig(oldsigid, newsig);
+ return sub->refresh_data(primsec, ctx);
+ } catch (const std::exception &e) {
+ RNP_LOG("%s", e.what());
+ return false;
+ }
+}
+
+pgp_key_t *
+find_suitable_key(pgp_op_t op,
+ pgp_key_t * key,
+ pgp_key_provider_t *key_provider,
+ bool no_primary)
+{
+ if (!key) {
+ return NULL;
+ }
+ bool secret = false;
+ switch (op) {
+ case PGP_OP_ENCRYPT:
+ break;
+ case PGP_OP_SIGN:
+ case PGP_OP_CERTIFY:
+ secret = true;
+ break;
+ default:
+ RNP_LOG("Unsupported operation: %d", (int) op);
+ return NULL;
+ }
+ /* Return if specified primary key fits our needs */
+ if (!no_primary && key->usable_for(op)) {
+ return key;
+ }
+ /* Check for the case when we need to look up for a secret key */
+ pgp_key_request_ctx_t ctx(op, secret, PGP_KEY_SEARCH_FINGERPRINT);
+ if (!no_primary && secret && key->is_public() && key->usable_for(op, true)) {
+ ctx.search.by.fingerprint = key->fp();
+ pgp_key_t *sec = pgp_request_key(key_provider, &ctx);
+ if (sec && sec->usable_for(op)) {
+ return sec;
+ }
+ }
+ /* Now look up for subkeys */
+ pgp_key_t *subkey = NULL;
+ for (auto &fp : key->subkey_fps()) {
+ ctx.search.by.fingerprint = fp;
+ pgp_key_t *cur = pgp_request_key(key_provider, &ctx);
+ if (!cur || !cur->usable_for(op)) {
+ continue;
+ }
+ if (!subkey || (cur->creation() > subkey->creation())) {
+ subkey = cur;
+ }
+ }
+ return subkey;
+}
+
+pgp_hash_alg_t
+pgp_hash_adjust_alg_to_key(pgp_hash_alg_t hash, const pgp_key_pkt_t *pubkey)
+{
+ if ((pubkey->alg != PGP_PKA_DSA) && (pubkey->alg != PGP_PKA_ECDSA)) {
+ return hash;
+ }
+
+ pgp_hash_alg_t hash_min;
+ if (pubkey->alg == PGP_PKA_ECDSA) {
+ hash_min = ecdsa_get_min_hash(pubkey->material.ec.curve);
+ } else {
+ hash_min = dsa_get_min_hash(mpi_bits(&pubkey->material.dsa.q));
+ }
+
+ if (rnp::Hash::size(hash) < rnp::Hash::size(hash_min)) {
+ return hash_min;
+ }
+ return hash;
+}
+
+static void
+bytevec_append_uniq(std::vector<uint8_t> &vec, uint8_t val)
+{
+ if (std::find(vec.begin(), vec.end(), val) == vec.end()) {
+ vec.push_back(val);
+ }
+}
+
+void
+pgp_user_prefs_t::set_symm_algs(const std::vector<uint8_t> &algs)
+{
+ symm_algs = algs;
+}
+
+void
+pgp_user_prefs_t::add_symm_alg(pgp_symm_alg_t alg)
+{
+ bytevec_append_uniq(symm_algs, alg);
+}
+
+void
+pgp_user_prefs_t::set_hash_algs(const std::vector<uint8_t> &algs)
+{
+ hash_algs = algs;
+}
+
+void
+pgp_user_prefs_t::add_hash_alg(pgp_hash_alg_t alg)
+{
+ bytevec_append_uniq(hash_algs, alg);
+}
+
+void
+pgp_user_prefs_t::set_z_algs(const std::vector<uint8_t> &algs)
+{
+ z_algs = algs;
+}
+
+void
+pgp_user_prefs_t::add_z_alg(pgp_compression_type_t alg)
+{
+ bytevec_append_uniq(z_algs, alg);
+}
+
+void
+pgp_user_prefs_t::set_ks_prefs(const std::vector<uint8_t> &prefs)
+{
+ ks_prefs = prefs;
+}
+
+void
+pgp_user_prefs_t::add_ks_pref(pgp_key_server_prefs_t pref)
+{
+ bytevec_append_uniq(ks_prefs, pref);
+}
+
+pgp_rawpacket_t::pgp_rawpacket_t(const pgp_signature_t &sig)
+{
+ rnp::MemoryDest dst;
+ sig.write(dst.dst());
+ raw = dst.to_vector();
+ tag = PGP_PKT_SIGNATURE;
+}
+
+pgp_rawpacket_t::pgp_rawpacket_t(pgp_key_pkt_t &key)
+{
+ rnp::MemoryDest dst;
+ key.write(dst.dst());
+ raw = dst.to_vector();
+ tag = key.tag;
+}
+
+pgp_rawpacket_t::pgp_rawpacket_t(const pgp_userid_pkt_t &uid)
+{
+ rnp::MemoryDest dst;
+ uid.write(dst.dst());
+ raw = dst.to_vector();
+ tag = uid.tag;
+}
+
+void
+pgp_rawpacket_t::write(pgp_dest_t &dst) const
+{
+ dst_write(&dst, raw.data(), raw.size());
+}
+
+void
+pgp_validity_t::mark_valid()
+{
+ validated = true;
+ valid = true;
+ expired = false;
+}
+
+void
+pgp_validity_t::reset()
+{
+ validated = false;
+ valid = false;
+ expired = false;
+}
+
+pgp_subsig_t::pgp_subsig_t(const pgp_signature_t &pkt)
+{
+ sig = pkt;
+ sigid = sig.get_id();
+ if (sig.has_subpkt(PGP_SIG_SUBPKT_TRUST)) {
+ trustlevel = sig.trust_level();
+ trustamount = sig.trust_amount();
+ }
+ prefs.set_symm_algs(sig.preferred_symm_algs());
+ prefs.set_hash_algs(sig.preferred_hash_algs());
+ prefs.set_z_algs(sig.preferred_z_algs());
+
+ if (sig.has_subpkt(PGP_SIG_SUBPKT_KEY_FLAGS)) {
+ key_flags = sig.key_flags();
+ }
+ if (sig.has_subpkt(PGP_SIG_SUBPKT_KEYSERV_PREFS)) {
+ prefs.set_ks_prefs({sig.key_server_prefs()});
+ }
+ if (sig.has_subpkt(PGP_SIG_SUBPKT_PREF_KEYSERV)) {
+ prefs.key_server = sig.key_server();
+ }
+ /* add signature rawpacket */
+ rawpkt = pgp_rawpacket_t(sig);
+}
+
+bool
+pgp_subsig_t::valid() const
+{
+ return validity.validated && validity.valid && !validity.expired;
+}
+
+bool
+pgp_subsig_t::validated() const
+{
+ return validity.validated;
+}
+
+bool
+pgp_subsig_t::is_cert() const
+{
+ pgp_sig_type_t type = sig.type();
+ return (type == PGP_CERT_CASUAL) || (type == PGP_CERT_GENERIC) ||
+ (type == PGP_CERT_PERSONA) || (type == PGP_CERT_POSITIVE);
+}
+
+bool
+pgp_subsig_t::expired(uint64_t at) const
+{
+ /* sig expiration: absence of subpkt or 0 means it never expires */
+ uint64_t expiration = sig.expiration();
+ if (!expiration) {
+ return false;
+ }
+ return expiration + sig.creation() < at;
+}
+
+pgp_userid_t::pgp_userid_t(const pgp_userid_pkt_t &uidpkt)
+{
+ /* copy packet data */
+ pkt = uidpkt;
+ rawpkt = pgp_rawpacket_t(uidpkt);
+ /* populate uid string */
+ if (uidpkt.tag == PGP_PKT_USER_ID) {
+ str = std::string(uidpkt.uid, uidpkt.uid + uidpkt.uid_len);
+ } else {
+ str = "(photo)";
+ }
+}
+
+size_t
+pgp_userid_t::sig_count() const
+{
+ return sigs_.size();
+}
+
+const pgp_sig_id_t &
+pgp_userid_t::get_sig(size_t idx) const
+{
+ if (idx >= sigs_.size()) {
+ throw std::out_of_range("idx");
+ }
+ return sigs_[idx];
+}
+
+bool
+pgp_userid_t::has_sig(const pgp_sig_id_t &id) const
+{
+ return std::find(sigs_.begin(), sigs_.end(), id) != sigs_.end();
+}
+
+void
+pgp_userid_t::add_sig(const pgp_sig_id_t &sig)
+{
+ sigs_.push_back(sig);
+}
+
+void
+pgp_userid_t::replace_sig(const pgp_sig_id_t &id, const pgp_sig_id_t &newsig)
+{
+ auto it = std::find(sigs_.begin(), sigs_.end(), id);
+ if (it == sigs_.end()) {
+ throw std::invalid_argument("id");
+ }
+ *it = newsig;
+}
+
+bool
+pgp_userid_t::del_sig(const pgp_sig_id_t &id)
+{
+ auto it = std::find(sigs_.begin(), sigs_.end(), id);
+ if (it == sigs_.end()) {
+ return false;
+ }
+ sigs_.erase(it);
+ return true;
+}
+
+void
+pgp_userid_t::clear_sigs()
+{
+ sigs_.clear();
+}
+
+pgp_revoke_t::pgp_revoke_t(pgp_subsig_t &sig)
+{
+ uid = sig.uid;
+ sigid = sig.sigid;
+ if (!sig.sig.has_subpkt(PGP_SIG_SUBPKT_REVOCATION_REASON)) {
+ RNP_LOG("Warning: no revocation reason in the revocation");
+ code = PGP_REVOCATION_NO_REASON;
+ } else {
+ code = sig.sig.revocation_code();
+ reason = sig.sig.revocation_reason();
+ }
+ if (reason.empty()) {
+ reason = id_str_pair::lookup(ss_rr_code_map, code);
+ }
+}
+
+pgp_key_t::pgp_key_t(const pgp_key_pkt_t &keypkt) : pkt_(keypkt)
+{
+ if (!is_key_pkt(pkt_.tag) || !pkt_.material.alg) {
+ throw rnp::rnp_exception(RNP_ERROR_BAD_PARAMETERS);
+ }
