Merge pull request keybase#59 from keybase/zapu/nested-sigs

Support multiple (nested) signatures

Author: zapu

openpgp/nested_sig_test.go

@@ -0,0 +1,181 @@
+package openpgp
+
+import (
+	"bytes"
+	"fmt"
+	"io/ioutil"
+	"strings"
+	"testing"
+
+	"github.com/keybase/go-crypto/openpgp/armor"
+)
+
+func TestMultisig(t *testing.T) {
+	kring1, err := ReadArmoredKeyRing(bytes.NewBufferString(testKey1))
+	if err != nil {
+		t.Error(err)
+		return
+	}
+
+	kring2, err := ReadArmoredKeyRing(bytes.NewBufferString(testKey2))
+	if err != nil {
+		t.Error(err)
+		return
+	}
+
+	if len(kring1) != 1 && len(kring2) != 1 {
+		t.Fatalf("Expected both keyrings to only have one key each: len 1: %d len 2: %d", len(kring1), len(kring2))
+	}
+
+	tryWithKey := func(keys EntityList) error {
+		sig, err := armor.Decode(strings.NewReader(testSignature))
+		if err != nil {
+			return err
+		}
+
+		md, err := ReadMessage(sig.Body, keys, nil, nil)
+		if err != nil {
+			return err
+		}
+
+		if !md.MultiSig {
+			return fmt.Errorf("Expected MultiSig to be true")
+		}
+
+		if md.SignedByKeyId == 0 {
+			return fmt.Errorf("SignedByKeyId should never be zero, even if keyring doesn't contain good key")
+		}
+
+		if md.SignedBy == nil {
+			return fmt.Errorf("Couldn't find key message was signed with or message wasn't signed (md is %+v)", md)
+		}
+
+		if md.SignedBy.PublicKey != keys[0].PrimaryKey {
+			return fmt.Errorf("Message wasn't by expected key (SignedBy is %p)", md.SignedBy)
+		}
+
+		_, err = ioutil.ReadAll(md.UnverifiedBody)
+		if err != nil {
+			return err
+		}
+
+		if md.SignatureError != nil {
+			return fmt.Errorf("md.SignatureError: %s", md.SignatureError)
+		}
+
+		if md.Signature == nil && md.SignatureV3 == nil {
+			return fmt.Errorf("Signature is nil after reading (md is %+v)", md)
+		}
+
+		return nil
+	}
+
+	badkey, err := ReadArmoredKeyRing(bytes.NewBufferString(matthiasuKey))
+	if err != nil {
+		t.Error(err)
+		return
+	}
+
+	t.Logf("Trying keyring 1")
+	if err := tryWithKey(kring1); err != nil {
+		t.Error(err)
+	}
+
+	t.Logf("Trying keyring 2")
+	if err := tryWithKey(kring2); err != nil {
+		t.Error(err)
+	}
+
+	t.Logf("Trying entirely unrelated key from different test file")
+	err = tryWithKey(badkey)
+	if err == nil {
+		t.Error("Expected an error but got nil when trying unrelated key.")
+	}
+	t.Logf("When trying with bad key, error was: %s", err)
+}
+
+func TestMultisigMalformed(t *testing.T) {
+	keys, err := ReadArmoredKeyRing(bytes.NewBufferString(testKey2))
+	if err != nil {
+		t.Fatal(err)
+		return
+	}
+
+	sig, err := armor.Decode(strings.NewReader(testSignatureMalformed))
+	if err != nil {
+		t.Fatalf("Got error during decode: %v", err)
