trezor-agent/trezor_agent/gpg/keyring.py

"""Tools for doing signature using gpg-agent."""

import binascii
import io
import logging
import os
import re
import socket
import subprocess

from . import decode
from .. import util

log = logging.getLogger(__name__)


def connect_to_agent(sock_path='~/.gnupg/S.gpg-agent'):
    """Connect to GPG agent's UNIX socket."""
    sock_path = os.path.expanduser(sock_path)
    subprocess.check_call(['gpg-connect-agent', '/bye'])
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.connect(sock_path)
    return sock


def _communicate(sock, msg):
    sock.sendall(msg + '\n')
    return _recvline(sock)


def _recvline(sock):
    reply = io.BytesIO()

    while True:
        c = sock.recv(1)
        if c == '\n':
            break
        reply.write(c)

    return reply.getvalue()


def _hex(data):
    return binascii.hexlify(data).upper()


def _unescape(s):
    s = bytearray(s)
    i = 0
    while i < len(s):
        if s[i] == ord('%'):
            hex_bytes = s[i+1:i+3]
            value = int(str(hex_bytes), 16)
            s[i:i+3] = [value]
        i += 1
    return bytes(s)


def _parse_term(s):
    size, s = s.split(':', 1)
    size = int(size)
    return s[:size], s[size:]


def _parse(s):
    if s[0] == '(':
        s = s[1:]
        name, s = _parse_term(s)
        values = [name]
        while s[0] != ')':
            value, s = _parse(s)
            values.append(value)
        return values, s[1:]
    else:
        return _parse_term(s)


def _parse_ecdsa_sig(args):
    (r, sig_r), (s, sig_s) = args
    assert r == 'r'
    assert s == 's'
    return (util.bytes2num(sig_r),
            util.bytes2num(sig_s))

_parse_dsa_sig = _parse_ecdsa_sig


def _parse_rsa_sig(args):
    (s, sig_s), = args
    assert s == 's'
    return (util.bytes2num(sig_s),)


def _parse_sig(sig):
    label, sig = sig
    assert label == 'sig-val'
    algo_name = sig[0]
    parser = {'rsa': _parse_rsa_sig,
              'ecdsa': _parse_ecdsa_sig,
              'dsa': _parse_dsa_sig}[algo_name]
    return parser(args=sig[1:])


def sign_digest(sock, keygrip, digest):
    """Sign a digest using specified key using GPG agent."""
    hash_algo = 8  # SHA256
    assert len(digest) == 32

    assert _communicate(sock, 'RESET').startswith('OK')

    ttyname = subprocess.check_output('tty').strip()
    options = ['ttyname={}'.format(ttyname)]  # set TTY for passphrase entry
    for opt in options:
        assert _communicate(sock, 'OPTION {}'.format(opt)) == 'OK'

    assert _communicate(sock, 'SIGKEY {}'.format(keygrip)) == 'OK'
    assert _communicate(sock, 'SETHASH {} {}'.format(hash_algo,
                                                     _hex(digest))) == 'OK'

    desc = ('Please+enter+the+passphrase+to+unlock+the+OpenPGP%0A'
            'secret+key,+to+sign+a+new+TREZOR-based+subkey')
    assert _communicate(sock, 'SETKEYDESC {}'.format(desc)) == 'OK'
    assert _communicate(sock, 'PKSIGN') == 'OK'
    line = _recvline(sock).strip()

    line = _unescape(line)
    log.debug('line: %r', line)
    prefix, sig = line.split(' ', 1)
    if prefix != 'D':
        raise ValueError(line)

    sig, leftover = _parse(sig)
    assert not leftover, leftover
    return _parse_sig(sig)


def get_keygrip(user_id):
    """Get a keygrip of the primary GPG key of the specified user."""
    args = ['gpg2', '--list-keys', '--with-keygrip', user_id]
    output = subprocess.check_output(args).decode('ascii')
    return re.findall(r'Keygrip = (\w+)', output)[0]


def get_public_key(user_id, use_custom=False):
    """Load existing GPG public key for `user_id` from local keyring."""
    args = ['gpg2', '--export'] + ([user_id] if user_id else [])
    pubkey_bytes = subprocess.check_output(args=args)
    if pubkey_bytes:
        return decode.load_public_key(io.BytesIO(pubkey_bytes),
                                      use_custom=use_custom)
    else:
        log.error('could not find public key %r in local GPG keyring', user_id)
        raise KeyError(user_id)
gpg: add agent-signing tool 9 years ago			`"""Tools for doing signature using gpg-agent."""`

			`import binascii`
			`import io`
			`import logging`
			`import os`
			`import re`
			`import socket`
gpg: rename load_from_gpg -> get_public_key 8 years ago			`import subprocess`
gpg: add agent-signing tool 9 years ago
			`from . import decode`
			`from .. import util`

			`log = logging.getLogger(__name__)`


gpg: rename agent -> keyring 8 years ago			`def connect_to_agent(sock_path='~/.gnupg/S.gpg-agent'):`
gpg: add agent-signing tool 9 years ago			`"""Connect to GPG agent's UNIX socket."""`
			`sock_path = os.path.expanduser(sock_path)`
gpg: rename load_from_gpg -> get_public_key 8 years ago			`subprocess.check_call(['gpg-connect-agent', '/bye'])`
gpg: add agent-signing tool 9 years ago			`sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)`
			`sock.connect(sock_path)`
			`return sock`


			`def _communicate(sock, msg):`
			`sock.sendall(msg + '\n')`
			`return _recvline(sock)`


			`def _recvline(sock):`
			`reply = io.BytesIO()`

			`while True:`
			`c = sock.recv(1)`
			`if c == '\n':`
			`break`
			`reply.write(c)`