+ if (pgp_keyid(keyid_, pkt_) || pgp_fingerprint(fingerprint_, pkt_) ||
+ !rnp_key_store_get_key_grip(&pkt_.material, grip_)) {
+ throw rnp::rnp_exception(RNP_ERROR_GENERIC);
+ }
+
+ /* parse secret key if not encrypted */
+ if (is_secret_key_pkt(pkt_.tag)) {
+ bool cleartext = pkt_.sec_protection.s2k.usage == PGP_S2KU_NONE;
+ if (cleartext && decrypt_secret_key(&pkt_, NULL)) {
+ RNP_LOG("failed to setup key fields");
+ throw rnp::rnp_exception(RNP_ERROR_BAD_PARAMETERS);
+ }
+ /* decryption resets validity */
+ pkt_.material.validity = keypkt.material.validity;
+ }
+ /* add rawpacket */
+ rawpkt_ = pgp_rawpacket_t(pkt_);
+ format = PGP_KEY_STORE_GPG;
+}
+
+pgp_key_t::pgp_key_t(const pgp_key_pkt_t &pkt, pgp_key_t &primary) : pgp_key_t(pkt)
+{
+ primary.link_subkey_fp(*this);
+}
+
+pgp_key_t::pgp_key_t(const pgp_key_t &src, bool pubonly)
+{
+ /* Do some checks for g10 keys */
+ if (src.format == PGP_KEY_STORE_G10) {
+ if (pubonly) {
+ RNP_LOG("attempt to copy public part from g10 key");
+ throw std::invalid_argument("pubonly");
+ }
+ }
+
+ if (pubonly) {
+ pkt_ = pgp_key_pkt_t(src.pkt_, true);
+ rawpkt_ = pgp_rawpacket_t(pkt_);
+ } else {
+ pkt_ = src.pkt_;
+ rawpkt_ = src.rawpkt_;
+ }
+
+ uids_ = src.uids_;
+ sigs_ = src.sigs_;
+ sigs_map_ = src.sigs_map_;
+ keysigs_ = src.keysigs_;
+ subkey_fps_ = src.subkey_fps_;
+ primary_fp_set_ = src.primary_fp_set_;
+ primary_fp_ = src.primary_fp_;
+ expiration_ = src.expiration_;
+ flags_ = src.flags_;
+ keyid_ = src.keyid_;
+ fingerprint_ = src.fingerprint_;
+ grip_ = src.grip_;
+ uid0_ = src.uid0_;
+ uid0_set_ = src.uid0_set_;
+ revoked_ = src.revoked_;
+ revocation_ = src.revocation_;
+ format = src.format;
+ validity_ = src.validity_;
+ valid_till_ = src.valid_till_;
+}
+
+pgp_key_t::pgp_key_t(const pgp_transferable_key_t &src) : pgp_key_t(src.key)
+{
+ /* add direct-key signatures */
+ for (auto &sig : src.signatures) {
+ add_sig(sig);
+ }
+
+ /* add userids and their signatures */
+ for (auto &uid : src.userids) {
+ add_uid(uid);
+ }
+}
+
+pgp_key_t::pgp_key_t(const pgp_transferable_subkey_t &src, pgp_key_t *primary)
+ : pgp_key_t(src.subkey)
+{
+ /* add subkey binding signatures */
+ for (auto &sig : src.signatures) {
+ add_sig(sig);
+ }
+
+ /* setup key grips if primary is available */
+ if (primary) {
+ primary->link_subkey_fp(*this);
+ }
+}
+
+size_t
+pgp_key_t::sig_count() const
+{
+ return sigs_.size();
+}
+
+pgp_subsig_t &
+pgp_key_t::get_sig(size_t idx)
+{
+ if (idx >= sigs_.size()) {
+ throw std::out_of_range("idx");
+ }
+ return get_sig(sigs_[idx]);
+}
+
+const pgp_subsig_t &
+pgp_key_t::get_sig(size_t idx) const
+{
+ if (idx >= sigs_.size()) {
+ throw std::out_of_range("idx");
+ }
+ return get_sig(sigs_[idx]);
+}
+
+bool
+pgp_key_t::has_sig(const pgp_sig_id_t &id) const
+{
+ return sigs_map_.count(id);
+}
+
+pgp_subsig_t &
+pgp_key_t::get_sig(const pgp_sig_id_t &id)
+{
+ if (!has_sig(id)) {
+ throw rnp::rnp_exception(RNP_ERROR_BAD_PARAMETERS);
+ }
+ return sigs_map_.at(id);
+}
+
+const pgp_subsig_t &
+pgp_key_t::get_sig(const pgp_sig_id_t &id) const
+{
+ if (!has_sig(id)) {
+ throw rnp::rnp_exception(RNP_ERROR_BAD_PARAMETERS);
+ }
+ return sigs_map_.at(id);
+}
+
+pgp_subsig_t &
+pgp_key_t::replace_sig(const pgp_sig_id_t &id, const pgp_signature_t &newsig)
+{
+ /* save oldsig's uid */
+ size_t uid = get_sig(id).uid;
+ /* delete first old sig since we may have theoretically the same sigid */
+ pgp_sig_id_t oldid = id;
+ sigs_map_.erase(oldid);
+ auto &res = sigs_map_.emplace(std::make_pair(newsig.get_id(), newsig)).first->second;
+ res.uid = uid;
+ auto it = std::find(sigs_.begin(), sigs_.end(), oldid);
+ if (it == sigs_.end()) {
+ throw rnp::rnp_exception(RNP_ERROR_BAD_STATE);
+ }
+ *it = res.sigid;
+ if (uid == PGP_UID_NONE) {
+ auto it = std::find(keysigs_.begin(), keysigs_.end(), oldid);
+ if (it == keysigs_.end()) {
+ throw rnp::rnp_exception(RNP_ERROR_BAD_STATE);
+ }
+ *it = res.sigid;
+ } else {
+ uids_[uid].replace_sig(oldid, res.sigid);
+ }
+ return res;
+}
+
+pgp_subsig_t &
+pgp_key_t::add_sig(const pgp_signature_t &sig, size_t uid)
+{
+ const pgp_sig_id_t sigid = sig.get_id();
+ sigs_map_.erase(sigid);
+ pgp_subsig_t &res = sigs_map_.emplace(std::make_pair(sigid, sig)).first->second;
+ res.uid = uid;
+ sigs_.push_back(sigid);
+ if (uid == PGP_UID_NONE) {
+ keysigs_.push_back(sigid);
+ } else {
+ uids_[uid].add_sig(sigid);
+ }
+ return res;
+}
+
+bool
+pgp_key_t::del_sig(const pgp_sig_id_t &sigid)
+{
+ if (!has_sig(sigid)) {
+ return false;
+ }
+ uint32_t uid = get_sig(sigid).uid;
+ if (uid == PGP_UID_NONE) {
+ /* signature over the key itself */
+ auto it = std::find(keysigs_.begin(), keysigs_.end(), sigid);
+ if (it != keysigs_.end()) {
+ keysigs_.erase(it);
+ }
+ } else if (uid < uids_.size()) {
+ /* userid-related signature */
+ uids_[uid].del_sig(sigid);
+ }
+ auto it = std::find(sigs_.begin(), sigs_.end(), sigid);
+ if (it != sigs_.end()) {
+ sigs_.erase(it);
+ }
+ return sigs_map_.erase(sigid);
+}
+
+size_t
+pgp_key_t::del_sigs(const std::vector<pgp_sig_id_t> &sigs)
+{
+ /* delete actual signatures */
+ size_t res = 0;
+ for (auto &sig : sigs) {
+ res += sigs_map_.erase(sig);
+ }
+ /* rebuild vectors with signatures order */
+ keysigs_.clear();
+ for (auto &uid : uids_) {
+ uid.clear_sigs();
+ }
+ std::vector<pgp_sig_id_t> newsigs;
+ newsigs.reserve(sigs_map_.size());
+ for (auto &sigid : sigs_) {
+ if (!sigs_map_.count(sigid)) {
+ continue;
+ }
+ newsigs.push_back(sigid);
+ uint32_t uid = get_sig(sigid).uid;
+ if (uid == PGP_UID_NONE) {
+ keysigs_.push_back(sigid);
+ } else {
+ uids_[uid].add_sig(sigid);
+ }
+ }
+ sigs_ = std::move(newsigs);
+ return res;
+}
+
+size_t
+pgp_key_t::keysig_count() const
+{
+ return keysigs_.size();
+}
+
+pgp_subsig_t &
+pgp_key_t::get_keysig(size_t idx)
+{
+ if (idx >= keysigs_.size()) {
+ throw std::out_of_range("idx");
+ }
+ return get_sig(keysigs_[idx]);
+}
+
+size_t
+pgp_key_t::uid_count() const
+{
+ return uids_.size();
+}
+
+pgp_userid_t &
+pgp_key_t::get_uid(size_t idx)
+{
+ if (idx >= uids_.size()) {
+ throw std::out_of_range("idx");
+ }
+ return uids_[idx];
+}
+
+const pgp_userid_t &
+pgp_key_t::get_uid(size_t idx) const
+{
+ if (idx >= uids_.size()) {
+ throw std::out_of_range("idx");
+ }
+ return uids_[idx];
+}
+
+bool
+pgp_key_t::has_uid(const std::string &uidstr) const
+{
+ for (auto &userid : uids_) {
+ if (!userid.valid) {
+ continue;
+ }
+ if (userid.str == uidstr) {
+ return true;
+ }
+ }
+ return false;
+}
+
+void
+pgp_key_t::del_uid(size_t idx)
+{
+ if (idx >= uids_.size()) {
+ throw std::out_of_range("idx");
+ }
+
+ std::vector<pgp_sig_id_t> newsigs;
+ /* copy sigs which do not belong to uid */
+ newsigs.reserve(sigs_.size());
+ for (auto &id : sigs_) {
+ if (get_sig(id).uid == idx) {
+ sigs_map_.erase(id);
+ continue;
+ }
+ newsigs.push_back(id);
+ }
+ sigs_ = newsigs;
+ uids_.erase(uids_.begin() + idx);
+ /* update uids */
+ if (idx == uids_.size()) {
+ return;