+	}
+
+	md, err := ReadMessage(sig.Body, keys, nil, nil)
+	if err != nil {
+		t.Fatalf("Got error during ReadMessage: %v", err)
+	}
+
+	if !md.MultiSig {
+		t.Fatal("Expected MultiSig to be true")
+	}
+
+	_, err = ioutil.ReadAll(md.UnverifiedBody)
+	if err != nil {
+		t.Fatalf("Got error during ReadAll: %v", err)
+	}
+
+	if md.SignatureError == nil || md.Signature != nil {
+		t.Fatalf("Expected SignatureError, got nil")
+	}
+
+	t.Logf("SignatureError is: %v", md.SignatureError)
+}
+
+const testKey1 = `-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEWfcV/BYJKwYBBAHaRw8BAQdAYhAuI4LPgxnu8MDU/XJpSlfCFPelz58v5QpU
+9R9MtFa0ClRlc3QgS2V5IDGIeQQTFggAIQUCWfcV/AIbAwULCQgHAgYVCAkKCwIE
+FgIDAQIeAQIXgAAKCRCc9gMcYqzhOWz5AP91QOM2xFiy5FZ+suqpP5zbygMNe/PJ
+wunDkjryQRaWqgEAjalogSO20NeTEbDBWiglggMvJrTFXMqdsZ5bdUkoSQi4OARZ
+9xX8EgorBgEEAZdVAQUBAQdAIXy/6CNrP/Tq6uDnTu9Vra8Qc05uGY18gUqou9/0
+m1wDAQgHiGEEGBYIAAkFAln3FfwCGwwACgkQnPYDHGKs4TkTYwEA9JWX8sASAY6u
+NSuMuq3f3fKwYVR3kB0hYRd7ffic+aABALBDGedfGTfjKLWAqd+NFO4fKlQJjg0Y
++EnrmcTzas4G
+=JK7o
+-----END PGP PUBLIC KEY BLOCK-----
+`
+
+const testKey2 = `-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEWfcWjxYJKwYBBAHaRw8BAQdAxsmWcp2FwAiRHylbOrDnoKKUBAa1wgQlE1mJ
+fNj4EFS0ClRlc3QgS2V5IDKIeQQTFggAIQUCWfcWjwIbAwULCQgHAgYVCAkKCwIE
+FgIDAQIeAQIXgAAKCRCIHHukx/1YbM3dAQDNiAF2ZqxrDvxv5chMeazuvsu9o5J8
+mtpPludqpWKsvAD6AsH0fhDeIwKVBk1uigw3ut7VKyyNSSNezy3RczengQy4OARZ
+9xaPEgorBgEEAZdVAQUBAQdAF1hhJLcRj77GF+lc9gEVziFZ1yJW/8LYSMZ0AAo9
+kkgDAQgHiGEEGBYIAAkFAln3Fo8CGwwACgkQiBx7pMf9WGxlJgD/RriX0jfA3Hjl
+pSCtbGRJGm6LZgYEn9XHzfmZ+ZTG9bsA/AxYjMrv4I3Ft4x6ogrqzvxmcga3zgGc
+QjcG/YKbNUQJ
+=/+FB
+-----END PGP PUBLIC KEY BLOCK-----
+`
+
+const testSignature = `-----BEGIN PGP MESSAGE-----
+
+owGbwMvMwCHWIVO95PjfiByGCWDunG/MMklrHloynhZLYoj8bmpdgQq4OuJYGMQ4
+GNhYmUCyDFycAjAtVeyMDAsPbJoqV7fr73PmkwouPLvPX02Oeye648Tq72GOz+68
+lTdiZLigI+QhMS++YiL/9uLLKyZmlnX3iZ89rLYhTKZe2b5JHIv5MBeCzP9zUvnk
+xI4vmaJe3MJav1zjZZc67ZSJYVy9+Q33resy8X0M/4Mmhrs7zvyssnTjiTOTPzus
+uXp/8adNSepq6kncd9iiU5kB
+=QVa3
+-----END PGP MESSAGE-----
+`
+
+// This signature payload ends prematurely, it claims to be signed by
+// both testKey1 (9CF6031C62ACE139) and testKey2 (881C7BA4C7FD586C)
+// but it only contains `signature packet` for 9CF6031C62ACE139. If we
+// test it with 881C7BA4C7FD586C, it should fail to read.
+const testSignatureMalformed = `-----BEGIN PGP MESSAGE-----
+
+kA0DAAgWiBx7pMf9WGwAkA0DAAgWnPYDHGKs4TkByxZiAFn3NTt4eHh4eHh4eHh4
+eHh4eHgKiF4EABYIAAYFAln3NTsACgkQnPYDHGKs4Tl6BwEAocCylR5+uv3nA8kg
+RAy7z9VjXu4VuMir91ZB5tztHzIBANAsEkgYnl94kQ+3c9OokWl2i44XzcMmsFYc
+fyM/ghcK
+=R0Rj
+-----END PGP ARMORED FILE-----
+`

