1// Copyright 2011 The Go Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style 3// license that can be found in the LICENSE file. 4 5// Package packet implements parsing and serialization of OpenPGP packets, as 6// specified in RFC 4880. 7package packet // import "golang.org/x/crypto/openpgp/packet" 8 9import ( 10 "bufio" 11 "crypto/aes" 12 "crypto/cipher" 13 "crypto/des" 14 "crypto/rsa" 15 "io" 16 "math/big" 17 "math/bits" 18 19 "golang.org/x/crypto/cast5" 20 "golang.org/x/crypto/openpgp/errors" 21) 22 23// readFull is the same as io.ReadFull except that reading zero bytes returns 24// ErrUnexpectedEOF rather than EOF. 25func readFull(r io.Reader, buf []byte) (n int, err error) { 26 n, err = io.ReadFull(r, buf) 27 if err == io.EOF { 28 err = io.ErrUnexpectedEOF 29 } 30 return 31} 32 33// readLength reads an OpenPGP length from r. See RFC 4880, section 4.2.2. 34func readLength(r io.Reader) (length int64, isPartial bool, err error) { 35 var buf [4]byte 36 _, err = readFull(r, buf[:1]) 37 if err != nil { 38 return 39 } 40 switch { 41 case buf[0] < 192: 42 length = int64(buf[0]) 43 case buf[0] < 224: 44 length = int64(buf[0]-192) << 8 45 _, err = readFull(r, buf[0:1]) 46 if err != nil { 47 return 48 } 49 length += int64(buf[0]) + 192 50 case buf[0] < 255: 51 length = int64(1) << (buf[0] & 0x1f) 52 isPartial = true 53 default: 54 _, err = readFull(r, buf[0:4]) 55 if err != nil { 56 return 57 } 58 length = int64(buf[0])<<24 | 59 int64(buf[1])<<16 | 60 int64(buf[2])<<8 | 61 int64(buf[3]) 62 } 63 return 64} 65 66// partialLengthReader wraps an io.Reader and handles OpenPGP partial lengths. 67// The continuation lengths are parsed and removed from the stream and EOF is 68// returned at the end of the packet. See RFC 4880, section 4.2.2.4. 69type partialLengthReader struct { 70 r io.Reader 71 remaining int64 72 isPartial bool 73} 74 75func (r *partialLengthReader) Read(p []byte) (n int, err error) { 76 for r.remaining == 0 { 77 if !r.isPartial { 78 return 0, io.EOF 79 } 80 r.remaining, r.isPartial, err = readLength(r.r) 81 if err != nil { 82 return 0, err 83 } 84 } 85 86 toRead := int64(len(p)) 87 if toRead > r.remaining { 88 toRead = r.remaining 89 } 90 91 n, err = r.r.Read(p[:int(toRead)]) 92 r.remaining -= int64(n) 93 if n < int(toRead) && err == io.EOF { 94 err = io.ErrUnexpectedEOF 95 } 96 return 97} 98 99// partialLengthWriter writes a stream of data using OpenPGP partial lengths. 100// See RFC 4880, section 4.2.2.4. 101type partialLengthWriter struct { 102 w io.WriteCloser 103 lengthByte [1]byte 104 sentFirst bool 105 buf []byte 106} 107 108// RFC 4880 4.2.2.4: the first partial length MUST be at least 512 octets long. 109const minFirstPartialWrite = 512 110 111func (w *partialLengthWriter) Write(p []byte) (n int, err error) { 112 off := 0 113 if !w.sentFirst { 114 if len(w.buf) > 0 || len(p) < minFirstPartialWrite { 115 off = len(w.buf) 116 w.buf = append(w.buf, p...) 117 if len(w.buf) < minFirstPartialWrite { 118 return len(p), nil 119 } 120 p = w.buf 121 w.buf = nil 122 } 123 w.sentFirst = true 124 } 125 126 power := uint8(30) 127 for len(p) > 0 { 128 l := 1 << power 129 if len(p) < l { 130 power = uint8(bits.Len32(uint32(len(p)))) - 1 131 l = 1 << power 132 } 133 w.lengthByte[0] = 224 + power 134 _, err = w.w.Write(w.lengthByte[:]) 135 if err == nil { 136 var m int 137 m, err = w.w.Write(p[:l]) 138 n += m 139 } 140 if err != nil { 141 if n < off { 142 return 0, err 143 } 144 return n - off, err 145 } 146 p = p[l:] 147 } 148 return n - off, nil 149} 150 151func (w *partialLengthWriter) Close() error { 152 if len(w.buf) > 0 { 153 // In this case we can't send a 512 byte packet. 154 // Just send what we have. 155 p := w.buf 156 w.sentFirst = true 157 w.buf = nil 158 if _, err := w.Write(p); err != nil { 159 return err 160 } 161 } 162 163 w.lengthByte[0] = 0 164 _, err := w.w.Write(w.lengthByte[:]) 165 if err != nil { 166 return err 167 } 168 return w.w.Close() 169} 170 171// A spanReader is an io.LimitReader, but it returns ErrUnexpectedEOF if the 172// underlying Reader returns EOF before the limit has been reached. 