+ }
+ for (auto &sig : sigs_map_) {
+ if ((sig.second.uid == PGP_UID_NONE) || (sig.second.uid <= idx)) {
+ continue;
+ }
+ sig.second.uid--;
+ }
+}
+
+bool
+pgp_key_t::has_primary_uid() const
+{
+ return uid0_set_;
+}
+
+uint32_t
+pgp_key_t::get_primary_uid() const
+{
+ if (!uid0_set_) {
+ throw rnp::rnp_exception(RNP_ERROR_BAD_PARAMETERS);
+ }
+ return uid0_;
+}
+
+pgp_userid_t &
+pgp_key_t::add_uid(const pgp_transferable_userid_t &uid)
+{
+ /* construct userid */
+ uids_.emplace_back(uid.uid);
+ /* add certifications */
+ for (auto &sig : uid.signatures) {
+ add_sig(sig, uid_count() - 1);
+ }
+ return uids_.back();
+}
+
+bool
+pgp_key_t::revoked() const
+{
+ return revoked_;
+}
+
+const pgp_revoke_t &
+pgp_key_t::revocation() const
+{
+ if (!revoked_) {
+ throw rnp::rnp_exception(RNP_ERROR_BAD_PARAMETERS);
+ }
+ return revocation_;
+}
+
+void
+pgp_key_t::clear_revokes()
+{
+ revoked_ = false;
+ revocation_ = {};
+ for (auto &uid : uids_) {
+ uid.revoked = false;
+ uid.revocation = {};
+ }
+}
+
+const pgp_key_pkt_t &
+pgp_key_t::pkt() const
+{
+ return pkt_;
+}
+
+pgp_key_pkt_t &
+pgp_key_t::pkt()
+{
+ return pkt_;
+}
+
+void
+pgp_key_t::set_pkt(const pgp_key_pkt_t &pkt)
+{
+ pkt_ = pkt;
+}
+
+pgp_key_material_t &
+pgp_key_t::material()
+{
+ return pkt_.material;
+}
+
+pgp_pubkey_alg_t
+pgp_key_t::alg() const
+{
+ return pkt_.alg;
+}
+
+pgp_curve_t
+pgp_key_t::curve() const
+{
+ switch (alg()) {
+ case PGP_PKA_ECDH:
+ case PGP_PKA_ECDSA:
+ case PGP_PKA_EDDSA:
+ case PGP_PKA_SM2:
+ return pkt_.material.ec.curve;
+ default:
+ return PGP_CURVE_UNKNOWN;
+ }
+}
+
+pgp_version_t
+pgp_key_t::version() const
+{
+ return pkt().version;
+}
+
+pgp_pkt_type_t
+pgp_key_t::type() const
+{
+ return pkt().tag;
+}
+
+bool
+pgp_key_t::encrypted() const
+{
+ return is_secret() && !pkt().material.secret;
+}
+
+uint8_t
+pgp_key_t::flags() const
+{
+ return flags_;
+}
+
+bool
+pgp_key_t::can_sign() const
+{
+ return flags_ & PGP_KF_SIGN;
+}
+
+bool
+pgp_key_t::can_certify() const
+{
+ return flags_ & PGP_KF_CERTIFY;
+}
+
+bool
+pgp_key_t::can_encrypt() const
+{
+ return flags_ & PGP_KF_ENCRYPT;
+}
+
+bool
+pgp_key_t::has_secret() const
+{
+ if (!is_secret()) {
+ return false;
+ }
+ if ((format == PGP_KEY_STORE_GPG) && !pkt_.sec_len) {
+ return false;
+ }
+ if (pkt_.sec_protection.s2k.usage == PGP_S2KU_NONE) {
+ return true;
+ }
+ switch (pkt_.sec_protection.s2k.specifier) {
+ case PGP_S2KS_SIMPLE:
+ case PGP_S2KS_SALTED:
+ case PGP_S2KS_ITERATED_AND_SALTED:
+ return true;
+ default:
+ return false;
+ }
+}
+
+bool
+pgp_key_t::usable_for(pgp_op_t op, bool if_secret) const
+{
+ switch (op) {
+ case PGP_OP_ADD_SUBKEY:
+ return is_primary() && can_sign() && (if_secret || has_secret());
+ case PGP_OP_SIGN:
+ return can_sign() && valid() && (if_secret || has_secret());
+ case PGP_OP_CERTIFY:
+ return can_certify() && valid() && (if_secret || has_secret());
+ case PGP_OP_DECRYPT:
+ return can_encrypt() && valid() && (if_secret || has_secret());
+ case PGP_OP_UNLOCK:
+ case PGP_OP_PROTECT:
+ case PGP_OP_UNPROTECT:
+ return has_secret();
+ case PGP_OP_VERIFY:
+ return can_sign() && valid();
+ case PGP_OP_ADD_USERID:
+ return is_primary() && can_sign() && (if_secret || has_secret());
+ case PGP_OP_ENCRYPT:
+ return can_encrypt() && valid();
+ default:
+ return false;
+ }
+}
+
+uint32_t
+pgp_key_t::expiration() const
+{
+ if (pkt_.version >= 4) {
+ return expiration_;
+ }
+ /* too large value for pkt.v3_days may overflow uint32_t */
+ if (pkt_.v3_days > (0xffffffffu / 86400)) {
+ return 0xffffffffu;
+ }
+ return (uint32_t) pkt_.v3_days * 86400;
+}
+
+bool
+pgp_key_t::expired() const
+{
+ return validity_.expired;
+}
+
+uint32_t
+pgp_key_t::creation() const
+{
+ return pkt_.creation_time;
+}
+
+bool
+pgp_key_t::is_public() const
+{
+ return is_public_key_pkt(pkt_.tag);
+}
+
+bool
+pgp_key_t::is_secret() const
+{
+ return is_secret_key_pkt(pkt_.tag);
+}
+
+bool
+pgp_key_t::is_primary() const
+{
+ return is_primary_key_pkt(pkt_.tag);
+}
+
+bool
+pgp_key_t::is_subkey() const
+{
+ return is_subkey_pkt(pkt_.tag);
+}
+
+bool
+pgp_key_t::is_locked() const
+{
+ if (!is_secret()) {
+ RNP_LOG("key is not a secret key");
+ return false;
+ }
+ return encrypted();
+}
+
+bool
+pgp_key_t::is_protected() const
+{
+ // sanity check
+ if (!is_secret()) {
+ RNP_LOG("Warning: this is not a secret key");
+ }
+ return pkt_.sec_protection.s2k.usage != PGP_S2KU_NONE;
+}
+
+bool
+pgp_key_t::valid() const
+{
+ return validity_.validated && validity_.valid && !validity_.expired;
+}
+
+bool
+pgp_key_t::validated() const
+{
+ return validity_.validated;
+}
+
+uint64_t
+pgp_key_t::valid_till_common(bool expiry) const
+{
+ if (!validated()) {
+ return 0;
+ }
+ uint64_t till = expiration() ? (uint64_t) creation() + expiration() : UINT64_MAX;
+ if (valid()) {
+ return till;
+ }
+ if (revoked()) {
+ /* we should not believe to the compromised key at all */
+ if (revocation_.code == PGP_REVOCATION_COMPROMISED) {
+ return 0;
+ }
+ const pgp_subsig_t &revsig = get_sig(revocation_.sigid);
+ if (revsig.sig.creation() > creation()) {
+ /* pick less time from revocation time and expiration time */
+ return std::min((uint64_t) revsig.sig.creation(), till);
+ }
+ return 0;
+ }
+ /* if key is not marked as expired then it wasn't valid at all */
+ return expiry ? till : 0;
+}
+
+uint64_t
+pgp_key_t::valid_till() const
+{
+ return valid_till_;
+}
+
+bool
+pgp_key_t::valid_at(uint64_t timestamp) const
+{
+ /* TODO: consider implementing more sophisticated checks, as key validity time could
+ * possibly be non-continuous */
+ return (timestamp >= creation()) && timestamp && (timestamp <= valid_till());
+}
+
+const pgp_key_id_t &
+pgp_key_t::keyid() const
+{
+ return keyid_;
+}
+
+const pgp_fingerprint_t &
+pgp_key_t::fp() const
+{
+ return fingerprint_;
+}
+
+const pgp_key_grip_t &
+pgp_key_t::grip() const
+{
+ return grip_;
+}
+
+const pgp_fingerprint_t &
+pgp_key_t::primary_fp() const
+{
+ if (!primary_fp_set_) {
+ throw rnp::rnp_exception(RNP_ERROR_BAD_PARAMETERS);
+ }
+ return primary_fp_;
+}
+
+bool
+pgp_key_t::has_primary_fp() const
+{
+ return primary_fp_set_;
+}
+
+void
+pgp_key_t::unset_primary_fp()
+{
+ primary_fp_set_ = false;
+ primary_fp_ = {};
+}
+
+void
+pgp_key_t::link_subkey_fp(pgp_key_t &subkey)
+{
+ if (!is_primary() || !subkey.is_subkey()) {
+ throw rnp::rnp_exception(RNP_ERROR_BAD_PARAMETERS);
+ }
+ subkey.primary_fp_ = fp();
+ subkey.primary_fp_set_ = true;
+ add_subkey_fp(subkey.fp());
+}
+
+void
+pgp_key_t::add_subkey_fp(const pgp_fingerprint_t &fp)
+{
+ if (std::find(subkey_fps_.begin(), subkey_fps_.end(), fp) == subkey_fps_.end()) {
+ subkey_fps_.push_back(fp);
+ }
+}
+
+size_t
+pgp_key_t::subkey_count() const
+{
+ return subkey_fps_.size();
+}
+
+void
+pgp_key_t::remove_subkey_fp(const pgp_fingerprint_t &fp)
+{
+ auto it = std::find(subkey_fps_.begin(), subkey_fps_.end(), fp);
+ if (it != subkey_fps_.end()) {