openpgp/read.go

@@ -61,6 +61,9 @@ type MessageDetails struct {
 	Signature      *packet.Signature   // the signature packet itself, if v4 (default)
 	SignatureV3    *packet.SignatureV3 // the signature packet if it is a v2 or v3 signature
 
+	// Does the Message include multiple signatures? Also called "nested signatures".
+	MultiSig bool
+
 	decrypted io.ReadCloser
 }
 
@@ -244,8 +247,17 @@ FindLiteralData:
 				return nil, err
 			}
 		case *packet.OnePassSignature:
-			if !p.IsLast {
-				return nil, errors.UnsupportedError("nested signatures")
+			if md.IsSigned {
+				// If IsSigned is set, it means we have multiple
+				// OnePassSignature packets.
+				md.MultiSig = true
+				if md.SignedBy != nil {
+					// We've already found the signature we were looking
+					// for, made by key that we had in keyring and can
+					// check signature against. Continue with that instead
+					// of trying to find another.
+					continue FindLiteralData
+				}
 			}
 
 			h, wrappedHash, err = hashForSignature(p.Hash, p.SigType)
@@ -329,29 +341,54 @@ func (scr *signatureCheckReader) Read(buf []byte) (n int, err error) {
 	n, err = scr.md.LiteralData.Body.Read(buf)
 	scr.wrappedHash.Write(buf[:n])
 	if err == io.EOF {
-		var p packet.Packet
-		p, scr.md.SignatureError = scr.packets.Next()
-		if scr.md.SignatureError != nil {
-			return
-		}
-
-		var ok bool
-		if scr.md.Signature, ok = p.(*packet.Signature); ok {
-			var err error
-			if fingerprint := scr.md.Signature.IssuerFingerprint; fingerprint != nil {
-				if !hmac.Equal(fingerprint, scr.md.SignedBy.PublicKey.Fingerprint[:]) {
-					err = errors.StructuralError("bad key fingerprint")
+		for {
+			var p packet.Packet
+			p, scr.md.SignatureError = scr.packets.Next()
+			if scr.md.SignatureError != nil {
+				if scr.md.MultiSig {
+					// If we are in MultiSig, we might have found other
+					// signature that cannot be verified using our key.
+					// Clear Signature field so it's clear for consumers
+					// that this message failed to verify.
+					scr.md.Signature = nil
 				}
+				return
 			}
-			if err == nil {
-				err = scr.md.SignedBy.PublicKey.VerifySignature(scr.h, scr.md.Signature)
+
+			var ok bool
+			if scr.md.Signature, ok = p.(*packet.Signature); ok {
+				var err error
+				if keyID := scr.md.Signature.IssuerKeyId; keyID != nil {
+					if *keyID != scr.md.SignedBy.PublicKey.KeyId {
+						if scr.md.MultiSig {
+							continue // try again to find a sig we can verify
+						}
+						err = errors.StructuralError("bad key id")
+					}
+				}
+				if fingerprint := scr.md.Signature.IssuerFingerprint; fingerprint != nil {
+					if !hmac.Equal(fingerprint, scr.md.SignedBy.PublicKey.Fingerprint[:]) {
+						if scr.md.MultiSig {
+							continue // try again to find a sig we can verify
+						}
+						err = errors.StructuralError("bad key fingerprint")
+					}
+				}
+				if err == nil {
+					err = scr.md.SignedBy.PublicKey.VerifySignature(scr.h, scr.md.Signature)
+				}
+				scr.md.SignatureError = err
+			} else if scr.md.SignatureV3, ok = p.(*packet.SignatureV3); ok {
+				scr.md.SignatureError = scr.md.SignedBy.PublicKey.VerifySignatureV3(scr.h, scr.md.SignatureV3)
+			} else {
+				scr.md.SignatureError = errors.StructuralError("LiteralData not followed by Signature")
+				return
 			}
-			scr.md.SignatureError = err
-		} else if scr.md.SignatureV3, ok = p.(*packet.SignatureV3); ok {
-			scr.md.SignatureError = scr.md.SignedBy.PublicKey.VerifySignatureV3(scr.h, scr.md.SignatureV3)
-		} else {
-			scr.md.SignatureError = errors.StructuralError("LiteralData not followed by Signature")
-			return
+
+			// Parse only one packet by default, unless message is MultiSig. Then
+			// we ask for more packets after discovering non-matching signature,
+			// until we find one that we can verify.
+			break
 		}
 
