|
|
|
@ -1,8 +1,9 @@
|
|
|
|
|
"""Create GPG ECDSA signatures and public keys using TREZOR device."""
|
|
|
|
|
import io
|
|
|
|
|
import logging
|
|
|
|
|
import time
|
|
|
|
|
|
|
|
|
|
from . import decode, device, keyring, protocol
|
|
|
|
|
from . import decode, keyring, protocol
|
|
|
|
|
from .. import util
|
|
|
|
|
|
|
|
|
|
log = logging.getLogger(__name__)
|
|
|
|
@ -21,7 +22,6 @@ def create_primary(user_id, pubkey, signer_func):
|
|
|
|
|
data_to_sign = (pubkey.data_to_hash() +
|
|
|
|
|
user_id_packet[:1] +
|
|
|
|
|
util.prefix_len('>L', user_id.encode('ascii')))
|
|
|
|
|
log.info('creating primary GPG key "%s"', user_id)
|
|
|
|
|
hashed_subpackets = [
|
|
|
|
|
protocol.subpacket_time(pubkey.created), # signature time
|
|
|
|
|
# https://tools.ietf.org/html/rfc4880#section-5.2.3.7
|
|
|
|
@ -40,7 +40,6 @@ def create_primary(user_id, pubkey, signer_func):
|
|
|
|
|
protocol.subpacket(16, pubkey.key_id()), # issuer key id
|
|
|
|
|
protocol.CUSTOM_SUBPACKET]
|
|
|
|
|
|
|
|
|
|
log.info('confirm signing with primary key')
|
|
|
|
|
signature = protocol.make_signature(
|
|
|
|
|
signer_func=signer_func,
|
|
|
|
|
public_algo=pubkey.algo_id,
|
|
|
|
@ -53,26 +52,26 @@ def create_primary(user_id, pubkey, signer_func):
|
|
|
|
|
return pubkey_packet + user_id_packet + sign_packet
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def create_subkey(primary_bytes, pubkey, signer_func):
|
|
|
|
|
def create_subkey(primary_bytes, subkey, signer_func, user_id=None):
|
|
|
|
|
"""Export new subkey to GPG primary key."""
|
|
|
|
|
subkey_packet = protocol.packet(tag=14, blob=pubkey.data())
|
|
|
|
|
primary = decode.load_public_key(primary_bytes)
|
|
|
|
|
log.info('adding subkey to primary GPG key "%s"', primary['user_id'])
|
|
|
|
|
data_to_sign = primary['_to_hash'] + pubkey.data_to_hash()
|
|
|
|
|
subkey_packet = protocol.packet(tag=14, blob=subkey.data())
|
|
|
|
|
packets = list(decode.parse_packets(io.BytesIO(primary_bytes)))
|
|
|
|
|
primary, user_id, signature = packets[:3]
|
|
|
|
|
|
|
|
|
|
if pubkey.ecdh:
|
|
|
|
|
data_to_sign = primary['_to_hash'] + subkey.data_to_hash()
|
|
|
|
|
|
|
|
|
|
if subkey.ecdh:
|
|
|
|
|
embedded_sig = None
|
|
|
|
|
else:
|
|
|
|
|
# Primary Key Binding Signature
|
|
|
|
|
hashed_subpackets = [
|
|
|
|
|
protocol.subpacket_time(pubkey.created)] # signature time
|
|
|
|
|
protocol.subpacket_time(subkey.created)] # signature time
|
|
|
|
|
unhashed_subpackets = [
|
|
|
|
|
protocol.subpacket(16, pubkey.key_id())] # issuer key id
|
|
|
|
|
log.info('confirm signing with new subkey')
|
|
|
|
|
protocol.subpacket(16, subkey.key_id())] # issuer key id
|
|
|
|
|
embedded_sig = protocol.make_signature(
|
|
|
|
|
signer_func=signer_func,
|
|
|
|
|
data_to_sign=data_to_sign,
|
|
|
|
|
public_algo=pubkey.algo_id,
|
|
|
|
|
public_algo=subkey.algo_id,
|
|
|
|
|
sig_type=0x19,
|
|
|
|
|
hashed_subpackets=hashed_subpackets,
|
|
|
|
|
unhashed_subpackets=unhashed_subpackets)
|
|
|
|
@ -81,10 +80,10 @@ def create_subkey(primary_bytes, pubkey, signer_func):
|
|
|
|
|
|
|
|
|
|
# Key flags: https://tools.ietf.org/html/rfc4880#section-5.2.3.21
|
|
|
|
|
# (certify & sign) (encrypt)
|
|
|
|
|
flags = (2) if (not pubkey.ecdh) else (4 | 8)
|
|
|
|
|
flags = (2) if (not subkey.ecdh) else (4 | 8)
|
|
|
|
|
|
|
|
|
|
hashed_subpackets = [
|
|
|
|
|
protocol.subpacket_time(pubkey.created), # signature time
|
|
|
|
|
protocol.subpacket_time(subkey.created), # signature time
|
|
|
|
|
protocol.subpacket_byte(0x1B, flags)]
|
|
|
|
|
|
|
|
|
|
unhashed_subpackets = []
|
|
|
|
@ -93,9 +92,8 @@ def create_subkey(primary_bytes, pubkey, signer_func):
|
|
|
|
|
unhashed_subpackets.append(protocol.subpacket(32, embedded_sig))
|
|
|
|
|
unhashed_subpackets.append(protocol.CUSTOM_SUBPACKET)
|
|
|
|
|
|
|
|
|
|
log.info('confirm signing with primary key')
|
|
|
|
|
if not primary['_is_custom']:
|
|
|
|
|
signer_func = keyring.create_agent_signer(primary['user_id'])
|
|
|
|
|
if not signature['_is_custom']:
|
|
|
|
|
signer_func = keyring.create_agent_signer(user_id['value'])
|
|
|
|
|
|
|
|
|
|
signature = protocol.make_signature(
|
|
|
|
|
signer_func=signer_func,
|
|
|
|
@ -106,22 +104,3 @@ def create_subkey(primary_bytes, pubkey, signer_func):
|
|
|
|
|
unhashed_subpackets=unhashed_subpackets)
|
|
|
|
|
sign_packet = protocol.packet(tag=2, blob=signature)
|
|
|
|
|
return primary_bytes + subkey_packet + sign_packet
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def load_from_public_key(pubkey_dict):
|
|
|
|
|
"""Load correct public key from the device."""
|
|
|
|
|
log.debug('pubkey_dict: %s', pubkey_dict)
|
|
|
|
|
user_id = pubkey_dict['user_id']
|
|
|
|
|
created = pubkey_dict['created']
|
|
|
|
|
curve_name = protocol.get_curve_name_by_oid(pubkey_dict['curve_oid'])
|
|
|
|
|
ecdh = (pubkey_dict['algo'] == protocol.ECDH_ALGO_ID)
|
|
|
|
|
|
|
|
|
|
conn = device.HardwareSigner(user_id, curve_name=curve_name)
|
|
|
|
|
pubkey = protocol.PublicKey(
|
|
|
|
|
curve_name=curve_name, created=created,
|
|
|
|
|
verifying_key=conn.pubkey(ecdh=ecdh), ecdh=ecdh)
|
|
|
|
|
assert pubkey.key_id() == pubkey_dict['key_id']
|
|
|
|
|
log.info('%s created at %s for "%s"',
|
|
|
|
|
pubkey, _time_format(pubkey.created), user_id)
|
|
|
|
|
|
|
|
|
|
return pubkey, conn
|
|
|
|
|