+ subkey_fps_.erase(it);
+ }
+}
+
+const pgp_fingerprint_t &
+pgp_key_t::get_subkey_fp(size_t idx) const
+{
+ return subkey_fps_[idx];
+}
+
+const std::vector<pgp_fingerprint_t> &
+pgp_key_t::subkey_fps() const
+{
+ return subkey_fps_;
+}
+
+size_t
+pgp_key_t::rawpkt_count() const
+{
+ if (format == PGP_KEY_STORE_G10) {
+ return 1;
+ }
+ return 1 + uid_count() + sig_count();
+}
+
+pgp_rawpacket_t &
+pgp_key_t::rawpkt()
+{
+ return rawpkt_;
+}
+
+const pgp_rawpacket_t &
+pgp_key_t::rawpkt() const
+{
+ return rawpkt_;
+}
+
+void
+pgp_key_t::set_rawpkt(const pgp_rawpacket_t &src)
+{
+ rawpkt_ = src;
+}
+
+bool
+pgp_key_t::unlock(const pgp_password_provider_t &provider, pgp_op_t op)
+{
+ // sanity checks
+ if (!usable_for(PGP_OP_UNLOCK)) {
+ return false;
+ }
+ // see if it's already unlocked
+ if (!is_locked()) {
+ return true;
+ }
+
+ pgp_password_ctx_t ctx(op, this);
+ pgp_key_pkt_t * decrypted_seckey = pgp_decrypt_seckey(*this, provider, ctx);
+ if (!decrypted_seckey) {
+ return false;
+ }
+
+ // this shouldn't really be necessary, but just in case
+ forget_secret_key_fields(&pkt_.material);
+ // copy the decrypted mpis into the pgp_key_t
+ pkt_.material = decrypted_seckey->material;
+ pkt_.material.secret = true;
+ delete decrypted_seckey;
+ return true;
+}
+
+bool
+pgp_key_t::lock()
+{
+ // sanity checks
+ if (!is_secret()) {
+ RNP_LOG("invalid args");
+ return false;
+ }
+
+ // see if it's already locked
+ if (is_locked()) {
+ return true;
+ }
+
+ forget_secret_key_fields(&pkt_.material);
+ return true;
+}
+
+bool
+pgp_key_t::protect(const rnp_key_protection_params_t &protection,
+ const pgp_password_provider_t & password_provider,
+ rnp::SecurityContext & sctx)
+{
+ pgp_password_ctx_t ctx(PGP_OP_PROTECT, this);
+
+ // ask the provider for a password
+ rnp::secure_array<char, MAX_PASSWORD_LENGTH> password;
+ if (!pgp_request_password(&password_provider, &ctx, password.data(), password.size())) {
+ return false;
+ }
+ return protect(pkt_, protection, password.data(), sctx);
+}
+
+bool
+pgp_key_t::protect(pgp_key_pkt_t & decrypted,
+ const rnp_key_protection_params_t &protection,
+ const std::string & new_password,
+ rnp::SecurityContext & ctx)
+{
+ if (!is_secret()) {
+ RNP_LOG("Warning: this is not a secret key");
+ return false;
+ }
+ bool ownpkt = &decrypted == &pkt_;
+ if (!decrypted.material.secret) {
+ RNP_LOG("Decrypted secret key must be provided");
+ return false;
+ }
+
+ /* force encrypted-and-hashed and iterated-and-salted as it's the only method we support*/
+ pkt_.sec_protection.s2k.usage = PGP_S2KU_ENCRYPTED_AND_HASHED;
+ pkt_.sec_protection.s2k.specifier = PGP_S2KS_ITERATED_AND_SALTED;
+ /* use default values where needed */
+ pkt_.sec_protection.symm_alg =
+ protection.symm_alg ? protection.symm_alg : DEFAULT_PGP_SYMM_ALG;
+ pkt_.sec_protection.cipher_mode =
+ protection.cipher_mode ? protection.cipher_mode : DEFAULT_PGP_CIPHER_MODE;
+ pkt_.sec_protection.s2k.hash_alg =
+ protection.hash_alg ? protection.hash_alg : DEFAULT_PGP_HASH_ALG;
+ auto iter = protection.iterations;
+ if (!iter) {
+ iter = ctx.s2k_iterations(pkt_.sec_protection.s2k.hash_alg);
+ }
+ pkt_.sec_protection.s2k.iterations = pgp_s2k_round_iterations(iter);
+ if (!ownpkt) {
+ /* decrypted is assumed to be temporary variable so we may modify it */
+ decrypted.sec_protection = pkt_.sec_protection;
+ }
+
+ /* write the protected key to raw packet */
+ return write_sec_rawpkt(decrypted, new_password, ctx);
+}
+
+bool
+pgp_key_t::unprotect(const pgp_password_provider_t &password_provider,
+ rnp::SecurityContext & secctx)
+{
+ /* sanity check */
+ if (!is_secret()) {
+ RNP_LOG("Warning: this is not a secret key");
+ return false;
+ }
+ /* already unprotected */
+ if (!is_protected()) {
+ return true;
+ }
+ /* simple case */
+ if (!encrypted()) {
+ pkt_.sec_protection.s2k.usage = PGP_S2KU_NONE;
+ return write_sec_rawpkt(pkt_, "", secctx);
+ }
+
+ pgp_password_ctx_t ctx(PGP_OP_UNPROTECT, this);
+
+ pgp_key_pkt_t *decrypted_seckey = pgp_decrypt_seckey(*this, password_provider, ctx);
+ if (!decrypted_seckey) {
+ return false;
+ }
+ decrypted_seckey->sec_protection.s2k.usage = PGP_S2KU_NONE;
+ if (!write_sec_rawpkt(*decrypted_seckey, "", secctx)) {
+ delete decrypted_seckey;
+ return false;
+ }
+ pkt_ = std::move(*decrypted_seckey);
+ /* current logic is that unprotected key should be additionally unlocked */
+ forget_secret_key_fields(&pkt_.material);
+ delete decrypted_seckey;
+ return true;
+}
+
+void
+pgp_key_t::write(pgp_dest_t &dst) const
+{
+ /* write key rawpacket */
+ rawpkt_.write(dst);
+
+ if (format == PGP_KEY_STORE_G10) {
+ return;
+ }
+
+ /* write signatures on key */
+ for (auto &sigid : keysigs_) {
+ get_sig(sigid).rawpkt.write(dst);
+ }
+
+ /* write uids and their signatures */
+ for (const auto &uid : uids_) {
+ uid.rawpkt.write(dst);
+ for (size_t idx = 0; idx < uid.sig_count(); idx++) {
+ get_sig(uid.get_sig(idx)).rawpkt.write(dst);
+ }
+ }
+}
+
+void
+pgp_key_t::write_xfer(pgp_dest_t &dst, const rnp_key_store_t *keyring) const
+{
+ write(dst);
+ if (dst.werr) {
+ RNP_LOG("Failed to export primary key");
+ return;
+ }
+
+ if (!keyring) {
+ return;
+ }
+
+ // Export subkeys
+ for (auto &fp : subkey_fps_) {
+ const pgp_key_t *subkey = rnp_key_store_get_key_by_fpr(keyring, fp);
+ if (!subkey) {
+ char fphex[PGP_FINGERPRINT_SIZE * 2 + 1] = {0};
+ rnp::hex_encode(
+ fp.fingerprint, fp.length, fphex, sizeof(fphex), rnp::HEX_LOWERCASE);
+ RNP_LOG("Warning! Subkey %s not found.", fphex);
+ continue;
+ }
+ subkey->write(dst);
+ if (dst.werr) {
+ RNP_LOG("Error occurred when exporting a subkey");
+ return;
+ }
+ }
+}
+
+bool
+pgp_key_t::write_autocrypt(pgp_dest_t &dst, pgp_key_t &sub, uint32_t uid)
+{
+ pgp_subsig_t *cert = latest_uid_selfcert(uid);
+ if (!cert) {
+ RNP_LOG("No valid uid certification");
+ return false;
+ }
+ pgp_subsig_t *binding = sub.latest_binding();
+ if (!binding) {
+ RNP_LOG("No valid binding for subkey");
+ return false;
+ }
+ if (is_secret() || sub.is_secret()) {
+ RNP_LOG("Public key required");
+ return false;
+ }
+
+ try {
+ /* write all or nothing */
+ rnp::MemoryDest memdst;
+ pkt().write(memdst.dst());
+ get_uid(uid).pkt.write(memdst.dst());
+ cert->sig.write(memdst.dst());
+ sub.pkt().write(memdst.dst());
+ binding->sig.write(memdst.dst());
+ dst_write(&dst, memdst.memory(), memdst.writeb());
+ return !dst.werr;
+ } catch (const std::exception &e) {
+ RNP_LOG("%s", e.what());
+ return false;
+ }
+}
+
+/* look only for primary userids */
+#define PGP_UID_PRIMARY ((uint32_t) -2)
+/* look for any uid, except PGP_UID_NONE) */
+#define PGP_UID_ANY ((uint32_t) -3)
+
+pgp_subsig_t *
+pgp_key_t::latest_selfsig(uint32_t uid)
+{
+ uint32_t latest = 0;
+ pgp_subsig_t *res = nullptr;
+
+ for (auto &sigid : sigs_) {
+ auto &sig = get_sig(sigid);
+ if (!sig.valid()) {
+ continue;
+ }
+ bool skip = false;
+ switch (uid) {
+ case PGP_UID_NONE:
+ skip = (sig.uid != PGP_UID_NONE) || !is_direct_self(sig);
+ break;
+ case PGP_UID_PRIMARY: {
+ pgp_sig_subpkt_t *subpkt = sig.sig.get_subpkt(PGP_SIG_SUBPKT_PRIMARY_USER_ID);
+ skip = !is_self_cert(sig) || !subpkt || !subpkt->fields.primary_uid ||
+ (sig.uid == PGP_UID_NONE);
+ break;
+ }
+ case PGP_UID_ANY:
+ skip = !is_self_cert(sig) || (sig.uid == PGP_UID_NONE);
+ break;
+ default:
+ skip = (sig.uid != uid) || !is_self_cert(sig);
+ break;
+ }
+ if (skip) {
+ continue;
+ }
+
+ uint32_t creation = sig.sig.creation();
+ if (creation >= latest) {
+ latest = creation;
+ res = &sig;
+ }
+ }
+
+ /* if there is later self-sig for the same uid without primary flag, then drop res */
+ if ((uid == PGP_UID_PRIMARY) && res) {
+ pgp_subsig_t *overres = latest_selfsig(res->uid);
+ if (overres && (overres->sig.creation() > res->sig.creation())) {
+ res = nullptr;
+ }
+ }
+ return res;
+}
+
+pgp_subsig_t *
+pgp_key_t::latest_binding(bool validated)
+{
+ uint32_t latest = 0;
+ pgp_subsig_t *res = NULL;
+
+ for (auto &sigid : sigs_) {
+ auto &sig = get_sig(sigid);
+ if (validated && !sig.valid()) {
+ continue;
+ }
+ if (!is_binding(sig)) {
+ continue;
+ }
+
+ uint32_t creation = sig.sig.creation();
+ if (creation >= latest) {
+ latest = creation;
+ res = &sig;
+ }
+ }
+ return res;
+}
+
+pgp_subsig_t *
+pgp_key_t::latest_uid_selfcert(uint32_t uid)
+{
+ uint32_t latest = 0;
+ pgp_subsig_t *res = NULL;
+
+ if (uid >= uids_.size()) {
+ return NULL;
+ }
+
+ for (size_t idx = 0; idx < uids_[uid].sig_count(); idx++) {
+ auto &sig = get_sig(uids_[uid].get_sig(idx));
+ if (!sig.valid() || (sig.uid != uid)) {
+ continue;
+ }
+ if (!is_self_cert(sig)) {
+ continue;
+ }
+
+ uint32_t creation = sig.sig.creation();
+ if (creation >= latest) {
+ latest = creation;
+ res = &sig;
+ }
+ }
+ return res;
+}
+
+bool
+pgp_key_t::is_signer(const pgp_subsig_t &sig) const
+{
+ /* if we have fingerprint let's check it */
+ if (sig.sig.has_keyfp()) {
+ return sig.sig.keyfp() == fp();
+ }
+ if (!sig.sig.has_keyid()) {
+ return false;
+ }
+ return keyid() == sig.sig.keyid();
+}
+
+bool
+pgp_key_t::expired_with(const pgp_subsig_t &sig, uint64_t at) const
+{
+ /* key expiration: absence of subpkt or 0 means it never expires */
+ uint64_t expiration = sig.sig.key_expiration();
+ if (!expiration) {
+ return false;
+ }
+ return expiration + creation() < at;
+}
+
+bool
+pgp_key_t::is_self_cert(const pgp_subsig_t &sig) const
+{
+ return is_primary() && sig.is_cert() && is_signer(sig);
+}
+
+bool
+pgp_key_t::is_direct_self(const pgp_subsig_t &sig) const
+{
+ return is_primary() && (sig.sig.type() == PGP_SIG_DIRECT) && is_signer(sig);
+}
+
+bool
+pgp_key_t::is_revocation(const pgp_subsig_t &sig) const
+{
+ return is_primary() ? (sig.sig.type() == PGP_SIG_REV_KEY) :
+ (sig.sig.type() == PGP_SIG_REV_SUBKEY);
+}
+
+bool
+pgp_key_t::is_uid_revocation(const pgp_subsig_t &sig) const
+{
+ return is_primary() && (sig.sig.type() == PGP_SIG_REV_CERT);
+}
+
+bool
+pgp_key_t::is_binding(const pgp_subsig_t &sig) const
+{
+ return is_subkey() && (sig.sig.type() == PGP_SIG_SUBKEY);
+}
+
+void
+pgp_key_t::validate_sig(const pgp_key_t & key,
+ pgp_subsig_t & sig,
+ const rnp::SecurityContext &ctx) const noexcept
+{
+ sig.validity.reset();
+
+ pgp_signature_info_t sinfo = {};
+ sinfo.sig = &sig.sig;
+ sinfo.signer_valid = true;
+ if (key.is_self_cert(sig) || key.is_binding(sig)) {
+ sinfo.ignore_expiry = true;
+ }
+
+ pgp_sig_type_t stype = sig.sig.type();
+ try {
+ switch (stype) {
+ case PGP_SIG_BINARY:
+ case PGP_SIG_TEXT:
+ case PGP_SIG_STANDALONE:
+ case PGP_SIG_PRIMARY:
+ RNP_LOG("Invalid key signature type: %d", (int) stype);
+ return;
+ case PGP_CERT_GENERIC:
+ case PGP_CERT_PERSONA:
+ case PGP_CERT_CASUAL:
+ case PGP_CERT_POSITIVE:
+ case PGP_SIG_REV_CERT: {
+ if (sig.uid >= key.uid_count()) {
+ RNP_LOG("Userid not found");
+ return;
+ }
+ validate_cert(sinfo, key.pkt(), key.get_uid(sig.uid).pkt, ctx);
+ break;
+ }
+ case PGP_SIG_SUBKEY:
+ if (!is_signer(sig)) {
+ RNP_LOG("Invalid subkey binding's signer.");
+ return;
+ }
+ validate_binding(sinfo, key, ctx);
+ break;
+ case PGP_SIG_DIRECT:
+ case PGP_SIG_REV_KEY:
+ validate_direct(sinfo, ctx);
+ break;
+ case PGP_SIG_REV_SUBKEY:
+ if (!is_signer(sig)) {
+ RNP_LOG("Invalid subkey revocation's signer.");
+ return;
+ }
+ validate_sub_rev(sinfo, key.pkt(), ctx);
+ break;
+ default:
+ RNP_LOG("Unsupported key signature type: %d", (int) stype);
+ return;
+ }
+ } catch (const std::exception &e) {
+ RNP_LOG("Key signature validation failed: %s", e.what());
+ }
+
+ sig.validity.validated = true;
+ sig.validity.valid = sinfo.valid;
+ /* revocation signature cannot expire */
+ if ((stype != PGP_SIG_REV_KEY) && (stype != PGP_SIG_REV_SUBKEY) &&
+ (stype != PGP_SIG_REV_CERT)) {
+ sig.validity.expired = sinfo.expired;
+ }
+}
+
+void
+pgp_key_t::validate_sig(pgp_signature_info_t & sinfo,
+ rnp::Hash & hash,
+ const rnp::SecurityContext &ctx) const noexcept
+{
+ sinfo.no_signer = false;
+ sinfo.valid = false;
+ sinfo.expired = false;
+
+ /* Validate signature itself */
+ if (sinfo.signer_valid || valid_at(sinfo.sig->creation())) {
+ sinfo.valid = !signature_validate(*sinfo.sig, pkt_.material, hash, ctx);
+ } else {
+ sinfo.valid = false;
+ RNP_LOG("invalid or untrusted key");
+ }
+
+ /* Check signature's expiration time */
+ uint32_t now = ctx.time();
+ uint32_t create = sinfo.sig->creation();
+ uint32_t expiry = sinfo.sig->expiration();
+ if (create > now) {
+ /* signature created later then now */
+ RNP_LOG("signature created %d seconds in future", (int) (create - now));
+ sinfo.expired = true;
+ }
+ if (create && expiry && (create + expiry < now)) {
+ /* signature expired */
+ RNP_LOG("signature expired");
+ sinfo.expired = true;
+ }
+
+ /* check key creation time vs signature creation */
+ if (creation() > create) {
+ RNP_LOG("key is newer than signature");
+ sinfo.valid = false;
+ }
+
+ /* check whether key was not expired when sig created */
+ if (!sinfo.ignore_expiry && expiration() && (creation() + expiration() < create)) {
+ RNP_LOG("signature made after key expiration");
+ sinfo.valid = false;
+ }
+
+ /* Check signer's fingerprint */
+ if (sinfo.sig->has_keyfp() && (sinfo.sig->keyfp() != fp())) {
+ RNP_LOG("issuer fingerprint doesn't match signer's one");
+ sinfo.valid = false;
+ }
+
+ /* Check for unknown critical notations */
+ for (auto &subpkt : sinfo.sig->subpkts) {
+ if (!subpkt.critical || (subpkt.type != PGP_SIG_SUBPKT_NOTATION_DATA)) {
+ continue;
+ }
+ std::string name(subpkt.fields.notation.name,
+ subpkt.fields.notation.name + subpkt.fields.notation.nlen);
+ RNP_LOG("unknown critical notation: %s", name.c_str());
+ sinfo.valid = false;
+ }
+}
+
+void
+pgp_key_t::validate_cert(pgp_signature_info_t & sinfo,
+ const pgp_key_pkt_t & key,
+ const pgp_userid_pkt_t & uid,
+ const rnp::SecurityContext &ctx) const
+{
+ auto hash = signature_hash_certification(*sinfo.sig, key, uid);