 		// The SymmetricallyEncrypted packet, if any, might have an

openpgp/read_test.go

@@ -116,7 +116,7 @@ func checkSignedMessage(t *testing.T, signedHex, expected string) {
 		return
 	}
 
-	if !md.IsSigned || md.SignedByKeyId != 0xa34d7e18c20c31bb || md.SignedBy == nil || md.IsEncrypted || md.IsSymmetricallyEncrypted || len(md.EncryptedToKeyIds) != 0 || md.IsSymmetricallyEncrypted {
+	if !md.IsSigned || md.SignedByKeyId != 0xa34d7e18c20c31bb || md.SignedBy == nil || md.IsEncrypted || md.IsSymmetricallyEncrypted || len(md.EncryptedToKeyIds) != 0 || md.IsSymmetricallyEncrypted || md.MultiSig {
 		t.Errorf("bad MessageDetails: %#v", md)
 	}
 
@@ -209,7 +209,7 @@ func TestSignedEncryptedMessage(t *testing.T) {
 			return
 		}
 
-		if !md.IsSigned || md.SignedByKeyId != test.signedByKeyId || md.SignedBy == nil || !md.IsEncrypted || md.IsSymmetricallyEncrypted || len(md.EncryptedToKeyIds) == 0 || md.EncryptedToKeyIds[0] != test.encryptedToKeyId {
+		if !md.IsSigned || md.SignedByKeyId != test.signedByKeyId || md.SignedBy == nil || !md.IsEncrypted || md.IsSymmetricallyEncrypted || len(md.EncryptedToKeyIds) == 0 || md.EncryptedToKeyIds[0] != test.encryptedToKeyId || md.MultiSig {
 			t.Errorf("#%d: bad MessageDetails: %#v", i, md)
 		}
 
@@ -897,6 +897,31 @@ func TestIllformedArmors(t *testing.T) {
 	}
 }
 
+func TestSignedTextMessageNoSignature(t *testing.T) {
+	kring, _ := ReadKeyRing(readerFromHex(testKeys1And2Hex))
+
+	md, err := ReadMessage(readerFromHex(signedTextMessageMalformed), kring, nil, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if !md.IsSigned || md.SignedByKeyId != 0xa34d7e18c20c31bb || md.SignedBy == nil || md.IsEncrypted || md.IsSymmetricallyEncrypted || len(md.EncryptedToKeyIds) != 0 || md.IsSymmetricallyEncrypted || md.MultiSig {
+		t.Errorf("bad MessageDetails: %#v", md)
+	}
+
+	contents, err := ioutil.ReadAll(md.UnverifiedBody)
+	if err != nil {
+		t.Errorf("error reading UnverifiedBody: %s", err)
+	}
+	if string(contents) != signedTextInput {
+		t.Errorf("bad UnverifiedBody got:%s want:%s", string(contents), signedTextInput)
+	}
+	if md.SignatureError == nil || md.Signature != nil {
+		t.Fatalf("Expected SignatureError, got nil")
+	}
+	t.Logf("SignatureError is: %s", md.SignatureError)
+}
+
 const testKey1KeyId = 0xA34D7E18C20C31BB
 const testKey3KeyId = 0x338934250CCC0360
 