173type spanReader struct { 174 r io.Reader 175 n int64 176} 177 178func (l *spanReader) Read(p []byte) (n int, err error) { 179 if l.n <= 0 { 180 return 0, io.EOF 181 } 182 if int64(len(p)) > l.n { 183 p = p[0:l.n] 184 } 185 n, err = l.r.Read(p) 186 l.n -= int64(n) 187 if l.n > 0 && err == io.EOF { 188 err = io.ErrUnexpectedEOF 189 } 190 return 191} 192 193// readHeader parses a packet header and returns an io.Reader which will return 194// the contents of the packet. See RFC 4880, section 4.2. 195func readHeader(r io.Reader) (tag packetType, length int64, contents io.Reader, err error) { 196 var buf [4]byte 197 _, err = io.ReadFull(r, buf[:1]) 198 if err != nil { 199 return 200 } 201 if buf[0]&0x80 == 0 { 202 err = errors.StructuralError("tag byte does not have MSB set") 203 return 204 } 205 if buf[0]&0x40 == 0 { 206 // Old format packet 207 tag = packetType((buf[0] & 0x3f) >> 2) 208 lengthType := buf[0] & 3 209 if lengthType == 3 { 210 length = -1 211 contents = r 212 return 213 } 214 lengthBytes := 1 << lengthType 215 _, err = readFull(r, buf[0:lengthBytes]) 216 if err != nil { 217 return 218 } 219 for i := 0; i < lengthBytes; i++ { 220 length <<= 8 221 length |= int64(buf[i]) 222 } 223 contents = &spanReader{r, length} 224 return 225 } 226 227 // New format packet 228 tag = packetType(buf[0] & 0x3f) 229 length, isPartial, err := readLength(r) 230 if err != nil { 231 return 232 } 233 if isPartial { 234 contents = &partialLengthReader{ 235 remaining: length, 236 isPartial: true, 237 r: r, 238 } 239 length = -1 240 } else { 241 contents = &spanReader{r, length} 242 } 243 return 244} 245 246// serializeHeader writes an OpenPGP packet header to w. See RFC 4880, section 247// 4.2. 248func serializeHeader(w io.Writer, ptype packetType, length int) (err error) { 249 var buf [6]byte 250 var n int 251 252 buf[0] = 0x80 | 0x40 | byte(ptype) 253 if length < 192 { 254 buf[1] = byte(length) 255 n = 2 256 } else if length < 8384 { 257 length -= 192 258 buf[1] = 192 + byte(length>>8) 259 buf[2] = byte(length) 260 n = 3 261 } else { 262 buf[1] = 255 263 buf[2] = byte(length >> 24) 264 buf[3] = byte(length >> 16) 265 buf[4] = byte(length >> 8) 266 buf[5] = byte(length) 267 n = 6 268 } 269 270 _, err = w.Write(buf[:n]) 271 return 272} 273 274// serializeStreamHeader writes an OpenPGP packet header to w where the 275// length of the packet is unknown. It returns a io.WriteCloser which can be 276// used to write the contents of the packet. See RFC 4880, section 4.2. 277func serializeStreamHeader(w io.WriteCloser, ptype packetType) (out io.WriteCloser, err error) { 278 var buf [1]byte 279 buf[0] = 0x80 | 0x40 | byte(ptype) 280 _, err = w.Write(buf[:]) 281 if err != nil { 282 return 283 } 284 out = &partialLengthWriter{w: w} 285 return 286} 287 288// Packet represents an OpenPGP packet. Users are expected to try casting 289// instances of this interface to specific packet types. 290type Packet interface { 291 parse(io.Reader) error 292} 293 294// consumeAll reads from the given Reader until error, returning the number of 295// bytes read. 296func consumeAll(r io.Reader) (n int64, err error) { 297 var m int 298 var buf [1024]byte 299 300 for { 301 m, err = r.Read(buf[:]) 302 n += int64(m) 303 if err == io.EOF { 304 err = nil 305 return 306 } 307 if err != nil { 308 return 309 } 310 } 311} 312 313// packetType represents the numeric ids of the different OpenPGP packet types. See 314// http://www.iana.org/assignments/pgp-parameters/pgp-parameters.xhtml#pgp-parameters-2 315type packetType uint8 316 317const ( 318 packetTypeEncryptedKey packetType = 1 319 packetTypeSignature packetType = 2 320 packetTypeSymmetricKeyEncrypted packetType = 3 321 packetTypeOnePassSignature packetType = 4 322 packetTypePrivateKey packetType = 5 323 packetTypePublicKey packetType = 6 324 packetTypePrivateSubkey packetType = 7 325 packetTypeCompressed packetType = 8 326 packetTypeSymmetricallyEncrypted packetType = 9 327 packetTypeLiteralData packetType = 11 328 packetTypeUserId packetType = 13 329 packetTypePublicSubkey packetType = 14 330 packetTypeUserAttribute packetType = 17 331 packetTypeSymmetricallyEncryptedMDC packetType = 18 332) 333 334// peekVersion detects the version of a public key packet about to 335// be read. A bufio.Reader at the original position of the io.Reader 336// is returned. 