File: pgp.go

package info (click to toggle)
singularity-container 4.0.3%2Bds1-1
links: PTS, VCS
area: main
in suites: sid
size: 21,672 kB
sloc: asm: 3,857; sh: 2,125; ansic: 1,677; awk: 414; makefile: 110; python: 99
file content (283 lines) | stat: -rw-r--r-- 7,740 bytes
parent folder | download | duplicates (2)
// Copyright (c) 2020, Control Command Inc. All rights reserved.
// Copyright (c) 2020-2021, Sylabs Inc. All rights reserved.
// This software is licensed under a 3-clause BSD license. Please consult the LICENSE.md file
// distributed with the sources of this project regarding your rights to use or distribute this
// software.

package cli

import (
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"os"

	"github.com/sylabs/singularity/v4/internal/pkg/buildcfg"

	"github.com/ProtonMail/go-crypto/openpgp"
	"github.com/ProtonMail/go-crypto/openpgp/packet"
	"github.com/fatih/color"
	"github.com/sylabs/sif/v2/pkg/integrity"
	"github.com/sylabs/sif/v2/pkg/sif"
	sifsignature "github.com/sylabs/singularity/v4/internal/pkg/signature"
	"github.com/sylabs/singularity/v4/internal/pkg/sypgp"
	"github.com/sylabs/singularity/v4/internal/pkg/util/interactive"
	"github.com/sylabs/singularity/v4/pkg/sylog"
)

var (
	errEmptyKeyring    = errors.New("keyring is empty")
	errIndexOutOfRange = errors.New("index out of range")
)

// printEntityAtIndex prints entity e, associated with index i, to w.
func printEntityAtIndex(w io.Writer, i int, e *openpgp.Entity) {
	for _, v := range e.Identities {
		fmt.Fprintf(w, "%d) U: %s (%s) <%s>\n", i, v.UserId.Name, v.UserId.Comment, v.UserId.Email)
	}
	fmt.Fprintf(w, "   C: %s\n", e.PrimaryKey.CreationTime)
	fmt.Fprintf(w, "   F: %0X\n", e.PrimaryKey.Fingerprint)
	bits, _ := e.PrimaryKey.BitLength()
	fmt.Fprintf(w, "   L: %d\n", bits)
	fmt.Fprint(os.Stdout, "   --------\n")
}

// selectEntityInteractive returns an EntitySelector that selects an entity from el, prompting the
// user for a selection if there is more than one entity in el.
func selectEntityInteractive() sypgp.EntitySelector {
	return func(el openpgp.EntityList) (*openpgp.Entity, error) {
		switch len(el) {
		case 0:
			return nil, errEmptyKeyring
		case 1:
			return el[0], nil
		default:
			for i, e := range el {
				printEntityAtIndex(os.Stdout, i, e)
			}

			n, err := interactive.AskNumberInRange(0, len(el)-1, "Enter # of private key to use : ")
			if err != nil {
				return nil, err
			}
			return el[n], nil
		}
	}
}

// selectEntityAtIndex returns an EntitySelector that selects the entity at index i.
func selectEntityAtIndex(i int) sypgp.EntitySelector {
	return func(el openpgp.EntityList) (*openpgp.Entity, error) {
		if i >= len(el) {
			return nil, errIndexOutOfRange
		}
		return el[i], nil
	}
}

// decryptSelectedEntityInteractive wraps f, attempting to decrypt the private key in the selected
// entity with a passpharse provided interactively by the user.
func decryptSelectedEntityInteractive(f sypgp.EntitySelector) sypgp.EntitySelector {
	return func(el openpgp.EntityList) (*openpgp.Entity, error) {
		e, err := f(el)
		if err != nil {
			return nil, err
		}

		if e.PrivateKey.Encrypted {
			if err := decryptPrivateKeyInteractive(e); err != nil {
				return nil, err
			}
		}

		return e, nil
	}
}

// decryptPrivateKeyInteractive decrypts the private key in e, prompting the user for a passphrase.
func decryptPrivateKeyInteractive(e *openpgp.Entity) error {
	passphrase, err := interactive.AskQuestionNoEcho("Enter key passphrase : ")
	if err != nil {
		return err
	}

	return e.PrivateKey.Decrypt([]byte(passphrase))
}

// primaryIdentity returns the Identity marked as primary, or the first identity if none are so
// marked.
func primaryIdentity(e *openpgp.Entity) *openpgp.Identity {
	var first *openpgp.Identity
	for _, id := range e.Identities {
		if first == nil {
			first = id
		}
		if id.SelfSignature.IsPrimaryId != nil && *id.SelfSignature.IsPrimaryId {
			return id
		}
	}
	return first
}