+ validate_sig(sinfo, *hash, ctx);
+}
+
+void
+pgp_key_t::validate_binding(pgp_signature_info_t & sinfo,
+ const pgp_key_t & subkey,
+ const rnp::SecurityContext &ctx) const
+{
+ if (!is_primary() || !subkey.is_subkey()) {
+ RNP_LOG("Invalid binding signature key type(s)");
+ sinfo.valid = false;
+ return;
+ }
+ auto hash = signature_hash_binding(*sinfo.sig, pkt(), subkey.pkt());
+ validate_sig(sinfo, *hash, ctx);
+ if (!sinfo.valid || !(sinfo.sig->key_flags() & PGP_KF_SIGN)) {
+ return;
+ }
+
+ /* check primary key binding signature if any */
+ sinfo.valid = false;
+ pgp_sig_subpkt_t *subpkt = sinfo.sig->get_subpkt(PGP_SIG_SUBPKT_EMBEDDED_SIGNATURE, false);
+ if (!subpkt) {
+ RNP_LOG("error! no primary key binding signature");
+ return;
+ }
+ if (!subpkt->parsed) {
+ RNP_LOG("invalid embedded signature subpacket");
+ return;
+ }
+ if (subpkt->fields.sig->type() != PGP_SIG_PRIMARY) {
+ RNP_LOG("invalid primary key binding signature");
+ return;
+ }
+ if (subpkt->fields.sig->version < PGP_V4) {
+ RNP_LOG("invalid primary key binding signature version");
+ return;
+ }
+
+ hash = signature_hash_binding(*subpkt->fields.sig, pkt(), subkey.pkt());
+ pgp_signature_info_t bindinfo = {};
+ bindinfo.sig = subpkt->fields.sig;
+ bindinfo.signer_valid = true;
+ bindinfo.ignore_expiry = true;
+ subkey.validate_sig(bindinfo, *hash, ctx);
+ sinfo.valid = bindinfo.valid && !bindinfo.expired;
+}
+
+void
+pgp_key_t::validate_sub_rev(pgp_signature_info_t & sinfo,
+ const pgp_key_pkt_t & subkey,
+ const rnp::SecurityContext &ctx) const
+{
+ auto hash = signature_hash_binding(*sinfo.sig, pkt(), subkey);
+ validate_sig(sinfo, *hash, ctx);
+}
+
+void
+pgp_key_t::validate_direct(pgp_signature_info_t &sinfo, const rnp::SecurityContext &ctx) const
+{
+ auto hash = signature_hash_direct(*sinfo.sig, pkt());
+ validate_sig(sinfo, *hash, ctx);
+}
+
+void
+pgp_key_t::validate_self_signatures(const rnp::SecurityContext &ctx)
+{
+ for (auto &sigid : sigs_) {
+ pgp_subsig_t &sig = get_sig(sigid);
+ if (sig.validity.validated) {
+ continue;
+ }
+
+ if (is_direct_self(sig) || is_self_cert(sig) || is_uid_revocation(sig) ||
+ is_revocation(sig)) {
+ validate_sig(*this, sig, ctx);
+ }
+ }
+}
+
+void
+pgp_key_t::validate_self_signatures(pgp_key_t &primary, const rnp::SecurityContext &ctx)
+{
+ for (auto &sigid : sigs_) {
+ pgp_subsig_t &sig = get_sig(sigid);
+ if (sig.validity.validated) {
+ continue;
+ }
+
+ if (is_binding(sig) || is_revocation(sig)) {
+ primary.validate_sig(*this, sig, ctx);
+ }
+ }
+}
+
+void
+pgp_key_t::validate_primary(rnp_key_store_t &keyring)
+{
+ /* validate signatures if needed */
+ validate_self_signatures(keyring.secctx);
+
+ /* consider public key as valid on this level if it is not expired and has at least one
+ * valid self-signature, and is not revoked */
+ validity_.reset();
+ validity_.validated = true;
+ bool has_cert = false;
+ bool has_expired = false;
+ /* check whether key is revoked */
+ for (auto &sigid : sigs_) {
+ pgp_subsig_t &sig = get_sig(sigid);
+ if (!sig.valid()) {
+ continue;
+ }
+ if (is_revocation(sig)) {
+ return;
+ }
+ }
+ /* if we have direct-key signature, then it has higher priority for expiration check */
+ uint64_t now = keyring.secctx.time();
+ pgp_subsig_t *dirsig = latest_selfsig(PGP_UID_NONE);
+ if (dirsig) {
+ has_expired = expired_with(*dirsig, now);
+ has_cert = !has_expired;
+ }
+ /* if we have primary uid and it is more restrictive, then use it as well */
+ pgp_subsig_t *prisig = NULL;
+ if (!has_expired && (prisig = latest_selfsig(PGP_UID_PRIMARY))) {
+ has_expired = expired_with(*prisig, now);
+ has_cert = !has_expired;
+ }
+ /* if we don't have direct-key sig and primary uid, use the latest self-cert */
+ pgp_subsig_t *latest = NULL;
+ if (!dirsig && !prisig && (latest = latest_selfsig(PGP_UID_ANY))) {
+ has_expired = expired_with(*latest, now);
+ has_cert = !has_expired;
+ }
+
+ /* we have at least one non-expiring key self-signature */
+ if (has_cert) {
+ validity_.valid = true;
+ return;
+ }
+ /* we have valid self-signature which expires key */
+ if (has_expired) {
+ validity_.expired = true;
+ return;
+ }
+
+ /* let's check whether key has at least one valid subkey binding */
+ for (size_t i = 0; i < subkey_count(); i++) {
+ pgp_key_t *sub = pgp_key_get_subkey(this, &keyring, i);
+ if (!sub) {
+ continue;
+ }
+ sub->validate_self_signatures(*this, keyring.secctx);
+ pgp_subsig_t *sig = sub->latest_binding();
+ if (!sig) {
+ continue;
+ }
+ /* check whether subkey is expired - then do not mark key as valid */
+ if (sub->expired_with(*sig, now)) {
+ continue;
+ }
+ validity_.valid = true;
+ return;
+ }
+}
+
+void
+pgp_key_t::validate_subkey(pgp_key_t *primary, const rnp::SecurityContext &ctx)
+{
+ /* consider subkey as valid on this level if it has valid primary key, has at least one
+ * non-expired binding signature, and is not revoked. */
+ validity_.reset();
+ validity_.validated = true;
+ if (!primary || (!primary->valid() && !primary->expired())) {
+ return;
+ }
+ /* validate signatures if needed */
+ validate_self_signatures(*primary, ctx);
+
+ bool has_binding = false;
+ bool has_expired = false;
+ for (auto &sigid : sigs_) {
+ pgp_subsig_t &sig = get_sig(sigid);
+ if (!sig.valid()) {
+ continue;
+ }
+
+ if (is_binding(sig) && !has_binding) {
+ /* check whether subkey is expired */
+ if (expired_with(sig, ctx.time())) {
+ has_expired = true;
+ continue;
+ }
+ has_binding = true;
+ } else if (is_revocation(sig)) {
+ return;
+ }
+ }
+ validity_.valid = has_binding && primary->valid();
+ if (!validity_.valid) {
+ validity_.expired = has_expired;
+ }
+}
+
+void
+pgp_key_t::validate(rnp_key_store_t &keyring)
+{
+ validity_.reset();
+ if (!is_subkey()) {
+ validate_primary(keyring);
+ } else {
+ pgp_key_t *primary = NULL;
+ if (has_primary_fp()) {
+ primary = rnp_key_store_get_key_by_fpr(&keyring, primary_fp());
+ }
+ validate_subkey(primary, keyring.secctx);
+ }
+}
+
+void
+pgp_key_t::revalidate(rnp_key_store_t &keyring)
+{
+ if (is_subkey()) {
+ pgp_key_t *primary = rnp_key_store_get_primary_key(&keyring, this);
+ if (primary) {
+ primary->revalidate(keyring);
+ } else {
+ validate_subkey(NULL, keyring.secctx);
+ }
+ return;
+ }
+
+ validate(keyring);
+ if (!refresh_data(keyring.secctx)) {
+ RNP_LOG("Failed to refresh key data");
+ }
+ /* validate/re-validate all subkeys as well */
+ for (auto &fp : subkey_fps_) {
+ pgp_key_t *subkey = rnp_key_store_get_key_by_fpr(&keyring, fp);
+ if (subkey) {
+ subkey->validate_subkey(this, keyring.secctx);
+ if (!subkey->refresh_data(this, keyring.secctx)) {
+ RNP_LOG("Failed to refresh subkey data");
+ }
+ }
+ }
+}
+
+void
+pgp_key_t::mark_valid()
+{
+ validity_.mark_valid();
+ for (size_t i = 0; i < sig_count(); i++) {
+ get_sig(i).validity.mark_valid();
+ }
+}
+
+void
+pgp_key_t::sign_init(pgp_signature_t &sig, pgp_hash_alg_t hash, uint64_t creation) const
+{
+ sig.version = PGP_V4;