337func peekVersion(r io.Reader) (bufr *bufio.Reader, ver byte, err error) { 338 bufr = bufio.NewReader(r) 339 var verBuf []byte 340 if verBuf, err = bufr.Peek(1); err != nil { 341 return 342 } 343 ver = verBuf[0] 344 return 345} 346 347// Read reads a single OpenPGP packet from the given io.Reader. If there is an 348// error parsing a packet, the whole packet is consumed from the input. 349func Read(r io.Reader) (p Packet, err error) { 350 tag, _, contents, err := readHeader(r) 351 if err != nil { 352 return 353 } 354 355 switch tag { 356 case packetTypeEncryptedKey: 357 p = new(EncryptedKey) 358 case packetTypeSignature: 359 var version byte 360 // Detect signature version 361 if contents, version, err = peekVersion(contents); err != nil { 362 return 363 } 364 if version < 4 { 365 p = new(SignatureV3) 366 } else { 367 p = new(Signature) 368 } 369 case packetTypeSymmetricKeyEncrypted: 370 p = new(SymmetricKeyEncrypted) 371 case packetTypeOnePassSignature: 372 p = new(OnePassSignature) 373 case packetTypePrivateKey, packetTypePrivateSubkey: 374 pk := new(PrivateKey) 375 if tag == packetTypePrivateSubkey { 376 pk.IsSubkey = true 377 } 378 p = pk 379 case packetTypePublicKey, packetTypePublicSubkey: 380 var version byte 381 if contents, version, err = peekVersion(contents); err != nil { 382 return 383 } 384 isSubkey := tag == packetTypePublicSubkey 385 if version < 4 { 386 p = &PublicKeyV3{IsSubkey: isSubkey} 387 } else { 388 p = &PublicKey{IsSubkey: isSubkey} 389 } 390 case packetTypeCompressed: 391 p = new(Compressed) 392 case packetTypeSymmetricallyEncrypted: 393 p = new(SymmetricallyEncrypted) 394 case packetTypeLiteralData: 395 p = new(LiteralData) 396 case packetTypeUserId: 397 p = new(UserId) 398 case packetTypeUserAttribute: 399 p = new(UserAttribute) 400 case packetTypeSymmetricallyEncryptedMDC: 401 se := new(SymmetricallyEncrypted) 402 se.MDC = true 403 p = se 404 default: 405 err = errors.UnknownPacketTypeError(tag) 406 } 407 if p != nil { 408 err = p.parse(contents) 409 } 410 if err != nil { 411 consumeAll(contents) 412 } 413 return 414} 415 416// SignatureType represents the different semantic meanings of an OpenPGP 417// signature. See RFC 4880, section 5.2.1. 418type SignatureType uint8 419 420const ( 421 SigTypeBinary SignatureType = 0 422 SigTypeText = 1 423 SigTypeGenericCert = 0x10 424 SigTypePersonaCert = 0x11 425 SigTypeCasualCert = 0x12 426 SigTypePositiveCert = 0x13 427 SigTypeSubkeyBinding = 0x18 428 SigTypePrimaryKeyBinding = 0x19 429 SigTypeDirectSignature = 0x1F 430 SigTypeKeyRevocation = 0x20 431 SigTypeSubkeyRevocation = 0x28 432) 433 434// PublicKeyAlgorithm represents the different public key system specified for 435// OpenPGP. See 436// http://www.iana.org/assignments/pgp-parameters/pgp-parameters.xhtml#pgp-parameters-12 437type PublicKeyAlgorithm uint8 438 439const ( 440 PubKeyAlgoRSA PublicKeyAlgorithm = 1 441 PubKeyAlgoElGamal PublicKeyAlgorithm = 16 442 PubKeyAlgoDSA PublicKeyAlgorithm = 17 443 // RFC 6637, Section 5. 444 PubKeyAlgoECDH PublicKeyAlgorithm = 18 445 PubKeyAlgoECDSA PublicKeyAlgorithm = 19 446 447 // Deprecated in RFC 4880, Section 13.5. Use key flags instead. 448 PubKeyAlgoRSAEncryptOnly PublicKeyAlgorithm = 2 449 PubKeyAlgoRSASignOnly PublicKeyAlgorithm = 3 450) 451 452// CanEncrypt returns true if it's possible to encrypt a message to a public 453// key of the given type. 454func (pka PublicKeyAlgorithm) CanEncrypt() bool { 455 switch pka { 456 case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoElGamal: 457 return true 458 } 459 return false 460} 461 462// CanSign returns true if it's possible for a public key of the given type to 463// sign a message. 