// isLocal returns true if signing entity e is found in the local keyring, and false otherwise.
func isLocal(e *openpgp.Entity) bool {
	kr, err := sypgp.PublicKeyRing()
	if err != nil {
		return false
	}

	keys := kr.KeysByIdUsage(e.PrimaryKey.KeyId, packet.KeyFlagSign)
	return len(keys) > 0
}

// isGlobal returns true if signing entity e is found in the global keyring, and false otherwise.
func isGlobal(e *openpgp.Entity) bool {
	keyring := sypgp.NewHandle(buildcfg.SINGULARITY_CONFDIR, sypgp.GlobalHandleOpt())
	kr, err := keyring.LoadPubKeyring()
	if err != nil {
		return false
	}

	keys := kr.KeysByIdUsage(e.PrimaryKey.KeyId, packet.KeyFlagSign)
	return len(keys) > 0
}

// outputVerify outputs a textual representation of r to stdout.
func outputVerify(_ *sif.FileImage, r integrity.VerifyResult) bool {
	e := r.Entity()

	// Print signing entity info.
	if e != nil {
		prefix := color.New(color.FgYellow).Sprint("[REMOTE]")

		if isGlobal(e) {
			prefix = color.New(color.FgCyan).Sprint("[GLOBAL]")
		} else if isLocal(e) {
			prefix = color.New(color.FgGreen).Sprint("[LOCAL]")
		}

		// Print identity, if possible.
		if id := primaryIdentity(e); id != nil {
			fmt.Printf("%-18v Signing entity: %v\n", prefix, id.Name)
		} else {
			sylog.Warningf("Primary identity unknown")
		}

		// Always print fingerprint.
		fmt.Printf("%-18v Fingerprint: %X\n", prefix, e.PrimaryKey.Fingerprint)
	}

	// Print table of signed objects.
	if len(r.Verified()) > 0 {
		fmt.Printf("Objects verified:\n")
		fmt.Printf("%-4s|%-8s|%-8s|%s\n", "ID", "GROUP", "LINK", "TYPE")
		fmt.Print("------------------------------------------------\n")
	}
	for _, od := range r.Verified() {
		group := "NONE"
		if gid := od.GroupID(); gid != 0 {
			group = fmt.Sprintf("%d", gid)
		}

		link := "NONE"
		if l, isGroup := od.LinkedID(); l != 0 {
			if isGroup {
				link = fmt.Sprintf("%d (G)", l)
			} else {
				link = fmt.Sprintf("%d", l)
			}
		}

		fmt.Printf("%-4d|%-8s|%-8s|%s\n", od.ID(), group, link, od.DataType())
	}

	if err := r.Error(); err != nil {
		fmt.Printf("\nError encountered during signature verification: %v\n", err)
	}

	return false
}

type key struct {
	Signer keyEntity
}

// keyEntity holds all the key info, used for json output.
type keyEntity struct {
	Partition   string
	Name        string
	Fingerprint string
	KeyLocal    bool
	KeyCheck    bool
	DataCheck   bool
}

// keyList is a list of one or more keys.
type keyList struct {
	Signatures int
	SignerKeys []*key
}

// getJSONCallback returns a signature.VerifyCallback that appends to kl.
func getJSONCallback(kl *keyList) sifsignature.VerifyCallback {
	return func(f *sif.FileImage, r integrity.VerifyResult) bool {
		name, fp := "unknown", ""
		var keyLocal, keyCheck bool

		// Increment signature count.
		kl.Signatures++

		// If entity is determined, note a few values.
		if e := r.Entity(); e != nil {
			if id := primaryIdentity(e); id != nil {
				name = id.Name
			}
			fp = hex.EncodeToString(e.PrimaryKey.Fingerprint[:])
			keyLocal = isLocal(e)
			keyCheck = true
		}

		// For each verified object, append an entry to the list.
		for _, od := range r.Verified() {
			ke := keyEntity{
				Partition:   od.DataType().String(),
				Name:        name,
				Fingerprint: fp,
				KeyLocal:    keyLocal,
				KeyCheck:    keyCheck,
				DataCheck:   true,
			}
			kl.SignerKeys = append(kl.SignerKeys, &key{ke})
		}

		var integrityError *integrity.ObjectIntegrityError
		if errors.As(r.Error(), &integrityError) {
			od, err := f.GetDescriptor(sif.WithID(integrityError.ID))
			if err != nil {
				sylog.Errorf("failed to get descriptor: %v", err)
				return false
			}

			ke := keyEntity{
				Partition:   od.DataType().String(),
				Name:        name,
				Fingerprint: fp,
				KeyLocal:    keyLocal,
				KeyCheck:    keyCheck,
				DataCheck:   false,
			}
			kl.SignerKeys = append(kl.SignerKeys, &key{ke})
		}

		return false
	}
}

// outputJSON outputs a JSON representation of kl to w.
func outputJSON(w io.Writer, kl keyList) error {
	e := json.NewEncoder(w)
	e.SetIndent("", "  ")
	return e.Encode(kl)
}