+ sig.halg = pgp_hash_adjust_alg_to_key(hash, &pkt_);
+ sig.palg = alg();
+ sig.set_keyfp(fp());
+ sig.set_creation(creation);
+ sig.set_keyid(keyid());
+}
+
+void
+pgp_key_t::sign_cert(const pgp_key_pkt_t & key,
+ const pgp_userid_pkt_t &uid,
+ pgp_signature_t & sig,
+ rnp::SecurityContext & ctx)
+{
+ sig.fill_hashed_data();
+ auto hash = signature_hash_certification(sig, key, uid);
+ signature_calculate(sig, pkt_.material, *hash, ctx);
+}
+
+void
+pgp_key_t::sign_direct(const pgp_key_pkt_t & key,
+ pgp_signature_t & sig,
+ rnp::SecurityContext &ctx)
+{
+ sig.fill_hashed_data();
+ auto hash = signature_hash_direct(sig, key);
+ signature_calculate(sig, pkt_.material, *hash, ctx);
+}
+
+void
+pgp_key_t::sign_binding(const pgp_key_pkt_t & key,
+ pgp_signature_t & sig,
+ rnp::SecurityContext &ctx)
+{
+ sig.fill_hashed_data();
+ auto hash = is_primary() ? signature_hash_binding(sig, pkt(), key) :
+ signature_hash_binding(sig, key, pkt());
+ signature_calculate(sig, pkt_.material, *hash, ctx);
+}
+
+void
+pgp_key_t::gen_revocation(const pgp_revoke_t & revoke,
+ pgp_hash_alg_t hash,
+ const pgp_key_pkt_t & key,
+ pgp_signature_t & sig,
+ rnp::SecurityContext &ctx)
+{
+ sign_init(sig, hash, ctx.time());
+ sig.set_type(is_primary_key_pkt(key.tag) ? PGP_SIG_REV_KEY : PGP_SIG_REV_SUBKEY);
+ sig.set_revocation_reason(revoke.code, revoke.reason);
+
+ if (is_primary_key_pkt(key.tag)) {
+ sign_direct(key, sig, ctx);
+ } else {
+ sign_binding(key, sig, ctx);
+ }
+}
+
+void
+pgp_key_t::sign_subkey_binding(pgp_key_t & sub,
+ pgp_signature_t & sig,
+ rnp::SecurityContext &ctx,
+ bool subsign)
+{
+ if (!is_primary()) {
+ throw rnp::rnp_exception(RNP_ERROR_BAD_PARAMETERS);
+ }
+ sign_binding(sub.pkt(), sig, ctx);
+ /* add primary key binding subpacket if requested */
+ if (subsign) {
+ pgp_signature_t embsig;
+ sub.sign_init(embsig, sig.halg, ctx.time());
+ embsig.set_type(PGP_SIG_PRIMARY);
+ sub.sign_binding(pkt(), embsig, ctx);
+ sig.set_embedded_sig(embsig);
+ }
+}
+
+void
+pgp_key_t::add_uid_cert(rnp_selfsig_cert_info_t &cert,
+ pgp_hash_alg_t hash,
+ rnp::SecurityContext & ctx,
+ pgp_key_t * pubkey)
+{
+ if (cert.userid.empty()) {
+ /* todo: why not to allow empty uid? */
+ RNP_LOG("wrong parameters");
+ throw rnp::rnp_exception(RNP_ERROR_BAD_PARAMETERS);
+ }
+ // userids are only valid for primary keys, not subkeys
+ if (!is_primary()) {
+ RNP_LOG("cannot add a userid to a subkey");
+ throw rnp::rnp_exception(RNP_ERROR_BAD_STATE);
+ }
+ // see if the key already has this userid
+ if (has_uid(cert.userid)) {
+ RNP_LOG("key already has this userid");
+ throw rnp::rnp_exception(RNP_ERROR_BAD_PARAMETERS);
+ }
+ // this isn't really valid for this format
+ if (format == PGP_KEY_STORE_G10) {
+ RNP_LOG("Unsupported key store type");
+ throw rnp::rnp_exception(RNP_ERROR_BAD_STATE);
+ }
+ // We only support modifying v4 and newer keys
+ if (pkt().version < PGP_V4) {
+ RNP_LOG("adding a userid to V2/V3 key is not supported");
+ throw rnp::rnp_exception(RNP_ERROR_BAD_STATE);
+ }
+ /* TODO: if key has at least one uid then has_primary_uid() will be always true! */
+ if (has_primary_uid() && cert.primary) {
+ RNP_LOG("changing the primary userid is not supported");
+ throw rnp::rnp_exception(RNP_ERROR_BAD_STATE);
+ }
+
+ /* Fill the transferable userid */
+ pgp_userid_pkt_t uid;
+ pgp_signature_t sig;
+ sign_init(sig, hash, ctx.time());
+ cert.populate(uid, sig);
+ try {
+ sign_cert(pkt_, uid, sig, ctx);
+ } catch (const std::exception &e) {
+ RNP_LOG("Failed to certify: %s", e.what());
+ throw;
+ }
+ /* add uid and signature to the key and pubkey, if non-NULL */
+ uids_.emplace_back(uid);
+ add_sig(sig, uid_count() - 1);
+ refresh_data(ctx);
+ if (!pubkey) {
+ return;
+ }
+ pubkey->uids_.emplace_back(uid);
+ pubkey->add_sig(sig, pubkey->uid_count() - 1);
+ pubkey->refresh_data(ctx);
+}
+
+void
+pgp_key_t::add_sub_binding(pgp_key_t & subsec,
+ pgp_key_t & subpub,
+ const rnp_selfsig_binding_info_t &binding,
+ pgp_hash_alg_t hash,
+ rnp::SecurityContext & ctx)
+{
+ if (!is_primary()) {
+ RNP_LOG("must be called on primary key");
+ throw rnp::rnp_exception(RNP_ERROR_BAD_STATE);
+ }
+
+ /* populate signature */
+ pgp_signature_t sig;
+ sign_init(sig, hash, ctx.time());
+ sig.set_type(PGP_SIG_SUBKEY);
+ if (binding.key_expiration) {
+ sig.set_key_expiration(binding.key_expiration);
+ }
+ if (binding.key_flags) {
+ sig.set_key_flags(binding.key_flags);
+ }
+ /* calculate binding */
+ pgp_key_flags_t realkf = (pgp_key_flags_t) binding.key_flags;
+ if (!realkf) {
+ realkf = pgp_pk_alg_capabilities(subsec.alg());
+ }
+ sign_subkey_binding(subsec, sig, ctx, realkf & PGP_KF_SIGN);
+ /* add to the secret and public key */
+ subsec.add_sig(sig);
+ subpub.add_sig(sig);
+}
+
+bool
+pgp_key_t::refresh_data(const rnp::SecurityContext &ctx)
+{
+ if (!is_primary()) {
+ RNP_LOG("key must be primary");
+ return false;
+ }
+ /* validate self-signatures if not done yet */
+ validate_self_signatures(ctx);
+ /* key expiration */
+ expiration_ = 0;
+ /* if we have direct-key signature, then it has higher priority */
+ pgp_subsig_t *dirsig = latest_selfsig(PGP_UID_NONE);
+ if (dirsig) {
+ expiration_ = dirsig->sig.key_expiration();
+ }
+ /* if we have primary uid and it is more restrictive, then use it as well */
+ pgp_subsig_t *prisig = latest_selfsig(PGP_UID_PRIMARY);
+ if (prisig && prisig->sig.key_expiration() &&
+ (!expiration_ || (prisig->sig.key_expiration() < expiration_))) {
+ expiration_ = prisig->sig.key_expiration();
+ }
+ /* if we don't have direct-key sig and primary uid, use the latest self-cert */
+ pgp_subsig_t *latest = latest_selfsig(PGP_UID_ANY);
+ if (!dirsig && !prisig && latest) {
+ expiration_ = latest->sig.key_expiration();
+ }
+ /* key flags: check in direct-key sig first, then primary uid, and then latest */
+ if (dirsig && dirsig->sig.has_subpkt(PGP_SIG_SUBPKT_KEY_FLAGS)) {
+ flags_ = dirsig->key_flags;
+ } else if (prisig && prisig->sig.has_subpkt(PGP_SIG_SUBPKT_KEY_FLAGS)) {
+ flags_ = prisig->key_flags;
+ } else if (latest && latest->sig.has_subpkt(PGP_SIG_SUBPKT_KEY_FLAGS)) {
+ flags_ = latest->key_flags;
+ } else {
+ flags_ = pgp_pk_alg_capabilities(alg());
+ }
+ /* revocation(s) */
+ clear_revokes();
+ for (size_t i = 0; i < sig_count(); i++) {
+ pgp_subsig_t &sig = get_sig(i);
+ if (!sig.valid()) {
+ continue;
+ }
+ try {
+ if (is_revocation(sig)) {
+ if (revoked_) {
+ continue;
+ }
+ revoked_ = true;
+ revocation_ = pgp_revoke_t(sig);
+ } else if (is_uid_revocation(sig)) {
+ if (sig.uid >= uid_count()) {
+ RNP_LOG("Invalid uid index");
+ continue;
+ }
+ pgp_userid_t &uid = get_uid(sig.uid);
+ if (uid.revoked) {
+ continue;
+ }
+ uid.revoked = true;
+ uid.revocation = pgp_revoke_t(sig);
+ }
+ } catch (const std::exception &e) {
+ RNP_LOG("%s", e.what());
+ return false;
+ }
+ }
+ /* valid till */
+ valid_till_ = valid_till_common(expired());
+ /* userid validities */