@@ -923,6 +948,11 @@ const signedMessageHex = "a3019bc0cbccc0c4b8d8b74ee2108fe16ec6d3ca490cbe362d3f83
 
 const signedTextMessageHex = "a3019bc0cbccc8c4b8d8b74ee2108fe16ec6d36a250cbece0c178233d3f352531472538b8b13d35379b97232f352158ca0b4312f57c71c1646462606365626906a062e4e019811591798ff99bf8afee860b0d8a8c2a85c3387e3bcf0bb3b17987f2bbcfab2aa526d930cbfd3d98757184df3995c9f3e7790e36e3e9779f06089d4c64e9e47dd6202cb6e9bc73c5d11bb59fbaf89d22d8dc7cf199ddf17af96e77c5f65f9bbed56f427bd8db7af37f6c9984bf9385efaf5f184f986fb3e6adb0ecfe35bbf92d16a7aa2a344fb0bc52fb7624f0200"
 
+// Same message as signedTextMessageHex but "signature packet" is
+// dropped from the end. So this message claims to be signed but it
+// cannot be verified, so verification should fail.
+const signedTextMessageMalformed = "900d03010201a34d7e18c20c31bb01cb2674004d4300d05369676e6564206d6573736167650d0a6c696e6520320d0a6c696e6520330d0a"
+
 const signedEncryptedMessageHex = "848c032a67d68660df41c70103ff5789d0de26b6a50c985a02a13131ca829c413a35d0e6fa8d6842599252162808ac7439c72151c8c6183e76923fe3299301414d0c25a2f06a2257db3839e7df0ec964773f6e4c4ac7ff3b48c444237166dd46ba8ff443a5410dc670cb486672fdbe7c9dfafb75b4fea83af3a204fe2a7dfa86bd20122b4f3d2646cbeecb8f7be8d2c03b018bd210b1d3791e1aba74b0f1034e122ab72e760492c192383cf5e20b5628bd043272d63df9b923f147eb6091cd897553204832aba48fec54aa447547bb16305a1024713b90e77fd0065f1918271947549205af3c74891af22ee0b56cd29bfec6d6e351901cd4ab3ece7c486f1e32a792d4e474aed98ee84b3f591c7dff37b64e0ecd68fd036d517e412dcadf85840ce184ad7921ad446c4ee28db80447aea1ca8d4f574db4d4e37688158ddd19e14ee2eab4873d46947d65d14a23e788d912cf9a19624ca7352469b72a83866b7c23cb5ace3deab3c7018061b0ba0f39ed2befe27163e5083cf9b8271e3e3d52cc7ad6e2a3bd81d4c3d7022f8d"
 
 const signedEncryptedMessage2Hex = "85010e03cf6a7abcd43e36731003fb057f5495b79db367e277cdbe4ab90d924ddee0c0381494112ff8c1238fb0184af35d1731573b01bc4c55ecacd2aafbe2003d36310487d1ecc9ac994f3fada7f9f7f5c3a64248ab7782906c82c6ff1303b69a84d9a9529c31ecafbcdb9ba87e05439897d87e8a2a3dec55e14df19bba7f7bd316291c002ae2efd24f83f9e3441203fc081c0c23dc3092a454ca8a082b27f631abf73aca341686982e8fbda7e0e7d863941d68f3de4a755c2964407f4b5e0477b3196b8c93d551dd23c8beef7d0f03fbb1b6066f78907faf4bf1677d8fcec72651124080e0b7feae6b476e72ab207d38d90b958759fdedfc3c6c35717c9dbfc979b3cfbbff0a76d24a5e57056bb88acbd2a901ef64bc6e4db02adc05b6250ff378de81dca18c1910ab257dff1b9771b85bb9bbe0a69f5989e6d1710a35e6dfcceb7d8fb5ccea8db3932b3d9ff3fe0d327597c68b3622aec8e3716c83a6c93f497543b459b58ba504ed6bcaa747d37d2ca746fe49ae0a6ce4a8b694234e941b5159ff8bd34b9023da2814076163b86f40eed7c9472f81b551452d5ab87004a373c0172ec87ea6ce42ccfa7dbdad66b745496c4873d8019e8c28d6b3"