464func (pka PublicKeyAlgorithm) CanSign() bool { 465 switch pka { 466 case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly, PubKeyAlgoDSA, PubKeyAlgoECDSA: 467 return true 468 } 469 return false 470} 471 472// CipherFunction represents the different block ciphers specified for OpenPGP. See 473// http://www.iana.org/assignments/pgp-parameters/pgp-parameters.xhtml#pgp-parameters-13 474type CipherFunction uint8 475 476const ( 477 Cipher3DES CipherFunction = 2 478 CipherCAST5 CipherFunction = 3 479 CipherAES128 CipherFunction = 7 480 CipherAES192 CipherFunction = 8 481 CipherAES256 CipherFunction = 9 482) 483 484// KeySize returns the key size, in bytes, of cipher. 485func (cipher CipherFunction) KeySize() int { 486 switch cipher { 487 case Cipher3DES: 488 return 24 489 case CipherCAST5: 490 return cast5.KeySize 491 case CipherAES128: 492 return 16 493 case CipherAES192: 494 return 24 495 case CipherAES256: 496 return 32 497 } 498 return 0 499} 500 501// blockSize returns the block size, in bytes, of cipher. 502func (cipher CipherFunction) blockSize() int { 503 switch cipher { 504 case Cipher3DES: 505 return des.BlockSize 506 case CipherCAST5: 507 return 8 508 case CipherAES128, CipherAES192, CipherAES256: 509 return 16 510 } 511 return 0 512} 513 514// new returns a fresh instance of the given cipher. 515func (cipher CipherFunction) new(key []byte) (block cipher.Block) { 516 switch cipher { 517 case Cipher3DES: 518 block, _ = des.NewTripleDESCipher(key) 519 case CipherCAST5: 520 block, _ = cast5.NewCipher(key) 521 case CipherAES128, CipherAES192, CipherAES256: 522 block, _ = aes.NewCipher(key) 523 } 524 return 525} 526 527// readMPI reads a big integer from r. The bit length returned is the bit 528// length that was specified in r. This is preserved so that the integer can be 529// reserialized exactly. 530func readMPI(r io.Reader) (mpi []byte, bitLength uint16, err error) { 531 var buf [2]byte 532 _, err = readFull(r, buf[0:]) 533 if err != nil { 534 return 535 } 536 bitLength = uint16(buf[0])<<8 | uint16(buf[1]) 537 numBytes := (int(bitLength) + 7) / 8 538 mpi = make([]byte, numBytes) 539 _, err = readFull(r, mpi) 540 // According to RFC 4880 3.2. we should check that the MPI has no leading 541 // zeroes (at least when not an encrypted MPI?), but this implementation 542 // does generate leading zeroes, so we keep accepting them. 543 return 544} 545 546// writeMPI serializes a big integer to w. 547func writeMPI(w io.Writer, bitLength uint16, mpiBytes []byte) (err error) { 548 // Note that we can produce leading zeroes, in violation of RFC 4880 3.2. 549 // Implementations seem to be tolerant of them, and stripping them would 550 // make it complex to guarantee matching re-serialization. 551 _, err = w.Write([]byte{byte(bitLength >> 8), byte(bitLength)}) 552 if err == nil { 553 _, err = w.Write(mpiBytes) 554 } 555 return 556} 557 558// writeBig serializes a *big.Int to w. 559func writeBig(w io.Writer, i *big.Int) error { 560 return writeMPI(w, uint16(i.BitLen()), i.Bytes()) 561} 562 563// padToKeySize left-pads a MPI with zeroes to match the length of the 564// specified RSA public. 565func padToKeySize(pub *rsa.PublicKey, b []byte) []byte { 566 k := (pub.N.BitLen() + 7) / 8 567 if len(b) >= k { 568 return b 569 } 570 bb := make([]byte, k) 571 copy(bb[len(bb)-len(b):], b) 572 return bb 573} 574 575// CompressionAlgo Represents the different compression algorithms 576// supported by OpenPGP (except for BZIP2, which is not currently 577// supported). See Section 9.3 of RFC 4880. 578type CompressionAlgo uint8 579 580const ( 581 CompressionNone CompressionAlgo = 0 582 CompressionZIP CompressionAlgo = 1 583 CompressionZLIB CompressionAlgo = 2 584) 585