+ for (size_t i = 0; i < uid_count(); i++) {
+ get_uid(i).valid = false;
+ }
+ for (size_t i = 0; i < sig_count(); i++) {
+ pgp_subsig_t &sig = get_sig(i);
+ /* consider userid as valid if it has at least one non-expired self-sig */
+ if (!sig.valid() || !sig.is_cert() || !is_signer(sig) || sig.expired(ctx.time())) {
+ continue;
+ }
+ if (sig.uid >= uid_count()) {
+ continue;
+ }
+ get_uid(sig.uid).valid = true;
+ }
+ /* check whether uid is revoked */
+ for (size_t i = 0; i < uid_count(); i++) {
+ pgp_userid_t &uid = get_uid(i);
+ if (uid.revoked) {
+ uid.valid = false;
+ }
+ }
+ /* primary userid: use latest one which is not overridden by later non-primary selfsig */
+ uid0_set_ = false;
+ if (prisig && get_uid(prisig->uid).valid) {
+ uid0_ = prisig->uid;
+ uid0_set_ = true;
+ }
+ return true;
+}
+
+bool
+pgp_key_t::refresh_data(pgp_key_t *primary, const rnp::SecurityContext &ctx)
+{
+ /* validate self-signatures if not done yet */
+ if (primary) {
+ validate_self_signatures(*primary, ctx);
+ }
+ pgp_subsig_t *sig = latest_binding(primary);
+ /* subkey expiration */
+ expiration_ = sig ? sig->sig.key_expiration() : 0;
+ /* subkey flags */
+ if (sig && sig->sig.has_subpkt(PGP_SIG_SUBPKT_KEY_FLAGS)) {
+ flags_ = sig->key_flags;
+ } else {
+ flags_ = pgp_pk_alg_capabilities(alg());
+ }
+ /* revocation */
+ clear_revokes();
+ for (size_t i = 0; i < sig_count(); i++) {
+ pgp_subsig_t &sig = get_sig(i);
+ if (!sig.valid() || !is_revocation(sig)) {
+ continue;
+ }
+ revoked_ = true;
+ try {
+ revocation_ = pgp_revoke_t(sig);
+ } catch (const std::exception &e) {
+ RNP_LOG("%s", e.what());
+ return false;
+ }
+ break;
+ }
+ /* valid till */
+ if (primary) {
+ valid_till_ =
+ std::min(primary->valid_till(), valid_till_common(expired() || primary->expired()));
+ } else {
+ valid_till_ = valid_till_common(expired());
+ }
+ return true;
+}
+
+void
+pgp_key_t::merge_validity(const pgp_validity_t &src)
+{
+ validity_.valid = validity_.valid && src.valid;
+ /* We may safely leave validated status only if both merged keys are valid && validated.
+ * Otherwise we'll need to revalidate. For instance, one validated but invalid key may add
+ * revocation signature, or valid key may add certification to the invalid one. */
+ validity_.validated = validity_.valid && validity_.validated && src.validated;
+ /* if expired is true at least in one case then valid and validated are false */
+ validity_.expired = false;
+}
+
+bool
+pgp_key_t::merge(const pgp_key_t &src)
+{
+ if (is_subkey() || src.is_subkey()) {
+ RNP_LOG("wrong key merge call");
+ return false;
+ }
+
+ pgp_transferable_key_t dstkey;
+ if (transferable_key_from_key(dstkey, *this)) {
+ RNP_LOG("failed to get transferable key from dstkey");
+ return false;
+ }
+
+ pgp_transferable_key_t srckey;
+ if (transferable_key_from_key(srckey, src)) {
+ RNP_LOG("failed to get transferable key from srckey");
+ return false;
+ }
+
+ /* if src is secret key then merged key will become secret as well. */
+ if (is_secret_key_pkt(srckey.key.tag) && !is_secret_key_pkt(dstkey.key.tag)) {
+ pgp_key_pkt_t tmp = dstkey.key;
+ dstkey.key = srckey.key;
+ srckey.key = tmp;
+ /* no subkey processing here - they are separated from the main key */
+ }
+
+ if (transferable_key_merge(dstkey, srckey)) {
+ RNP_LOG("failed to merge transferable keys");
+ return false;
+ }
+
+ pgp_key_t tmpkey;
+ try {
+ tmpkey = std::move(dstkey);
+ for (auto &fp : subkey_fps()) {
+ tmpkey.add_subkey_fp(fp);
+ }
+ for (auto &fp : src.subkey_fps()) {
+ tmpkey.add_subkey_fp(fp);
+ }
+ } catch (const std::exception &e) {
+ RNP_LOG("failed to process key/add subkey fps: %s", e.what());
+ return false;
+ }
+ /* check whether key was unlocked and assign secret key data */
+ if (is_secret() && !is_locked()) {
+ /* we may do thing below only because key material is opaque structure without
+ * pointers! */
+ tmpkey.pkt().material = pkt().material;
+ } else if (src.is_secret() && !src.is_locked()) {
+ tmpkey.pkt().material = src.pkt().material;
+ }
+ /* copy validity status */
+ tmpkey.validity_ = validity_;
+ tmpkey.merge_validity(src.validity_);
+
+ *this = std::move(tmpkey);
+ return true;
+}
+
+bool
+pgp_key_t::merge(const pgp_key_t &src, pgp_key_t *primary)
+{
+ if (!is_subkey() || !src.is_subkey()) {
+ RNP_LOG("wrong subkey merge call");
+ return false;
+ }
+
+ pgp_transferable_subkey_t dstkey;
+ if (transferable_subkey_from_key(dstkey, *this)) {
+ RNP_LOG("failed to get transferable key from dstkey");
+ return false;
+ }
+
+ pgp_transferable_subkey_t srckey;
+ if (transferable_subkey_from_key(srckey, src)) {
+ RNP_LOG("failed to get transferable key from srckey");
+ return false;
+ }
+
+ /* if src is secret key then merged key will become secret as well. */
+ if (is_secret_key_pkt(srckey.subkey.tag) && !is_secret_key_pkt(dstkey.subkey.tag)) {
+ pgp_key_pkt_t tmp = dstkey.subkey;
+ dstkey.subkey = srckey.subkey;
+ srckey.subkey = tmp;
+ }
+
+ if (transferable_subkey_merge(dstkey, srckey)) {
+ RNP_LOG("failed to merge transferable subkeys");
+ return false;
+ }
+
+ pgp_key_t tmpkey;
+ try {
+ tmpkey = pgp_key_t(dstkey, primary);
+ } catch (const std::exception &e) {
+ RNP_LOG("failed to process subkey: %s", e.what());
+ return false;
+ }
+
+ /* check whether key was unlocked and assign secret key data */
+ if (is_secret() && !is_locked()) {
+ /* we may do thing below only because key material is opaque structure without
+ * pointers! */
+ tmpkey.pkt().material = pkt().material;
+ } else if (src.is_secret() && !src.is_locked()) {
+ tmpkey.pkt().material = src.pkt().material;
+ }
+ /* copy validity status */
+ tmpkey.validity_ = validity_;
+ tmpkey.merge_validity(src.validity_);
+
+ *this = std::move(tmpkey);
+ return true;
+}
+
+size_t
+pgp_key_material_t::bits() const
+{
+ switch (alg) {
+ case PGP_PKA_RSA:
+ case PGP_PKA_RSA_ENCRYPT_ONLY:
+ case PGP_PKA_RSA_SIGN_ONLY:
+ return 8 * mpi_bytes(&rsa.n);
+ case PGP_PKA_DSA:
+ return 8 * mpi_bytes(&dsa.p);
+ case PGP_PKA_ELGAMAL:
+ case PGP_PKA_ELGAMAL_ENCRYPT_OR_SIGN:
+ return 8 * mpi_bytes(&eg.y);
+ case PGP_PKA_ECDH:
+ case PGP_PKA_ECDSA:
+ case PGP_PKA_EDDSA:
+ case PGP_PKA_SM2: {
+ // bn_num_bytes returns value <= curve order
+ const ec_curve_desc_t *curve = get_curve_desc(ec.curve);
+ return curve ? curve->bitlen : 0;
+ }
+ default:
+ RNP_LOG("Unknown public key alg: %d", (int) alg);
+ return 0;
+ }
+}
+
+size_t
+pgp_key_material_t::qbits() const
+{
+ if (alg != PGP_PKA_DSA) {
+ return 0;
+ }
+ return 8 * mpi_bytes(&dsa.q);
+}
+
+void
+pgp_key_material_t::validate(rnp::SecurityContext &ctx, bool reset)
+{
+ if (!reset && validity.validated) {
+ return;
+ }
+ validity.reset();
+ validity.valid = !validate_pgp_key_material(this, &ctx.rng);
+ validity.validated = true;
+}
+
+bool
+pgp_key_material_t::valid() const
+{
+ return validity.validated && validity.valid;
+}
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-07 00:02:40 +0000