			`return reply.getvalue()`


			`def _hex(data):`
			`return binascii.hexlify(data).upper()`


			`def _unescape(s):`
			`s = bytearray(s)`
			`i = 0`
			`while i < len(s):`
			`if s[i] == ord('%'):`
			`hex_bytes = s[i+1:i+3]`
			`value = int(str(hex_bytes), 16)`
			`s[i:i+3] = [value]`
			`i += 1`
			`return bytes(s)`


			`def _parse_term(s):`
			`size, s = s.split(':', 1)`
			`size = int(size)`
			`return s[:size], s[size:]`


			`def _parse(s):`
			`if s[0] == '(':`
			`s = s[1:]`
			`name, s = _parse_term(s)`
			`values = [name]`
			`while s[0] != ')':`
			`value, s = _parse(s)`
			`values.append(value)`
			`return values, s[1:]`
			`else:`
			`return _parse_term(s)`


gpg: refactor agent rsa/ecdsa signature parsing 9 years ago			`def _parse_ecdsa_sig(args):`
			`(r, sig_r), (s, sig_s) = args`
It works again! 9 years ago			`assert r == 'r'`
			`assert s == 's'`
			`return (util.bytes2num(sig_r),`
			`util.bytes2num(sig_s))`

gpg: initial support for ElGamal and DSA Doesn't verify anything (yet). 8 years ago			`_parse_dsa_sig = _parse_ecdsa_sig`

It works again! 9 years ago
gpg: refactor agent rsa/ecdsa signature parsing 9 years ago			`def _parse_rsa_sig(args):`
			`(s, sig_s), = args`
gpg: support RSA decode and verify 9 years ago			`assert s == 's'`
			`return (util.bytes2num(sig_s),)`


gpg: refactor agent rsa/ecdsa signature parsing 9 years ago			`def _parse_sig(sig):`
			`label, sig = sig`
			`assert label == 'sig-val'`
			`algo_name = sig[0]`
gpg: initial support for ElGamal and DSA Doesn't verify anything (yet). 8 years ago			`parser = {'rsa': _parse_rsa_sig,`
			`'ecdsa': _parse_ecdsa_sig,`
			`'dsa': _parse_dsa_sig}[algo_name]`
gpg: refactor agent rsa/ecdsa signature parsing 9 years ago			`return parser(args=sig[1:])`


gpg: rename agent -> keyring 8 years ago			`def sign_digest(sock, keygrip, digest):`
gpg: add agent-signing tool 9 years ago			`"""Sign a digest using specified key using GPG agent."""`
			`hash_algo = 8 # SHA256`
			`assert len(digest) == 32`

			`assert _communicate(sock, 'RESET').startswith('OK')`
agent: add support for gpg passphrase entry 9 years ago
gpg: rename load_from_gpg -> get_public_key 8 years ago			`ttyname = subprocess.check_output('tty').strip()`
agent: add support for gpg passphrase entry 9 years ago			`options = ['ttyname={}'.format(ttyname)] # set TTY for passphrase entry`
			`for opt in options:`
			`assert _communicate(sock, 'OPTION {}'.format(opt)) == 'OK'`

gpg: add agent-signing tool 9 years ago			`assert _communicate(sock, 'SIGKEY {}'.format(keygrip)) == 'OK'`
			`assert _communicate(sock, 'SETHASH {} {}'.format(hash_algo,`
			`_hex(digest))) == 'OK'`
fixup pep8 9 years ago
			`desc = ('Please+enter+the+passphrase+to+unlock+the+OpenPGP%0A'`
			`'secret+key,+to+sign+a+new+TREZOR-based+subkey')`
			`assert _communicate(sock, 'SETKEYDESC {}'.format(desc)) == 'OK'`
gpg: add agent-signing tool 9 years ago			`assert _communicate(sock, 'PKSIGN') == 'OK'`
			`line = _recvline(sock).strip()`

			`line = _unescape(line)`
			`log.debug('line: %r', line)`
			`prefix, sig = line.split(' ', 1)`
agent: raise explicit error when signature fails 9 years ago			`if prefix != 'D':`
			`raise ValueError(line)`
gpg: add agent-signing tool 9 years ago
			`sig, leftover = _parse(sig)`
agent: raise explicit error when signature fails 9 years ago			`assert not leftover, leftover`
gpg: refactor agent rsa/ecdsa signature parsing 9 years ago			`return _parse_sig(sig)`
gpg: add agent-signing tool 9 years ago

			`def get_keygrip(user_id):`
			`"""Get a keygrip of the primary GPG key of the specified user."""`
			`args = ['gpg2', '--list-keys', '--with-keygrip', user_id]`
gpg: fixup str/bytes issues 8 years ago			`output = subprocess.check_output(args).decode('ascii')`
gpg: add agent-signing tool 9 years ago			`return re.findall(r'Keygrip = (\w+)', output)[0]`
gpg: rename load_from_gpg -> get_public_key 8 years ago

			`def get_public_key(user_id, use_custom=False):`
			"""Load existing GPG public key for `user_id` from local keyring."""
			`args = ['gpg2', '--export'] + ([user_id] if user_id else [])`
			`pubkey_bytes = subprocess.check_output(args=args)`
			`if pubkey_bytes:`
gpg: fix pep8/pylint warning 8 years ago			`return decode.load_public_key(io.BytesIO(pubkey_bytes),`
			`use_custom=use_custom)`
gpg: rename load_from_gpg -> get_public_key 8 years ago			`else:`
			`log.error('could not find public key %r in local GPG keyring', user_id)`
			`raise KeyError(user_id)`